Privacy policy

1. Introduction

1.1. This privacy policy describes how Nordecon AS, registration code 10099962, (hereinafter “Nordecon”) processes personal data in connection with its economic activities (clients and partners, including real estate development), website usage, job or internship applications, whistleblowing, or other instances where Nordecon processes personal data.

1.2. The basis for Nordecon’s personal data processing is the European Parliament and Council Regulation (EU) 2016/679 of 27th April on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also known as “GDPR”.

1.3. The purpose of these terms is to provide our clients, partners (including their representatives), employees, and other persons who visit the website or provide Nordecon with personal data, clear and transparent information on how Nordecon may process your personal data.

1.4. If you have any specific questions about how we process your personal data or if you wish to submit a request for exercising your rights related to personal data processing, please contact us using the contact details provided below in the “Contact” section. Employees may also contact their direct supervisor or HR specialist.

2. Important Information Regarding Clients’ and Partners’ Personal Data

2.1. We inform you that we use the personal data of the contractual representatives of our partners only for the purpose of concluding and fulfilling contracts with the partners, and we retain this data until the end of the retention period for the concluded contracts. The personal data of partners’ representatives may include:

  • first and last name;
  • email address;
  • phone number;
  • employer and job title.

2.2. If you contact us regarding a real estate property of interest, we may use your personal data to make you an offer and, in the case of a real estate sale, to conclude and fulfil contracts. In such cases, we retain your personal data for one year after the initial contact. If you conclude a contract with us for the purchase of an apartment ownership, we retain your personal data until the end of the statutory liability period for the building. The aforementioned personal data may include:

  • first and last name;
  • email address;
  • personal identification code and/or date of birth;
  • phone number;
  • residential or business address;
  • employer and job title.

2.3. The personal data provided to us by our partners or clients may be shared and processed by Nordecon and by third parties who provide services to Nordecon and act on behalf of Nordecon to the extent necessary to fulfil the contract with the client or partner. If expressly required by law, your personal data may also be shared with competent authorities.

2.4. Nordecon does not distribute, use, modify, or transmit personal data entrusted to Nordecon in any other unauthorized manner, except where there is an agreement with the client or partner or where such disclosure is required by applicable law. We take appropriate measures to protect personal data from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure, or access.

2.5. If you receive offers from Nordecon without having provided your data or requested information, please notify us at the email address: privacy@nordecon.com.

3. Website Usage

3.1. When using the website, the following information may be collected and stored:

  • internet address (IP address) of the computer or computer network;
  • name and address of the internet service provider of the computer or computer network used;
  • time of visit (time, date, year).

IP addresses are not linked to personally identifiable information. Data is collected about which parts of the website are visited and how long visitors stay there. The data is used to compile visit statistics to improve the website.

3.2. Nordecon aims to make its website as user-friendly as possible for its visitors. To achieve this, Nordecon needs to know which pages different visitors use, which browsers they use, and how they navigate between different web pages. To collect and analyse the data, the software “Google Analytics” is used. More detailed information about the information collected and analysis capabilities of Google Analytics can be found here.

3.3. If you do not want your visit data to be used for such analysis, you can add a relevant browser extension, which can be found here.

3.4. Cookies are information that the browser stores on the user’s device to save the user’s personal preferences (selected language, username, etc.). Users can disable cookies in their browser, but this may reduce the usability of the website. The lifespan of cookies on the user’s device is short, generally less than one month. If you want to disable or delete cookies, you can find help in your browser’s user manual. The data from users’ visits is anonymous, and only a limited number of Nordecon employees have access to it.

3.5. The servers hosting Nordecon’s website store data about requests, which is used only for technical purposes to ensure the proper functioning of the website and, if necessary, to find the cause(s) of any malfunctions. Access to this data is limited to Nordecon’s IT staff and technical staff of the company providing server hosting services.

4. Job or Internship Applications or Other User Inquiries

4.1. Additional inquiries can be submitted on Nordecon’s website by entering personal data during the process. This data is only used according to the needs arising from the inquiry and is stored according to the conditions permitted by the user when entering the data.

4.2. When applying for a job or internship or submitting any other inquiry to Nordecon, the personal data being processed may include:

  • first and last name;
  • phone number;
  • email address;
  • the content of the inquiry, if it contains personal data;
  • the person’s CV, including any picture contained in the CV;
  • personal identification code;
  • employer and job title.

4.3. Nordecon does not retain documents related to job applications for more than one year from the date of the job competition.

5. Whistleblower line

5.1. As of 01.09.2024, the Act on Protection of Persons Who Report Work-Related Breaches of European Union Law (hereinafter “Whistleblower Act”) entered into force. The law establishes the legal basis for reporting violations of European Union law discovered during work activities and provides protection for the whistleblower. The aim of the law is to ensure protection for whistleblowers who report violations of European Union law discovered during work activities.

5.2. The Whistleblower Act applies to notifications of violations of requirements arising from European Union law in the following areas:

5.2.1. public procurement;

5.2.2. financial services, products, and markets, as well as the prevention of money laundering and terrorist financing;

5.2.3. product safety and compliance;

5.2.4. transport safety;

5.2.5. environmental protection;

5.2.6. radiation protection and nuclear safety;

5.2.7. food and feed safety, animal health, and welfare;

5.2.8. public health;

5.2.9. consumer protection;

5.2.10. privacy and personal data protection, and the security of network and information systems;

5.2.11. violations harming the financial interests of the European Union as specified in Article 325 of the Treaty on the Functioning of the European Union, which are specified in the relevant European Union measures;

5.2.12. violations related to the internal market, as referred to in Article 26(2) of the Treaty on the Functioning of the European Union, which concern activities that violate corporate tax rules and violations related to agreements aimed at obtaining tax benefits that are contrary to the objectives of the corporate tax legislation.

5.3. Personal data collected under the Whistleblower Act or based on legal acts issued pursuant to the Whistleblower Act, including special type of personal data, are processed to ensure the protection of the whistleblower in accordance with GDPR and the Personal Data Protection Act, considering the specifics of the Whistleblower Act. When processing personal data under the Whistleblower Act, the data controller restricts the rights of the data subject if it is necessary to ensure the confidentiality of the whistleblower.

5.4. Nordecon’s website has a whistleblower line for the Nordecon Group (Nordecon AS, Embach Ehitus OÜ, AS Tariston). The whistleblower line is designed so that all persons mentioned in paragraph 3 of the Whistleblower Act can anonymously report possible violations mentioned in point 5.2.

5.5. Nordecon and the companies of the Nordecon Group fulfil all obligations arising from the Whistleblower Act. The whistleblower line management services are provided by an independent audit firm, Ernst & Young Baltic AS. All reports submitted through the whistleblower line reach Ernst & Young Baltic AS. The companies of the Nordecon Group do not have access to the content of the reports or to the whistleblower’s data, and this information is not stored in the Nordecon website’s databases. When the whistleblower line is used, complete anonymity towards the companies of the Nordecon Group is ensured.

5.6. Ernst & Young Baltic AS checks and analyses incoming reports at least once a week and forwards the analysed reports (anonymously) to Nordecon’s contacts.

5.7. Ernst & Young Baltic AS retains all reports for at least 3 years from the date of submission, in accordance with paragraph 10(3) of the Whistleblower Act.

6. Data Subject Rights

6.1. Nordecon ensures all rights arising from applicable law for data subjects.

6.2. Every data subject has, among other things, the following rights:

  • Right of access: the right to ask at any time whether Nordecon has personal data about them and to receive information about what personal data Nordecon processes about them;
  • Right to rectification: the right to request the correction or updating of their personal data if it is incomplete, incorrect, or insufficient;
  • Right to object: the right to object to the processing of their personal data;
  • Right to erasure: the right to request the deletion of personal data, for example, when the personal data is processed based on the data subject’s consent, and the data subject has withdrawn their consent;
  • Right to restrict processing: the right to request that Nordecon restricts the processing of personal data based on applicable law, for example, when Nordecon no longer needs the personal data for processing purposes or when the data subject has objected to the processing of personal data;
  • Right to withdraw consent: if the processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw their consent at any time;
  • Right to data portability: the right to receive from Nordecon personal data that the individual has submitted to Nordecon and that is processed on the basis of the consent of the data subject or for the performance of a contract with the data subject in writing or in a publicly available electronic format, if technically possible, and the right to request the transfer of that data to another controller if technically feasible;
  • Right to lodge a complaint: if a person believes that their rights have been violated in the processing of personal data, they always have the right to file a complaint with the Data Protection Inspectorate – Tatari 39, 10134 Tallinn, info@aki.ee, aki.ee/en. If your permanent residence is in another EU member state, you can find the contact details of the relevant authority here.

6.3. The data subject rights listed in this chapter regarding the processing of their personal data are not exhaustive. In certain cases, other data subjects’ rights or Nordecon’s legal obligations may limit the rights of the data subject.

6.4. To exercise the rights related to personal data processing or to submit requests related to personal data processing, please contact us using the contact details provided below in the “Contact” section.

7. Data Security

7.1. Nordecon commits to ensuring the security of personal data processing to protect personal data from accidental or unauthorized processing, disclosure, or destruction.

7.2. Considering the latest developments in science and technology, the costs of implementation, the nature, scope, context, and purposes of personal data processing, as well as the varying likelihood and severity of risks to data subjects’ rights and freedoms, Nordecon implements appropriate technical and organizational measures to ensure the security of personal data processing. Nordecon implements reasonable organizational and technical security measures to protect personal data from accidental, unauthorized processing or disclosure. Personal data is not transferred outside the European Union.

7.3. Access to personal data is restricted to individuals who need access in connection with their job duties.

8. Contact

8.1. For questions related to the processing of personal data or to submit requests related to personal data processing, please contact Nordecon by phone, email, or mail using the contact details provided below:

 

Nordecon AS

Address: Toompuiestee 35 Tallinn, 10149

E-mail: privacy@nordecon.com

Phone: +372 615 4400