Estonian Red Cross Privacy Policy

1. General Provisions

1.1. This privacy policy governs the principles of collecting, processing, and storing personal data. The Estonian Red Cross is committed to protecting the privacy of its clients and members. We respect your trust.

1.2. A data subject within the meaning of this privacy policy is a client or any other natural person whose personal data is processed by the data controller.

1.3. A client within the meaning of this privacy policy is anyone who registers as a member, volunteer, consumer of training/services, or purchases goods or services from the website of the Estonian Red Cross NGO.

1.4. The data controller adheres to the principles of data processing established by legislation, including the lawful, fair, and secure processing of personal data. The data controller is able to confirm that personal data is processed in accordance with the applicable laws.

2. Collection, Processing, and Storage of Personal Data

2.1. The personal data collected, processed, and stored by the data controller is primarily obtained electronically, mainly through the website and email. We process personal data of Red Cross volunteers, members, donors, clients, partners, and training participants.

2.2. By sharing their personal data, the data subject grants the data controller the right to collect, organize, use, and manage personal data for the purposes defined in this privacy policy, which the data subject has shared either directly or indirectly.

2.3. We use personal data for communication, customer service, service provision, as well as for authorized and targeted marketing.

2.4. The data subject is responsible for the accuracy, correctness, and completeness of the data submitted. Knowingly providing false information is considered a violation of the privacy policy. The data subject is obliged to promptly notify the data controller of any changes to the submitted data.

2.5. The data controller is not liable for damages caused to the data subject or third parties as a result of the data subject providing incorrect information.

2.6. Our principle is that personal data is not disclosed to parties outside the organization. Data may only be disclosed, if necessary, within the global Red Cross organization, its branches, departments, and institutions, as well as to authorized data processors under a data processing agreement.

3. Processing of Clients' Personal Data

3.1. The data controller may process the following personal data of the data subject:

• First and last name;
• Date of birth;
• Phone number;
• Email address;
• Contact address;
• Bank account number;
• Payment card details.

3.2. In addition to the above, the data controller has the right to collect information about the client available in public registers.

3.3. The legal basis for processing personal data is Article 6(1) points a), b), c), and f) of the General Data Protection Regulation (GDPR):

• a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
• b) processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
• c) processing is necessary for compliance with a legal obligation to which the controller is subject;
• f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

3.4. Processing of personal data based on the purpose of processing:

• Purpose - security and safety: Retention as required by law
• Purpose - order processing (trainings): Retention - 7 years
• Purpose - customer management: Retention - 7 years
• Purpose - financial activity, accounting: Retention - as required by law
• Purpose - marketing: Retention - 2 years

3.5. The data controller has the right to share clients' personal data with third parties, such as authorized data processors, accountants, transport and courier companies, payment service providers.

3.6. The data controller implements organizational and technical measures that ensure the protection of personal data.

3.7. The data controller retains data depending on purpose, but not longer than 10 years.

3.8. We only collect and process necessary data and delete outdated data as soon as possible.

4. Cookies

4.1. The website may use cookies, mobile device identifiers, and web beacons. These technologies collect data about how and when services are used, such as accessed pages, viewed content, and device information.

4.2. Cookies help improve products and services and display relevant content. Cookies alone cannot identify a user unless the user has provided identifying information.

5. Website Privacy

5.1. Users must agree to the terms of use. Website content is the property of the Red Cross. Copying or distribution is prohibited without written consent. Public materials may be used with proper citation.

5.2. Website content is not legally binding. The Red Cross may change content or access terms at any time.

5.3. The Red Cross is not liable for direct or indirect damages caused by website usage or service interruptions.

5.4. The Red Cross is not responsible for third-party website content linked on its site.

6. Data Subject Rights

• 6.1. Right to access personal data.
• 6.2. Right to receive information about data processing.
• 6.3. Right to correct inaccurate data.
• 6.4. Right to withdraw consent at any time.
• 6.5. To exercise rights, contact: andmekaitse@redcross.ee
• 6.6. Right to file a complaint with the Data Protection Inspectorate.

7. Final Provisions

7.1. This privacy policy is in accordance with Regulation (EU) 2016/679 (GDPR), Estonian Personal Data Protection Act, and other applicable laws.

7.2. The data controller may amend this policy and will inform data subjects via https://redcross.ee/