Data Protection Policy

Data Protection Policy of the Estonian Aviation Academy

Introduction

1. This data protection policy explains in summary the procedure for processing personal data and the data concerning the private life of individuals at the Estonian Aviation Academy (hereinafter "Academy"; registry code 70005699, address Lennu 40, Reola Village, Kambja Rural Municipality, 61707 Tartu County, e-mail eava@eava.ee) and here You can find information about Your rights to access Your data. The described principles do not apply to the processing of data of legal entities or other institutions, and do not include the processing of personal data on websites unrelated to us, which are referred to from our website (external web links).

Personal data

2. Personal data are any data concerning an identified or identifiable natural person that reveal the person’s physical, mental, physiological, economic, cultural or social identity, relations and affiliation. Processing of personal data means any operation performed with personal data, including the collection, recording, organisation, storage, alteration, disclosure, granting access to, consultation and retrieval, use and transmission of personal data.

Processing of personal data in the Academy

3. The Academy processes personal data based on the General Data Protection Regulation of the European Parliament and of the Council and the Personal Data Protection Act, the Academy's Personal Data Processing Instructions and Data Protection Policy.

4. The Academy processes personal data for the purposes set out in the statute and to fulfill the tasks assigned by legislation. According to the statute of the Academy, the purpose of the Academy is to develop the field of aviation and prepare specialists in this field. In order to fulfill the stated goal, the Academy conducts, among other things, vocational and applied higher education, further training and research and development work.

5. The Academy processes personal data only if there is a legal basis for it and only for as long as necessary to achieve the objective of processing or to comply with legal obligations. The Academy applies all relevant organisational, physical and technical security measures to protect the personal data that are at the Academy’s disposal from unauthorised and non-compliant use, disclosure or destruction.

Personal data in correspondence

6. The Academy’s activity is of public character. In performing its duties, the Academy receives personal data also through correspondence or in cases where a person is a party to any proceedings. The processing of electronic and paper documents (including the terms of storage) and the rights of access are governed at the Academy mainly by legal acts.

7. Personal data are also used for responding to queries. If the Academy needs to request information from any third parties for that purpose, only the minimum amount of personal data are disclosed that is absolutely necessary.

8. In accordance with the Public Information Act, the Academy must publish the document register on its website. Consequently, the data concerning correspondence can be found in the public document register. In order to examine any documents that are not visible in the public view of the document register but have no restrictions on access, a request for information needs to be submitted.

9. Access to the correspondence with private persons is restricted. The public document register only reveals the initials of the sender or recipient of a letter, not their name. If a request for information is submitted for examining correspondence with a person, the content of the requested document is reviewed and a decision is made on whether the document can be revealed in part or in whole. From the revealed document, any personal contact details, such as e-mail address, postal address or phone number, will be removed (unless the correspondence concerns a representative of a legal person or an institution).

10. In other cases, granting access to a document depends on the content of the document. Possible grounds for imposing restrictions on access have been set forth in the Public Information Act. The Academy stores any correspondence with a private person for five years.

11. The Academy issues restricted documents solely to the institutions and persons who have a lawful right to receive it (for example, persons conducting pretrial procedure or the court). If a request for restricted information is submitted by a third party, the Academy will decide on a case-by-case basis whether the document may be issued in part or in whole.

12. After the expiry of the term of storage, documents are generally destroyed.

Processing of personal data in advanced studies

13. As a controller, the Academy processes the data of persons who apply for studies in professional higher education and vocational training, and the data of persons who have started to study at the mentioned educational levels (hereinafter student). The Academy processes the personal data of student applicants through the admissions information system (SAIS for curricula taught in Estonian), the forms available at the website of the Academy or on the basis of consent submitted through the international application system DreamApply. The scope and principles of processing personal data which is submitted through the SAIS can be found here. The same principles for DreamApply can be found here.

14. The personal data of the student applicant reaches SAIS through national registers (population register, Estonian education information system (EHIS) and examination information system (EIS)) or is entered into the system by the applicant herself/himself or by an Academy employee based on (paper) documents submitted by the applicant. The student applicant consents to the processing of his/her personal data in SAIS both in the event that she/he enters the data there herself/himself, and in the event that the Academy enters it there on the basis of her/his paper or electronic application. The Academy can submit queries to national registers in SAIS to verify data. The Academy may also repeat the register inquiries to check the completion of the studies that were ongoing at the time the application was submitted or to update the applicant's name based on the notification, if it has changed. The Academy may check the validity and authenticity of the documents submitted by the applicant (e.g. international language certificates) from the relevant registers and submit the foreign student applicant's personal data, including educational data based on the applicant's consent, to the Estonian ENIC/NARIC Center (Academic Recognition Info Center), a structural unit of the Education and Youth Board, for qualification assessment.

15. After a positive admission decision, the Academy enters the personal data of a student in the study information system Tahvel (SIS) and processes them on the basis of the principles described in the following chapter.

Personal data of the student applicants and of the students

16. As a controller of personal data, the Academy processes the following personal data of the student applicants and of the students through the study information system (SIS) and other information systems that support teaching and studies:

16.1. personal identification data (e.g., first name and last name, personal identification code, date of birth, country of origin, citizenship) and contact details (mobile phone or phone number, address, e-mail address). The main aim of processing these data results from the Statutes of the Estonian Aviation Academy and the Higher Education Act, processing is necessary for the purpose of identifying the student, organising studies, creating a user account for the student in the Academy’s computer system and issuing academic documents;

16.2. the Academy also uses contact details to send invitations to participate in the Academy’s surveys and to communicate important information about the Academy’s organisations (for example, the Student Council) and the activity of the Academy (e.g., events, alumni activities);

16.3. educational data required for organising studies, such as data on previous education, data on currently acquired education (curriculum and electives, form of study and workload, date of start and end of studies, study results) and work experience, for international students also a transcript of records from the student’s home university, a certificate proving their knowledge of English, a copy of an identification document;

16.4. data required to apply for and verify grants, stipends, exemption from tuition fee, and academic leave, including financial data, e.g., bank account number, data on family members and data on military service;

16.5. special categories of personal data contained, for example, in medical certificates submitted to apply for exemption from tuition fee and to give reasons for failure to appear for an exam, and applications for an academic leave, applications for the right to take part in studies during academic leave, and stipend applications;

16.6. data for the provision of academic, career and mental health counselling services;

16.7. data concerning surveys;

16.8. information about a person's state of health, for example health examination decisions of applicants for the aircraft piloting or air traffic services curriculum (the health examination is based on § 24-1 of the Aviation Act);

16.9. the performances for admission and the evaluations given to them.

16.9.1. all student applicants must meet the requirements to pass a background check. When submitting the application, the student candidate confirms that he/she has no obstacles to successfully pass the background check described in § 46-9 of the Aviation Act;

16.9.2. applicants for the aircraft piloting or air traffic services curriculum must meet the prerequisites for both a positive background check and a positive health screening. The medical examination is based on § 24-1 of the Aviation Act. The background check is based on § 46-9 of the Aviation Act.

17. The legal basis for processing student data is the Academy’s legal obligation and/or task carried out in the public interest (organisation of studies). The legal basis arises form national legislation (e.g., the Aviation Act, the Higher Education Act, the Higher Education Standard, the Study allowances and Study Loans Act, the Professions Act, the Aliens Act) the compliance with which is governed by government regulations (e.g., the Regulation on State Scholarships, the Unified Assessment System for Higher Education and the Conditions and Procedure for Awarding Diplomas and Academic Transcripts, the Statutes of the Estonian Education Information System) and legal acts of the Academy (e.g., the Admission Rules, the Study Regulations, the Conditions and Procedure for Applying for, Awarding and Paying a Performance Scholarship, the Conditions and Procedure for Applying for, Awarding and Paying a Need-Based Special Support, the Study Regulations and Procedure for Reimbursement of Study Costs).

18. The Academy processes the student’s personal data in several information systems: SIS, EHIS, Office 365, Google (if it is related to the Academy´s domain), document management information system EKIS, e-learning environment Moodle, Zoom and in the library software RIKSWEB). For using Moodle, students do not need to provide any additional information. Users of e-learning environments may supplement their user profile with voluntary information (e.g., a photo, city, interests), which helps to make the environment more convenient to use. The legal basis for processing these data is the student’s consent. The student has the right to edit or delete these data at any time.

19. After the student has graduated from degree studies, the Academy publishes the student’s name in the alumni list on the Academy’s website. Based on legitimate interest, the Academy may use the graduates’ contact details to promote further education opportunities and alumni activities and and for conducting analysis.

Personal data of continuing education learners

20. As a controller, the Academy processes the personal data of those who wish to study in continuing education courses and the personal data of persons attending continuing education courses (e.g., continuing education programmes, degree courses as continuing education), including guest students and foreign guest students. For the purpose of organising continuing education, preparing documents and reporting, the Academy processes primarily the following personal data of those who wish to study in continuing education courses and personal data of continuing education learners:

20.1. first name and last name, personal identification code, contact details, place of work, information on education and professional experience, payer details;

20.2. data that continuing education learners have provided on the application form and their study results on completion of continuing education programmes;

20.3. other personal data of continuing education learners. The Academy collects these data on the basis of the consent of the continuing education learner and at the request of the financer of continuing education depending on the contract for commissioned education. The Academy informs the continuing education learner separately of collecting these data.

21. Depending on the type of continuing education, the legal basis for processing of continuing education learners’ data is either the Academy’s legal obligation and/or a task carried out in the public interest. The legal basis results from law (e.g., the Adult Education Act, the Aliens Act), the compliance with which is governed by regulations of the Governance (e.g., the Statutes of the Estonian Education Information System) and legal acts of the Academy (e.g., the Study Regulations, the Procedure for Reimbursement of Study Costs, the Procedure for Ensuring the Quality of Continuing Education Training´s and in Continuing Education Activities). In the case of a paid course, the legal basis for processing personal data may be the contract signed with the continuing education learner. The Academy processes the personal data of the continuing education learner for the purpose of organizing continuing education training, preparing documents and reporting. If the continuing education learner has registered for the Academy's training, her/his data becomes visible to the Academy's employees who have a legitimate interest in the data, e.g., the employee responsible for the training.

22. If the continuing education learner gives a specific consent, the Academy:

22.1. uses the continuing education learner’s e-mail address to send information on other training courses organised by the Academy by including the continuing education learner in the relevant mailing list. Continuing education learners may remove themselves from the mailing list at any time.

22.2. processes the personal data supplied voluntarily by the continuing education learner (e.g., their other data included in the free text field) to perform the contract concluded with the learner and/or to comply with a legal obligation.

23. The Academy may use the contact details of continuing education learners who have participated in continuing education, on the basis of their consent, in its marketing activities to offer them opportunities for further education in the Academy’s degree programmes.

24. In the case of legitimate interest, the Academy may communicate information concerning a continuing education learner to the third party who has paid for the continuing education (e.g., to the continuing education learner’s employer).

25. The Academy processes the personal data of continuing education learners pursuant to clause 18. in several information systems: the document management system and e-learning environment Moodle.

26. If the continuing education learner has registered to a training course at the Academy in the Juhan, what is the information system of continuing education training, her/his data will be transferred to the Academy as an authorized processor. After the training, the Academy sends the learning results to the information system Juhan. For this purpose, the Academy is authorized on the basis of the consent given by the continuing education learner when registering as a user of the information system Juhan, and on the basis of the application for joining, which is the basis for the Academy's cooperation with the operator of the information system Juhan (see also the conditions of use of the Juhan).

27. Course materials that contain personal data (e.g., registration sheets) are destroyed after the expiry of the time limit for contestation and for the financer of the training course to file a claim.

Personal data of job applicants

28. As a controller, the Academy processes the following data provided to us by a person applying for a job at the Academy:

28.1. data required for identification, primarily the first name and last name and personal identification code;

28.2. data required to contact the person: e-mail address, telephone number and postal address;

28.3. data required for employment, e.g., information on education, continuing education and professional experience, research and development, including a list of scientific publications;

28.4. data on citizenship and, if necessary, the legal grounds for living and working in Estonia.

29. If the person has submitted information required for application, the Academy presumes that the person agrees to processing their personal data for the purpose of employment. By submitting information on referees in the application documents, the person is presumed to agree that the Academy may contact them.

30. If an applicant who is rejected gives a separate consent, the Academy may propose the applicant to take part, if suitable, in another competition for a job announced by the Academy. Based on legitimate interest, the Academy keeps the application documents of an applicant who is rejected to resolve possible legal disputes.

31. The Academy keeps the application documents for six months from the rejecting decision.

32. For the preselection of applicants, the Academy may use psychometric tests (e.g., mental fitness test and personality test) if the applicants have consented to that in the test environment. Based on the interpretation of test results, the Academy may receive more personal data (e.g., personal characteristics) of the applicant from the test organiser, who is the processor of personal data. The Academy does not make any decisions in relation to applicants based solely on automated processing.

33. Upon recruitment, the personal data of academic and non-academic staff are processed differently.

33.1. When non-academic staff are recruited, only employees involved in the recruitment process review the relevant application documents. The documents and personal data contained in them are not disclosed to third parties. The applicant’s personal data means restricted information to which third parties (including competent authorities) gain access only in cases provided by law. The competition is organized based on the Academy's Recruitment Procedure.

33.2. The positions of academic staff are generally filled by the Academy by public recruitment procedure and the selection takes place in several stages (the selection is carried out by the competition committee, and the employment is confirmed by the Academy Council), in the course of which personal data are processed differently from the way it is done upon the recruitment of non-academic staff. The public recruitment procedure is organised in accordance with the Procedure of Academic Staff Employment Relations.

Personal data of employees

34. In order to comply with the obligations arising from the law (e.g., tax laws, employment laws, the Accounting Act) and on the basis of the employment contract and on the basis of contracts entered into under the Law of Obligations Act, the Academy as a controller processes the following personal data of employees:

34.1. data required for identification: first name and last name, personal identification code and citizenship;

34.2. data required to enter into and perform the employment contract: e-mail address, telephone number and postal address;

34.3. family and social data, e.g., data regarding the employee’s children for providing child-related leave, contact details of a close person voluntarily provided by the employee to inform about the circumstances related to the employee, death certificate of an employee or employee’s next of kin for paying funeral grant, to receive compensation for the use of a personal car, a certificate of the obligation of the national defence obligation or a certificate of the obligation national defence obligation in reservist training;

34.4. financial data, e.g., bank account number, application for calculation of basic exemption;

34.5. data regarding the employment relationship, e.g., data about education and qualifications, data concerning self-improvement, appraisal interviews and surveys;

34.6. data on the employee’s state of health, e.g., health certificates, decisions of medical examination boards, data on accidents at work and occupational diseases.

35. The Academy processes the employee's personal data in several information systems: in the SAP business software, in the state employee self-service portal (RTIP) and in the document management information system EKIS.

36. The e-mail addresses, telephone numbers and photos of employees, information on expert areas, LinkedIn accounts, ETIS accounts created for professional communication of Academy employees are disclosed on the website of the Academy on the basis of legitimate interest, so that students and cooperation partners can contact employees.

37. Introductions of the thesis supervisors of the Academy (e-mail addresses created for employees for professional communication, office numbers and photos of employees, information on areas of expertise, biography) are published on the website of the Academy as a brochure on the basis of legitimate interest, so that students can contact thesis supervisors. The purpose of the supervisors' brochure is to introduce the Academy's theses supervisors.

38. The Academy also processes personal data for the purposes of legitimate interests to perform its administrative duties and ensure security (also upon the registration of employees’ data in databases).

Personal data and use of video surveillance system

39. For the purpose of guarding the buildings and rooms owned and used by the Academy, and protecting the people and property in them, the Academy has a legitimate interest to use a video surveillance system. In doing so, the Academy follows the Regulations for Using Surveillance Equipment.

40. When video surveillance equipment is installed, the Academy ensures that the surveillance covers the immediate surroundings of and entrances to the building, accesses to other floors and, if necessary, doors to special-purpose rooms. The use of the video surveillance system is indicated with a sign placed on the front door of the building.

41. Access to the video recordings and real-time video images is available to the Academy's vice rector for administration, the head of the IT department and the IT specialist for the performance of their duties.

42. Third parties, including other employees of the Academy, have no access to the video recordings and real-time video images. The Academy transfers video recordings to third parties (mainly to the Police and Border Guard Board) based on a formal request and upon a legal obligation.

43. The video surveillance system stores the video recordings on the Academy’s video server where they are kept for 30 calendar days.

Personal data in the case of recording events

44. The Academy has the right to photograph and film without asking the person's permission if it is part of educational or research activities (such as conferences and lectures). The Academy records its public events (graduation ceremonies, conferences, seminars, open days, career days) and allows third parties to view video and photo materials of public interest on the Academy’s website. The controller of the personal data created as a result of video and photo recording, primarily the images of persons, is the Academy.

45. Photos taken at public events may be used by the Academy in the social media (e.g., Facebook, Instagram) and advertising campaigns without asking the consent of the person.

46. For historical-cultural purposes, the Academy preserves the image and video material of the most important events indefinitely.

47. In cases other than those described in this point, photographing or filming a person is permitted only with the consent of the person or on other grounds specified in the law, and if the filming and photographing are in accordance with the principles of personal data protection processing.

User data of the website www.lennuakadeemia.ee

48. The following data are collected upon visiting a website:

48.1. the internet address (IP-address) of the used computer or computer network;

48.2. the web browser, software version of the operating system and resolution of the screen;

48.3. visiting time and duration (time, date, year);

48.4. selected language (Estonian or English).

49. IP-addresses will not be linked to the data identifying a person. Data are collected on the website visited and the time spent on the website. The Academy uses collected data for producing website traffic statistics in order to improve the functioning and the user convenience of the website.

50. The Academy's website uses persistent and session cookies in order to provide a better user experience and content and to improve the website. Cookies may also be created by various external service providers whose services the Academy uses to improve its website (e.g., Facebook or Google).

51. The user is considered to have allowed cookies if these are permitted in the web browser settings. If visitors do not allow cookies, their access to some functions provided on the website may be restricted.

Processing of personal data of contractual partners of the Academy and users of the service provided by the Academy

52. In the course of the joint activities of the Academy and its cooperation partners, we process the personal data of data subjects for the provision of the service agreed in the contract between the Academy and the cooperation partner.

53. We process Your personal data when You use the services we offer. We process data that You provide to us Yourself or that is provided on Your behalf or that we acquire independently within the scope of providing a high-quality service. We collect personal data in order to fulfill our obligations to You.

54. The services and the personal data processed during them are generally as follows:

54.1. technical service of the event or organization of the event with video transmission and follow-up (first name, last name, personal identification number, e-mail, contact phone number, information about food and special needs, video image, video and audio recordings, photos);

54.2. laboratory service (first name, last name, personal identification number, e-mail, contact phone number);

54.3. sale of books (first name, last name, e-mail, social security code and postal address to receive an invoice, contact phone number if You want a book for sending a parcel);

54.4. putting the flight training device of an airplane or the flight training device of a helicopter into use (first name, last name, personal identification number, e-mail, contact phone number);

54.5. training service (first name, last name, personal identification number, e-mail, contact phone number);

54.6. putting the premises into use (first name, last name, personal identification number, e-mail, contact phone number);

54.7. issuance of access certificates (first name, last name, personal code for issuing access certificates, in the case of security services, also data proving qualification);

54.8. management of the information displayed by the Academy's monitoring devices (personal image, logs of the use of access credentials).

We also process Your personal data if:

55. When participating in a survey/contest/competition (e.g., a drawing competition), data is published only in non-personalized form for statistical purposes. In the case of surveys/contests/competitions, to which prizes are drawn among the respondents, we process Your personal data to contact You.

56. When ordering personal notifications, we process Your personal data only to send the ordered notifications.

57. We will only send You newsletters if You have expressed Your wish to receive newsletters. Newsletters are sent based on Your consent. We use the Mailchimp marketing automation and e‑mail marketing platform to send newsletters. Mailchimp's privacy policy can be found here.

58. When registering for events, we process Your personal data to compile a list of event participants and to contact You if necessary.

59. When You call the Academy's phone, we process Your personal data only to the extent that You have disclosed it for the purpose of providing You with information.

60. You have liked our Facebook page or You have started following our Instagram page or our LinkedIn page or you have subscribed to our YouTube channel. This is in order to deliver news about our activities to Your news feed or to tag You as a person who participated in an event organized by us. When You like our page on Facebook, you also transmit relevant information to Facebook, when You follow our page on Instagram or LinkedIn, You transmit relevant information to Instagram or LinkedIn, respectively, and when You subscribe to our channel on YouTube, You transmit relevant information to YouTube, for which the Academy is not responsible.

61. We also process Your personal data in order to fulfill our legal obligations. We also prove, exercise, assign or defend our legal claims based on the performance of a contract with You or arising from non-contractual relations.

Your rights

62. According to the General Data Protection Regulation, the data subject has the following rights:

62.1. the right of access to personal data which have been collected concerning the data subject;

62.2. the right to object to processing (for example for direct marketing);

62.3. the right to data transfer;

62.4. the right to file a complaint with the Academy, the Data Protection Inspectorate or the court about data processing by the responsible processor;

62.5. the right to object to the processing of personal data concerning the data subject;

62.6. the right to update her/his personal data;

62.7. the right to be forgotten (deletion of data).

The right to access Your data

63. Upon request, You can receive more information about the processing of Your personal data. Everyone has the right of access to personal data collected about them and to demand correction of incorrect personal data. If access to personal data is restricted, the Academy must first verify the identity of the person.

64. If there is no longer a legal basis for processing Your personal data or providing access to it, You may request the restriction or termination of their use, deletion or termination of access to the data. It is possible to ask for correction or removal of data about You that are incorrect or that You do not wish to be stored.

65. If You have any questions related to the processing of personal data, please contact the lawyer-quality manager Martin Pedosk, who performs the duties of a data protection specialist, at the e‑mail address martin.pedosk@eava.ee.

66. A person is not allowed to consult the data collected about her/him in the Academy if the data can:

66.1. harm the rights and freedoms of another person;

66.2. prevent the prevention of a crime or the apprehension of a criminal;

66.3. make it difficult to find out the truth in criminal proceedings;

66.4. endanger the protection of the secret of the child's parentage.

67. The principles described above do not cover the processing of personal data on websites that are referred to on the Academy's website, but which are not managed by the Academy.

Filing complaints

68. If the data subject finds that the Academy has violated her/his rights when processing personal data, she/he has the right to contact the Data Protection Inspectorate (e-mail info@aki.ee, phone 627 4135) or the court at any time for the protection of her/his rights.

69. If Your permanent residence is in another EU member state, You can find the contact information of the relevant authority on the website of the European Data Protection Board (EDPB), more precisely here.

70. The Academy reserves the right to unilaterally change the data protection conditions at any time.

Violations related to the processing of personal data

71. If a violation related to the processing of personal data occurs in the academy, which represents a probable threat to the rights and freedoms of the data subject, the academy will complete the required documents and take measures to immediately stop the violation.

72. If the violation greatly threatens the rights and freedoms of the data subject, the Academy must inform her/him so that she/he can take the necessary precautions to alleviate the situation.

Useful reading:

• Personal data in the employment relationship and rules for work organization (Labour Inspectorate, 2014)
• Implementation of the General Regulation on the Protection of Personal Data in educational institutions (HITSA, 2018)
• Instructions of the Data Protection Inspectorate