This privacy policy describes Sarto’s principles for processing personal data. The purpose of these data protection terms is to provide clear and transparent information on how Sarto may process your personal data when you use our services, interact with us or visit our website.
In accordance with changes in legislation or practice, Sarto reserves the right to amend the data protection terms, which will be published immediately on our website. If you have specific questions about how we process your personal data, or if you wish to submit requests to exercise your rights related to personal data processing, please contact us using the contact details provided in the “Contact” section below.
„data subject“
A natural person whose personal data is processed by Sarto;
„GDPR“
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
„personal data“
Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
„applicable law“
All applicable European Union legislation and all applicable laws of the Republic of Estonia, including, but not limited to, national implementing acts of the GDPR in force at the time of these terms or coming into effect thereafter;
„Sarto“
Sarto Capital Management OÜ, registrikood 16432606, Viru väljak 2, 10111 Tallinn või Sarto Holding OÜ, registrikood 10812288, Viru väljak 2, 10111 Talinn;
„website“
The website through which you interact with Sarto, use our services or engage with Sarto in any way;
„privacy policy“
This personal data processing document;
„controller“
A natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data. For the purposes of this privacy policy, Sarto Capital Management OÜ or Sarto Holding OÜ is the controller of personal data;
„processor“
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
2.1 Sarto, as a controller, processes personal data for the purposes outlined in these data protection terms. Sarto bases personal data processing on applicable law, including the Personal Data Protection Act and other legislation concerning the processing of personal data.
2.2 Sarto adheres to the principles of personal data protection, including the principle of data minimization, under which we only process data necessary to provide the service and achieve the stated purposes.
2.3 Data processing to fulfill a contract. Sarto processes personal data primarily to provide services to its clients and to fulfill contractual obligations to them. If the Sarto client is a data subject, the legal basis for processing personal data is GDPR Article 6(1)(b) (processing is necessary for the performance of a contract to which the data subject is a party or to take steps prior to entering into a contract at the data subject’s request). If the client or partner is a legal entity, we process the data necessary to determine representation rights.
2.4 Data processing to comply with legal obligations. Sarto also processes personal data when necessary to comply with legal obligations. For example, situations where personal data is requested by a court order or other legal act or must be retained under applicable legislation (e.g., accounting laws). The legal basis for such processing is GDPR Article 6(1)(c) (processing is necessary for compliance with a legal obligation to which the controller is subject).
2.5 Data processing based on legitimate interests. Sarto may process personal data when necessary for its legitimate interests, provided that these interests are not overridden by the interests, fundamental rights, or freedoms of the data subject. Only data obtained from the data subject or generated in the course of fulfilling a contract is processed under this basis. The legal basis is GDPR Article 6(1)(f).
Sarto may have a legitimate interest in processing personal data to prepare, present, or defend legal claims, e.g., if a data subject has breached a contract. Data processed under legitimate interest is retained according to statutory deadlines, generally up to 3 years after the provision of the service.
Sarto may process personal data for the purpose of responding to client inquiries and requests. The personal data processed may include contact details (such as name, email address, and phone number) as well as the content of the message. The data are obtained directly from the data subject (or, in the case of legal entity clients, their authorised or legal representative). The processing is based on our legitimate interest pursuant to GDPR Article 6(1)(f). Personal data are retained for up to three years from the resolution of the inquiry.
3.1 Sarto does not disclose personal data to third parties, except where legally entitled to do so. Sarto does not transfer personal data outside the European Economic Area.
3.2 Sarto may use authorized processors to process personal data. Authorized processors designated by Sarto may, in limited cases, process personal data, e.g., IT service providers (server providers, software developers) or other support service providers.
3.3 Sarto uses only those partners as authorized processors in whom it has confidence and who have committed to process personal data in accordance with applicable law.
4.1 Sarto ensures all rights granted to the data subject under applicable law.
4.2 Each data subject has among others the following rights:
4.2.1 right of access: the right to inquire at any time whether Sarto has personal data about the data subject and to obtain information on which personal data is processed;
4.2.2 right to rectification: the right to request Sarto to correct or complete inaccurate or incomplete personal data;
4.2.3 right to object: the right to object to the processing of personal data, e.g., where the use of personal data is based on Sarto’s legitimate interest;
4.2.4 right to erasure: the right to request the deletion of personal data, e.g., if processed based on the data subject’s consent and the consent has been withdrawn;
4.2.5 right to restrict processing: the right to request Sarto to restrict the processing of personal data under applicable law, e.g., when personal data is no longer needed or the data subject has objected;
4.2.6 right to withdraw consent: if processing is based on consent, the data subject may withdraw consent at any time;
4.2.7 right to data portability: the right to receive personal data provided to Sarto by the data subject and processed based on consent or for the performance of a contract, in a structured, commonly used, machine-readable format, and, if technically feasible, to request that Sarto transfers the data to another controller;
4.2.8 right to lodge a complaint: if a data subject finds that their rights have been violated during personal data processing, they have the right to contact the Estonian Data Protection Inspectorate at Tatari 39, 10134 Tallinn, info@aki.ee, www.aki.ee.
4.3 The rights listed in this section are not exhaustive. In certain cases, other data subjects’ rights or Sarto’s legal obligations may limit the data subject’s rights.4.2 Each data subject has among others the following rights:
4.4 To exercise rights related to personal data processing or to submit related requests, please contact us using the contact details in the “Contact” section below.
5.1 Sarto undertakes to ensure the security of personal data to protect it against accidental or unauthorized processing, disclosure or destruction.
5.2 Taking into account the latest developments in science and technology, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of data subjects, Sarto applies appropriate technical and organizational measures to ensure the security of personal data.
6.1 For questions regarding personal data processing or for submitting requests related to personal data processing, please contact Sarto at the following:
Sarto contact details:
Viru väljak 2, 10111 Tallinn
info@sartocapital.com