Privacy Policy

Valid as of 18 March 2024

This document describes how AS Solaris Keskus (registry code: 10674030, address: Estonia pst. 9, Tallinn, e-mail: info@solaris.ee, telephone: 61 55 125, hereinafter referred to as we, us, our or Solaris Keskus), as the controller, processes the data of its visitors and other natural persons in the course of operations of the shopping and lifestyle centre Solaris Keskus (hereinafter referred to as the Centre) at Estonia pst 9 (Tallinn).

This Privacy Policy is effective as of the date set out above. We have the right to unilaterally amend and modify the Privacy Policy, in which case we will upload the updated Privacy Policy to this website.

The protection of personal data is very important to us and in processing such data we follow the relevant legislation of the Republic of Estonia and of the European Union, including the EU General Data Protection Regulation 2016/679 (hereinafter referred to as the GDPR). For the purposes of this Privacy Policy, we use definitions (controller, personal data, processing, etc.) according to the GDPR.

When visiting our website or entering the Centre, the person confirms that they have examined and understand this Privacy Policy.

Purposes of personal data processing, categories, legal grounds and storage

Below we explain the purposes for which we process the personal data of visitors to our website and/or to the Centre and of other natural persons. We also explain which personal data are processed for the respective purpose, the legal ground for the processing and for how long we store the personal data.

Newsletter

We collect personal data in order to send a newsletter to persons who have given their prior consent thereto. Thus, the legal ground for the processing of personal data for this purpose is the consent given by the person (Article 6(1)(a) of the GDPR). By giving their consent, the person confirms that they are at least 13 years of age. To send a newsletter, we process the person’s name and e-mail. A person can withdraw their consent to subscribe to a newsletter at any time via the link in the newsletter or by contacting us. We process personal data related to a newsletter for the term of validity of the consent, i.e. we send newsletters until the consent is withdrawn.

Campaigns

We also process personal data for the purpose of conducting prize draw campaigns organised on our social media – in such an event the purpose is to conduct a campaign and deliver the prize to the winner. As part of this, we may process the name, contact details (including e-mail) of the person participating in the campaign and other personal data necessary for achieving this purpose. As a general rule, we do not disclose the full name of the winner – but if we do not have the e-mail address of the winner or any other possibility to contact them directly, we may, for example, publicly mention the winner on social media in order to deliver the prize to them. The legal ground for the processing of personal data is our legitimate interest, which is conducting campaigns for marketing purposes (Article 6(1)(f) of the GDPR). We store personal data for a maximum of three months after the end of the campaign.

Conduct of projects with cooperation partners

We also process the personal data of potential cooperation partners for making proposals concerning new projects – for example, in order to send a performance offer or a proposal for conducting a marketing campaign to the person. Thus, the processing of personal data for this purpose may include, for example, contacting speakers, public figures, influencers and media representatives and storing relevant data. Such personal data may include name, e-mail, telephone number and information related to the project. We have collected the respective contact details from public sources or our contractual partners (including PR agencies) on the assumption that these persons are interested in receiving notices or invitations from Solaris Keskus. The legal ground for the processing is our legitimate interest, which is boosting the popularity and visitor numbers of Solaris Keskus (Article 6(1)(f) of the GDPR). We store personal data until the purpose of processing is fulfilled.

If so agreed with the cooperation partner in the project, we also process personal data for conducting the project, which may also include the processing of personal data such as name, e-mail, telephone number and information related to the project. In such an event, the legal ground is the performance of a contract with the cooperation partner (Article 6(1)(b) of the GDPR) and we process personal data for this purpose until the project has been completed successfully.

Video surveillance

The external walls of the Centre, public rooms inside the building and offices have been provided with security cameras, which record video images. No camera is located in a private room (e.g. a toilet or shower room) and no camera records sound. The purpose of video surveillance is our legitimate interest, which is protecting the property of the persons staying in the Centre as well as protecting Solaris Keskus and the persons staying therein (Article 6(1)(f) of the GDPR). As a general rule, videos are recorded for a maximum of 30 days. Video recordings related to incidents that have occurred in Solaris Keskus (e.g. loss events, breaches of public order, etc.) are stored and processed on a case-by-case basis in accordance with our justified interest, that of our contractual partners and/or visitors to the Centre or in accordance with law. Video recordings related to such incidents are stored for a maximum of three years after the processing of the incident has ended.

Statistics

In addition, we generate anonymous statistics on visits to the Centre with the cameras located at the entrances of the Centre in order to develop the Centre further. These statistical data are not personal data and are anonymised, and the video stream on the basis of which these statistical anonymous data are generated is immediately deleted. The legal ground is our legitimate interest in generating visitor statistics to the Centre on the basis of which we can develop and improve the Centre (Article 6(1)(f) of the GDPR).

Display of personalised ads

The website of Solaris Keskus uses Facebook and Google Ads cookies that allow the website visitor to see personalised ads on the web according to the web usage of the person. In such an event, the personal data being processed are the person’s website use history and other technical data related to web visits. The website uses cookies and personalised ads are only displayed if the website visitor has given their prior consent thereto (Article 6(1)(a) of the GDPR). By giving their consent, the person confirms that they are at least 13 years of age. A person can withdraw their consent at any time by deleting such cookies or contacting us. We process the respective personal data for up to two years after the last visit to the website of Solaris Keskus (depending on the term of specific cookies) or less if the respective cookies are deleted.

Website analytics

The website of Solaris Keskus uses analytical cookies that collect data about the use of the website. The legal ground is our legitimate interest in generating visitor statistics to the website on the basis of which we can develop and improve the website (Article 6(1)(f) of the GDPR). We process the respective personal data for up to two years after the visit to the website of Solaris Keskus or less if the respective cookies are deleted.

Compliance with obligations

We also process personal data to comply with our obligations under applicable law (Article 6(1)(c) of the GDPR). In such an event, the personal data being processed and the persons whose personal data we process and the storage period of the respective personal data depend on the obligation that we are legally required to adhere to in accordance with the legislation in force. For example, pursuant to law, we must store accounting source documents (which may contain personal data) for seven years as of the end of the financial year when a business transaction was recorded in the accounting journals and ledgers on the basis of the source document.

Implementation of rights

We also process personal data in order to implement our rights arising from applicable law and the contracts entered into, in which event the legal ground for the processing of personal data is our legitimate interest in implementing and protecting our rights (Article 6(1)(c) of the GDPR). In such an event, the personal data being processed and the persons whose personal data we process depend on the right that we implement. As a general rule, we store personal data for this purpose for up to three years.

Business relations

We also process data of natural persons related to the legal persons with whom we have a business relationship (e.g. lessees of Solaris Keskus) for performing the respective contract. As a general rule, however, we process such personal data in the role of a processor and the legal person having a business relationship with us is the controller of such personal data. However, if we process these personal data, for example, for one of the purposes set out in this Privacy Policy (e.g. compliance with our obligations or implementation of our rights), we are controllers of the personal data.

Sources and collection of personal data

We process personal data that we collect directly from persons (data subjects) as well as personal data that we obtain from third-party sources (e.g. social media). Disclosure of personal data to us is generally voluntary.

Personal data processors

If we transmit personal data to processors, all the processors ensure the protection of such personal data as required by the GDPR and other applicable legislation regulating the protection of personal data. If we transmit personal data to a country outside the European Economic Area, we apply appropriate safeguards which are in compliance with the GDPR – for example by entering into a relevant personal data processing agreement with the processor in accordance with the standard terms and conditions for the protection of personal data as approved by the European Commission.

We may transmit personal data to third parties, i.e. processors, in the following events:

  • As we store documents and the data contained therein with the cloud service provider, we may transmit the personal data to the respective service provider. Currently, this service provider is Dropbox, Inc., located in the US. Dropbox has joined the data exchange framework entered into between the European Union and the US, which ensures the protection of personal data at a level equivalent to that of the European Union and, if necessary, the standard terms and conditions for the protection of personal data as approved by the European Commission are also applied.

  • If a person has given their consent to receive a newsletter, we transmit the data of the person to the service provider who prepares, sends or makes it technically possible to send the newsletter. We currently use a service provider called Klaviyo, Inc, located in the US. Klaviyo has joined the data exchange framework entered into between the European Union and the US, which ensures the protection of personal data at a level equivalent to that of the European Union and, if necessary, the standard terms and conditions for the protection of personal data as approved by the European Commission are also applied.

  • We transmit the data processed for the purpose of video surveillance to the security service provider, which is currently AS G4S, located in Estonia.

  • In addition, we may make personal data available to other persons who provide services to us or if this is necessary for fulfilling any of the purposes of personal data processing as set out in this Privacy Policy. For example, we transmit accounting data to Directo OÜ, which offers business software and is located in Estonia.

In addition, we have the right to disclose personal data to an authority or person that has the right under applicable legislation to demand that we disclose personal data. We also have the right to disclose personal data to a third party who acquires Solaris Keskus or, in essence, all of its assets, if such acquisition occurs.

Ensuring security of personal data

Personal data are held and processed digitally and in secure environments in Solaris Keskus in cooperation with its contractual partners. Access to personal data is only provided to our employees and contractual partners who need to process personal data based on the obligations arising from the contracts entered into with us. Contractual partners are required to observe legislation regulating the protection of personal data. We have established requirements in order to ensure the security of personal data processing by adopting both organisational and technical measures. The security measures for the processing of personal data are kept relevant and up to date and, if necessary, they are updated and modified.

Rights of data subject

A person has the right to make enquiries about the processing of personal data concerning them and to request rectification or erasure thereof or restriction of processing of personal data. A person also has the right to object to the processing of their personal data and request data portability, where technically possible. A person may withdraw consent for the processing of personal data based on consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. A person also has the right not to be subject to a decision based on automated processing. In addition, the data subject has the right to request additional information about our legitimate interest in the processing of data. In connection with the processing of personal data, a person has the right to file a complaint with the Estonian Data Protection Inspectorate (www.aki.ee; Tatari 39, 10134 Tallinn; e-mail address info@aki.ee).

In order to exercise rights related to the processing of personal data or to obtain further information, please contact us by e-mailing info@solaris.ee.

In accordance with the provisions of applicable law, we may have the right to refuse to comply with a person’s request or the right to comply with it to a limited extent, in which event we will explain it to the person.

Third-party websites

The website of Solaris Keskus may contain links to third-party websites. Third-party websites may be subject to terms and conditions different from this Privacy Policy, the implementation of which is beyond our control. We are not liable for the privacy policy of third-party websites or for the processing of personal data through third-party websites.

Cookies

We use cookies on our website. Cookies are small blocks of data in a text format that are stored in the user’s web browser or device when visiting a website. Some cookies are so-called first-party cookies and are linked to the website, but third-party cookies (e.g. Google Analytics) are also used.

In general, we use cookies to make the visitor experience to the website as smooth and convenient as possible and to collect data about visits to the website. To be more specific, we use the following cookies:

  • Strictly necessary cookies – i.e. cookies that are strictly necessary for the visitor to use the website and the website to function. As a general rule, such cookies are stored for 1-2 years.

  • Analytical cookies – i.e. cookies used to analyse the visit and use of the website. The term for storing cookies varies depending on the specific cookie but, as a general rule, such cookies are stored for up to 2 years.

  • Advertising cookies – i.e. Facebook and Google advertising cookies used to display personalised ads to website visitors, which collect information about the website visit history and other technical information. The term for storing cookies varies depending on the specific cookie but, as a maximum, such cookies are stored for two years.

The website visitor has the rights of a data subject explained above in respect of the cookies that collect and process personal data. In any event, the website visitor has the right, in connection with cookies, to refuse to use cookies without giving consent or by withdrawing consent, to refuse to use cookies by selecting appropriate settings in the web browser and to delete cookies already stored on their device. However, strictly necessary cookies are used in any event without the visitor’s consent, because without them it is not possible to use the website. It is possible to use the website without other cookies, but in this event the website may not function in full and as intended.
