1. General Provisions
1.1. This privacy policy governs the principles of the collection, processing, and storage of personal data. Personal data is collected, processed, and stored by the data controller, the Tartu Academic Male Choir (MTÜ Tartu Akadeemiline Meeskoor) (hereinafter referred to as the data processor).
1.2. A data subject, within the meaning of this privacy policy, is a natural person whose personal data is processed by the data processor.
1.3. A client, within the meaning of this privacy policy, is anyone who participates in the activities of the data processor or uses the data processor’s website.
1.4. The data processor follows the data processing principles established by legislation and processes personal data lawfully, fairly, and securely. The data processor is able to confirm that personal data has been processed in accordance with the applicable legal requirements.
2. Collection, Processing, and Storage of Personal Data
2.1. Personal data collected, processed, and stored by the data processor is primarily gathered electronically through the website and via email.
2.2. By sharing their personal data, the data subject gives the data processor the right to collect, organize, use, and manage the personal data as defined in this privacy policy. This includes data shared directly or indirectly through the website.
2.3. The data subject is responsible for ensuring that the data provided is accurate, correct, and complete. Knowingly providing false information is considered a breach of this privacy policy. The data subject must inform the data processor immediately of any changes to the submitted data.
2.4. The data processor is not responsible for damages caused to the data subject or third parties due to the provision of incorrect data by the data subject.
3. Processing of Clients’ Personal Data
3.1. The data processor may process the following personal data of the data subject:
• 3.1.1. First and last name
• 3.1.2. Date of birth
• 3.1.3. Phone number
• 3.1.4. Email address
• 3.1.5. Address
• 3.1.6. Personal identification code
3.2. In addition, the data processor may collect data about the client that is available in public registers.
3.3. The legal basis for personal data processing is set out in Article 6(1) (a), (b), (c), and (f) of the General Data Protection Regulation (GDPR):
• (a) The data subject has given consent for the processing of their personal data for one or more specific purposes;
• (b) Processing is necessary for compliance with a legal obligation to which the data controller is subject;
• (c) Processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, especially where the data subject is a child.
3.4. Data processing purposes and corresponding retention periods:
• 3.4.1. Purpose: Security and safety
Retention period: As defined by law
• 3.4.2. Purpose: Fulfilling the association’s statutory activities and goals
Retention period: Until 5 years after termination of membership or alumni status
• 3.4.3. Purpose: Financial activity, accounting
Retention period: As defined by law
3.5. The data processor may share personal data with third parties, such as authorized data processors (e.g. Maksekeskus AS), accountants, the choir’s partners, and umbrella organizations.
3.6. In processing and storing personal data, the data processor applies organizational and technical measures to protect data from accidental or unlawful destruction, alteration, disclosure, or any other form of illegal processing.
3.7. The data processor retains personal data depending on the processing purpose, but not longer than 20 years.
4. Rights of the Data Subject
4.1. The data subject has the right to access their personal data and review it.
4.2. The data subject has the right to receive information about the processing of their personal data.
4.3. The data subject has the right to correct or supplement inaccurate data.
4.4. The data subject has the right to request the deletion of their personal data.
4.5. If the data is processed based on the data subject’s consent, the data subject has the right to withdraw consent at any time.
4.6. To exercise their rights, the data subject may contact the data processor at tam@tam.eu.
4.7. The data subject also has the right to file a complaint with the Data Protection Inspectorate.
5. Final Provisions
5.1. This privacy policy is prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), the Personal Data Protection Act of the Republic of Estonia, and other applicable EU and Estonian laws.
5.2. The data processor has the right to partially or fully modify this privacy policy, notifying data subjects via the website at tam.eu.