Privacy Statement of the Arvo Pärt Centre

1 General
1.1 This Privacy Statement (‘the Statement’) of the Arvo Pärt Centre applies to you whenever:

  • You visit the Arvo Pärt Centre (‘the Centre’), incl. attending events;
  • You contact the Centre through network devices, incl. when you request access to the Centre’s archival material as a researcher, book a tour, reserve a reading room, notify the Centre in advance about a group visit or special needs;
  • Materials containing your data are added to the Centre’s archives;
  • You browse the Centre’s website https://www.arvopart.ee/ (‘the Website’);
  • You browse the Centre’s online shop at https://shop.arvopart.ee/ (‘the online shop’), and make purchases there;
  • You make donations;
  • You subscribe to the newsletter;
  • You buy a ticket.

1.2 You can find out more about the personal data collected by the Arvo Pärt Centre during the above operations, their legal bases, and the objectives of data processing in Chapter 4 of the Statement.

2  Personal Data Controller
2.1 For processing the personal data described in the Statement, the controller of your personal data is:
Arvo Pärt Centre Foundation
Reg. no. 90003870
Address: Kellasalu tee 3, 76702 Laulasmaa, Lääne-Harju vald
e-mail: info@arvopart.ee
2.2 The Arvo Pärt Centre Foundation (‘the Controller’ or ‘we’, ‘our’) defines the objectives and means of processing your personal data.

3 Categories and sources of personal data
3.1 Personal data denotes information with which we can uniquely identify you, directly or indirectly, as a natural person (‘Personal Data’). The source of the personal data we process depends on how you interact with us.
3.1.1 Basic data: name, phone number, e-mail address (‘Basic Data’).
Source: The Personal Data you disclose to the Controller when contacting us, or which the ticket sales platform forwards to us when you use it to purchase tickets to the Centre.
3.1.2 When you contact us via e-mail, social media, or Website forms, we will process the following Personal Data related to you: Basic Data or public social media account data, and message contents (‘Communications Data’).
Source: The Personal Data that you disclose to the Controller by contacting us.
3.1.3 To provide access to the Centre’s archives to you as a researcher, we will process the following Personal Data related to you: Basic Data, educational institution / profession, a letter of certification if necessary (issued by the educational or research institution), information related to the extent of the researcher’s assignment (‘Researcher Data’).
Source: The Personal Data you disclose to the Controller when requesting access to the Centre’s archives.
3.1.4 By supplementing the Centre’s archives with materials that contain your data, incl. the following Personal Data: Basic Data, mailing address, data published in the content of the materials (e.g. letters), and the date of communication (‘Archive Materials’).
Source: The Personal Data you disclose to the Controller by contacting the Controller and forwarding materials for publication in the Centre’s archives, or which are forwarded by the creator of the archive (i.e. Arvo Pärt and his future heirs) to the Centre as the organizer of the personal archive.
3.1.5 By contributing towards the Centre’s activities with a donation, we will process the following data from you: Basic Data, date of birth, address, personal ID code, donation type, sum, country, supported project, bank account number (‘Donor Data’).
Source: The Personal Data you disclose to the Controller by filling in the donation form on the Website.
3.1.6 For marketing notifications, we will process the following Personal Data from you: name, e-mail address (‘Marketing Data’).
Source: The Personal Data you disclose to the Controller by filling in the corresponding form on the Website, the online shop, or at the front desk of the Centre.
3.1.7 For purchases made in the online shop, we will process the following Personal Data from you: Basic Data, any notes you have included with your order, delivery details (selected parcel machine, address), the selected payment method (‘Purchase Data’).
Source: The Personal Data you disclose to the Controller by making a purchase in the online shop,
3.1.8 For accounting requirements, we will process the following Personal Data from you: the source document of the transaction, the payment details, the bank account number, and the delivery details (‘Accountancy Data’).
Source: The Personal Data you disclose to the Controller when purchasing a ticket to the Centre by e-mail or via a ticket sales platform, making purchases in the online shop, or donating to the Centre.
3.1.9 When you visit the Centre, we will process the following Personal Data from you: footage of you in our video surveillance system recordings (‘Security Data’).
Source: The Personal Data collected by the Controller through video surveillance cameras and other technical solutions.
3.1.10 When you browse the Website and the online shop, we will process the following data about you: the IP address of the device, a log file with the time and date of the website visit, browser version, device OS, the URL from which you came to the Website or the online shop (‘Technical Data’).
Source: When you browse the Website or the online shop, the Controller’s online server automatically collects Technical Data from your device.
3.1.11   The Controller uses web cookies on the Website and the online shop to optimise your user experience. Web cookies may collect Personal Data (‘Web Cookie Data’). For more information, see Chapter 8 of the Statement.

4  The purposes of and legal bases for the processing of Personal Data
4.1 The legal basis for the processing of Personal Data depends on the purpose and activity for which we use your Personal Data. The table below provides an overview of the purposes and the legal bases regarding the processing of specific categories of your Personal Data:

The purpose of the processing

The legal basis for the processing

Categories of personal data processed by the Controller for this purpose

Ensuring the safety of the Centre’s visitors, premises, and property (incl. archival material)

The legitimate interest of the Controller to prevent and identify violations related to the protection of the property and threats to the interests of the Centre’s visitors

Security Data

Booking tickets to the Centre by e-mail or via a sales platform

Adoption, conclusion, and implementation of precontractual measures

        

Basic Data, Communications Data


Contacting with regard to changes in the programme

Registration of a group visit to the Centre (incl. registration for an educational programme)

Reserving a reading room at the Centre

Pre-ordering food from the Centre’s café

Notifying the Centre in advance about a visitor with special needs

Adoption, conclusion, and implementation of precontractual measures; and processing various types of personal data disclosed by the data subject

Basic Data, Communications Data (incl. different types of Personal Data regarding any visitor with special needs)

Enabling access to the Centre’s archives and its digital user environment, the Arvo Pärt Information System

Completion of the ‘Procedure for the access to and the use of archival documents’, concluded between a Researcher and the Controller

Basic Data, Communications Data, Researcher Data, Archive Materials

 

Evaluation and completion of a researcher’s application (incl. for releasing materials from the Centre’s archives or for publishing works)

Storing a researcher’s scientific work in the Centre’s archives

Researcher status management (incl. granting or revoking the status of a researcher, imposing additional restrictions or conditions), and researcher registry management

Basic Data, Researcher Data

Storing, organising, publishing Archive Materials in the Arvo Pärt Information System of the Centre’s archive, in accordance with the procedure specified in the document ‘Procedure for the access to and the use of archival documents’

The Controller and the archivist’s legitimate interest to archive, organise, and publish Archive Materials in the Arvo Pärt Information System, and to enable their use for scientific or historical research purposes

Archive Materials, Communications Data

Responding to queries and feedback, communicating with visitors

The Controller’s legitimate interest to ensure efficient customer communications

Basic Data, Communications Data

Completing orders submitted to the online shop

Adoption, conclusion, and implementation of precontractual measures 

Basic Data, Purchase Data,

Online shop customer relationship management and customer communications

Basic Data, Purchase Data, Communications Data

Keeping the Controller’s accounts

Fulfilling a statutory obligation

Purchase Data, Accountancy Data, Donor Data

Publishing the donor’s name on the Website, in publications or otherwise.

Consent

Basic Data (name only)

Sending a newsletter

Marketing Data

Managing the list of donors

Fulfilling a statutory obligation

Donor Data, Accountancy Data

Communications with supporters (incl. sending concert invitations and information about upcoming events to members of the Arvo Pärt Society)

The Controller’s legitimate interest to ensure the exchange of information with the Centre’s supports with regards to the development of the Centre

Basic Data, Donor Data, Communications Data

Troubleshooting and repairing problems with the Website and the online shop

The Controller’s legitimate interest to ensure the safety of Personal Data and to prevent unlawful activities

Technical Data, Web Cookie Data

Analysis of the statistical data related to the use of the Website and the online shop

Consent

Technical Data, Web Cookie Data

Backing up documents and materials

The Controller’s legitimate interest in storing documents and materials in back-up systems

All data categories listed in Section 3.1 of the Statement

Disclosure of personal data to a payment service provider

Adoption, conclusion, and implementation of precontractual measures

Purchase Data, Accountancy Data

Disclosing personal data to public authorities and law enforcement authorities

Fulfilling a statutory obligation

All data categories listed in Section 3.1 of the Statement, as necessary

Disclosing personal data to professional consultants

The Controller’s legitimate interest to ensure that economic activities are carried out correctly, and drafting, submitting, or defending legal claims

All data categories listed in Section 3.1 of the Statement, as necessary

Consent management

Fulfilling a statutory obligation

Basic Data, Web Cookie Data, Technical Data, Marketing Data


4.2 Please note that we may process your Personal Data for other purposes besides those specified above. In this case, we will notify you of the new purpose of the processing and provide other relevant information before processing the Personal Data for other purposes.
4.3 If you do not disclose the Personal Data requested in the forms to us, we will not be able to provide you with the service you have requested or enter into an agreement with you, for example, to fill any online shop purchase orders or enable access to the Centre's archives.

5 Retention of Personal Data
5.1 We will retain your Personal Data until reasonably necessary to achieve the objectives stated in Section 4.2 of the Statement, unless otherwise stipulated in the applicable legislation or below:
5.1.1 We will retain Communications Data for up to 10 years from the beginning of the year following the end of the respective communications thread.
5.1.2 We will retain Accountancy Data for up to 7 years from the end of the financial year when the transaction was recorded in our accounting system.
5.1.3 We will retain Marketing Data until you revoke your consent. We will retain data about giving and revoking consent for up to 3 years from the beginning of the following year from when you withdrew your consent.
5.1.4 We will retain Researcher Data (excl. the register of researchers) for up to 3 years from the start of the calendar year following the termination of the researcher status of a particular researcher. We will retain researchers’ applications for publishing works and documentation related to the permit until the end of the copyright term of the respective work.
5.1.5 We will acknowledge donors by name on the Website until you revoke your consent. We will retain data about giving and revoking consent for up to 10 years from the beginning of the following year from when you withdrew your consent. We will retain Donor Data in the form of a register of supporters in 10-year intervals from the start of the Centre’s operations.
5.1.6 We will retain Security Data in 3-month intervals, from the start of the Centre’s operations.
5.1.7 We will retain Technical Data for up to 45 days after its collection.
5.1.8 Purchase Data is retained for as long as they are necessary for data processing purposes or fulfilling legislative obligations. When determining the retention period of data, we take into consideration the amount, the nature, and the sensitivity of Personal Data, as well as the potential risks related to the processing of this data.
5.2 After the Personal Data retention period specified in Section 5.1 of the Statement, we may retain your Personal Data for longer than is necessary to fulfil legislative obligations or requirements, to resolve legal disputes, or to enforce an agreement entered into with us.
5.3 At the end of the Personal Data retention period specified in Section 5.1 of the Statement, or when the legal basis regarding the purpose of processing Personal Data is no longer valid, we may retain materials containing your Personal Data in back-up systems, from which they will be deleted at the end of the back-up cycle. We take appropriate measures to ensure the safety of materials backed up during the back-up period. Backed-up materials are discarded, not processed for any purpose, and deleted as soon as possible, i.e. at the end of the back-up cycle.

6  Your rights regarding data protection
6.1 You have the following rights with regards to the Controller’s processing of Personal Data:
6.1.1 The right of access to Personal Data. You have the right to request access to all Personal Data we process about you. For example, this includes the right to information about whether we process your Personal Data, and which categories of Personal Data we process and for what purpose.
6.1.2 The right to rectification of Personal Data. You have the right to request that your Personal Data be corrected and updated, if you think we have incorrect data concerning you.
6.1.3 The right to erasure of Personal Data. You have the right to request that your Personal Data be erased, if it is no longer necessary for the purpose for which we collected it, the deletion is necessary to comply with a legal requirement, or you consider the processing of the Personal Data to be unlawful;
6.1.4 The right to revoke consent. If the legal basis for processing your Personal Data is consent, you have the right to revoke that consent at any time. Revoking your consent does not affect the lawfulness of processing Personal Data prior to the time the consent was revoked;
6.1.5  The right to object. You have the right to object to the processing of Personal Data which is based on our legitimate interest or which we process for marketing purposes.
6.1.6 The right to transfer Personal Data. You have the right to request the transfer of your Personal Data that you have provided to us and for which the legal basis of the processing is your consent, or the preparation, conclusion, and performance of an agreement between the parties. You can request that Personal Data be transferred to yourself or to another Controller only if such transfer of Personal Data is technically feasible.
6.1.7 The right to request a restriction on the processing of Personal Data You have the right to request a restriction on the processing of Personal Data, for example if you want to (i) challenge the accuracy of Personal Data; (ii) record unlawful data processing; (iii) receive or prevent the erasure of Personal Data, i.e. you need the Personal Data to make, file, or defend a legal claim; or (iv) object to a legitimate interest and you wish to restrict the processing of the data in question until a decision is made.
6.1.8 The right to contact the Estonian Data Protection Inspectorate. You have the right to contact the Estonian Data Protection Inspectorate (www.aki.ee) if you think your Personal Data has been processed without any justification or in conflict with applicable legislation.
6.2 To exercise the above rights, please make contact in accordance with Chapter 9 of the Statement.
6.3 We affirm that we process your Personal Data in accordance with applicable EU and Estonian legislation and instructions from supervisory authorities. We implement all reasonable technical and organisational security measures to protect any collected Personal Data against loss, unlawful use, and alteration.

7  Transmission and recipients of Personal Data
7.1 Your Personal Data is processed by duly authorised employees of the Controller who have the right and the need to process Personal Data due to their job responsibilities.
7.2 If necessary, we will only disclose your Personal Data to the following categories of Personal Data recipients who will process your Personal Data as separate Controllers:

Personal Data recipient category

Reason for disclosing Personal Data

Public authorities and law enforcement agencies

If necessary, we will disclose your Personal Data to public authorities and law enforcement agencies to comply with a legal obligation, a court order, or, in other circumstances, to prevent and deter unlawful activities.

Researchers requesting access to the Centre’s archives

At the request of a researcher, we provide access to Archival Materials in the Arvo Pärt Information System in accordance with the procedure outlined in the document ‘Procedure for the access to and the use of archival documents’ with the aim of enabling scientific and historical research.

Professional consultants (subject to a statutory obligation of confidentiality)

If necessary, we will disclose your Personal Data to professional consultants to support the Centre’s activities, such as auditors and legal advisers.

Payment service providers

Financial transactions related to purchases made through the online shop are processed by payment service providers to the extent necessary to manage your payments, refunds, and complaints.

7.3 For the operation of the Website and the online shop, we may involve and use authorised processors for the processing of Personal Data who will get access to your Personal Data only for the purpose of fulfilling the contract concluded with us, and who will implement the necessary level of organisational safeguards for the processing of Personal Data. The authorised processors we involve belong to the following categories:

IT service providers

For the operation of the Website and the online shop, our IT service providers (e.g. web hosting, online shop platform, and e-mail service providers) who manage and enable us to use the technical infrastructure, may have access to your Personal Data.

Accounting service provider

In connection with the services provided at the Centre and the management of the online shop, our accounting service provider may have access to your Personal Data.

7.4           Some of the authorised processors and recipients we involve in data processing may be located outside of the European Union or the European Economic Area, so when we disclose Personal Data to them, we may be transferring your Personal Data outside of that territory. In this case, we will ensure that adequate safeguards are in place to protect your Personal Data. You have the right to receive further information regarding the protection measures taken by contacting us, using the contact details provided in Section 9 of the Statement.

8  Using web cookies
8.1 To improve and optimise your user experience on the Website and in the online shop, we use web cookies and other similar technologies. Web cookies are small text files that our Website and online shop ask your browser (e.g. Internet Explorer, Chrome, Firefox, Safari, Opera) to store on your computer or mobile device. The web cookie remembers your activities and preferences, enabling us to offer you a pleasant user experience on our Website and online shop. Without web cookies, not all of the functions of our Website and online shop are available. The Controller does not collect Personal Data through web cookies.
8.2 Web cookies are used to identify you as a user who has already visited the Website and the online shop, as well as to facilitate the collection of traffic statistics for the Website and the online shop, and to improve the navigation experience for users. For this purpose, we use the following types of web cookies:
8.2.1 Web cookies strictly necessary for the operation of the Website and the online shop are applied as soon as you open the Website or the online shop in your web browser. Without strictly necessary web cookies, we cannot provide you with Website or online shop content. Such cookies include web cookies installed by WP Cerber (Cerber Tech Inc.) that ensure the security of the Website and the online shop.
8.2.2 Functional web cookies, which are necessary for the functioning of the Website and the online shop, enabling us to present and transmit content. These web cookies store the correct formatting and other settings of the Website and the online shop to adapt to the parameters of your device.
8.2.3 Analytical web cookies that allow us to collect information about the use of the Website and the online shop, and about visitors. Analytical web cookies are only used with your consent. The following Google Analytics web cookies are used on the Website and the online shop:

Cookie name

Purpose

Activity period

_ga

An analytical web cookie installed by Google Analytics that associates a unique ID with you, enabling us to collect statistical data about the Website and online shop users. Only used with your consent.

2 years

_gid

1 day

_gat

A cookie installed by Google Analytics to reduce the number of queries. Only used with your consent.

1 day

Google Analytics web analytics web cookies are provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043. Information generated from these web cookies is generally transmitted to a Google server in the United States. You can prevent the installation of Google Analytics web cookies by using a special plug-in in your browser.
8.3 Permanent cookies with a fixed activity period become passive (i.e. do not collect data) after the end of the activity period and are deleted if you decide to remove them from your device using a method described in Section 8.4 of the Statement. Session cookies are deleted when you close your browser.
8.4 You can adjust your browser’s web cookie settings. Your browser’s web cookie settings affect all websites you visit online. Find out more how to change web cookie settings here.

9 CONTACT INFORMATION
9.1 If you have any questions regarding the processing of your Personal Data, if you wish to exercise the above-mentioned rights or to file a complaint, please contact us by e-mail: info@arvopart.ee.

10 Making changes to the Privacy Policy
10.1 We may change the Privacy Policy from time to time to reflect the processing of your Personal Data accurately. In case of a significant change, we will notify you via the Website or the online shop. We recommend reading the Statement again before disclosing your Personal Data.