Privacy Policy for Customers Submitting an Application

By submitting your application (also referred to as a request) to MAXIMA Eesti OÜ (hereinafter referred to as the “Company” or “us”), you trust us with your personal data and give us the right to process them in accordance with the conditions set out in this privacy policy (hereinafter referred to as the “Policy”). We handle all requests sent through our customer service in accordance with this Policy and in accordance with the General Data Protection Regulation and national legislation. 
 
If you do not agree to certain terms of this Policy, we unfortunately cannot guarantee fast and high-quality service, as in this case we will not be able to contact you and provide feedback on your request. 
 
The Policy contains all the information about what data we process, what we use it for, how long we keep it, etc. This information is important, so we hope you read it carefully. 
 
Please note that both the Policy and its conditions may be amended, supplemented or updated. 
 
Personal data is any information on the basis of which a person can be identified, as well as information about an already identified person. 
 
We respect your privacy - the security of your personal information is our priority. We use appropriate organizational and technical measures to ensure that your personal data is always securely protected and data processing operations meet the requirements of data protection legislation and our internal policy. 
 
We consistently adhere to the principle of data minimization and collect only the data that is necessary to resolve your request and provide you with feedback. 
 
If your request is related to a Thank You Card, we ask you to additionally provide your Thank You Card number, first and last name, and date of birth. The transfer of additional personal data is necessary for the reason that if you do not know the number of your Thank You Card and/or do not wish to provide us with the aforementioned personal data, as well as if the referenced personal data is not indicated on your Thank You Card application form, then unfortunately we will not be able to identify connection between the Thank You Card and you as a person, and therefore we will most likely not be able to resolve your request.

1. Submission of requests 
 
If you submit a request to us, we will use your personal data for the purpose of resolving it. In order to resolve your request, we ask you to provide your contact information, either a phone number or an e-mail address, at your choice, so that we can contact you and give feedback on your request.  If you do not provide any contact information, we will not be able to contact you. 

 

Personal data processed for the purpose of resolving requests: 
Categories of data e-mail address and (or) phone number; 
your Thank You Card number*, your first and last name*, date of birth*; 
your first and last name**, bank account number** 
Legal basis for data processing Data processing is necessary for us to fulfill the obligations stipulated by law in the case of a consumer complaint, and it is also based on our legitimate interest if you are our customer. 
Data retention period We may retain your data for the duration of the resolution of your request as well as longer if it is necessary for us to defend ourselves against demands, claims or lawsuits brought against us. We generally keep your data for 30 days from the day of registration of your request. In the case of a request treated as a consumer complaint, we will keep your data for 3 years from the day the application is registered. 

* Entering your name, date of birth and Thank You Card number is only necessary to resolve requests related to your Thank You Card. You can read more detailed information about the conditions related to your Thank You Card in the Privacy Policy of Maxima’s Loyalty Program “Thank You” at www.maxima.ee/aitah. 
** Entering your name and bank account number is only necessary if a payment to a bank account is necessary (for example, to compensate for a double transaction made with a bank card) and only if you wish. 
 
How and for what purposes do we use your personal data? 

 
Based on your contact information, we can contact you and provide feedback on your request. 


Based on your name, date of birth and Thank You Card number, we can identify you as the owner of the corresponding Thank You Card, for example when exchanging a worn or lost card for a new one, connecting cards, updating or changing data, etc. 

 
You can read more detailed information about the conditions related to your Thank You Card in the Privacy Policy of Maxima’s Loyalty Program “Thank You” at www.maxima.ee/aitah
 
It is very important that the personal data you provide is accurate and correct. If you provide false information or if you do not update changed information, we may have difficulty responding to your request in a timely manner or at all. 
 
Please read about updating changed personal data in section 5.2 of the Policy. 
 
The Company has no way to check the correctness and accuracy of the data you provide. When accepting your request, we assume that your information is accurate and correct. 
 

2. Sensitive personal data 

If you submit your request to us regarding an incident related to our Company's activities that had or will have an impact on your health, we may ask for additional information about your health in order to resolve such a request. We certainly only ask for personal data to the extent that is necessary to resolve the given request. 

Personal data processed for the purpose of resolving requests related to health impairment: 
Categories of data e-mail address and (or) phone number, first and last name, health information* 
Legal basis for data processing Data processing is necessary for us to fulfill the obligations stipulated by law and based on our legitimate interest. 
Data retention period We will keep your data for 3 years from the day the application is registered. We may retain your data for the duration of the resolution of your request as well as longer if it is necessary for us to defend ourselves against demands, claims or lawsuits brought against us. 

 
* Data on health are personal data belonging to the category of sensitive personal data and their processing is only necessary to resolve appeals related to alleged health damage. 
 

 

We get all your personal data only from you. You provide us with your contact information (e-mail address or phone number) either when you send us an e-mail to klienditugi@maxima.ee or call our customer support line +372 800 2121. You provide us with your social network username when you send us a message through that network. You also provide us with personal data when you fill out a paper customer application form in our store or office. 

In order to resolve your request, we may transfer your data to our contractual partners, such as a security company or a supplier, who are contractually obliged to process them in accordance with the data protection regulation. We do this only if necessary and we first ask for your consent to transfer data. We confirm that, on a case-by-case basis, we only transfer as much data to the data processor as is necessary to solve a specific question or provide a service. Data processors in contractual relations with us may only process your personal data in accordance with our instructions and may not use them for other purposes or pass them on to other parties without our consent. In addition, they must ensure the security of your data in accordance with applicable laws and written agreements with us. 
Data may also be forwarded to competent state and law enforcement authorities, such as the Consumer Protection Authority or supervisory institutions, but only at their request and only if it takes place in the cases and procedures prescribed by legislation with the aim of ensuring our rights and the safety of our customers, employees and resources.

We process your personal data only in the territory of the European Union. We do not intend to transfer and do not transfer your personal data to third countries.

Data protection legislation gives you many rights that you are free to exercise and we must ensure that you are able to exercise them. We provide information about your specific rights and their implementation in the sections below. Please read the information carefully.

 
1. The right to access the personal data we process

You have the right to confirmation from us that we are processing your personal data. You also have the right to get acquainted with our processed data and information about the purposes of data processing, categories, categories of data recipients, period of data processing, sources of data. 
If you wish to exercise the right mentioned in this point, you may contact us in the ways described in Chapter 6 of the Policy. 

 

2. Right to correct personal data

If the data provided during your contact has changed or you believe that the information we process about you is inaccurate or incorrect, you have the right to request that this information be changed, clarified or corrected. 
You can contact us in the ways described in Chapter 6 of this Policy and ask us to correct or clarify your data. 

 

3. Right to withdraw consent 

If we process your data based on your consent, you have the right to withdraw your consent at any time and the data processing based on your consent will cease. 
For example, you can withdraw your consent to the transfer of personal data to our contractual partners at any time. Withdrawing this consent does not prevent you from receiving feedback from us on your request, but it does mean that we cannot guarantee that your request will be resolved. 
You have the option to withdraw, correct (withdraw or re-give) your consent by contacting us in the ways described in Chapter 6 of the Policy. 
If consent is withdrawn or revoked, we will reliably and permanently destroy the processed data with your consent. 
In any event, we may retain your consent and proof of consent even after the request has been resolved, if it is necessary for us to defend ourselves against demands, claims or lawsuits. 

 

4. Right to file a complaint 

If you believe that we are violating the requirements of data protection legislation when processing your data, please contact us first. We believe that with our efforts we will be able to resolve all your requests, dispel doubts and correct possible errors. 
If you are not satisfied with our solution to the problem or if you find that we are not carrying out the necessary actions according to your wishes, you have the right to contact the supervisory authority, the Data Protection Inspectorate. 

 

5. Right to object to the processing of data if the processing is based on a legitimate interest

You have the right to object to the processing of personal data if it is processed based on our legitimate interest. If you do not agree to the processing of your data for the purpose described in this paragraph, we respect and value your decision. Considering the goals of our customer support service and the balance of the legitimate interests of both parties (both you, the data subject, and us, the data owner), your non-consent may mean that if you interrupt the processing of data based on our legitimate interest, we will not be able to find a solution to the request submitted to us and give you feedback. 
If you wish to exercise the right mentioned in this paragraph, please make a written request as described in Chapter 6 to our Data Protection Officer. 

 

6. Right to deletion of data (right to be forgotten) 

In the circumstances described in the legislation concerning data processing (personal data is processed unlawfully, there is no basis for data processing, etc.), you have the right to ask that we delete your personal data. If you wish to exercise this right, please make a written request to our Data Protection Officer as set out in Chapter 6. 
It is important to note that your personal data will be deleted without a separate request from you, if the purpose of collecting personal data is fulfilled, i.e. your request is resolved, and if the personal data storage period prescribed by law or determined by us expires. Depending on the content of your application, we may retain your personal data even after the request has been resolved, if it is necessary for us to be able to defend ourselves against demands, claims or lawsuits presented to us. 

 

7. Right to restrict data processing 

You also have the right to restrict the processing of your data in the circumstances described in the legislation concerning data processing (personal data is processed unlawfully, data accuracy is contested, data processing is not consented to based on our legitimate interest, etc.). However, we must note that the resolution of your request may be hindered or impossible due to the limitation of data processing and during the period of such limitation. 
If you wish to exercise the right mentioned in this paragraph, please make a written request as described in Chapter 6 to our Data Protection Officer. 

 

8. Right to data portability 

You have the right to request the transfer of your data to another data processor for what we process with your consent and for which automated means are used for processing. The data you want to transfer will be presented to you in the format used in our system and readable by a computer, and if you wish and if it is technically possible, we will transfer the data to another data processor named by you. 
If you wish to exercise the right to data portability, please submit a written request to our Data Protection Officer as described in Chapter 6. 

 

9. Application processing procedure 

 

In order to exercise the aforementioned rights, please submit a corresponding written request to our Data Protection Officer by e-mail: dpo@maxima.ee or to the address given in Chapter 6. In an effort to protect the data of all our customers from unlawful disclosure, we ask that you sign the application digitally or by hand so that we can verify your identity. 
In the case of requests related to a Thank You Card, such as a request to provide data or exercise your other rights, we have to make sure that the Thank You Card has been issued in your name. For this purpose, we may ask you to send us the data you provided on your registration form (such as name, date of birth, e-mail address or telephone number) so that we can compare whether the data you provided matches the corresponding form data. When performing the check, we can also send an electronic message on the basis of the contact data indicated on the registration form of the Thank You Card (by SMS or e-mail) and ask to perform an authorization operation. If the verification procedure fails (the data you have provided in the form do not match the data provided on the Thank You Card registration form or you do not verify the data according to the received SMS or e-mail notification), we are forced to conclude that you are not the subject of the requested data and we have to reject your request . 
You can read more detailed information about the conditions related to your Thank You Card in the Privacy Policy of Maxima’s Loyalty Program “Thank You” at www.maxima.ee/aitah. 
If you submit your request by electronic means, we will send you a response by electronic means, except in cases where this is not possible (such as due to the volume of information being too large) or if you request to respond in another way. 
We will refuse to satisfy your request if the relevant circumstances specified in the legislation are present. We will inform you of the non-satisfaction of your request under the aforementioned circumstances. 
 

For all data processing issues, you can contact us in the following ways: 
By e-mail: info@maxima.ee
  
Contact details of our Data Protection Officer: 
E-mail address: dpo@maxima.ee 
  
Our details as the data owner: 
MAXIMA Eesti OÜ 
Registry code: 10765896 
Location address: Peterburi tee 47, 11415 Tallinn, Estonia 
 

We use various security technologies and procedures in an effort to protect your personal information from unauthorized access, use or disclosure. We choose our partners carefully: we require them to use appropriate measures that protect your confidentiality and ensure the security of your personal information. When transmitting information via the Internet or mobile communications, security is never fully guaranteed - transmitting any information to us in the mentioned ways is your own responsibility. 
 

At the end of the period of data processing and storage established in this Policy, we will reliably and permanently destroy your data in the cases specified in the Policy as soon as possible, within a period reasonable and necessary to carry out such action. 
Retention of your data for a longer period than permitted by this Policy may only occur if: 
- there is a well-founded suspicion of illegal activity and an appropriate procedure has been initiated in the specific case; 
- your data is necessary for the correct resolution of a dispute or complaint; 
- there are other bases stipulated in legislation.

The Policy is valid from 25 May 2018. If the Policy is changed, we will publish the updated version on our website www.maxima.ee 
 

The Policy does not apply to services provided by us and other companies in our group, such as website www.maxima.ee , payment services, preparation of invoices, etc.