Privacy policy

Document number: IS.PL-003
Version number: 1.1
Effective date: 15.08.2021; Update 15/05/2023
Next review date: 25.08.2024
Document Owner: Data protection officer
Review Response: Data protection officer
Version history links: IS.PL-003 PRIVACY POLICY-May23

1. DEFINITIONS

Ethicontrol: The conditional name of the company group, which includes the Estonian company “Ethicontrol OÜ” and the Ukrainian LLC “Ethicontrol”.
GDPR: The General Data Protection Regulation (EU) 2016/679 is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
Data controller (controller): The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law
Data subjects: Any person whose personal data is being collected, held, or processed.
Processor: The natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Data Protection Officer: The person responsible for ensuring that Ethicontrol follows its data protection policy and complies with the GDPR.
Notification: Notifying The Data Protection Inspectorate about the data processing activities of Ethicontrol.
The Data Protection Inspectorate: National Data Protection Authority of Estonia.
Personal data processing (processing): Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2. GENERAL

Ethicontrol — the conditional name of the company group, which includes the Estonian company “Ethicontrol OÜ” LLC and the Ukrainian LLC “Ethicontrol”.

Ethicontrol operates in the field of providing anti-corruption law enforcement services for European countries and the Middle East.

The Estonian company Ethicontrol OÜ is the head office that interacts with clients (except for Ukraine), and determines the development strategy and internal requirements of Ethicontrol, including personal data protection.

LLC “Ethicontrol” provides operational activities and interaction with Ukrainian customers.

Ethicontrol processes personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.

When collecting and using personal data, our policy is to be transparent about why and how we process personal data.

Taking into account the area in which it operates, Ethicontrol understands the importance of ensuring the protection of personal data that is processed by Ethicontrol's technical means.

Ethicontrol implements the requirements of the international standards for personal data protection:

  • ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
  • ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.

3. POLICY PURPOSE

Ethicontrol is strongly committed to protecting personal data. This Policy describes why and how we collect and use personal data and provides information about individuals’ rights.

4. OUR PROCESSING ACTIVITIES

4.1. Data Controller

Ethicontrol is a controller that processes the following categories of personal data:
  • personal data about marketing contacts and contractual activity;
  • personal data of recruitment applicants;
  • personal data of employees;
  • personal data of the company marketing site visitors.

Detailed information about processing is presented below.

Ethicontrol is NOT a data controller for data stored by its clients within the Ethicontrol platform. Please refer to Section 4.2. Data processor.

4.1.1. Business contact person data

Data subject:  Contact person of existing and potential clients and/or individuals associated with them

Controller, Processor: “Ethicontrol OÜ” is a controller and processor for processing data of clients from the European Union and the Middle East.

“Ethicontrol” LLC is a controller and processor for processing data of Ukrainian clients.

Collection of personal data:

Ethicontrol processes personal data about contacts using a customer relationship management system (the “CRM”).

The collection of personal data about contacts and the addition of that personal data to the CRM is initiated by an Ethicontrol user and will include:

  • first, last name of contact person;
  • employer name;
  • contact title/position;
  • phone;
  • e-mail.

Use of personal data:

Personal data relating to business contacts may be visible to and used by Ethicontrol users to learn more about an account, client, or opportunity they have an interest in, and may be used for the following purposes:

  • developing our businesses and services;
  • providing information to you about us and our range of services;
  • making personal data available to Ethicontrol employees for performing services and for offering new services;
  • performing analytics such as on market trends, relationship maps, or sales opportunities.

Systems that process personal data are located in the EU.

Legal basis for processing:

We will process our business contacts’ personal data based on our legitimate business interests or on consent, if the data subject has been asked to give it.

We have an interest in marketing our services or providing communications that we think will be of interest to recipients.

Data retention:

Personal data will be retained on the CRM for as long as it is necessary for the purposes set out above (e.g., for as long as we have, or need to keep a record of, a relationship with a business contact).

Data subject rights:

You have a number of legal rights in relation to the personal data that we hold about you and you can exercise your rights by contacting us using the details at the end of this document. These rights include:

  • the right to obtain information regarding the processing of your personal data and access to the personal data which we hold about you;
  • the right to request that we correct your personal data if it is inaccurate or incomplete;
  • the right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data but we must retain it;
  • the right to request that we restrict our processing of your personal data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your personal data but we must refuse that request;
  • the right to lodge a complaint with the applicable data protection regulator;
  • the right to object to the processing and we must stop unless we have an overriding reason which will be communicated to you;
  • when we are processing on the grounds of consent, you have the right to erasure.

Data Sharing:

Employees of Ethicontrol LLC, located in Ukraine, have the authority to access the data of contact persons of clients from the European Union and the Middle East to achieve a specific purpose / goal of Ethicontrol processing.

In some circumstances, such as under a court order, we are legally obliged to share information.

Information about other third parties that take part in the personal data processing is provided in Appendix A.

Transfers of personal data:

Employees of Ethicontrol LLC, located in Ukraine, have the authority to access the data of contact persons to achieve a specific purpose / goal of Ethicontrol processing. Access is provided on the basis of an agreement (Standard contractual clauses for international transfers) between “Ethicontrol OÜ” and “Ethicontrol” LLC. In this case, “Ethicontrol” LLC will be a sub-processor.

4.1.2. Recruitment applicants’ data

Data subject: Recruitment applicants.

Controller, Processor: For recruitment applicants to “Ethicontrol OÜ” LLC, “Ethicontrol OÜ” LLC is directly a controller and processor.

Accordingly, “Ethicontrol” LLC is a controller and processor for employment in “Ethicontrol” LLC.

Collection of personal data:

As part of the recruitment process, Ethicontrol collects and processes personal data relating to recruitment applicants such as:

  • name of recruitment applicant;
  • details of qualifications, skills, experience, and employment history;
  • information about current and desired levels of remuneration;
  • contact details, including email address and telephone number.

Ethicontrol may collect this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, or other identity documents, or collected through interviews or other forms of assessment.

Ethicontrol may also collect personal data about recruitment applicants from third parties, such as references supplied by former employers.

Use of personal data:

Processing data from recruitment applicants allows us to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job.

We may also need to process your data to enter into a contract with you.

Legal basis for processing:

We have a legitimate interest in processing personal data during the recruitment process and for keeping records of the process.

If your application for employment is unsuccessful, Ethicontrol will ask whether you consent to us holding your details so that you can be considered for other positions.

Data retention:

Data will be stored in a range of different places: the CRM system and the email system.

If your application for employment is unsuccessful, Ethicontrol will hold your data on file for 6 (six) months after the end of the relevant recruitment process. At the end of that period, or once you withdraw your consent, your data is deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your Human Resources file (electronic and paper based) and retained during your employment.

Data subject rights:

A recruitment applicant, as a data subject, has a number of rights:

  • access and obtain a copy of data on request;
  • require Ethicontrol to change incorrect or incomplete data;
  • require Ethicontrol to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
  • object to the processing of data where Ethicontrol is relying on its legitimate interests as the legal ground for processing.

Additionally, recruitment applicants are free to withdraw consent at any time if it was given.

Data Sharing:

Information about third parties that take part in the personal data processing is provided in Appendix A.

Transfers of personal data:

We don't transfer recruitment applicants’ personal data overseas.

4.1.3. Employee’s data

Data subject: Employee

Controller, Processor: “Ethicontrol OÜ” LLC is a controller and processor for its own employees' data processing.

“Ethicontrol” LLC is a controller and processor for its own employees' data processing.

Collection of personal data:

We process the following categories of personal data:

1. Information related to your employment:
  • personal contact details such as your name, address, contact telephone numbers and personal email addresses;
  • your date of birth, gender, and ID number;
  • a copy of your passport or similar photographic identification;
  • marital status;
  • next of kin, emergency contacts, and their contact information;
  • employment and education history including your qualifications, job application, employment references, right to work information.
2. Information related to your salary, pension and loans:
  • Information about your job role and your employment contract including: your start and leave dates, salary (including grade and salary band), any changes to your employment contract, and working pattern (including any requests for flexible working);
  • details of your time spent working and any overtime, expenses, or other payments claimed, including details of any loans such as for travel season tickets;
  • details of any leave including sick leave, holidays, special leave, etc.;
  • pension details including membership of both state and occupational pension schemes (current and previous);
  • your bank account details, payroll records, and tax status information;
  • details relating to Maternity, Paternity, Shared Parental and Adoption leave and pay.
3. Information relating to your performance and training:
  • information relating to your performance at work e.g. probation reviews, promotions;
  • investigations to which you may be a party or witness;
  • disciplinary records and documentation related to any investigations, hearings, and warnings/penalties issued;
  • information related to your training history and development needs.
4. Information relating to monitoring:
  • information about your access to data;
  • information derived from monitoring IT acceptable use standards.   

Use of personal data:

1. Information related to your employment:

We use the information to carry out the contract we have with you, provide you access to business services required for your role and manage our human resources processes.

2. Information related to your salary, pension and loans:

We process this information for the payment of your salary, pension and other employment-related benefits. We also process it for the administration of statutory and contractual leave entitlements such as a holiday or maternity leave.

3. Information relating to your performance and training:

We use this information to assess your performance, to conduct pay and grading reviews and to deal with any employer / employee related disputes. We also use it to meet the training and development needs required for your role.

4. Information relating to monitoring:

We use this information to assess your compliance with corporate policies and procedures and to ensure the security of our premises, IT systems and employees.

Legal basis for processing:

We will only collect, use, and share your personal information where we are satisfied that one or more of the following legal bases apply:

  • The processing is necessary for compliance with a legal obligation to which Ethicontrol is subject, for example, disclosing information to local tax authorities, making statutory payments, avoiding unlawful termination, avoiding unlawful discrimination, meeting statutory record-keeping requirements or health and safety obligations;
  • The processing is necessary for the performance of a contract to which you are a party;
  • The processing is necessary for the legitimate interests pursued by Ethicontrol or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms that require the protection of personal information. Ethicontrol considers that it has a legitimate interest in processing personal information for the purposes set out above, and to support the achievement of its immediate and long-term business goals and outcomes.

Data retention:

We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this Policy.

In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting, or necessary technical requirements.

In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.

Data subject rights:

You have a number of legal rights in relation to the personal data that we hold about you and you can exercise your rights by contacting us using the details at the end of this document. These rights include:

  • the right to obtain information regarding the processing of your personal data and access to the personal data which we hold about you;
  • the right to request that we correct your personal data if it is inaccurate or incomplete;
  • the right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data but we must retain it;
  • the right to request that we restrict our processing of your personal data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your personal data but we must refuse that request;
  • the right to lodge a complaint with the applicable data protection regulator;
  • when we are processing on the grounds of legitimate interest, you have the right to object to the processing and we must stop unless we have an overriding reason which will be communicated to you.

Data Sharing:

In some circumstances, such as under a court order, we are legally obliged to share information.

Information about third parties that take part in the personal data processing is provided in Appendix A.

Transfers of personal data:

We don't transfer staff personal data overseas.

4.1.4. Website visitors’ data

Data subject: Website visitors

Controller, Processor: “Ethicontrol OÜ”

Collection of personal data:

Visitors to our websites are in control of the personal data shared with us. We may capture limited personal data automatically via the use of cookies on our website. Please see the "Cookie’s policy" for more information.

We receive personal data, such as name, title, company address, email address, and telephone numbers, from website visitors; for example, when an individual subscribes to updates from us or applies using a special form.

Visitors are also able to send an email to us through the website. Their messages will contain the user’s screen name and email address, as well as any additional information the user may wish to include in the message.

We ask that you do not provide sensitive information (such as race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records) to us when using our website; if you choose to provide sensitive information to us for any reason, the act of doing so constitutes your explicit consent for us to collect and use that information in the ways described in this Policy.

Use of personal data:

When a visitor provides personal data to us, we will use it for the purposes for which it was provided to us as stated at point of collection (or as obvious from the context of the collection). Personal data is collected to:

  • register for certain areas of the site;
  • subscribe to updates;
  • enquire for further information;
  • distribute requested reference materials;
  • submit curriculum vitae;
  • monitor and enforce compliance with our terms and conditions for use of our website;
  • administer and manage our website, including confirming and authenticating identity and preventing unauthorised access to restricted areas, premium content, or other services limited to registered users;
  • aggregate data for website analytics and improvements.

Unless we are asked not to, we may also use your data to contact you with information about Ethicontrol’s business, services and events, and other information that may be of interest to you. Should visitors subsequently choose to unsubscribe from mailing lists or any registrations, we will provide instructions on the appropriate webpage or in our communication to the individual, or the individual may contact us at the email address given below.

Our websites do not collect or compile personal data for dissemination or sale to outside parties for consumer marketing purposes or host mailings on behalf of third parties. If there is an instance where such information may be shared with a third party the visitor will be asked for their consent beforehand.

Legal basis for processing:

We will process personal data of visitors to our website based on our legitimate business interests or on consent, if the data subject has been asked to give it. For example, we have an interest in making sure our marketing is relevant for specified individuals, so we may process personal data to send marketing that is tailored to the interests of a data subject.

Data retention:

Personal data collected via our websites will be retained by us for as long as it is necessary (e.g. for as long as we have a relationship with the relevant individual).

Data subject rights:

You have a number of legal rights in relation to the personal data that we hold about you and you can exercise your rights by contacting us using the details at the end of this document. These rights include:

  • the right to obtain information regarding the processing of your personal data and access to the personal data which we hold about you;
  • the right to request that we correct your personal data if it is inaccurate or incomplete;
  • the right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data but we must retain it;
  • the right to request that we restrict our processing of your personal data in certain circumstances. Again, there may be circumstances where you ask us to restrict our processing of your personal data but we must refuse that request;
  • the right to lodge a complaint with the applicable data protection regulator;
  • the right to object to the processing and we must stop unless we have an overriding reason which will be communicated to you;
  • when we are processing on the grounds of consent, you have the right to erasure.

Data Sharing:

Employees of Ethicontrol LLC, located in Ukraine, have the authority to access the data of contact persons of clients from the European Union and the Middle East to achieve a specific purpose/goal of Ethicontrol processing.

In some circumstances, such as under a court order, we are legally obliged to share information.

Information about other third parties that take part in the personal data processing is provided in Appendix A.

Transfers of personal data:

Employees of Ethicontrol LLC, located in Ukraine, have the authority to access the data of contact persons to achieve a specific purpose/goal of Ethicontrol processing. Access is provided on the basis of an agreement (Standard contractual clauses for international transfers) between “Ethicontrol OÜ” and “Ethicontrol” LLC. In this case, “Ethicontrol” LLC will be a sub-processor.

4.2. Data processor

The main product of Ethicontrol is a multichannel platform, which is provided as an online service for working with reporters, incidents, and internal investigations.

“Ethicontrol OÜ” ensures the operation of the call centre (if required) and performs the administration of the Platform on the basis of an agreement with the Customer.

“Ethicontrol OÜ” is a processor according to this agreement. The following categories of personal data of the Customer's employees (users of the Platform, whistleblowers, witnesses, accused persons) are subject to processing:

  • identification data (name, surname, position, login of the Platform, photo);
  • contact details (phone number, e-mail);     
  • event log data (IP address, operating system, browser, date, and event description);         
  • whistleblower message.

The customer determines the purpose, legal basis for the processing of personal data, the existing rights of data subjects, the ways of their implementation, and the list of data recipients. That information is included in the Data processing agreement.

If necessary, specialists of “Ethicontrol” LLC may be involved in fulfilling the terms of the agreement with the Customer. Involvement takes place on the basis of an agreement (Standard contractual clauses for international transfers) between “Ethicontrol OÜ” and “Ethicontrol” LLC. “Ethicontrol” LLC will be a sub-processor in this case. Employees of “Ethicontrol” LLC can perform the following tasks:

  • provide administration of the Platform's software;
  • provide services of call centre operators.        

Information about other third parties that take part in the personal data processing is provided in Appendix A.

Physically, the data is stored in the European Union.

Detailed information on the processes of personal data processing is given in a separate document: GDPR handbook. This document can be obtained by potential and existing customers upon request.

5. COMPLAINTS

We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to the Data protection officer (contact details are given below). We will look into and respond to any complaints we receive.

You can also complain to the Data Protection Inspectorate of Estonia:

  • telephone: (from abroad add +372) 627 4135
  • e-mail: info[a]aki.ee

6. CONTACT INFO OF DATA PROTECTION OFFICER

If you have any questions about this Policy or how and why we process personal data, please contact us at:

  • e-mail: privacy@ethicontrol.com

7. POLICY REVISION

We recognise that transparency is an ongoing responsibility, so we will keep this privacy statement under regular review.

Responsibility for amending the policy rests with the Data protection officer.

List of subprocessors

Each entry gives the subprocessor, followed by: Tasks; Link (the clauses of the Policy it relates to); Data location.

Google Inc.
  • Tasks: Providing cloud services (G Suite product): e-mail, data storing
  • Link: 4.1.1 Contact person data; 4.1.2 Recruitment applicants’ data
  • Data location: Germany
  • Tasks: Web-site activity analyzing: Google Analytics, Google AdWords, Google Tag Manager, Google Fonts, Google Maps, Google Site Search, Google AdSense, Google Website Optimizer
  • Link: 4.1.4 Website visitors’ data
  • Data location: Germany

Hubspot
  • Tasks: Customer Relationship Management system
  • Link: 4.1.1 Contact person data; 4.1.3 Employee’s data
  • Data location: Germany

Digital Ocean Inc.
  • Tasks: Hosting services.
  • Link: 4.2 Data processor
  • Data location: Germany

Linode, LLC.
  • Tasks: Hosting services.
  • Link: 4.2 Data processor
  • Data location: Germany

Microsoft Inc.
  • Tasks: Azure hosting services
  • Link: 4.2 Data processor
  • Data location: Germany, UAE, Local

Amazon Inc
  • Tasks: AWS hosting services
  • Link: 4.2 Data processor
  • Data location: Ireland

GigaCloud LLC
  • Tasks: Hosting services
  • Link: 4.2 Data processor
  • Data location: Germany, Local (Ukraine)

Cloudflare
  • Tasks: Content Delivery Network. Used as a web infrastructure and website security, providing content delivery network services, DDoS mitigation, internet security, and distributed domain name server services
  • Link: 4.2 Data processor; 4.1.4 Website visitors’ data
  • Data location: Local. Data Centers located all around the world. Traffic will be automatically routed to the nearest data center.

Freshdesk
  • Tasks: Helpdesk portal for users. Knowledge base and articles
  • Link: 4.1.1 Contact person data; 4.1.3 Employee’s data
  • Data location: Germany

Zadarma
  • Tasks: Calling functionality. Used as a numbers and trunk provider for marketing phone lines as well as service hotlines
  • Link: 4.1.1 Contact person data; 4.1.3 Employee’s data; 4.2 Data processor
  • Data location: Bulgaria

Stripe
  • Tasks: Payment processing for international customers
  • Link: 4.1.1 Contact person data
  • Data location: Germany

Waveapps, Wave Financial Inc
  • Tasks: Accounting and billing for international customers
  • Link: 4.1.1 Contact person data
  • Data location: Canada

Bo.in.ua
  • Tasks: Accounting and billing of Ukrainian customers
  • Link: 4.1.1 Contact person data; 4.1.3 Employee’s data
  • Data location: Ukraine

Mailgun
  • Tasks: Transactional emails; Email intake channel; Marketing emails
  • Link: 4.2 Data processor
  • Data location: EU

Usetiful
  • Tasks: User onboarding
  • Link: 4.2 Data processor
  • Data location: Estonia

Ethicontrol, Ethicontrol Ukraine
  • Tasks: Payroll; Client help desk operations; Call center / Agents operations / Incoming calls processing; Customer Relationship
  • Link: 4.1.1 Contact person data; 4.1.3 Employee’s data; 4.1.2 Recruitment applicants’ data
  • Data location: Ukraine, Poland, Germany