Privacy Policy
SA Muuseumikaart Privacy Policy
Valid from April 11, 2023.
This privacy policy describes how the SA Muuseumikaart (Telliskivi 60a/3, Tallinn 10412; hereinafter we) processes personal data as the controller.
The privacy policy applies to you if (i) you purchase the Museum Card (incl. exchanging the Gift Card for the Museum Card) or visit a place of visit with the Museum Card. The privacy policy also applies to you if (ii) you purchase the Gift Card online. The privacy policy also regulates the processing of your personal data if (iii) you subscribe to our newsletter, (iv) you contact us, (v) you are a representative or contact person of a legal entity related to us, or (vi) you visit our website.
The privacy policy is available at any time on the website www.muuseumikaart.ee/privaatsus.
Terms related to the processing of personal data have the same meaning as in the General Regulation of the EU 2016/679 on the protection of personal data (GDPR).
If you have any questions or requests regarding the privacy policy or the processing of your personal data, or if you want to exercise your rights related to your personal data please contact us at info@muuseumikaart.ee.
- Composition of personal data, purpose of processing and legal basis
- If you buy the Museum Card or use it to visit a place of visit
In such case we will process the following personal data:
- Identification data: first and last name, identity code (including age and gender for statistical purposes), data of ID document (when using the Museum Card, your identity is checked on the place of visit without saving the data)
- Contact details: e-mail (only when purchasing the Museum Card and with your consent in asking for feedback and sending notifications about our activities)
- Payment data: time of payment, payment card details (only when purchasing the Museum Card)
- Data on the use of the Museum Card: places visited, time of visit, validity of the Museum Card
We process your identification, contact, and payment data in order to sell you the Museum Card, personalize the Museum Card, and enable you to visit a place of visit (to check the validity and ownership of the Museum Card and register the visit). We process the data on the use of the Museum Card in order to pay the museums for your visit. We also use the data about visits (e.g. time and place of visit) to get statistics and analyze visitor profiles of different places (for this purpose we also process the age and gender of visitors). In addition to sending you a QR code we may use your e-mail to send you our feedback form and news (if you have expressed your wish to receive these).
We process personal data in order to enter into an agreement with you and to fulfill the concluded agreement (Article 6(1)b) of the GDPR) and based on our legitimate interest to keep records of visits to places, and to analyze and improve the use of our service, including creating visitor profiles (Article 6(1)f) of the GDPR). If you have expressed a wish to receive notifications about our activities and have allowed us to ask for feedback, we process personal data based on your consent (Article 6(1)a) of the GDPR).
We also process purchase data to fulfill our legal obligations (e.g. accounting and tax obligations (Article 6(1)c) of the GDPR). We also process personal data if it is necessary to protect our rights based on our legitimate interest (Article 6(1)f) of the GDPR).
Please not, that when you buy the Museum Card at a place of visit (museum) or make a visit with your Museum Card, the organization that manages that place of visit is also the co-processor of your personal data. This organization is also a co-controller if we process your personal data in connection with the use of the Museum Card at the place of visit in order to collect statistics and analyze feedback about the place of visit. The list and contacts of museums/organizations and places of visit that have joined the Museum Card can be found at www.muuseumikaart.ee/muuseumid. We have mutually agreed that we are the first contact in questions concerning the processing of personal data.
If you buy the Museum Card for someone else you confirm that you have the right to provide us with their personal data and that you have introduced this privacy policy to them.
- When you buy the Gift Card from the online store
In such cases we only process your first and last name, payment details, and e-mail address in order to sell and deliver the Gift Card to you. The legal basis for the processing of personal data is the conclusion of an agreement with you and the fulfillment of the concluded agreement (Article 6(1)b) of the GDPR). We also process purchase data to fulfill our legal obligations (e.g. accounting and tax obligations (Article 6(1)c) of the GDPR). We also process personal data if it is necessary to protect our rights based on our legitimate interest (Article 6(1)f) of the GDPR).
- When you subscribe to our newsletter
In such case, we will only process your name and e-mail address, which you provided to us when you subscribed to our newsletter on the website. The legal basis for the processing of personal data is your consent (Article 6(1)a) of the GDPR).
- When you contact us
In such case, we will process the personal data that you provide to us in your message and which is necessary to respond to and/or resolve your request. The legal basis for the processing of personal data is our legitimate interest in responding to you and/or acting as indicated in the request (Article 6(1)f) of the GDPR).
- If you are a representative or a contact person of our cooperation partner, service provider, or other legal entity
In such case, we may process your personal data, such as name, professional contact details, position, and communication data in order to fulfill and manage the agreements entered into with the legal entity related to you. It may also be necessary for cooperation with a legal entity, including for making contact. The legal basis for the processing of personal data is our legitimate interest in performing or managing an agreement concluded with a legal entity or cooperating in another way (Article 6(1)f) of the GDPR).
- When you visit our website
We use cookies on our website. You can get more information about cookies at www.muuseumikaart.ee/kupsised.
- Processing based on legitimate interest and consent
If we process personal data on the basis of a legitimate interest we have previously carried out a proper weighing of conflicting interests, assessing whether our interest in processing personal data outweighs your interests, rights, and freedoms for which personal data is protected. You always have the right to object to such processing. If you would like to file an objection or receive more information about the legitimate interest analysis, please contact us using the contact details below.
If we process personal data on the basis of your consent, you always have the right to withdraw the given consent (by clicking on the link at the end of the letter or by sending us an e-mail). Please note, however, that the withdrawal of consent does not affect the lawfulness of the processing that took place before the withdrawal.
- Retaining of personal data
We retain personal data as long as is necessary to fulfill the purpose for which we collected and processed it. In addition to retaining personal data while you are using the service, it may also be needed after you have concluded using the service. We must retain personal data in accordance with the terms set out in applicable legislation (e.g. accounting and tax related documents for seven years from the end of the relevant financial year). As a rule, we store other personal data for three years from the end of using the service. We process personal data on the basis of your consent until the consent is withdrawn if we have no other legal basis for processing such personal data.
- Transfer of personal data
Sometimes, when processing personal data for the aforementioned purposes, we may also need to give access to the data to third parties. For example, personal data may be accessed by our legal advisors. We also use various service providers for our day-to-day operations, who may gain access to your personal data by providing support services to us (e.g. sales platform provider).
We do not process personal data outside the European Economic Area.
- Your rights in relation to your personal data
If you have any questions about the processing of your personal data or you wish to exercise your rights, please contact us at info@muuseumikaart.ee.
You may exercise various rights in relation to your personal data. However, such rights are not absolute so we may not always have the obligation or ability to take the requested action. You have the right:
- To ask us to provide any personal data we process about you. For this purpose please specify whether you would like to get a confirmation on what personal data we have about you, and/or to get a copy of your personal data.
- To request to correct your personal data. This assumes that your personal data is incorrect or incomplete. In such case we will correct and/or supplement your personal data. For this purpose please specify the personal data that needs correction.
- To request the deletion of your personal data. You may request this if (i) we no longer need the personal data for the purpose for which we collected it; (ii) you withdraw your consent to the processing of personal data and we have no other legal basis on which to continue processing; (iii) you object to the processing of your personal data and we do not have an overriding legitimate reason to continue processing; (iv) we have processed your personal data unlawfully; (v) your personal data must be deleted in order to fulfill an obligation arising from legislation. If, despite the above, we still need to process personal data in order to fulfill our legal obligations or protect our rights we may not be able to delete your personal data. In any case, we will explain why we cannot delete your personal data.
- To request to restrict the processing of your personal data. This is the case if (i) you have pointed out that the personal data are incorrect and we need to check that; (ii) the processing of personal data is illegal and you do not want to delete the data but to limit the processing; (iii) we no longer need the personal data for processing purposes, but you need it to prepare, file or defend against legal claims; (iv) you have objected to the processing of the personal data and we need to check whether our legitimate reasons for processing outweigh the reasons why you want the processing to stop. Even if the processing of personal data is limited we may process that data if (i) you have given your consent; (ii) the data is necessary for us to prepare, file or defend ourselves against legal claims; (iii) the data is necessary for us to protect the rights of a natural or legal person; or (iv) it is necessary to process the data in connection with an important public interest.
- To request the transfer of your personal data. You may request your personal data to be issued in a structured, commonly used format and in a machine-readable form and transfer this data to another data controller (or request that we transfer the data) if the processing of personal data is based on your consent or an agreement between us and the personal data is processed automatically.
- To object to the processing of personal data. You have the right to object to the processing of personal data if we process it on the basis of our own or a third party’s legitimate interest. In the event of an objection we will not process the personal data further unless we prove that the personal data is processed for a valid legitimate reason that outweighs your interests, rights, and freedoms, or for the purpose of preparing, presenting or defending legal claims.
- To withdraw the consent given for the processing of personal data. If the processing of your personal data is based on your consent you have the right to withdraw that consent at any time. Please note, however, that this does not affect the lawfulness of the processing that took place before the withdrawal of consent.
We will respond to the submitted request within one month unless there are circumstances due to which we need more time to respond to the request. In any case, we will notify you within one month.
In addition, you have the right to file a complaint with the Data Protection Inspectorate if you find that the processing of your personal data has not been carried out in accordance with the applicable data protection legislation and your rights have been violated (Data Protection Inspectorate, Tatari 39, 10134 Tallinn, phone +372 627 4135, e-mail: info@aki.ee). If your permanent residence, place of work or place of infringement is in another Member State of the EU, you have the right to file a complaint with the data protection supervisory authority of the respective country.
- Changes to the privacy policy
If we need to change the terms of the privacy policy we will always notify you of such changes on our website www.muuseumikaart.ee, and also by e-mail if we have your address.