Ethicontrol's privacy policy

Document number: IS.PL-003
Version number: 1.0
Effective date: 25.08.2021
Next review date: 25.08.2022
Document Owner: Data protection officer
Review Response: Data protection officer


 

1 DEFINITIONS

Ethicontrol

The conditional name of the company group, which includes the Estonian company "Ethicontrol OÜ" and the Ukrainian LLC "Ethicontrol".

GDPR

The General Data Protection Regulation (EU) 2016/679 is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).

Data controller (controller)

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law

Data subjects

Any person whose personal data is being collected, held or processed.

Processor

The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Protection Officer

The person responsible for ensuring that Ethicontrol follows its data protection policy and complies with the GDPR.

Notification

Notifying the Data Protection Inspectorate about the data processing activities of Ethicontrol.

The Data Protection Inspectorate

National Data Protection Authority of Estonia.

Personal data processing (processing)

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2 GENERAL

Ethicontrol — the conditional name of the company group, which includes the Estonian company "Ethicontrol OÜ" LLC and the Ukrainian LLC "Ethicontrol".

Ethicontrol operates in the field of providing anti-corruption law enforcement services for European countries and the Middle East.

The Estonian company Ethicontrol OÜ is the head office that interacts with clients (except for Ukraine), determines the development strategy and internal requirements of Ethicontrol, including personal data protection.

LLC "Ethicontrol" provides operational activities and interaction with Ukrainian customers.

Ethicontrol processes personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.

When collecting and using personal data, our policy is to be transparent about why and how we process personal data.  

Taking into account the area in which it operates, Ethicontrol understands the importance of protecting the personal data that is processed by Ethicontrol's technical means.

Ethicontrol implements the requirements of the following international standards for personal data protection:

  • ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
  • ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines

3 POLICY PURPOSE

Ethicontrol is strongly committed to protecting personal data.  This Policy describes why and how we collect and use personal data and provides information about individuals’ rights.

4 OUR PROCESSING ACTIVITIES

4.1 Data Controller

Ethicontrol is a controller that processes the following categories of personal data:

  • personal data about marketing contacts;
  • personal data of recruitment applicants;
  • personal data of employees;
  • personal data of site visitors.

Detailed information about the processing is presented below.

4.1.1 Business contact person data

Data subject:

Contact person of existing and potential clients and/or individuals associated with them

Controller, Processor:

“Ethicontrol OÜ” is a controller and processor for processing data of clients from the European Union and the Middle East.

“Ethicontrol” LLC is a controller and processor for processing data of Ukrainian clients.

Collection of personal data:

Ethicontrol processes personal data about contacts using a customer relationship management system (the “CRM”).

The collection of personal data about contacts and the addition of that personal data to the CRM is initiated by an Ethicontrol user and will include:

  • first, last name of contact person;

  • employer name;

  • contact title / position;

  • phone;

  • e-mail.

Use of personal data:

Personal data relating to business contacts may be visible to and used by Ethicontrol users to learn more about an account, client or opportunity they have an interest in, and may be used for the following purposes:

  • developing our businesses and services

  • providing information to you about us and our range of services

  • making personal data available to Ethicontrol employees for performing services and for offering new services

  • performing analytics such as on market trends, relationships maps or sales opportunities.

Systems that process the personal data are located in the EU.



 

Legal basis for processing:

We will process our business contacts’ personal data based on our legitimate business interests or on consent, if the data subject has been asked to give it.

We have an interest in marketing our services or providing communications which we think will be of interest to recipients.

Data retention:

Personal data will be retained on the CRM for as long as it is necessary for the purposes set out above (e.g., for as long as we have, or need to keep a record of, a relationship with a business contact).  

Data subject rights:

You have a number of legal rights in relation to the personal data that we hold about you and you can exercise your rights by contacting us using the details at the end of this document. These rights include:

  • the right to obtain information regarding the processing of your personal data and access to the personal data which we hold about you;

  • the right to request that we correct your personal data if it is inaccurate or incomplete;

  • the right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data but we must retain it;

  • the right to request that we restrict our processing of your personal data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your personal data but we must refuse that request;

  • the right to lodge a complaint with the applicable data protection regulator;

  • the right to object to the processing and we must stop unless we have an overriding reason which will be communicated to you.

  • when we are processing on the grounds of consent, you have the right to erasure.

Data Sharing:

Employees of Ethicontrol LLC, located in Ukraine, have the authority to access the data of contact persons of clients from the European Union and the Middle East to achieve a specific purpose / goal of Ethicontrol processing.

In some circumstances, such as under a court order, we are legally obliged to share information.

Information about other third parties, that take part in the personal data processing, is provided in Appendix A.

Transfers of personal data:

Employees of Ethicontrol LLC, located in Ukraine, have the authority to access the data of contact persons to achieve a specific purpose / goal of Ethicontrol processing. Access is provided on the basis of an agreement (Standard contractual clauses for international transfers) between “Ethicontrol OÜ” and “Ethicontrol” LLC. In this case, “Ethicontrol” LLC will be a sub-processor.

4.1.2 Recruitment applicants’ data

Data subject:

Recruitment applicants.

Controller, Processor:

For recruitment applicants to “Ethicontrol OÜ” LLC, “Ethicontrol OÜ” LLC is directly a controller and processor.

Accordingly, “Ethicontrol” LLC is a controller and processor for employment in “Ethicontrol” LLC.

Collection of personal data:

As part of the recruitment process, Ethicontrol collects and processes personal data relating to recruitment applicants, such as:

  • name of recruitment applicant;

  • details of qualifications, skills, experience and employment history;

  • information about current and desired levels of remuneration;

  • contact details, including email address and telephone number.

Ethicontrol may collect this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes or other identity documents, or collected through interviews or other forms of assessment. 

Ethicontrol may also collect personal data about recruitment applicants from third parties, such as references supplied by former employers.

Use of personal data:

Processing data from recruitment applicants allows us to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. 

We may also need to process your data to enter into a contract with you.

Legal basis for processing:

We have a legitimate interest in processing personal data during the recruitment process and for keeping records of the process.

If your application for employment is unsuccessful, Ethicontrol will ask whether or not you consent to it holding your details so that you can be considered for other positions.

Data retention:

Data will be stored in a range of different places: CRM system, email system.

If your application for employment is unsuccessful, Ethicontrol will hold your data on file for 6 (six) months after the end of the relevant recruitment process. At the end of that period, or once you withdraw your consent, your data is deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your Human Resources file (electronic and paper based) and retained during your employment.

Data subject rights:

Recruitment applicants, as data subjects, have a number of rights:

  • access and obtain a copy of data on request;

  • require Ethicontrol to change incorrect or incomplete data; 

  • require Ethicontrol to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and 

  • object to the processing of data where Ethicontrol is relying on its legitimate interests as the legal ground for processing.

Additionally, recruitment applicants are free to withdraw consent at any time if it was given.  


 

Data Sharing:

Information about third parties that take part in the personal data processing, is provided in Appendix A.

Transfers of personal data:

We don't transfer recruitment applicant’s personal data overseas.

4.1.3 Employee’s data

Data subject:

Employee

Controller, Processor:

“Ethicontrol OÜ” LLC is a controller and processor for its own employees' data processing.

“Ethicontrol” LLC is a controller and processor for its own employees' data processing.

Collection of personal data:

We process the following categories of personal data:

  • Information related to your employment:

      • personal contact details such as your name, address, contact telephone numbers and personal email addresses;

      • your date of birth, gender and ID number;

      • a copy of your passport or similar photographic identification;

      • marital status;

      • next of kin, emergency contacts and their contact information;

      • employment and education history including your qualifications, job application, employment references, right to work information.

  • Information related to your salary, pension and loans:

      • information about your job role and your employment contract including: your start and leave dates, salary (including grade and salary band), any changes to your employment contract, working pattern (including any requests for flexible working);

      • details of your time spent working and any overtime, expenses or other payments claimed, including details of any loans such as for travel season tickets;

      • details of any leave including sick leave, holidays, special leave etc.;

      • pension details including membership of both state and occupational pension schemes (current and previous);

      • your bank account details, payroll records and tax status information;

      • details relating to Maternity, Paternity, Shared Parental and Adoption leave and pay.

  • Information relating to your performance and training:

      • information relating to your performance at work, e.g. probation reviews, promotions;

      • investigations to which you may be a party or witness;

      • disciplinary records and documentation related to any investigations, hearings and warnings/penalties issued;

      • information related to your training history and development needs.

  • Information relating to monitoring:

      • information about your access to data;

      • information derived from monitoring IT acceptable use standards.







 

Use of personal data:

Information related to your employment:

We use the information to carry out the contract we have with you, provide you access to business services required for your role and manage our human resources processes. 

Information related to your salary, pension and loans:

We process this information for the payment of your salary, pension and other employment-related benefits. We also process it for the administration of statutory and contractual leave entitlements such as a holiday or maternity leave.

Information relating to your performance and training:

We use this information to assess your performance, to conduct pay and grading reviews and to deal with any employer / employee related disputes. We also use it to meet the training and development needs required for your role.

Information relating to monitoring:

We use this information to assess your compliance with corporate policies and procedures and to ensure the security of our premises, IT systems and employees.

Legal basis for processing:

We will only collect, use and share your personal information where we are satisfied that one or more of the following legal bases apply:

  • The processing is necessary for compliance with a legal obligation to which Ethicontrol is subject, for example, disclosing information to local tax authorities, making statutory payments, avoiding unlawful termination, avoiding unlawful discrimination, meeting statutory record keeping requirements or health and safety obligations;

  • The processing is necessary for the performance of a contract to which you are a party;

  • The processing is necessary for the legitimate interests pursued by Ethicontrol or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal information. Ethicontrol considers that it has a legitimate interest in processing personal information for the purposes set out above, and to support the achievement of its immediate and long-term business goals and outcomes.

Data retention:

We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this Policy. 

In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting, or necessary technical requirements.  

In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.

Data subject rights:

You have a number of legal rights in relation to the personal data that we hold about you and you can exercise your rights by contacting us using the details at the end of this document. These rights include:

  • the right to obtain information regarding the processing of your personal data and access to the personal data which we hold about you;

  • the right to request that we correct your personal data if it is inaccurate or incomplete;

  • the right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data but we must retain it;

  • the right to request that we restrict our processing of your personal data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your personal data but we must refuse that request;

  • the right to lodge a complaint with the applicable data protection regulator;

  • when we are processing on the grounds of legitimate interest, you have the right to object to the processing and we must stop unless we have an overriding reason which will be communicated to you.


 

Data Sharing:

In some circumstances, such as under a court order, we are legally obliged to share information.

Information about third parties, that take part in the personal data processing, is provided in Appendix A.

Transfers of personal data:

We don't transfer staff personal data overseas.

4.2 Data processor

The main product of Ethicontrol is a multi-channel platform, which is provided as an online service for working with informants, incidents, and internal investigations.

“Ethicontrol OÜ” ensures the operation of the call centre (if required) and performs the administration of the Platform on the basis of an agreement with the Customer.

“Ethicontrol OÜ” is a processor according to this agreement. The following categories of personal data of the Customer's employees (users of the Platform, whistleblowers, witnesses, accused persons) are subject to processing:

  • identification data (name, surname, position, login of the Platform, photo);
  • contact details (phone number, e-mail);
  • event log data (IP address, operating system, browser, date and event description);
  • whistleblower message.

The Customer determines the purpose and legal basis for the processing of personal data, the existing rights of data subjects and the ways of exercising them, and the list of data recipients. That information is included in the Data processing agreement.

If necessary, specialists of "Ethicontrol" LLC may be involved in fulfilling the terms of the agreement with the Customer. This involvement takes place on the basis of an agreement (Standard contractual clauses for international transfers) between "Ethicontrol OÜ" and "Ethicontrol" LLC. "Ethicontrol" LLC will be a sub-processor in this case. Employees of "Ethicontrol" LLC can perform the following tasks:

  • provide administration of the Platform's software;
  • provide services of call centre operators.

Information about other third parties, that take part in the personal data processing, is provided in Appendix A.

Physically, the data is stored in the European Union.

Detailed information on the processes of personal data processing is given in a separate document: GDPR handbook. This document can be obtained by potential and existing customers upon request.


 

5 COMPLAINTS

We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to the Data protection officer (see the contact details below). We will look into and respond to any complaints we receive.

You can also complain to the Data Protection Inspectorate of Estonia:

  • telephone (from abroad add +372) 627 4135
  • e-mail info[a]aki.ee

6 CONTACT INFO OF DATA PROTECTION OFFICER

If you have any questions about this Policy or how and why we process personal data, please contact us at:

  •  e-mail privacy (at) ethicontrol.com

7 POLICY REVISION

We recognise that transparency is an ongoing responsibility so we will keep this privacy statement under regular review. 

Responsibility for amending the policy rests with the Data protection officer.

Annex A

List of sub-processors of Ethicontrol

| Subprocessor | Tasks | Link (related clauses of the Policy) | Data location |
|---|---|---|---|
| Google Inc. | Providing cloud services (G Suite product): e-mail; data storing | 4.1.1 Contact person data; 4.1.2 Recruitment applicants’ data | Germany |
| Google Inc. | Web-site activity analyzing: Google Analytics; Google AdWords; Google Tag Manager; Google Fonts; Google Maps; Google Site Search; Google AdSense; Google Website Optimizer | 4.1.4 Website visitors’ data | Germany |
| Hubspot | Customer Relationship Management system | 4.1.1 Contact person data; 4.1.3 Employee’s data | Germany |
| Digital Ocean Inc. | Hosting services | 4.2 Data processor | Germany |
| Linode, LLC. | Hosting services | 4.2 Data processor | Germany |
| Microsoft Inc. | Azure hosting services | 4.2 Data processor | Germany, UAE, Local |
| Amazon Inc | AWS hosting services | 4.2 Data processor | Ireland |
| GigaCloud LLC | Hosting services | 4.2 Data processor | Germany, Local (Ukraine) |
| Cloudflare | Content Delivery Network. Used as a web infrastructure and website security, providing content delivery network services, DDoS mitigation, internet security, and distributed domain name server services | 4.2 Data processor; 4.1.4 Website visitors’ data | Local. Data Centers located all around the world. Traffic will be automatically routed to the nearest data center. |
| Freshdesk | Helpdesk portal for users. Knowledge base and articles | 4.1.1 Contact person data; 4.1.3 Employee’s data | Germany |
| Zadarma | Calling functionality. Used as a numbers and trunk provider for marketing phone lines as well as service hotlines | 4.1.1 Contact person data; 4.1.3 Employee’s data; 4.2 Data processor | Bulgaria |
| Stripe | Payment processing for international customers | 4.1.1 Contact person data | Germany |
| Waveapps, Wave Financial Inc | Accounting and billing for international customers | 4.1.1 Contact person data | Canada |
| Bo.in.ua | Accounting and billing of Ukrainian customers | 4.1.1 Contact person data; 4.1.3 Employee’s data | Ukraine |
| Tilda | Content Delivery Network used at marketing website only | 4.1.1 Contact person data | Local. Data Centers located all around the world. Traffic will be automatically routed to the nearest data center. |
