Processing of personal data at the academy
Contact details of the personal data controller
The controller: The Estonian Academy of Security Sciences
Kase 61, 12012 Tallinn
Registration code: 70004465
Telephone: +372 6126800
Data protection specialist: Gaili Parts
e-mail: petsialist@s
Introduction
The following is a summary of the principles and means of data processing used to protect personal data at the Academy of Security Sciences (hereinafter the academy).
The academy processes personal data pursuant to the General Data Protection Regulation of the European Parliament and the Council and the Personal Data Protection Act. The processing of both electronic and paper documents (including retention periods) and access rights at the academy are mainly regulated by the following legal acts:
- The Procedure for Processing Personal Data at the Estonian Academy of Security Sciences;
- The Information Management Procedure at the Estonian Academy of Security Sciences;
- The List of Documents of the Estonian Academy of Security Sciences.
The academy reserves the right to change the personal data processing conditions by making the changes available on the website www.sisekaitse.ee. Changes in the terms and conditions may be necessary primarily to keep them up to date and in compliance with all personal data protection requirements.
The academy processes personal data for the purposes set out in the statutes and for the performance of the tasks set by the legislation. According to the statutes, the aim of the academy is to develop the area of internal security and prepare qualified specialists for the field. In order to fulfil the given aim, the academy conducts vocational, professional higher education and Master’s studies, as well as continuing training and research and development activities. The academy is also the provider of several occupational qualifications; see more in the register of occupational qualifications. Similarly, it is the aim of the academy to promote higher and vocational education in its fields of activities.
The academy processes personal data only if there is a legal basis for it and only as long as it is necessary to fulfil its purpose or comply with legal requirements. The academy shall protect the personal data it uses from unauthorised use and from use for purposes other than those intended. In order to ensure the protection and lawful processing of personal data, the academy shall implement organisational and technical measures.
The data protection terms and conditions do not address the ways the academy processes the data of legal persons or how other entities process personal data. They also exclude the processing of personal data on other websites that are referred to by external links on the academy website.
1. Processing of the personal data of learners applying for higher education
As the data controller, the academy shall process the personal data of persons who have applied for vocational, applied higher education and Master’s studies (hereinafter student applicants). The personal data of student applicants are processed by the academy in the Estonian Admission Information System (SAIS) pursuant to the consent given by the student applicants. Further information about the extent and principles of personal data submitted via SAIS is here.
The academy processes the student applicant’s personal data in order to determine their compliance with enrolment conditions and decide on their matriculation. The academy also processes the student applicant’s personal data for the purpose of reporting and statistics (public information obligations). The following personal data of student applicants are processed by the academy:
- first and last name, personal identification code or date of birth;
- identity card number;
- citizenship;
- contact details, incl. e-mail, home address, telephone number;
- language skills;
- level of education;
- state examination results;
- professional activity;
- sports achievements;
- academic results;
- completion of military service;
- other data specified in the admission form.
The student applicant’s personal data reach SAIS via national registers (Population Register, Estonian Education Information System (EHIS) and Examination Information System (EIS)) or they are entered into the system or submitted on the admission form by the student applicants themselves. The academy may submit queries to national registers in SAIS to verify data. The academy may repeat the register inquiries to check the termination of studies continuing at the time of submission of the application or to update the student applicant’s name based on a respective notification in case it has changed.
In case it is specified in the admission conditions, student applicants shall take physical and other admission tests. The results of the admission tests are processed by the academy on the basis of the consent given by the student applicant in SAIS. Student applicants for the specialities of Police Officer, Police Service, Emergency Dispatcher, Rescue Service, Corrections and Prison Officer must pass a background and health check. In the course of the background check, personal data are processed pursuant to §42 of Police and Border Guard Act, §114 of Imprisonment Act and §7 of Rescue Service Act, and in the course of the health check, personal data are processed pursuant to §71 of Police and Border Guard Act, §146 of Imprisonment Act and §7 subsection 4 of Rescue Service Act. The legal basis for processing the results of background and health checks is the fulfilment of a legal obligation stipulated by law.
The personal data of an external student are processed by the academy on the basis of the student’s application. An external student who has been expelled from degree studies must have the consent of the respective authority to participate in the internship and to take the final exam or defend their graduation thesis. The academy may request confirmation of consent from the relevant authority.
The academy as the data controller shall process the personal data of student applicants in various information systems, including on SAIS, document management information system DELTA, Office 365, on their network drive and MS Teams.
2. Processing of the personal data of students of degree studies
As the data controller, the academy shall process the personal data of students of degree studies, including external students, on the basis of the principles described below.
The academy processes the personal data of students of degree studies in order to fulfil a legal obligation or the public law function (conducting instruction) stipulated by law. The academy also processes the personal data of the students of degree studies to fulfil contracts (for instance, rental agreement, external studies agreement, part-time studies agreement, library services agreement etc.). In exceptional cases, the processing is based on consent or legitimate interest.
The academy mainly processes the following personal data of students of degree studies:
- first and last name, personal identification code, date of birth, citizenship and contact details. The main purpose of processing the respective personal data derives from the Statute of the Estonian Academy of Security Sciences, Vocational Educational Institutions Act and Higher Education Act, and the processing is necessary for the student personalisation, organisation of study activities, creating a student’s user account on the academy computer network, ensuring health insurance and issuing academic documents.
- educational data for the organisation of studies, for instance, data on earlier education, education to be acquired (curriculum and the choices made therein, form of studies, the period of studies, academic results etc.);
- the data necessary for granting scholarships, reimbursing transport expenses, academic leave, student meals and accommodation, and keeping records on study expenses (for instance, participation in classes, the number of days with meals and accommodation, bank account number, reasons for exmatriculation, military service);
- sensitive personal data that include, for instance, applications for absence from instruction, taking an academic leave, being exempted from the reimbursement of tuition fees, receiving food allowance and the respective certificates, including medical certificates. In addition, for the purpose of checking the student’s compliance with the health requirements for the selected speciality, the student’s health data will also be processed by the occupational health doctor pursuant to the agreement made with the academy.
- the student’s body measurements for issuing the uniform in case the student is required to wear a uniform.
- recording the performance of academic tasks (e.g. uniform cameras) for the purpose of analysing instruction.
The legal basis for processing the above-mentioned data is the academy’s statutory obligation and/or tasks in the public interest (organising instruction). The legal basis derives from national legal acts (for example Higher Education Act, Vocational Educational Institutions Act, Police and Border Guard Act, Imprisonment Act, Rescue Service Act, Professions Act), the enforcement of which is regulated by regulations (for instance, Statute of the Estonian Academy of Security Sciences, Comprehensive Assessment System in Higher Education with Conditions to be Awarded a Diploma, Statutes of EHIS, The Terms and Conditions for the Tuition Costs and their Reimbursement Rate at a Professional Higher Education Institution of Internal Security, The Amount of the Allowances Paid to the Students and Cadets of the Academy of Security Sciences and the Terms and Procedures for Payment Thereof, The Amount of the Allowance of the Prison Officer Candidate and the Terms and Procedures for Payment Thereof) and the academy’s regulations (for instance Rules for Student Admission, Study Regulations, Statute of the Special Scholarship, The Procedure for the Motivational Scholarship for Students of the Prison Service College and the Provision of Accommodation and Meals, the Rules for the Provision of Meals and Reimbursing Meal Expenses, the Rules for Reimbursing Travel Costs for Students Acquiring Vocational Education).
The academy processes the personal data of students of degree studies (e.g. name, identification code, contact information etc. needed for the fulfilment of contract) for the conclusion and fulfilment of the rental agreement for the dormitory room, the external study agreement or the agreement for the reimbursement of tuition costs concluded with the student, and also for the purpose of submitting claims in case debts arise.
Contact details of a graduate of degree studies may be used by the academy on the basis of legitimate interest for the purpose of conducting studies, presenting further training opportunities and alumni activities.
The academy may also process the student’s personal data on the basis of their voluntary consent (for marketing, supervision of instruction). In such cases, the purpose of the use and categories of personal data will be referred to in the consent. The academy will inform the student thereof separately.
In the e-learning environments, students can add voluntary information (e.g., photos, interests) to their user profile to improve the user-friendliness of the environment. The legal basis for processing the given data is the student’s consent. The student has the right to change and delete these data at any time.
Student data is access-restricted information that third parties can access only in cases provided by law. The academy may transfer the student’s personal data either to the student’s employer or other third party to fulfil a legal obligation or to perform a task in the public interest (e.g., for the completion of internship, for recruitment). The academy may also transfer the personal data of a student of degree studies on the basis of the student’s voluntary consent.
The personal data related to students that do not need to be stored will be destroyed securely after the retention period has expired pursuant to the list of the academy documents.
The academy processes the personal data of students in various information systems, including Tahvel, document management information system Delta, Office 365, MS Teams, rental agreement information system Kampus, academy’s intranet, network drives, student database Stud, e-learning environment Moodle and library software Ester.
3. Processing the personal data of students of continuing learning
As the data controller, the academy processes the personal data of students and applicants of continuing education, including auditor students and students of micro-credentials.
The personal data of students of continuing education are processed by the academy in order to fulfil a statutory legal obligation and/or a task performed in the public interest. The academy also processes the personal data of students in continuing education to fulfil the contract concluded with the student (e.g., the use of library services, dormitory room, participation in continuing training for a fee).
The obligation to process personal data of the students of continuing education to fulfil a legal obligation and/or to perform a task in the public interest arises from national legal acts (e.g., Adult Education Act), with its execution regulated by regulations (e.g., the statute of EHIS, continuing education standard) and the academy’s legal acts (e.g., Regulations for Continuing Education of the Academy).
For the purpose of organising continuing education, preparing documents and reporting, the academy will process primarily the following personal data of the students of continuing training:
- first and last name;
- personal identification code;
- contact details (e-mail, telephone);
- details of the institution of the employed person (in case of institutional referral);
- in case of a tuition fee, the details of the payer (name, personal identification code, address);
- approvals for participation in continuing training;
- academic results of continuing training;
- the personal data of a student of continuing training (excl. academic results of continuing training) are collected through the registration form.
Other personal data of the student of continuing education are collected and processed by the academy on the basis of the student’s consent and at the request of the payer of the tuition fee. The academy will inform the student of continuing education thereof separately.
If the applicant and student of continuing education provides their consent for the processing of personal data, the academy may use their contact information (e.g., e-mail address) in marketing activities to offer training information in continuing or degree studies. The student of continuing studies can unsubscribe from the information at any time via the link provided in the e-mail. The following privacy notice is included in the registration form of continuing education:
“When registering for this training, your personal data will be processed only for the activities related to this training, including sharing information and conducting instruction, and preparing the documents to prove the completion of the training. The terms and conditions of the processing and protection of personal data can be found on the page Data Protection Conditions for Continuing Education, link provided.”
Data on participation in continuing education may be transferred to the student’s employer or other third party in the case of legitimate interest, in order to comply with a legal obligation or to fulfil a task performed in the public interest, for example to an employer who has paid for the training or has referred the student to the training, or to a person who commissioned the training and requires the information to meet funding requirements. The academy may also transfer the personal data of a student of continuing training on the basis of the student’s voluntary consent.
Continuing education student data are access-restricted information that third parties can access only in cases provided by law.
Training materials containing personal data (e.g., registration sheets) will be destroyed after the expiry of the deadline for contesting and submitting claims by the payer for the training. Other documents and data containing the personal data of the student of continuing education that do not need to be permanently stored will be destroyed after the expiry of the retention period and the period for contesting and submitting claims by the payer for the training pursuant to the list of academy documents.
The academy processes the personal data of students of continuing education in various information systems: Juhan, the Information System for Continuing Education, document management information system Delta and the academy website and e-learning environments, incl. Moodle and Office 365 and MS Teams.
In case the student of continuing education registered for the training at the academy in the training information system Juhan, their data will be forwarded to the academy as the authorised processor. After the training, the academy will send the academic results to the information system Juhan. The academy is authorised to do so on the basis of the consent given by the student upon their registration as the user of the information system Juhan and of the agreement that the academy has concluded with the operator of the information system Juhan (see also the terms of use of the continuing education information system Juhan).
4. Processing the personal data of applicants of professional qualification
As the data controller, the academy shall process the personal data of persons who apply for a professional qualification to fulfil a legal obligation and/or to perform a task in the public interest. The legal obligation and/or a task in the public interest arise from the Vocational Act, Statutes of the Estonian Register of Professions, the Procedure for Awarding Professional Qualification and other documents of the academy related to awarding professional qualifications.
As the data controller, the academy shall process primarily the following personal data of applicants of professional qualification:
- the data given in the professional qualification application form (first and last name, personal identification code, contact details, e-mail address, recipient of the invoice);
- professional exam performance.
For the revalidation of professional qualification, the academy shall process the following personal data:
- the data given in the professional qualification revalidation application form (first and last name, personal identification code, contact details, e-mail address, recipient of the invoice);
- data on professional self-development from the beginning of the period of validity of the previous qualification;
- career data (service record);
- identity document data.
When awarding the qualification, the academy will transmit the following personal data of the person awarded the qualification for the purposes of making entries to the Professional Register and issuing a professional certificate:
- first and last name and personal identification code, in the absence thereof, date of birth;
- the registration number of the professional qualification certificate issued to the person;
- the issuer and date of issue of the professional qualification certificate;
- the level of the awarded qualification;
- the period of validity of the professional qualification.
The data of the Professional Register are public. The person has the right to refuse the disclosure of their data in the Professional Register by indicating their wish in the application for a professional qualification. The person may also suspend the publication of their data in the Professional Register by sending an application to the address a@kutse.
The academy processes the personal data of applicants for a professional qualification in several information systems: document management information system Delta and e-learning environments, incl. Moodle and Office 365 and MS Teams.
5. Processing the personal data of applicants for employment or service
As the data controller, the Internal Security Career Centre shall process the personal data of persons applying for employment or service at the Academy. You can read about the principles of personal data processing at the Internal Security Career Centre HERE.
6. Processing the personal data of employees
As the data controller, the academy shall process the personal data of people working at the academy or in the service there (hereinafter the employee) to fulfil the employment contract, to fulfil a legal obligation or the public law function. A legal obligation and performance of a task in the public interest arise from the Public Service Act, Police and Border Guard Act, the Imprisonment Act and the Rescue Service Act and other legal acts (for instance, tax laws, labour acts, Accounting Act, Government Regulation “Establishment of the State Human Resources and Payroll Database and its Statutes”).
The academy primarily processes the following personal data of employees:
- first and last name and personal identification code;
- bank account number;
- gender;
- citizenship;
- address;
- education and qualification;
- years of service;
- data concerning the service or employment;
- the fixed or negotiated and paid salary, remuneration, allowances and benefits;
- data on the notifications and restrictions on engaging in side activities and restriction of competition;
- data on the time of conducting the health check;
- completed trainings and the administrative contracts or agreements for training cost reimbursement for participating in a resource-intensive training;
- incentives, warnings and disciplinary sanctions;
- business trips;
- transfers;
- the time of the suspension of the right to exercise public authority and the time when the employee has the right to refuse to perform work;
- compliance of the health condition with the requirements of the position, in case the requirements arise from the law;
- the time and place of taking the oath of office;
- the permits needed for the performance of service or work duties;
- data on the working time accounting;
- the name and personal identification number of the employee, their minor children and other dependants if it is necessary to fulfil the obligations arising from the law (e.g., to provide a leave, pay funeral allowance);
- the certificate for the obligation to attend reservist training;
- data about the employee’s personal vehicle if the employee uses the vehicle for work trips;
- data given in the documentation on performance and development interviews and evaluation results;
- data on the employee’s uniform, including measurements, if the employee is required to wear a uniform;
- data on the employee’s health status, such as medical certificates, health examination decisions, data on work accidents and occupational diseases.
The e-mail addresses and telephone numbers created for the employees for work-related communication are published on the academy website and intranet, and information on the beginning, change and termination of the employment relationship is given in the weekly newsletter for the employees, on the basis of legitimate interest in order to allow the staff to contact them.
Personal data are also processed by the academy on the basis of legitimate interest to perform administrative tasks and ensure security (incl. when registering employee data in databases, using video surveillance and fingerprint recognition system (personal image, biometric data, access card logs), granting entry to the academy’s premises and territory).
With the employee’s consent, the academy processes the employee’s date of birth and years of service, also the date of birth of the employee’s minor children to organise events and congratulate the employee.
The academy processes the employee’s personal data in several databases: business software SAP, the self-service portal of state employees and the document management information system DELTA, on the network drive, Office 365 and MS Teams.
7. Processing the personal data of contractual cooperation partners
In the course of joint activities between the academy and its cooperation partners, the personal data of natural persons are processed to conclude contracts between parties and to provide the agreed service.
The services related to cooperation partners and the personal data processed in the course of the services are mainly as follows:
- renting or leasing premises (first name, last name, personal identification code, telephone number);
- educational service contracts concluded with (visiting) lecturers (first and last name, personal identification code, bank details, education, other data certifying qualification);
- service contracts (the contractor’s first and last name, personal identification code, education, work experience or other data and documents to certify their qualification in case the given requirement is stipulated in the procurement documents of the service contract);
- issuing access cards (first and last name, personal identification code or date of birth, work place);
- management of the information displayed by surveillance equipment (personal image, access card logs).
Pursuant to §759 of the Police and Border Guard Act, the academy has the right to require a background check of the persons providing services to the academy. The service provider will be notified of the need for a background check in advance. In order to perform a background check, the service provider will submit to the Police and Border Guard Board the data specified in the personal form approved by Regulation no 1-1/22 of the Minister of the Interior. The Police and Border Guard Board will notify the academy of the results of the background check.
The academy processes the personal data of cooperation partners in several information systems: business software SAP, public procurement register, rental agreement information system KAMPUS, and the document management information system DELTA, Office 365 and MS Teams.
8. Conducting conferences and events
The academy processes the personal data of event participants for conducting and improving the organisation of conferences and other events (hereinafter events). For this purpose, the academy processes the participants’ names and contact details, if necessary, also other information, for example, about the represented institution. The academy stores registration forms with participant details as accounting reference documents and their contact information to send event materials and ask for feedback.
If the event is recorded or photographed, the purpose of processing personal data (personal images) is to inform the public. Photos and clips from the recordings are used for promotional purposes to introduce the work of the academy and to promote the vocational and higher education as well as research and development activities in its sector.
The basis of the collection of data is the fulfilment of the contract (mutual responsibilities) and legitimate interest (asking for feedback, statistics). In the case of recordings and photographing, it is also based on the participant’s consent – if the event is recorded or photographed, participants are notified thereof and they may indicate that they do not wish to be recorded or photographed and thus choose their seat accordingly.
If the event is broadcast, recorded or photographed, it will be separately notified during the event. The recordings may be published on the academy website and social media channels.
In case the event is funded by structural funds, sign-in sheets certifying participation are given to the appropriate unit at the State Support Service Centre.
The academy processes the personal data of event participants in several information systems: network drive, Office 365 and MS Teams.
9. Using the surveillance system
For the purpose of safeguarding the buildings and premises used by the academy and the protection of the people and property therein, the academy uses a surveillance system both due to legitimate interest and the fulfilment of a legal obligation.
When installing video surveillance equipment, the academy will ensure that it covers the immediate surroundings and entrances of the building, accesses to various floors and, if necessary, the doors of special-purpose rooms. The use of the video surveillance system in the building is indicated on a sign on the front door.
Access to video recordings and real-time video images is restricted to the security staff, the head of the academy’s administrative department, student support officer and other employees for the performance of their duties. Video recordings of the video surveillance system may be transmitted to persons or entities not mentioned above only in case of a formal claim and legal obligation.
The video surveillance system stores the recordings on the academy server where they are stored for 30 calendar days.
10. Photographing and filming
The academy has the right to photograph and film without asking people’s permission if it is part of an academic or research activity (e.g., conferences, lectures) or a public event (e.g., the start of the year ceremony).
The academy records its most important events and also allows third parties to view the visual material of interest via the academy’s website and social media channels. The academy may use photos taken at public events on the website and social media without asking the individual’s consent.
For historical and cultural purposes, the academy shall preserve the visual material of its most relevant events indefinitely.
In cases other than those described in this clause, photographing or filming of a person is permitted only on the basis of the person’s consent or otherwise specified in the legislation and if the filming and photographing are in accordance with the principles of data protection.
The academy processes the photographic and video recordings in several information systems: network drive, Office 365 and MS Teams.
11. Responding to requests for explanation, memoranda, requests for information and other correspondence
Personal data (name, e-mail address, postal address) are used to respond to inquiries. Where the response to the letter is within the competence of another institution, it will be forwarded to the authority responsible for replying to it and the sender will be notified thereof.
Correspondence with private individuals is subject to access restrictions if disclosure can significantly damage the integrity of the person’s private life. Restricted information, including documents containing personal data, is issued by the academy only to those institutions and persons who have a direct legal right to receive it (e.g., pre-trial officer or court). If a third party submits a request for information in order to access restricted information, the academy shall decide on a case-by-case basis whether the document may be released in part or in full.
12. Visiting the website www.sisekaitse.ee
The academy uses cookies on its website www.sisekaitse.ee. The purpose of using cookies is to distinguish the user from other persons using the website and to increase the ease of use of the website on the basis of the information obtained. The cookie stores information about the user’s IP, the type and version of the browser, the time and duration of visiting www.sisekaitse.ee, the user’s preferences and interests etc.
The cookies used on the academy website www.sisekaitse.ee:
- Technical and functional cookies enable the visitors to use the website and make the use more convenient for them.
- Analytical cookies (Google Analytics) help to maintain statistics on the usability and traffic on the website and analyse the behaviour of the visitors on the site. The academy uses the information received to comprehensively improve and enhance the website services.
- Commercial cookies are used to present and target advertising. During the admission campaign period, the academy may target advertisements to the visitors of www.sisekaitse.ee based on the IP address.
If the visitor does not want cookies to be stored on their computer, cookies may be blocked in the visitor’s browser settings. Refusing cookies may limit the use of the academy’s website and some services or parts of the website may not work as expected.
It should also be noted that the academy’s website contains links to other websites and the academy is not responsible for sharing data on other websites or the privacy policies of other websites.
13. Storing personal data
The academy stores personal data in dedicated information systems or on paper where personal data cannot be accessed and used by unauthorised persons. All organisational and technical measures required for safe and lawful processing resulting from the Personal Data Protection Regulation and the Personal Data Protection Act are applied to the collected and stored personal data.
The academy does not store or retain personal data longer than necessary. The retention periods for documents containing personal data are stipulated in the list of academy’s documents. Personal data will be deleted when the need for storage ends or the legal basis for storage is terminated or the consent is withdrawn. The retention period may result from a contract concluded with a person, from valid legislation (e.g., accounting regulations, limitation period laws, other private laws) or from legitimate interest of the academy. If the person wishes to be forgotten, the academy will delete the data to the extent not regulated by law.
14. Disclosure of personal data to third parties
The academy shall disclose personal data to third parties, including other internal security authorities, only where there is a legal basis for it, for instance, when it is needed for the academy or the third party to perform the tasks assigned to it by law, and only to the minimum extent necessary.
If, in any case, it is necessary to transfer data outside the European Union or its equivalent territories, Article 45 of the Protection of Personal Data Regulation requires that the level of personal data protection outside the EU be at least equivalent to the level within the EU. If, to the best of our knowledge, the level of personal data protection in the destination country does not reach the level in force in the EU, the academy will inform the person concerned in writing and the person can approve or refuse the transfer of their data.
15. Rights of the natural person whose personal data are processed (hereinafter the data subject)
Depending on the legal basis of personal data processing, the data subject has the right to:
- get confirmation whether the academy processes their personal data and access the personal data collected about them. The academy as the data controller may reject requests from the data subject whose purpose is not to learn about the processing and to check its legality;
- request the correction of incorrect personal data or the completion of incomplete personal data collected about them;
- request that the academy delete without undue delay their personal data for which the academy no longer has a legal basis or which the academy no longer needs for the purposes for which the data were collected or otherwise processed;
- withdraw their consent at any time if the processing of personal data is based on consent. It will not affect the lawfulness of the data processing carried out before the withdrawal of the consent;
- request that the academy limit the processing of personal data, if:
  - the data subject has disputed the correctness of the personal data. The academy will limit the processing for a period of time allowing it to check the accuracy of the personal data;
  - the processing of personal data is unlawful but the data subject does not request the deletion of personal data;
  - the academy no longer needs personal data for processing purposes but the data subject needs them to prepare, present or defend legal claims;
  - the data subject has objected to the processing of personal data. The academy will restrict the processing until it is verified if the academy’s legitimate reasons outweigh the reasons of the data subject;
- receive their personal data submitted to the academy and transmit them to other data controllers. The right to transfer data applies only to personal data that the person has given to the academy themselves and that the academy processes on the basis of consent or contract;
- object to the processing of their personal data if the basis of the data processing is legitimate interest or if the processing is necessary for the performance of public tasks or in the public interest.
For all questions relating to the processing of personal data and the use of the data subject’s aforementioned rights, the data subject may contact the academy’s data protection specialist at the e-mail address petsialist@s.
Upon receiving a request from a data subject, the academy may ask the data subject to specify the information or processing operations the request is related to. The academy will respond to the request within 30 days of receiving it. If it becomes apparent that more time is needed to respond to the request, the academy may extend the response deadline by a reasonable period of time. A copy of the processed personal data will be issued to the data subject free of charge.
If, in the data subject’s opinion, the way in which the academy processes their personal data violates the legislation regulating the processing of personal data, they have the right to turn to the Data Protection Inspectorate (e-mail @aki, telephone 627 4135) or to another institution, in particular to a competent supervisory authority in their place of work or residence.
16. Conducting of feedback surveys
If necessary, the academy shall conduct feedback surveys, participation in which is voluntary. The Estonian Academy of Security Sciences processes personal data (name, surname, e-mail) on the basis of consent in order to send the feedback survey link to the e-mail address provided. Feedback surveys are conducted electronically and responses are anonymous. Responses are retained for 6 months and then deleted.
17. Violations
If a violation related to the processing of personal data occurs at the academy and poses a likely threat to the rights and freedoms of the data subject, the academy shall draw up the required documents (incl. registering the violation) and take measures to stop the violation immediately.
If the breach poses a serious threat to the rights and freedoms of the data subject, the academy must inform them so that they can take the necessary precautions to mitigate the situation.