Contact us

Privacy policy

The NGO Crisis Research Center processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, the Personal Data Protection Act, and other legislation regulating data protection.

This privacy policy describes the processing of personal data by the NGO Crisis Research Center (registry code: 80606975; hereinafter also referred to as the “Organization” or “we”).

Before accessing our website or using the website or any of our services, please read this privacy policy carefully. If you do not agree with these terms, we ask you to immediately discontinue the use of the website and other services.

The Organization has the right to make unilateral amendments to this privacy policy from time to time. We make every effort to keep the privacy policy up to date and available on the website www.kruk.ee. To stay informed about the latest version of the privacy policy, we recommend visiting our website periodically. We may also notify you of changes to the privacy policy by email or through other contact details known to us.

1. Terms

The Organization or “we” (registry code: 80606975) acts either as a data controller, meaning the entity that determines the purposes and means of processing personal data, or as a data processor when acting in accordance with data processing agreements concluded between data controllers.

A data subject or “you” is an identifiable or identified natural person whose personal data are processed, regardless of whether a contract exists between us or not. Personal data are any information relating to an identifiable or identified natural person (the data subject).

Processing of personal data refers to any operation performed on personal data (e.g. collection, storage, modification, transmission, deletion, organization). The website means the homepage managed by the Organization: www.kruk.ee.

2. Content of personal data

To achieve the purposes set out in the personal data processing conditions, we process any data relating to an identified or identifiable natural person, regardless of the form or format in which such data exist. The exact set of personal data processed varies from case to case, and we always follow the principle of processing as little personal data as possible — meaning that we process only the data that are relevant and necessary to achieve the purposes of processing.

Among other things, we process the following personal data:

  • Identification and contact details: first and last name, personal identification code, contact details (email address, postal address, telephone number);
  • Work-related data: position, employer;
  • Other data: the scope and duration of services ordered, inquiries made on the website or by email, information related to customer communication, including communication with potential clients, volunteers, and donors; any other personal data disclosed by the data subject through the use of our website or in the course of receiving our services, including free services.

The above-mentioned personal data are collected in the course of using the Organization’s services — when making a donation, subscribing to the newsletter, responding to surveys/studies, during communication, or in any other manner, including on the initiative of the data subject. In the case of donations, the NGO Crisis Research Center is the data controller; the NGO Crisis Research Center transmits the personal data necessary for processing payments to the authorized processor Maksekeskus AS.

We also collect non-personalised information, including data on the duration of website visits, the number of clicks, and user behaviour, but we do so solely for analytical purposes and to improve the convenience of the Organization’s website. We use only secure services. In addition to the above, we have the right to collect data that are available in public registers.

3. Legal basis and purpose of processing personal data

We process personal data when a legal basis exists and only for as long as necessary to fulfil the purposes set out in this privacy policy. These personal data processing terms describe how we collect and process personal data when acting as a data controller.

When acting as a data processor, we operate in accordance with the data processing agreements concluded between us and the data controllers, as well as the applicable legislation. We keep confidential and secure all other information disclosed to us in the course of using our services.

  1. Performance of a contract: we process identification data in order to conclude a contract with you for the provision or use of the Organization’s services (including for preparing the contract and for pre-contractual communication). For the sake of clarity, as a data processor we process only the personal data necessary for our cooperation partners to fulfil their obligations arising from the law or from contracts concluded with you. In addition, we process data to improve the quality of the service, to send the client important notifications related to the service and the performance of the contract, and to manage the client relationship;
  2. Consent of the data subject: we process personal data on the basis of the data subject’s consent, provided that the purposes of such processing are communicated prior to the giving of consent. Users may also voluntarily (i.e., based on consent) participate in various surveys and studies. If you send us emails, you thereby also consent to the processing of your personal data (including storing the content of emails and inquiries) so that we can respond to your emails and questions. You have the right to withdraw your consent to such processing at any time by notifying us using the contact details provided in this privacy policy or, where available, by using other technical means. Withdrawing consent does not affect the lawfulness of processing carried out prior to the withdrawal;
  3. Fulfilment of obligations arising from legislation: we may process your personal data to comply with obligations established by law, such as ensuring the protection of personal data (including responding to data subject requests and inquiries from competent authorities), retaining personal data for any period required to comply with statutory obligations (e.g., for accounting purposes), and for fulfilling other obligations arising from applicable legislation.
4. Security measures

We process personal data only when a legal basis exists and for legitimate purposes. To ensure the security of personal data, we use appropriate measures and store personal data in a way that guarantees their security and confidentiality. Access to personal data is granted only to individuals for whom it is necessary in connection with the performance of their work duties, the provision of services, or to whom the disclosure of personal data is permitted under the personal data processing terms or applicable legislation. We implement the necessary organizational, physical, and IT security measures to ensure the protection of personal data.

Our employees are obligated under their employment and/or service agreements, as well as under applicable legislation, to keep personal data entrusted to them in the course of their work confidential; this confidentiality obligation is indefinite and applies to both current and former employees.

When we transmit personal data to authorized processors acting on our behalf, we ensure their reliability and conclude appropriate agreements and data processing contracts with them.

If a personal data breach occurs and it is likely to pose a risk to the rights and freedoms of the data subject, we will notify the Estonian Data Protection Inspectorate of the breach. In addition, we will take measures to stop the breach as soon as possible.

We are not responsible for any misuse of your personal data resulting from malware on your computer or other device.

5. Recipients

We have the right to disclose and transmit personal data without your prior consent to authorized processors acting on our behalf and under appropriate data processing agreements, as well as when necessary to comply with obligations arising from legislation. To protect our rights, we also have the right to disclose personal data to third parties.

With your consent and in accordance with these personal data processing terms, we may disclose and transmit personal data to our cooperation partners.

6. Deletion and retention

We retain personal data only for as long as necessary to achieve the purposes described in this privacy policy, to protect our rights, or to comply with obligations arising from legislation. After the above period, we retain your personal data only with your consent and for as long as that consent has not been withdrawn by requesting the deletion of your personal data. If email communication and/or other correspondence has taken place between us, the personal data contained in such emails and/or other communication will be retained until you withdraw your consent by requesting the deletion of such data.

7. Your rights and obligations

You may request information from us at any time regarding the processing of your personal data. In accordance with applicable legislation, you may have the right to:

  • request the deletion of your personal data; however, we cannot delete data that we process as a data processor unless the data controller has authorized it;
  • request the correction of your inaccurate personal data if they have changed or if they are incorrect, incomplete, or otherwise inaccurate;
  • request the restriction of the processing of your personal data;
  • object to the use of your personal data;
  • the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit those data to another data controller.

If we process personal data based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing carried out prior to the withdrawal. The data subject is responsible for ensuring that the data they provide are accurate, correct, and complete. Knowingly providing false data is considered a violation of the privacy policy. The data subject is obligated to immediately inform the data controller of any changes to the submitted data.

8. Cookies

We use cookies on our website. Cookies are small text files stored on your computer to “remember” you and your preferences, enabling us to provide relevant information, recommendations, and to improve the user experience. We use only those cookies that are necessary for the functioning of the website.

9. Requests and complaints

In matters related to the processing of personal data, the data subject has the right to contact the Organization as the data controller at the following address: info@kruk.ee.

We respond to a data subject’s request within 30 days and inform the user whether and which measures have been taken to address the request. If the request is complex or extensive, the response period may be extended by 60 days.

The data subject also has the right to submit a complaint to the national data protection supervisory authority if they believe that the processing of their personal data does not comply with the applicable legislation.

Effective from February 4, 2022.

Photo: data agreement (Vanessa Garcia/Pexels, 2020).

Jaga postitust:

Get A Quote
Get A Quote