This document on the terms and conditions for personal data processing (hereinafter the “Privacy Terms”) describes how AS Operail (registry code 11575850) and its group companies process personal data. These Privacy Terms apply in all companies that are part of the AS Operail group.
The purpose of the Privacy Terms is to provide our clients and partners with clear and transparent information on how AS Operail or our group companies may process your personal data when you are using our services or contacting us. If you have concluded a contract with an AS Operail group company, the terms of the concluded contract may specify the terms and legal basis of personal data processing.
If you have additional questions about how we process your personal data or, if you wish to forward us requests for exercising the rights involved in personal data processing, please contact us using the contact details provided in the section “Contact” below.
AS Operail may from time to time amend these terms and conditions for personal data processing. The updated terms and conditions for personal data processing are published on the webpage https://operail.com/.
“GDPR” Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Operail” AS Operail and companies in the same group.
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Applicable law” All valid European Union legal acts and all valid legal acts of the Republic of Estonia, including, but not limited to, the national implementation acts for GDPR which are applicable during the validity of these terms and conditions or shall be applicable after the terms and conditions enter into force.
A natural person whose data is processed by an Operail group company.
“Processing” Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Controller” A natural or legal person, public sector authority, agency or other body who, alone or jointly with others, determines the purposes and means of the personal data processing. For the purposes of these Privacy Terms, the Controller is Operail or an Operail company who processes the personal data in any given case.
“Processor” A natural or legal person, public sector authority, agency or other body who processes the personal data on behalf of the controller.
“Website” Operail’s website https://operail.com/.
2.1. Operail processes personal data primarily for the purposes of providing services to its clients and partners and for performing its contractual obligations to its clients and partners. If a client of partner of Operail is a data subject, the legal basis for personal data processing is article 6(1)(b) of the GDPR – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. If the client or partner is a legal person, we process data that are necessary to determine the right of representation.
2.2. Operail may process personal data also where it is required to perform a legal obligation applicable to Operail. For example, if a court requests personal data from Operail under an applicable court order or court judgement or if a law enforcement agency requests personal data under an applicable regulation. Also, if Operail is obligated to keep personal data, for example, under the Accounting Act or other applicable legal acts. In case of such processing, the legal basis is article 6(1)(c) of the GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject.
2.3. In certain cases, Operail may process personal data also if it is necessary for the purposes of the legitimate interests pursued by Operail, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. In such case, the legal basis for personal data processing is article 6(1)(f) of the GDPR.
2.4. Operail may process personal data also in relation to an employment relationship or if you are applying for a job in an Operail group company. Operail has adopted separate terms for the processing of personal data in relation to an employment relationship and which are presented to you when you are employed at or applying for a job at Operail.
2.5. Depending on the legal relationship between you and Operail, Operail may process the following data about you:
|Purpose||Collected personal data|
|Provision of website||Data collected with cookies (read the separate section on using cookies)|
|Provision of services and sale of products to legal persons|
Contact details of the legal person’s representative: name, e-mail address, telephone number:
Basis of right of representation: position/job at legal person
|Ensuring security at Operail’s premises|
Security camera recordings: when you are present on Operail’s premises, we may record your image with security cameras (read the separate section on using security cameras).
|Responding to inquiries, questions and requests.||Content of the inquiry, complaint or request and contact details.|
|The performance of an employment contract or another contract under the law of obligations and applying for a job.||Read more about the terms of processing personal data for employees and candidates.|
3.1. Operail does not retain your personal data longer than it is necessary based on the purpose of personal data processing or under applicable law.
3.2. Operail applies the following retention periods under the law:
3.2.1. we retain accounting documents for 7 years under the Accounting Act;
3.2.2. as a rule, we retain the data collected upon the conclusion of a contract, for which a longer retention period does not arise from applicable law, as long as we need to for the performance of the contract throughout the validity of the contract or for up to 10 years after the expiry of the contract, based on Operail’s legitimate interest pursuant to article 6(1)(f) of the GDPR and the limitation period set out in the General Part of the Civil Code Act.
3.2.3. as a rule, we retain received inquiries, questions and requests for up to 3 years as of resolving the respective inquiry, question or request;
3.2.4 we retain security camera recordings for up to 30 days as of making the recording.
3.3. If you wish to get more detailed information on the retention periods of the personal data pertaining to you, please contact us using the contact details provided in the section “Contact” below.
Depending on the legal relationship between you and Operail, Operail may process the following data about you:
|Purpose of processing||Types of personal data processed||Source of personal data||Retention period||Legal basis|
|Performance of contracts concluded with legal persons.||Contact details of the legal person (name, e-mail, telephone number)||Data subject or the legal person who is Operail’s client||Term of the contract and up to 10 years after the termination of the contract.||GDPR article 6 (1) (b), after the termination of the contract GDPR article 6 (1) (f)|
|Retention of accounting documents||Amounts payable, amounts paid and other accounting documents||Legal person who is Operail’s client||7 years under the Accounting Act||IKÜM artikkel 6 (1) (b), IKÜM artikkel 6 (1) (c)|
|Responding to inquiries, questions or complaints||Depending on the specific inquiry||Data subject||Up to 3 years as of resolving the inquiry||GDPR article 6 (1) (a), GDPR article 6 (1) (f)|
|Information about using our website||Automatically collected information about the use of the website (see also the chapter on using cookies)||Automatically||Up to 2 years||GDPR article 6 (1) (f)|
|The performance of an employment contract or another contract under the law of obligations and applying for a job.||Read more about the terms of processing personal data for employees and candidates.|
|Videovalve korraldamine||Read more in the chapter on the use of security cameras.|
5.1. Under the applicable law, Operail is entitled to use surveillance equipment for the protection of persons and property. For that purpose, Operail uses security cameras on its territory and in relation to this we process personal data.
5.2. The use of security cameras is necessary first and foremost on Operail’s territory, incl. production areas, in order to ensure security, prevent and process security incidents and ensure the safety of Operail’s property and people, incl. employees. The cameras are also used inside the locomotives, in the work cabins of the locomotive team.
5.3. The legal basis for the use of security cameras is Operail’s legitimate interest under article 6(1)(f) of the GDPR. Operail also proceeds from the Railways Act which provides that a railway undertaking shall ensure the safety of rail transport and that the railway vehicles that they use meet the applicable safety, maintenance and other requirements.
5.4. Operail’s surveillance equipment comprises of cameras installed on the territory which record the territory around the clock (24/7). Additionally, the cameras inside the locomotives are positioned towards the work desk – these cameras record only the work of the engine driver.
5.5. Operail uses cameras in the public spaces of Operail’s territory, incl. the warehouse territory, production areas, outside territories and other public spaces used by the employees or our visitors. The purpose of using cameras is to monitor activity on Operail’s territory, incl. production areas, selected passageways in the buildings and courtyards. The indoor cameras in locomotives are used in the work cabin of the locomotive team.
5.6. Security cameras are never installed in areas where employees, clients of Operail or other persons who may be in the camera vision, can presume complete privacy. For example, cameras are never in dressings rooms, restrooms etc.
5.7. When security cameras are used, there is always a sign in the security camera’s surveillance area regarding the use of a camera, i.e. a sign depicting a camera and/or the words “VIDEO SURVEILLANCE”. In the absence of a sign, cameras are not used.
5.8. Operail does not generally transfer personal data to third parties, except when they are entitled or obliged to under the applicable law. For example, Operail may transfer recordings to authorities under the applicable law, for example, when it is required to investigate committed violations or other incidents by authorised persons, e.g. the Police and Border Guard Board, under the applicable law.
5.9. Access to security camera recordings is limited to a group of people who require access strictly in relation to the performance of their duties.
5.10. Operail stores camera recordings in accordance with reasonable organisational and technical security measures in order to protect personal data from accidental, unauthorised processing or disclosure. Camera recordings are stored in Operail’s local server room.
5.11. Operail retains outdoor camera recordings for up to 90 days as of the making of the recording, except when during this time proceedings have been initiated for investigating an offence or another incident committed during the same period and in relation to this it is necessary to retain the specific recording for a longer period. The 90-day retention period is necessary for investigating or identifying possible incidents or offences committed during this period. Therefore, possible damage in relation to an offence in Operail are generally identified up to 90 days after the offence has occurred. In order for Operail to be able to take legal measures against the offender in case of a violation and to protect its rights, we need to retain camera recordings for up to 90 days as of the making of the recording.
5.12. Operail retains the recordings of indoor cameras for a maximum of 14 days. A longer retention period may be set for specific individual extracts if the data is still necessary based on the purpose of the collection for processing an incident.
5.13. All Operail employees, clients or other third persons who have been present on Operail’s territory and whose image Operail has recorded, have the right to access the recording containing their image. Operail cannot hand over a camera recording to an employee or third person if the recording has been deleted by the time of receiving the request for access to the recording. Additionally, we ask you to take into account that for the purposes of protecting the rights and interests of other persons in the recording, we need to edit their image so that they cannot be identified (blur the image), therefore, we cannot provide immediate access.
6.2. For recording cookies, we ask for the consent of the website visitor via the website.
6.3. Cookies can be classified according to their time of validity:
6.3.1. temporary i.e. session cookies – usually valid for one browsing session and are deleted after closing the browser;
6.3.2. permanent cookies – stored on the user’s device permanently for the period determined for the cookie and activated each time the user visits the website where the cookie was placed.
6.4. Cookies can be classified according to their origin:
6.4.1. first party cookies – originate from the website administrator;
6.4.2. third party cookies – originate e.g. from the advertisements of other websites that are placed on the website visited by the user.
6.5. Cookies can be classified according to the purpose of the cookie:
6.5.1. necessary cookies – required for moving around on websites, using its features and providing services selected by the users, without installing these cookies, the user cannot be provided the website and their requested features;
6.5.2. statistics cookies – these cookies collect information about how visitors use websites, for example, which websites they visit most often and which error notices are displayed on websites;
6.5.3. preference cookies – these cookies enable to remember the selections of the user (for example, the text size, other features of the website that can be modified) and the user’s characteristics (e.g. username, language or country of the user) in order to provide more personalised and convenient possibilities to use the website;
6.5.4. advertising cookies – collect information about the user’s visits and use of websites in order to display advertisements that are of interest for the user.
6.6. The website uses the following cookies:
|_ga||Third-party analytical cookie||The _ga cookie installed by Google Analytics calculates the data of visitors, sessions and campaigns and also monitors the use of the site for the analytical report of the site. The cookie stores information anonymously and assigns a randomly generated number to identify unique visitors. Read more about Google’s privacy terms here: https://policies.google.com/privacy||2 years|
|_gid||Third-party analytical cookie||The _gid cookie installed by Google Analytics stores information about how visitors use the website, while also creating an analytical report on the functionality of the website. Some collected data include the number of visitors, their origin and sites that they visit anonymously. Read more about Google’s privacy terms here: https://policies.google.com/privacy||1 day|
|_gat_gtag_UA_*_*||Third-party analytical cookie|
Google assigned cookie to distinguish website users. Read more about Google’s privacy terms here: https://policies.google.com/privacy
|django_language||Functionality cookie||This cookie is used to store the choice of language of the website.||1 year|
6.7. You have the right to disable cookies at any time by changing your browser settings. When doing so, please take into account that some functions of the website may not function properly. Cookies can be disabled by following the instructions under the browser’s “help” section. More information on how cookies operate or how to disable cookies is also available on the website www.allaboutcookies.org.
7.1. Operail does not transfer personal data to third parties, except when possessing the legitimate right under applicable law.
7.2. Operail may use processors for personal data processing or share personal data between Operail group companies for internal administration purposes. The processors of Operail, who in limited circumstances may process the personal data are, for example, IT-service providers (server service providers, IT-developers) or the providers of other support services. Operail uses as processors only such partners whose reliability Operail has verified and who have committed to processing personal data in compliance with applicable law.
8.1. Operail shall ensure the security of processing, for the purposes of protecting personal data from accidental or unauthorised processing, disclosure or destruction.
8.2. Taking into account the state of the art and costs of implementation, and the nature, scope, context and purposes of the personal data processing as well as the risk to the rights and freedoms of data subjects, of varying likelihood and severity, that may result from personal data processing, Operail shall apply appropriate technical and organisational measures upon personal data processing to ensure the protection of personal data.
9.1. Operail shall ensure all the rights of the data subject arising from the applicable law.
9.2. All data subjects shall inter alia have the following rights:
9.2.1. right to access: the right to ask at any time whether Operail holds any personal data about them or not and receive information about which personal data Operail is processing about them;
9.2.2. right to rectification: the right to request from Operail the supplementation or rectification of their personal data if these are insufficient, incomplete or inaccurate;
9.2.3. right to object: the right to submit objections to Operail concerning the processing of one’s personal data, for example if the personal data is processed on the basis of the legitimate interests of Operail;
9.2.4. right to erasure: the right to request the erasure of personal data, for example, if the personal data are processed based on the data subject’s consent and the data subject has withdrawn their consent;
9.2.5. right to restriction of processing: the right to obtain from Operail the restriction of processing under the applicable law, for example, where Operail no longer needs the personal data for the purposes of the processing or where the data subject has objected to processing;
9.2.6. right to withdraw the consent for processing personal data: if the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw the consent given to Operail at any time;
9.2.7. right to data portability: the right to receive from Operail the personal data that the data subject has provided to Operail and which are processed on the basis of the data subject’s consent or for the performance of a contract concluded with the data subject, in writing or in a generally used electronic format and, if technically possible, request that Operail transfers these data to another controller;
9.2.8. right to lodge a complaint: If the employee is of the opinion that the processing of their personal data has violated their rights, they have the right at any time to file this claim to the Data Protection Inspectorate Tatari 39, 10134 Tallinn, firstname.lastname@example.org, www.aki.ee.
9.3. The rights of the data subject listed in this section regarding the processing of their personal data are not absolute rights. In certain cases the rights of other data subjects or the rights or legal obligations of Operail may limit the rights of the data subject.
9.4. In order to exercise the rights pertaining to the processing of personal data or to submit requests concerning the processing of personal data, please contact us at the contact details provided in the section “Contact” below or contact your direct supervisor, human resources officer or data protection officer.
10.1. In case of questions concerning the processing of personal data or in order to submit requests concerning the processing of personal data, please contact Operail using the following contact details:
Metalli 3, 10615 Tallinn, Estonia
+372 615 7600