Hausing Technologies OÜ privacy policy

Valid from: 01.11.2019.

The Privacy Policy (hereinafter referred to as the "Privacy Policy") is an appendix to the Terms of Use and uses the terms as set forth in the Terms of Use. The Privacy Policy defines the conditions, procedures, liability, etc. for the processing of (personal) data between the User and Hausing. The Privacy Policy does not cover the processing of (personal) data related to the User by Hausing in connection with the management of the contractual relationship between the parties (incl. mutual settlement).

1. THE ROLE OF HAUSING IN DATA PROCESSING

   1. The purpose of the Services provided to the User is to make it technically possible for the User to use the data processing possibilities arising from the use of the Platform. The main purpose of the data processing related to the Platform is not the processing of personal data. Due to the functions of the Platform and the specific activities of the User, it is possible that personal data will still be processed in this way when using the functions of the Platform. In particular, it may be related to the processing of the data of the User's employees, which is related to the accounting or the processing of the data of the User's individual customers.

   2. Hausing does not have direct control over the data processing process via the Platform and does not directly manage or monitor or control the input and processing of specific data by the User. Hausing's role in the provision of services is primarily concerned with ensuring the functioning of the general system, which does not focus on the processing of data relating to an individual. Hausing cannot independently identify a data subject related to (personal) data.

   3. The Platform enables to process the data entered by the User in the database (hereinafter referred to as the “User database”) on the basis of the choices made by the User and using standard functions. The result of data processing depends primarily on the data entered by the User and the unique choices made by the User (given orders). The data is entered into the User database at the User's free choice and Hausing has no control or knowledge of the content.

   4. In essence, Hausing does not have perceptible access to the user interface / account of the User's Platform and the content presented in it, therefore it cannot perceive the data entered by a particular User (incl. links between individual data, personalize them, etc.), defined options and data processing results. Hausing also does not monitor the User's activities when using the data processing functions of the Platform (incl. does not monitor the data entered in the database, the choices made and the results obtained, data sessions, etc.).

   5. As the User database is encrypted, Hausing does not have the possibility to independently perceive and distinguish the data contained therein (including identifying and distinguishing possible personal data from other data).

   6. Hausing's role in processing the User's data is that Hausing manages the technical environment (data space) in which the Platform and the encrypted database used by the User are located and where data processing or operations are performed under the control and management of the User in order for the Platform to function technically and for copies of the User database to be made systematically (usually automatically). Such copies of the User database are all encrypted in a way that does not allow the data contained in them to be reasonably used or perceived outside the User's user interface / account (and the associated rights).

   7. It follows from the foregoing that Hausing does not process personal data directly or independently, but is only indirectly involved in the process of such processing, without having direct systematic access to personal data.

   8. Unless otherwise agreed by the parties, Hausing is not involved in the processing of the data entered by the User in the database in any other way than described in the Privacy Policy.

   9. Due to the specific nature of Hausing's activities, a Data Protection Officer do not need to be appointed.
      
      
      

2. CHIEF PROCESSOR

   1. The chief processor of personal data is the User in whose name the personal data is processed. The User is obliged to take all measures to ensure the protection of the personal data processed and compliance with the conditions set out in the EU General Data Protection Regulation (2016/679) and other applicable legislation. The User is responsible for the consequences of non-compliance with such personal data protection conditions. If the User appoints a data protection officer, they shall immediately forward the contact details of this person to Hausing.
      
      

3. PROVIDING HELP TO THE USER

   1. Due to Hausing's role and its substantive ignorance regarding the processing of personal data, it also does not have a reasonable opportunity to assist the User in exercising data subject's rights (incl. ensuring transparency, providing information and access to personal data, correcting and deleting personal data, restricting processing, transferring personal data, dealing with objections, etc.).

   2. The User, for their part, shall make every effort to prevent data subjects from turning to Hausing to exercise their rights.

   3. If a person contacts Hausing, claiming to be a data subject whose personal data is processed by the User and wishes to exercise their data subject's rights, Hausing shall refer the person to the User either through the data protection contacts notified by Hausing or through the User's contact upon conclusion of the notified Service Agreement (s). The User forwards their data protection contact address to Hausing as soon as possible to: tagasiside@hausing.ee
      
      

4. DATA REPOSITORY

   1. The data related to the Services (User database) and the Platform are physically located in the Republic of Estonia. Specifically, they are located on servers managed by Hausing's contractual partner AS Wavecom, registry code 10756058 (hereinafter referred to as the "Data Repository"). An agreement has been entered into with AS Wavecom to ensure data protection, to which at least similar conditions to the Privacy Policy apply.

   2. In order to ensure data protection in the Data Repository:

      1. the data exchange takes place with the User and the Platform and the database located in the Data Repository through an encrypted data exchange channel and this data exchange is not monitored by the Data Repository in terms of content;

      2. the Data Repository shall use redundant hardware systems that reduce the risk of data loss in the event of hardware failure and uninterruptible power supply (UPS) systems that reduce the risk of data loss and system failure in the event of a power failure;

      3. the exact architectural creation and operation of the Data Repository are kept confidential in order to reduce the risk of external attacks;

      4. the Data Repository implements up-to-date measures and tools against anti-virus and external attacks;

      5. McAfee SIEM solutions are used for data protection, and the staff of the Data Repository constantly monitors and controls (24 h) the functioning of these security measures and responds to suspicious behavior / attacks and failures;

      6. software security patches and anti-virus updates are automatically and continuously installed as they are released;

      7. encrypted backups of the User database (usually automatically) are made to various locations in the European Union;

      8. the User databases and backups made from them are encrypted and the Data Repository has no right to decrypt them independently;

      9. the Data Repository does not have detailed knowledge of the operation of the Platform and data processing (incl. the structure and operation of the database);

      10. the Data Repository servers are located, where the User's data is physically located, in protected (locked and guarded) premises, which are not known to the public and to which access is constantly monitored and controlled. Access to the relevant premises is restricted to specific persons competent with the data protection knowledge of the Data Repository, who periodically undergo the relevant training;

      11. does not transmit encrypted copies of the User databases to the Data Repository itself;

      12. the Data Repository is bound by a confidentiality requirement that precludes the disclosure of (personal) data.

   3. Hausing does not involve any person other than the Data Repository in storing / processing (personal) data without the written permission of the User. However, if such involvement of persons proves to be reasonably necessary for Hausing to be able to engage in and develop its economic activities, but the User does not grant such permission, Hausing has the right to immediately terminate the Service Provision agreements concluded between the Parties. When other parties are involved, they will always be subject to an agreement containing the same data protection obligations as it applies to Hausing and which will ensure that adequate appropriate technical and organizational measures are implemented.
      
      

5. DATA EXCHANGE

   1. Data exchange related to the processing of data in the User database shall take place by the User (through the choices and commands made on the Platform) and under their direct control. Hausing does not transfer personal data to third parties or control the content of the User's data exchange.

   2. Physical movement of the User database and its backups

      1. The User database and its backup copies move physically between the Data Repository and the User through an encrypted channel, whereby the data transfer session is generally initiated by the User.

   3. Accidental exposure of Hausing employees to User data processing data

      1. The elimination of some technical failures and problems related to the operation of the Platform and data processing (incl. identification of their causes) is possible only if the respective Hausing employee (Accommodation Service administrator or consultant) has access to the User Platform user interface / account. Such access right is temporarily created by the User itself during the performance of the respective operation.

   4. The administrator of the Accommodation Service may be allowed random access to some individual data in connection with the performance of the above tasks. The administrator of the Accommodation Service has entered into a corresponding confidentiality agreement and received appropriate instructions, according to which:

      1. the administrator of the Accommodation Service must do everything reasonably possible to prevent the perception of the User's data (incl. viewing, remembering, writing, saving) and processing it outside the User's account / database;

      2. they do not have the right to use the User's data in any way after performing a specific task.

      3. In such a situation, the User is obliged to:

         1. arrange for the granting of rights to the administrator of the Accommodation Service only for the time and to the extent necessary to eliminate the specific failure / problem;

         2. directly monitor and register (log in) all data processing performed by the Accommodation Service administrator via the User Platform user interface / account and keep the corresponding log.

   5. Registration of data processing operations (logging)

      1. Due to the fact that Hausing, like the Data Repository, does not process personal data independently or directly, they are also not in a position to keep a corresponding register of personal data processing operations. The obligation to register (log in) personal data processing operations is performed by the User, even if the Hausing employee (Accommodation Services administrator) accidentally comes into contact with personal data in connection with the provision of technical assistance.

      2. The logs of the Platform, on the basis of which it is possible to monitor the activities of different persons, shall not record separately the processing of personal data and the circumstances thereof. Deletion of User database and backups.

      3. Hausing is related to the User's data processing process (database and backups) as long as the User is provided with the Accommodation Service. Upon termination of the provision of the Accommodation Service to the User, the User database and all its backup copies shall be deleted within one calendar month at the latest, except for if required by law to be retained by Hausing.

      4. During the provision of the Accommodation Service, automatically backed up copies of the User database shall be kept for one (1) calendar month, after which they shall be deleted.

   6. Ensuring the security of data processing

      1. Hausing has taken and will continue to take economically reasonable measures to ensure the security of the processing of (personal) data. To this end, the technical and organizational measures used by Hausing and the Data Repository in the provision of the Services will be tested and evaluated, and new and best practices will be applied to ensure the security of data processing in accordance with the development of information technology.

   7. Notification of infringements and measures to prevent infringements

      1. If Hausing becomes aware of a personal data breach, in particular if a specific data leak has occurred in the Data Repository, as a result of which third parties have access to personalized unencrypted personal data without the User's request or order, Hausing shall take reasonable steps to prevent such data leakage and shall immediately notify the User of such data leakage. If necessary and at the request of the User, Hausing will later describe the data leakage sufficiently in order for the User to be able to fulfill their notification obligations arising from the obligation to protect personal data.

      2. The Parties shall cooperate in good faith to resolve any problems that may arise.
         
         

6. PERSONAL DATA PROCESSING SERVICE

   1. In addition to the provisions of the Privacy Policy (except for the management of the contractual relationship between the parties), Hausing and Data Repository process personal data from the User only in accordance with the instructions documented by the User and on the basis of a separately concluded agreement.

   2. If the User wishes Hausing to perform the activities of an authorized processor of personal data (incl. to assist the User in fulfilling the latter's obligations) within the meaning of the General Data Protection Regulation (2016/679) and / or to fulfill the respective obligations, the User may order a corresponding personal data processing service (hereinafter “Personal Data Processing Service”) from Hausing.

   3. The Personal Data Processing Service also assists the User in fulfilling the obligations related to the security of processing, informing the supervisory authority and the data subject, data protection impact assessment and prior consultation with the supervisory authority.

   4. The collection of any additional information related to personal data, preparation of documents and making them available to the User, as well as preparation, provisioning and contribution to related audit and control activities shall also be considered a Personal Data Processing Service.

   5. The Personal Data Processing Service is considered to be all activities requested or required of Hausingo in connection with (or with reference to) the User's compliance with personal data protection requirements, regardless of whether it is requested by the User, data subject, supervisory authority, court or other interested person. If the User does not wish to use the Personal Data Processing Service, they must take all necessary measures (incl. appropriate notification and conclusion of agreements) in order to prevent the submission of such wishes or requests to Hausing.

   6. The precondition for the provision of the Personal Data Processing Service is that Hausing actually has the knowledge, control and real function with regard to the substantive processing of specific personal data. To this end, the User must continuously provide Hausing with detailed input on the processing of personal data (incl. describe the content and duration, nature and purpose of the processing, type of personal data, categories of data subjects, etc.). The provision of the Personal Data Processing Service may also lead to the need to technically redesign the Services provided to the User. It also presupposes that Hausing must have a continuous substantive overview of the User's data processing. The respective circumstances and conditions shall be agreed between the parties when ordering the Personal Data Processing Service.
      
      

7. COMPENSATION FOR COSTS AND DAMAGES

   1. If Hausing is forced to participate in any proceedings (incl. in a supervisory authority, court, etc.) in connection with the processing of personal data by the User, the User undertakes to reimburse Hausing in full and immediately for all related procedural costs of Hausing.

   2. If the User's breach of its obligations regarding the protection of personal data (including the performance of this agreement) imposes proprietary obligations on Hausing (e.g. payment of a fine or compensation, compliance with precepts, etc.), the User undertakes to compensate Hausing in full and immediately.
      
      

8. CONFIDENTIALITY

   1. The (personal) data in the User database are confidential.

   2. Both Hausing and Data Repository employees who have access to or have access to the User database and backups have entered into appropriate confidentiality agreements that exclude the disclosure of data, except for legal obligations to publish data.
      
      

9. USER CONFIRMATIONS

   1. By agreeing to the Privacy Policy and / or using the Services, the User confirms that they are convinced that the processes and measures related to the Hausing Services meet the User's expectations and enable to ensure the proper processing of personal data by the User, including agreeing that:

      1. Data processing related to the Services is under the complete control of the User. This means that Hausing does not directly process personal data and does not qualify as an authorized processor of personal data in the classical sense;

      2. Given the nature of participation in data processing, Hausing and the Data Repository have implemented appropriate technical and organizational measures to ensure compliance with the EU General Data Protection Regulation (2016/679) and related legislation and the protection of data subjects' rights when processing personal data;

      3. The level of security offered by Hausing in the provision of the Services is, in their opinion, sufficient;

      4. The information provided in the special conditions is sufficient to demonstrate compliance with Hausing's obligations; they shall not require Hausing to take any further action in relation to the pseudonymisation and encryption of (personal) data without any obligation to reimburse any additional costs; increasing the ongoing confidentiality, integrity, availability and resilience of systems and services; restoring the availability of and access to (personal) data in the event of a technical incident.
         
         

10. CONFIDENTIALITY

    1. The User undertakes to refrain from distributing and making available the Privacy Policy. The communication and exchange of data between the Parties in connection with the fulfillment of the provisions of the Privacy Policy shall be confidential.
       
       

11. CONFLICTS

    1. The Privacy Policy specifies the Terms of Use in relation to the processing of personal data, without changing the principles set out in the Terms of Use. In case of conflict with other agreements / conditions in the same field, the provisions of the Privacy Policy shall apply.
       
       

12. ENTRY INTO FORCE AND IMPACT

    1. Due to the fact that Hausing cannot physically control whether or not the User processes personal data when using the Services, all Users must agree to the Privacy Policy in order to avoid ambiguity and misunderstanding.

    2. If the User does not confirm the acceptance of the Privacy Terms, the User must immediately stop processing the personal data related to the use of the Platform and the Services and refrain from doing so in the future. If the consent is not confirmed, Hausing may terminate the provision of the Services to the User and cancel the Agreement unilaterally.