Privacy Policy

SA Muuseumikaart Privacy Policy

Valid from April 11, 2023.

This privacy policy describes how the SA Muuseumikaart (Telliskivi 60a/3, Tallinn 10412; hereinafter we) processes personal data as the controller.

The privacy policy applies to you if (i) you purchase the Museum Card (incl. exchanging the Gift Card for the Museum Card) or visit a place of visit with the Museum Card. The privacy policy also applies to you if (ii) you purchase the Gift Card online. The privacy policy also regulates the processing of your personal data if (iii) you subscribe to our newsletter, (iv) you contact us, (v) you are a representative or contact person of a legal entity related to us, or (vi) you visit our website.

The privacy policy is available at any time on the website www.muuseumikaart.ee/privaatsus.

Terms related to the processing of personal data have the same meaning as in the General Regulation of the EU 2016/679 on the protection of personal data (GDPR).

If you have any questions or requests regarding the privacy policy or the processing of your personal data, or if you want to exercise your rights related to your personal data please contact us at info@muuseumikaart.ee.

  1. Composition of personal data, purpose of processing and legal basis
  1. If you buy the Museum Card or use it to visit a place of visit

In such case we will process the following personal data:

We process your identification, contact, and payment data in order to sell you the Museum Card, personalize the Museum Card, and enable you to visit a place of visit (to check the validity and ownership of the Museum Card and register the visit). We process the data on the use of the Museum Card in order to pay the museums for your visit. We also use the data about visits (e.g. time and place of visit) to get statistics and analyze visitor profiles of different places (for this purpose we also process the age and gender of visitors). In addition to sending you a QR code we may use your e-mail to send you our feedback form and news (if you have expressed your wish to receive these).

We process personal data in order to enter into an agreement with you and to fulfill the concluded agreement (Article 6(1)b) of the GDPR) and based on our legitimate interest to keep records of visits to places, and to analyze and improve the use of our service, including creating visitor profiles (Article 6(1)f) of the GDPR). If you have expressed a wish to receive notifications about our activities and have allowed us to ask for feedback, we process personal data based on your consent (Article 6(1)a) of the GDPR).

We also process purchase data to fulfill our legal obligations (e.g. accounting and tax obligations (Article 6(1)c) of the GDPR). We also process personal data if it is necessary to protect our rights based on our legitimate interest (Article 6(1)f) of the GDPR).

Please not, that when you buy the Museum Card at a place of visit (museum) or make a visit with your Museum Card, the organization that manages that place of visit is also the co-processor of your personal data. This organization is also a co-controller if we process your personal data in connection with the use of the Museum Card at the place of visit in order to collect statistics and analyze feedback about the place of visit. The list and contacts of museums/organizations and places of visit that have joined the Museum Card can be found at www.muuseumikaart.ee/muuseumid. We have mutually agreed that we are the first contact in questions concerning the processing of personal data.

If you buy the Museum Card for someone else you confirm that you have the right to provide us with their personal data and that you have introduced this privacy policy to them.

  1. When you buy the Gift Card from the online store

In such cases we only process your first and last name, payment details, and e-mail address in order to sell and deliver the Gift Card to you. The legal basis for the processing of personal data is the conclusion of an agreement with you and the fulfillment of the concluded agreement (Article 6(1)b) of the GDPR). We also process purchase data to fulfill our legal obligations (e.g. accounting and tax obligations (Article 6(1)c) of the GDPR). We also process personal data if it is necessary to protect our rights based on our legitimate interest (Article 6(1)f) of the GDPR).

  1. When you subscribe to our newsletter

In such case, we will only process your name and e-mail address, which you provided to us when you subscribed to our newsletter on the website. The legal basis for the processing of personal data is your consent (Article 6(1)a) of the GDPR).

  1. When you contact us

In such case, we will process the personal data that you provide to us in your message and which is necessary to respond to and/or resolve your request. The legal basis for the processing of personal data is our legitimate interest in responding to you and/or acting as indicated in the request (Article 6(1)f) of the GDPR).

  1. If you are a representative or a contact person of our cooperation partner, service provider, or other legal entity

In such case, we may process your personal data, such as name, professional contact details, position, and communication data in order to fulfill and manage the agreements entered into with the legal entity related to you. It may also be necessary for cooperation with a legal entity, including for making contact. The legal basis for the processing of personal data is our legitimate interest in performing or managing an agreement concluded with a legal entity or cooperating in another way (Article 6(1)f) of the GDPR).

  1. When you visit our website

We use cookies on our website. You can get more information about cookies at www.muuseumikaart.ee/kupsised.

  1. Processing based on legitimate interest and consent

If we process personal data on the basis of a legitimate interest we have previously carried out a proper weighing of conflicting interests, assessing whether our interest in processing personal data outweighs your interests, rights, and freedoms for which personal data is protected. You always have the right to object to such processing. If you would like to file an objection or receive more information about the legitimate interest analysis, please contact us using the contact details below.

If we process personal data on the basis of your consent, you always have the right to withdraw the given consent (by clicking on the link at the end of the letter or by sending us an e-mail). Please note, however, that the withdrawal of consent does not affect the lawfulness of the processing that took place before the withdrawal.

  1. Retaining of personal data

We retain personal data as long as is necessary to fulfill the purpose for which we collected and processed it. In addition to retaining personal data while you are using the service, it may also be needed after you have concluded using the service. We must retain personal data in accordance with the terms set out in applicable legislation (e.g. accounting and tax related documents for seven years from the end of the relevant financial year). As a rule, we store other personal data for three years from the end of using the service. We process personal data on the basis of your consent until the consent is withdrawn if we have no other legal basis for processing such personal data.

  1. Transfer of personal data

Sometimes, when processing personal data for the aforementioned purposes, we may also need to give access to the data to third parties. For example, personal data may be accessed by our legal advisors. We also use various service providers for our day-to-day operations, who may gain access to your personal data by providing support services to us (e.g. sales platform provider).

We do not process personal data outside the European Economic Area.

  1. Your rights in relation to your personal data

If you have any questions about the processing of your personal data or you wish to exercise your rights, please contact us at info@muuseumikaart.ee.

You may exercise various rights in relation to your personal data. However, such rights are not absolute so we may not always have the obligation or ability to take the requested action. You have the right:

We will respond to the submitted request within one month unless there are circumstances due to which we need more time to respond to the request. In any case, we will notify you within one month.

In addition, you have the right to file a complaint with the Data Protection Inspectorate if you find that the processing of your personal data has not been carried out in accordance with the applicable data protection legislation and your rights have been violated (Data Protection Inspectorate, Tatari 39, 10134 Tallinn, phone +372 627 4135, e-mail: info@aki.ee). If your permanent residence, place of work or place of infringement is in another Member State of the EU, you have the right to file a complaint with the data protection supervisory authority of the respective country.

  1. Changes to the privacy policy

If we need to change the terms of the privacy policy we will always notify you of such changes on our website www.muuseumikaart.ee, and also by e-mail if we have your address.