These terms and conditions set out the principles for the processing of personal data of natural persons (“data subject”) by NIKITA Company (“we”) as the controller. We process the personal data of the following data subjects to the extent set out in the terms and terms and conditions: (i) clients that are natural persons and their representatives; (ii) persons (including a person other than a client) whose personal data are processed for the purpose of providing legal services; (iii) participants in our recruitment process; (iv) visitors to our website. We have the right to change these terms and terms and conditions unilaterally. Updated terms and conditions will be published on our website.
Personal data means any information relating to an identified or identifiable natural person. The processing of personal data means any operation which is performed on personal data or on sets of personal data. We are the controllers in enabling the use of the website and in providing legal services. A processor is a natural or legal person, public authority, agency or other organisation that processes personal data on our behalf. In certain cases, we may also be processors or recipients of personal data.
Composition of personal data
In order to achieve the purposes set out in the terms and conditions, we need to process some or all of the following personal data. The exact composition of the personal data processed is different in each case. We always follow the principle that we process as little personal data as is necessary to achieve the purpose:
a. first name and surname, personal identification code, date of birth, information on the identity document;
b. main area of activity, place of work and contact details, including telephone number, e-mail address, postal address, place of residence;
c. concluded contracts and information on their performance;
d. bank account number and information related to the submission and payment of invoices and collection of debts;
e. communication (client correspondece), including e-mail exchange;
f. personal data related to the use of the website and cookies (generally it does not allow the identification of a natural person);
g. personal data disclosed, made known to us or arising within the provision of legal services, including personal data concerning a person other than the client;
h. personal data otherwise disclosed;
i. personal data obtained from state registers, databases and other reliable sources;
j. personal data lawfully obtained from third parties;
k. data collected in the course of fulfilling legal obligations.
Legal basis and purposes of processing
We process personal data (including personal data of a person other than a client pursuant to § 41 (41) of the Bar Association Act) for the purpose of concluding, executing and enforcing a client contract, in order to make preparations for the conclusion of the client contract, identify the client, reach an agreement on the terms and conditions of the client contract, provide quality legal services and fulfill obligations under the client contract, to ensure smooth settlement and, if necessary, collection of debts, to ensure the protection of our rights and to provide the client with important information related to the contract.
We process personal data for the purpose of recruiting and concluding an employment contract, as well as on the basis of a legitimate interest, in order to carry out the recruitment process, make preparations for the conclusion of an employment contract, reach an agreement on the terms and conditions of the employment contract, fulfill obligations under the employment contract and ensure the protection of our rights.
We process personal data for the purpose of complying with legal obligations in order to ensure the protection of personal data rights, to comply with the Bar Association Act, to comply with the Money Laundering and Terrorist Financing Prevention Act (personal data is supplemented and amended with data from state registers, databases and other reliable sources), to retain personal data for fulfilment of any obligations arising from legislation and to fulfill other obligations arising from applicable law.
We process personal data on the basis of our legitimate interests in order to increase the quality of our legal services, to provide the client with information regarding our legal services, to assess the risks related to the provision of legal services to the client and to perform analyses.
We ask for consent for the processing of personal data for purposes not specified in the terms and conditions.
Disclosure and transfer of personal data
We disclose and transfer personal data only in the following cases and in the existence of a corresponding legal basis, including to processors under a valid contract. In the provision of legal services, personal data may be disclosed and transferred to third parties, eg courts, law firms, public authorities. In order to provide the service and ensure its quality, it may be necessary to transfer personal data to our partners, such as e-mail service providers, IT service providers, servers providers, software and software service providers, accountants, experts, bankruptcy trustees, etc. In order to fulfill the obligations arising from law, the disclosure and transfer of personal data may take place to such authorities, which have the right to demand the disclosure and transfer of personal data and to which we have the obligation to disclose and transfer the data. In order to protect our rights, we have the right to disclose personal data to, among others, legal service providers, auditors and persons providing debt collection services.
Retention of personal data
We retain personal data for as long as it is necessary for the fulfillment of the purposes described in the terms and conditions, for the protection of our rights (taking into account, inter alia, the statute of limitations provided by law) or for the fulfilment of our obligations arising from legislation. We follow the guidelines of the Estonian Bar Association.
In order to ensure the quality of the legal service, we store personal data for at least three years from the termination of the client contract, unless the mandatory retention period under applicable law is longer.
The source documents of accounting containing personal data shall be kept for seven years from the end of the financial year to which the personal data relate.
Personal data collected and processed for the performance of obligations arising from the Money Laundering and Terrorist Financing Prevention Act shall be stored for five years after the end of the respective client relationship to which the personal data is related. By precept of a competent supervisory authority, data relevant to the prevention, detection or investigation of money laundering or terrorist financing may be kept for a longer period, but not more than five years after the expiry of the initial period.
If an employment contract is not concluded with the data subject, we will keep the personal data collected in the process of negotiating the employment contract for two years in order to make a possible new job offer to the data subject. Two years after the start of the application process, the personal data of a data subject who has not entered into an employment contract will be deleted.
Security of personal data
We process personal data only if there is a legal basis and only for legitimate purposes. We use measures and store personal data in a way that ensures the security and confidentiality of personal data. Personal data is accessed only by persons for whom it is necessary in connection with the performance of work duties or to whom the disclosure of personal data is in accordance with the terms and conditions or legislation. We enter into data processing agreements with processors, in which we have determined the conditions, purpose and data protection requirements for the processing of personal data.
Rights of the data subject
Pursuant to legislation, a natural person has the right to request from us information about the processing of his or her personal data and, in certain cases, to demand the correction, deletion, restriction of processing or transfer of personal data or object to the use of personal data. In case we process personal data on the basis of consent, the natural person may withdraw its consent at any time, in which case the personal data will no longer be processed. This does not affect previous processing operations. We will respond to inquiries as soon as possible, taking into account the terms arising from the law.
Upon a breach related to the processing of your personal data breach that is likely to jeopardize your rights and freedoms, we will notify the Data Protection Inspectorate within 72 hours after becoming aware of the breach and you immediately, unless otherwise provided by applicable law.