1DOX Digital OÜ
1. General Information
1.1. Our Data Protection Policy describes which of your personal data that we collect and process, why and on which terms we process the data. Your privacy and protection of your data is very important for us. We are acting in compliance with the data protection regulations effective in Estonia and the European Union. At present, our service is available in its test version and therefore we will be improving our service and the Data Protection Policy to match the progress of our development efforts.
1.3. The service is intended, in particular, for representatives of legal entities who wish to use the services for the companies they are related with.
Types of data used by the 1DOX portal
Open data: The website (1dox.site) uses open data (incl. Commercial register data, such as: the company’s name, e-mail, address, VAT number, etc.). The source of said data is the Commercial Register Link. 1DOX re-publishes data previously published by the Commercial Register, and relies on the open data of the Commercial Register.
Public personal data: 1DOX uses public personal data where they are linked with a legal entity. 1DOX re-publishes data previously published by the Commercial Register. As access to data of corporate representatives in the Commercial Register is restricted (i.e., protected by a security code), the 1DOX portal does also not provide direct access to the names, dates of birth and personal codes of corporate representatives, and said data can only be accessed after logging in, and only for the purpose of using the services. According to § 28(1) of the Commercial Code, these data are public and therefore 1DOX exercises the right of freedom of information. The purpose of processing such data is to simplify the provision of the service to customers, and facilitate preparation, signing and ordering of documents. These data are processed on the basis of point (f) of Article 6(1) of GDPR. The assessment of the legitimate interest has been carried out is and available in the respective document.
In such case, the data subjects involved are not informed of the processing of public data, because the 1DOX services portal does not collect or process any other personal contact data of data subjects, without data subjects’ consent.
Published data: In order to provide the 1DOX service, the following personal data need to be collected and processed:
Unless we have received your personal data from the Commercial Register, we process the data provided by you – your e-mail address, given name and surname, personal ID code (incl. date of birth) the country of your ID code or residence, telephone number. We act as the controller of these data. We use such data for the performance of the contract to which you are a party, and to provide you the digital signature service in the manner that is the most convenient for you. The contract with you is deemed to have been concluded when you start using the services that we offer on our website. We need these data to provide you the service. Without disclosing such data, we would not be able to provide you this service.
The data uploaded by you (Content Data) – e.g., the names, e-mail addresses and personal ID codes of third parties that you have entered into your account, their signature data and data of all the uploaded documents. The Content Data that you disclose to us are confidential and protected – we do not review the Contact Data unless you expressly ask us to in the course of providing the service (e.g., when you ask our assistance when using the service). However, we have limited access to the Content Data. Content Data can be only viewed by you (the owner of the Content Data) and the persons to whom you have granted the right of access to them.
In respect of the Content Data, we act as the data processor, and the processing of the Content Data is regulated by the data processing agreement (see Section “Terms and Conditions of Data Processing Agreement”). Content Data that include names and personal ID codes of natural persons can be processed in our web environment only by persons who have gone through the identification process.
In addition to using your personal data to provide the service, we may transfer them to public authorities (incl. for instance, the Police and Border Guard Board, the Tax and Customs Board) and law enforcement authorities if we have a statutory obligation to do this or if this is necessary to protect our legal rights.
We keep your data and Content Data in a secure manner. We manage our IT infrastructure (incl. servers and storing devices) ourselves and no third party has access to our IT infrastructure. In order to ensure technical protection of personal data we use the best technical solutions available to us.
We do not transfer your personal data beyond the EU. The personal data are not used for profiling.
We process both content data, as well as personal data disclosed by you under point (a) and point (b) of Article 6(1) of GDPR – with your consent and for the performance of the contract to which you are a party.
3. Your Rights Relating to Personal Data.
You may not share passwords, user names or means of identification or signing with any other persons. When you intentionally or accidentally give other persons access to your account, Content Data or Content Data backed up on the e-mail, you make it possible for other persons to review or process said data. We cannot assume responsibility for any violations or damages caused by such unreasonable actions.
You have the right to receive information about our personal data processing policies, and about whether and which of your personal data we process. To get this information you need to review your user account information. You have the right to access your personal data and correct the personal data you have provided us.
You have the right to restrict processing of your personal data. You have the right to request transferring of your data, which we shall do, when possible. You can submit this request either on your account or the web browser and, if necessary, you may also contact us.
You have the right to be forgotten and the right to request deletion of your personal data. Please note that the documents you have signed will remain valid and legally effective. The data you have added by signing them cannot be erased (the right to be forgotten cannot be exercised fully). Digital signatures and possibilities of other persons to see your digital signature data will not be erased even when you delete the account.
You have the right to contact us, the supervision authority or the court of law. You can contact us by using the contact data provided below. In Estonia, the duties of the supervision authority are fulfilled by the Data Protection Inspectorate.
4. Principles of Data Storage.
Digital signature data (name and personal ID code) will be stored with the signed documents indefinitely.
Documents signed digitally and stored in our system can be permanently deleted only if all signatories, as well as the owner of the document have done it.
Your name and personal ID code cannot be deleted, if you are connected with a company registered in the Commercial Register, or if a document stored with us bears your digital signature, or if any person is waiting for your digital signature.
Otherwise, we store your data for the following terms:
Term of storage
Content or example of data
After 3 years
Your account data (applicable from the date of deletion of your account)
After 5 years
Data collected for the prevention of money laundering and terrorist financing (applicable from the date of deletion of your account)
Data relating to the use of the service
Stored until deletion by the actual owner of the Content Data
Stored until the user requests deletion of their personal data
Your data (the name and personal ID code)
30 days from completing the provision of the service or cancellation of the data protection policies, unless otherwise specified by law
5. Terms and Conditions of Data Processing Agreement.
The party providing the Content Data is the controller in respect of Content Data, and we act as the processor of said data. We process the Content Data to render the service.
We process only such types and categories of personal data that you provide. We process them from the moment the Content Data are uploaded until you delete the Content Data. We are not responsible for processing Content Data backed up on e-mail. Therefore, the responsibility for the data provided to us, any risks associated with data, incl. whose personal data, which type and which category of personal data you provide us, how long you store them, or any excess data that you may have provided, will rest with you. As the controller, you warrant that you have the right (incl. the required consent, etc.) to provide Content Data.
We process Content Data to a limited extent only when you have expressly requested us to do so, while we provide you the service, i.e., we process the data based on your instructions. When processing, we follow all the guidelines specified in this data processing agreement.
We keep the Content Data provided to us confidential, and no third parties, who are not mentioned in this Data Protection Policy, have access to them, unless you give such third parties access or unless our obligation to disclose information arises from law.
We will notify you of our obligation to disclose data, unless it is prohibited by law. When providing the service we shall ensure confidentiality, integrity, availability and resilience of data by the technical and organisational measures we have selected.
You as the controller allow us to outsource certain services, if we need to do so to provide you our service, and such service providers will also act as data processors. We shall make sure that our cooperation partners honour your right to data protection.
We cooperate with you to fulfil the obligations specified in Articles 32 to 36 of GDPR. If possible, we shall provide you the information needed to comply with these obligations.
From time to time and at our own discretion we may inspect the processing of data relating to our service, and its security.
We use temporary cookies, i.e., session cookies. These are stored in visitors’ computers temporarily while they use the website, and the computer will erase them after the user closes the site. Such cookies are necessary to ensure performance of the website and its functionalities.
You may opt out from using the cookies by making the required settings in your web browser. However, in this case you should be aware that some of the functionalities of the website might not be available to you. By using the website, you give your consent to processing of your personal data in the manner and for the purposes described above.
We are governed by laws of the Republic of Estonia and any disputes with us will be settled in courts of the Republic of Estonia.
8. Possible Amendments.