Approved by
a directive of
Sale Course
1. General Provisions
1.1. This privacy policy is designed and maintained by Sale Course (the “Operator”) under the Law on Personal Data, the Law on Advertising, and other regulations on data pri-vacy in effect in Estonia.
1.2. This policy applies to any data relating to an identified or identifiable natural person and received by the Operator via its website at https://sale-course.com/ This poli-cy does not apply to:
• relationships that arise as part of processing personal data of the Operator’s staff (those relationships are governed by separate in-house regulations on per-sonal-data processing); or
• relationships that do not fall within the scope of the Law on Personal Data.
1.3. This policy governs the Operator’s conduct in processing personal data accepted for that purpose and how the Operator processes the personal data received from natural persons (each such person, a “User”) with or without automation tools. It also sets out procedures aimed at preventing violations of Estonian law relating to personal data and at eliminating the consequences of any such violation.
1.4. This policy aims to protect the rights and freedoms of natural persons whose personal data the Operator processes. The policy also provides for the liability of the Operator’s employees who, in processing any such data, violate the provisions governing the pro-cessing of personal data.
1.5. The Operator may process the following personal data:
• Name
• Phone number
• Email address
1.6. In operating the website’s services, the Operator may also process nonpersonal data automatically transmitted when the User has access to the website via the software in-stalled on the user’s device:
• Details on the browser or any other application used to browse the website
• IP address
• Cookies
1.7. The Operator will process personal data by maintaining databases using automated, mechanical, or manual means to:
1.7.1. Process Users’ requests and request-related actions.
1.7.2. Inform Users of any changes to the Operator’s terms of use, special offers, events, discounts, and the like.
1.7.3. Accomplish other purposes consistent with Estonian law and the Operator’s line of activity.
1.7.4. The Operator will process the data listed in section 1.6 to analyze and improve the performance of the website; track and understand how Users use the website; re-solve issues relating to the website; develop new products; expand services; evalu-ate the efficiency of advertising campaigns; guarantee security; prevent fraud; and provide efficient customer service.
1.8. The Operator will process personal data with one or more of the following operations:
• Collection
• Recording
• Systematization
• Accumulation
• Storage
• Clarification
• Retrieval
• Use
• Transmission (distribution, provision, access)
• Anonymization
• Blocking
• Deletion
• Destruction
2. Receipt, Use, and Disclosure of Personal Data
2.1. The Operator will receive and proceed with processing personal data upon receiving a User’s consent. Unless a law provides otherwise, a User may give consent in any form that makes it possible to ascertain that the User has done so: in writing, orally, or as otherwise provided by Estonian law, including through an implied-in-fact contract (by accepting this policy via the website). If a User does not consent to the processing of that User’s personal data, the Operator will not process those data.
2.2. The Operator will receive a User’s personal data through:
• Forms the User fills out on the website
• Other methods consistent with Estonian and international law on data privacy
2.3. The User’s consent to the processing of the User’s personal data will be deemed to have been given when the User completes one or more of the following actions:
• checking the “I agree” box under the legal provisions in the related form or by clicking Submit or Subscribe.
2.4. The consent will be deemed to have been given as required and will remain in force until the User applies to the Operator for the processing to be terminated.
2.5. A User may at any time withdraw that User’s consent in keeping with Estonian law. To withdraw the consent, the User must send the Operator a notification to that effect at the Operator’s registered address. If a User withdraws the consent to the processing of the User’s personal data, the Operator must cease the processing or cause it to be ter-minated (if the processing is carried out by another person acting on the Operator’s in-structions) or, if the personal data no longer need to be kept for purposes of processing, destroy the personal data or cause the data to be destroyed (if the processing is carried out by another person acting on the Operator’s instructions) no later than thirty days from the date of receipt of the withdrawal, unless otherwise provided by a contract to which the User is a party or under which the User is a beneficiary or surety or by an-other agreement between the Operator and the User or unless the operator has the right to process the personal data without the consent of the User on the grounds provided by the Law on Personal Data or other laws.
3. Rules and Procedures for Processing Personal Data
3.1. The Operator must assign data-processing tasks only to those of its employees whose job duties include processing personal data. The Operator must require that in pro-cessing personal data its employees maintain the confidentiality and security of those personal data.
3.2. The Operator may engage a third party to process personal data on the condition that that third party comply with this policy.
3.3. If the Operator engages a third party to process personal data, the amount of personal data and the number of methods the third party uses to process personal data must be as small as possible. When processing personal data, any such third party must maintain the confidentiality and security of those personal data.
3.4. In providing services and in engaging in its internal activity, the Operator may process personal data both with automated (computer-aided) means and with manual (hard copy) means. The Operator must keep Users’ personal data as required by its in-house regulations.
3.5. The Operator’s obligation to keep personal data confidential will not apply when a User voluntarily provides personal data to be made publicly available. The User acknowledges that the personal data so provided will become publicly available.
4. Requirements for Data Privacy
4.1. In processing personal data, the Operator must ensure any data received are kept con-fidential.
4.2. Unless a law provides otherwise, the Operator must require that any person who gains access to a User’s personal data not disclose those personal data without that User’s consent.
4.3. Unless Estonian law requires otherwise, the Operator’s employees must refrain from disclosing personal data and other information considered confidential by the Operator.
4.4. To secure protection of personal data processed, the Operator must take the necessary and adequate legal, organizational, and technical steps to protect personal data from unauthorized or unintentional access as well as from deletion, modification, blocking, copying, provision, distribution, and other illicit acts. The Operator must cause all steps taken to provide organizational and technical protection to comply with law, including the Estonian law governing the processing of personal data.
4.5. The Operator’s legal, organizational, and technical steps to protect personal data include:
• Identifying threats to personal data as part of processing in dedicated information systems
• Maintaining the security of personal data as part of processing in dedicated information systems so that the Operator complies with the data-privacy re-quirements aimed to establish the protection levels set by the Estonian gov-ernment
• Using approved data-protection means
• Evaluating the efficiency of steps taken to protect personal data before com-missioning an information system for personal data
• Providing traceability for data carriers containing personal data
• Detecting in a timely manner unauthorized access to personal data and taking related steps
• Restoring personal data modified or deleted as a result of unauthorized access to those data
• Taking steps to prevent unauthorized access to personal data or their disclosure to a third party unauthorized to access those data
• Preventing tampering with technical means for automated processing of personal data
• Monitoring steps taken to protect personal data and information systems
4.5.1. The steps that the Operator takes as part of enforcing the personal-data protection system, depending on then-current security threats to personal data and the infor-mation technology used, include:
• Identifying and authenticating Users and the facilities they access
• Managing Users’ access to those facilities
• Imposing restrictions on the software environment
• Protecting data carriers used to store or process personal data
• Registering security events
• Providing antivirus protection
• Detecting and preventing intrusions
• Maintaining the integrity of the information system and personal data
• Protecting the virtualization environment
• Protecting the technical means used
• Protecting the information system and its components and communication and data-transfer systems
• Detecting individual or multiple incidents that may cause the information system to fail or may result in security threats to personal data as well as re-sponding to any such incidents and threats
• Managing the configuration of the information system and of the data-protection system
4.6. To guarantee that the level of data privacy in place at the Operator complies with the Law on Personal Data and the Law on Information, Information Tech-nology, and Information Protection, the Operator is not required to disclose information on specific means used or steps taken to protect per-sonal data.
4.7. The Operator must not disclose any information received from Users. The Operator may, however, provide any such information to an agent or a third party acting on an agreement between that agent or third party and the Operator for the Operator to com-ply with its obligations to the User. The Operator may also disclose any such infor-mation if so required by law.
5. Agreement to Receive Advertising Material
5.1. By agreeing to receive newsletters or subscribing to advertising material by checking the “I agree” box under the legal provisions in the related form, the User acknowledges the User’s agreement to receive, via email or by text message, communications listed in section 1.7.2 (including ads) from the Operator or a third party engaged by the Op-erator.
5.2. By agreeing to receive advertising material as provided in section 5.1, Users acknowledge that they are acting by their own will and in their interest and that the personal data so provided is accurate.
6. Final Provisions
6.1. This policy is approved by a directive of the CEO and will come into effect when the CEO signs that directive.
6.2. To be valid, any changes and supplements to this policy must be approved by a directive of the CEO.
6.3. The current version of this policy is available at: https://sale-course.com/policy-personal-data/