Last update 29.11.2019




This document describes how Scanfil Oü (hereinafter “Scanfil”) and its staff process the personal data of the representatives of Scanfil’s business contacts. Scanfil acts as a controller of such personal data.

As a controller, Scanfil is responsible for such personal data, and for the processing of such personal data. Protecting the data subjects’ privacy and personal data is of utmost importance to Scanfil. Scanfil is committed to complying with the requirements of data protection regulation applicable to us in the processing of your personal data. The means and purposes of processing the personal data are described in more detail in this document.


Data Controller

Scanfil Oü
(Business ID: 10179589)
Vana-Sauga 40
80010 Pärnu
Tel.: +372 44 26800

Contact Person

Daniela Kond
c/o Scanfil Oü
Tel.: +372 51 999 722


The EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies to all processing of personal data as a general law. Processing of personal data must always be based on a legal ground set forth in the GDPR, throughout the entire processing time from the collection of data until its anonymization.

Processing of business contact representatives’ data is based on the following grounds:

  • Contract between Scanfil and organization represented by the data subject, and/or data subject
  • Scanfil’s legal obligation
  • Data subject’s consent under applicable legislation
  • The performance of a contract between the data subject or an organization represented by the data subject and Scanfil, or other relevant connection between them, in which case the legal ground for processing is legitimate interest of Scanfil or a third party (such as current or future business partners, suppliers or customers), or other legitimate interest pursued by Scanfil or by a third party (such as current or future business partners, suppliers or customers). 

A legitimate interest may be, for instance, Scanfil’s groupwide information sharing, marketing and CRM administration activities, prevention of fraud or misuse of IT systems or money laundering, physical as well as IT and network security, as well as potential merger and acquisition activities.

The provision of personal data of the relevant business contact representative as described in this document is necessary for the conclusion and/or performance of the relevant agreement entered into between Scanfil and its business partner. If the relevant representative does not provide personal data to Scanfil, it may no longer be able to manage and administer the contractual relationship with the business partner in question, in which case Scanfil may have to terminate the relevant agreement.


Scanfil processes the following business contact representatives’ personal data for the purposes of operating, managing and improving business contact relationships, sending releases to analysts and media, communicating with business contact representatives as well as for managing registrations for different occasions.

Business contact representatives’ personal data processed by Scanfil:

  • name
  • gender
  • employer
  • title
  • address
  • email address
  • phone number

Furthermore, Scanfil may process change data of the above-mentioned data categories.


Scanfil collects data concerning business contact representatives primarily from the business contact representative him/herself. Data is also collected from systems that record data processed in the register as well as from other permitted sources, including public sources as allowed in applicable legislation.

In addition, Scanfil may collect data from other sources based on the business contact representative’s consent.


Scanfil may transfer business contact representatives’ personal data to third parties in the following manner in order to fulfil the purposes of processing described in this document. When personal data are transferred to a body which processes personal data on behalf of Scanfil (i.e. data processor) Scanfil has through contractual arrangements ensured that personal data is processed only in accordance with Scanfil’s written instructions and merely for the purposes described in this document and that access to personal data is only allowed for persons who need access to data based on their tasks.

  • Data processors: Scanfil may transfer personal data to processors in order that the processors perform services and tasks assigned to them. Data processors’ tasks relate, for instance, to data systems and software as well as offering other data processing services.
  • Transfers or disclosures to Group companies

Some of the data processors used by Scanfil are located outside the EU or EEA area. Scanfil has contractually ensured that these entities undertake to apply an appropriate level of data protection in their processing practices, and thus the data transfers are subject to appropriate safeguards. More information on cross border transfers of personal data and on the appropriate safeguards applied thereto from time to time is available from the contact person mentioned under Section 2 of this document. 

In addition, Scanfil discloses personal data to the entities belonging to the same group of companies as Scanfil for a number of different purposes (such as centralized group functions, including without limitation globally accessible business contact management services, intra-group communication, coordination and reporting). Such an exchange of information involves intra-group transfers of personal data between Scanfil group entities located in different parts of the world. Scanfil may additionally disclose personal data for instance to authorities within the limits allowed or required in currently applicable legislation.


Scanfil or such data processor that processes personal data on behalf of Scanfil retains personal data in accordance with applicable legislation for as long as data retention is necessary for the purposes of processing. When Scanfil no longer needs the data for the purposes described in this document, the data are removed from Scanfil’s and/or processors’ data systems and other data files and irrevocably anonymized. The aforementioned does not, however, apply to data subject to statutory retention period. Business contact representatives’ personal data are principally removed at request and at the latest when personal data is no longer necessary for the purposes of processing.

Where the personal data is collected on the basis of an obligation based on applicable law, the retention time of personal data may also be subject to explicit statutory requirement. Scanfil may also retain certain personal data after the termination of the initial processing purpose, should such retention of personal data be necessary to comply with other applicable laws or should Scanfil need the personal data to establish, exercise or defend a legal claim, on a need to know basis only.


Scanfil ensures the safety and protection of business contact representatives’ personal data against security breaches with firewalls, passwords and other technical safeguards. Data systems and their backups are located in locked facilities. Access is allowed only for persons who need access to the data in order to perform tasks or for fulfilling the purposes of processing. Persons processing the data are not allowed to disclose these data to third parties.


The General Data Protection Regulation provides the data subject with several rights based on which the data subject can in many situations himself/herself decide on the processing of his/her personal data. The data subject may use the following rights with regard to Scanfil to the extent Scanfil acts as the controller of the personal data of the data subject in question.

  • Right of access: The data subject has the right to obtain a confirmation from the controller on whether the controller processes personal data concerning the data subject and the right to access such data. The data controller may ask the data subject to specify his/her access request, amongst others, with regard to the details of the data to be delivered.
  • Right to rectification: The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning him/her processed by the controller, or to have incomplete personal data processed by the controller to be completed.
  • Right to be forgotten: The data subject has the right to obtain from the controller the erasure of personal data related to him/her, and the controller has the obligation to erase such data in case there is no longer a legal ground for the processing of such data, or where the legal or contractual obligation binding the controller related to the storing of the personal data has ended, or where the data subject has withdrawn his/her consent to the processing of his/her personal data.
  • Restriction of processing: In certain cases, where so prescribed by law, the data subject may have the right to obtain from the controller restriction of processing of his/her personal data.
  • Right to data portability: The data subject may, subject to certain conditions prescribed by law, have the right to receive the personal data concerning him/her processed by the controller in a commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the original controller.
  • Right to object to processing of his/her personal data: In certain cases, the data subject may have the right to object to processing of personal data concerning him or her. The right to object is applicable in such situations in particular where the processing of personal data is based on the controller’s legitimate interest. In such situations the controller has to follow the data subject’s request, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  • To the extent the processing of personal data has been based on the data subject’s unambiguous consent, the data subject has, at any time, the right to withdraw his/her consent regarding the processing.

Requests relating to the aforementioned rights shall be directed to the contact person mentioned in section 2 of this document. 

In addition, the data subject has the right to lodge a complaint with the supervisory authority on the processing of the personal data by the controller. The complaint shall be made to the competent supervisory authority, in Estonia to the Estonian Data Protection Inspectorate, in accordance with its instructions. The website of the Estonian Data Protection Inspectorate can be found here.


Scanfil may, from time to time, change this document. You can tell when changes have been made to this document by referring to the “Last Updated” legend at the top of each page of this document. Scanfil encourages you to review this document regularly for any changes.

© Copyright Scanfil 2018. All rights reserved.
