Data Protection Policy

Definitions

Organisation: Go Wombat OÜ.
Highly sensitive data: Data about racial and ethnic origin, political opinions, religious or philosophical beliefs, union membership, or the health and sexual life of the data subject.
Personal data: All information about identified or identifiable natural persons.
Processing personal data: Any operation, manual or automated, that collects, stores, organizes, retains, modifies, queries, uses, forwards, transmits, combines, or compares data.
Data Controller: The person or entity that owns data and determines the scope of its use.
Third countries: All nations outside the European Union/EEA. This does not include countries whose data protection level is considered adequate by the EU Commission.
Third parties: Anyone apart from the data subject and the Data Controller.
Anonymized data: Data from which the personal identity can never be traced by anyone, or could be recreated only with an unreasonable amount of time, expense, and labor.
Consent: A voluntary, legally binding agreement to data processing.
Data protection incidents: All events that breach the legal procedure for data processing.
Data subject: A natural person whose data may be processed.
The European Economic Area (EEA): The economic region associated with the EU; it includes Norway, Iceland, and Liechtenstein.
Data Protection Officer (DPO): A person with expert knowledge of data protection law and practices who assists the controller or processor in monitoring internal compliance with this Regulation.
Data Protection Agreement (DPA): A legal document between an organization and a customer that establishes the terms under which personal data will be used. This agreement covers who has access to the information, what may happen with it, and whether it must be removed from the customer's system at any point in time.

1. Aim of Data Protection Policy

In order to fulfill its social responsibilities, Go Wombat OÜ is committed to international compliance with data protection laws. The Data Protection Policy applies worldwide and is based on internationally accepted, basic principles of data protection. Ensuring data protection is the cornerstone of reliable business partnerships and of Go Wombat OÜ’s reputation as a desirable employer.

2. Scope of Data Protection Policy

This Data Protection Policy applies to all Go Wombat OÜ employees and to third parties associated with the Organisation. This means that Go Wombat OÜ employees are required to work under the principles specified in the Data Protection Policy. The Organisation requires third parties to adopt the company’s Data Protection Policy, or extends a third party’s existing policies by agreement.

The Data Protection Policy extends to all processing of personal data. In countries where the data of legal entities is protected to the same extent as personal data, this Data Protection Policy applies equally to the data of legal entities. Anonymized data, e.g. for statistical evaluations or studies, is not subject to this Data Protection Policy.

Additional Data Protection Policies can be created only if required by applicable national laws.

3. Application of National Laws

This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law takes precedence if it conflicts with this Data Protection Policy or has stricter requirements than this Policy. The content of this Data Protection Policy must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed.

4. Principles for Processing Personal Data

4.1. Fairness and lawfulness

When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.

4.2. Restriction to a specific purpose

Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.

4.3. Transparency

The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of or informed of:

  • The identity of the Data Controller
  • The purpose of data processing
  • Third parties or categories of third parties to whom the data might be transmitted

4.4. Data reduction and data economy

Before processing personal data, it must be determined whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data must be used. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.

4.5. Deletion

Personal data that is no longer needed after the expiration of legal or business process-related periods must be deleted. In individual cases there may be indications that this data merits protection or has historical significance. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.

4.6. Factual accuracy; up-to-dateness of data

Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented, or updated.

4.7. Confidentiality and data security

Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification, or destruction.

5. Reliability of Data Processing

5.1. Customer and Partner Data processing for a contractual relationship

Personal data of the relevant prospects, customers, and partners can be processed in order to establish, execute, and terminate a contract. This also includes advisory services for the partner under the contract if these are related to the contractual purpose. Prior to a contract and during the contract initiation phase, personal data can be processed to prepare bids or purchase orders or to fulfill other requests of the prospect that relate to the conclusion of the contract. Prospects can be contacted during the contract preparation process using the information that they have provided. Any restrictions requested by the prospects must be complied with. For advertising measures beyond that, the requirements under V.1.2 must be followed.

5.2. Data processing for advertising purposes

If the data subject contacts Go Wombat OÜ to request information (e.g. request to receive information material about a product), data processing to meet this request is permitted.

Customer loyalty or advertising measures are subject to further legal requirements. Personal data can be processed for advertising purposes or for market and opinion research, provided that this is consistent with the purpose for which the data was originally collected. The data subject must be informed about the use of their data for advertising purposes. If data is collected only for advertising purposes, its disclosure by the data subject is voluntary, and the data subject shall be informed that providing data for this purpose is voluntary. When communicating with the data subject, consent shall be obtained from him/her to process the data for advertising purposes. When giving consent, the data subject should be given a choice among the available forms of contact, such as regular mail, e-mail, and phone (Consent, see V.1.3).

If the data subject refuses the use of their data for advertising purposes, it can no longer be used for these purposes and must be blocked from use for these purposes. Any other restrictions from specific countries regarding the use of data for advertising purposes must be observed.

Data can be processed following consent from the data subject. Before giving consent, the data subject must be informed in accordance with IV.3. of this Data Protection Policy. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone conversations, consent can be given verbally. The granting of consent must be documented.

The processing of personal data is also permitted if national legislation requests, requires, or allows this. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant statutory provisions.

5.5. Data processing pursuant to a legitimate interest

Personal data can also be processed if it is necessary for the legitimate interest of the Go Wombat OÜ team. Legitimate interests are generally of legal (e.g. collection of outstanding receivables) or commercial nature (e.g. avoiding breaches of contract). Personal data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject merit protection, and that this takes precedence. Before data is processed, it is necessary to determine whether there are interests that merit protection.

5.6. Processing of highly sensitive data

Go Wombat OÜ does not collect, store, or process any Sensitive Information. According to the DPA, this category of information covers data relating to:

(a) the racial or ethnic origin of the data subject;

(b) political opinions;

(c) his religious beliefs or other beliefs of a similar nature;

(d) whether he is a member of a trade union;

(e) his physical or mental health or condition;

(f) his sexual life;

(g) the commission or alleged commission by him of any offense; or

(h) any proceedings for any offense committed or alleged to have been committed by him, the disposal of such proceedings, or the sentence of any court in such proceedings.

5.7. Automated individual decisions

The Go Wombat OÜ team does not use any tools for making automated decisions. All data subjects go through manual human resource selection according to guidelines.

5.8. User data and internet

If personal data is collected, processed, and used on websites or in apps, the data subjects must be informed of this in a privacy statement and, if applicable, information about cookies. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible, and consistently available for the data subjects.

If user profiles are created (tracking) to evaluate the use of websites and apps, the data subjects must always be informed accordingly in the privacy statement. Personal tracking may only be effected if it is permitted under national law or upon the consent of the data subject. If tracking uses a pseudonym, the data subject should be given the chance to opt out within the privacy statement.

If websites or apps can access personal data in an area restricted to registered users, the identification and authentication of the data subject must offer sufficient protection during access.

6. Transmission of Personal Data

Transmission of personal data to recipients outside or inside the Go Wombat OÜ team is subject to the authorization requirements for processing personal data under section “Reliability of data processing”. The data recipient must be required to use the data only for defined purposes.

In the event that data is transmitted to a recipient outside the Go Wombat OÜ team in a third country, this recipient must agree to maintain a data protection level equivalent to this Data Protection Policy. When the transmission is legally required, this rule does not apply. Such a legal duty may be based on the laws of the country in which the Go Wombat OÜ entity sending the data is domiciled. Alternatively, the laws of that country may recognize the transmission of data for a purpose based on a third country's legal requirement.

If Go Wombat OÜ receives data from a third party, it must be guaranteed that the data may be used for the intended purpose.

If personal data is transferred from a Go Wombat OÜ company with its registered office in the European Union/European Economic Area to an office outside of the European Economic Area (third country), the offices importing the data are obligated to cooperate with any inquiries made by the relevant supervisory authority in the country in which the party exporting the data has its registered office, and to comply with any observations made by the supervisory authority with regard to the processing of the transmitted data. The same applies to data transmission by Go Wombat OÜ from other countries.

In the event that a data subject claims that this Data Protection Policy has been breached by the Go Wombat OÜ offices located in a third country that is importing the data, the office located in the European Economic Area that is exporting the data agrees to support the party concerned, whose data was collected in the European Economic Area, in establishing the facts of the matter and also asserting his/her rights in accordance with this Policy against the Go Wombat OÜ importing the data. In addition, the data subject is also entitled to assert his or her rights against the Go Wombat OÜ exporting the data. In the event of claims of a violation, Go Wombat OÜ must document to the data subject that the company offices importing the data in a third country (in the event that the data is further processed after receipt) did not violate this Data Protection Policy.

In the case of personal data being transmitted from Go Wombat OÜ offices located in the European Economic Area to Go Wombat OÜ offices located in a third country, the data controller transmitting the data shall be held liable for any violations of this Policy committed by the offices located in the third country with regard to the data subject whose data was collected in the European Economic Area, as if the violation had been committed by the data controller transmitting the data. The legal venue is the competent court at the location of the company exporting the data.

7. Rights of the Data Subject

Every data subject has the following rights. Their assertion is to be handled immediately by the responsible unit and may not result in any disadvantage to the data subject.

  1. The data subject may request information on which personal data relating to him/her has been stored, how the data was collected, and for what purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected.
  2. If personal data is transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients.
  3. If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
  4. The data subject can object to the processing of his or her data for purposes of advertising or market/opinion research. The data must be blocked from these types of use.
  5. The data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
  6. The data subject generally has a right to object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.

8. Confidentiality of Data Processing

Access to personal data is restricted. This means that all unauthorized collection, processing, or use by employees is prohibited. Any activity performed with the data that falls outside the applicable legislation is considered unauthorized. Employees should be granted access based on the scope of their defined tasks. This requires a careful breakdown and separation of duties, as well as the implementation of roles and responsibilities.

Employees are forbidden to use any personal data outside of the initial task purpose. The employee is not authorized to disclose any personal data. Supervisors must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.

9. Processing Security

Personal data must be protected from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification, or destruction. This applies to both electronic and paper form processing of personal data. Before implementing a new IT system, a thorough security evaluation should be performed.

The technical and organizational measures for protecting personal data are part of Corporate Information Security Management and must be adjusted continuously to technical developments and organizational changes.

A report on the measures taken and an evaluation of their effectiveness should be produced by the Data Protection Officer or the Information Security Manager.

10. Data Protection Control

Compliance with the Data Protection Policy and the applicable data protection laws must be checked regularly by means of data protection audits and other controls. The performance of these controls is the responsibility of the Data Protection Officer or of external auditors hired by Go Wombat OÜ. At the end of each audit a report must be produced and brought to the attention of all senior management. On request, the results of data protection controls will be made available to the responsible data protection authority. The responsible data protection authority can perform its own compliance controls within the scope of this Policy, as permitted under national law.

11. Data Protection Incidents

Supervisors, Information Security Officers, or higher-level management must be informed immediately about cases of violations of this Data Protection Policy or of other regulations on the protection of personal data (data protection incidents).

The manager responsible for the function or unit is required to inform the Information Security Officer or higher-level management immediately about data protection incidents.

In cases of:

  • improper transmission of personal data to third parties
  • improper access by third parties to personal data
  • loss of personal data

the required company reports (Information Security Incident Management) must be made immediately so that any reporting duties under national law can be complied with.

12. Responsibilities and Sanctions

The executives are responsible for data processing in their area of responsibility. Therefore, they are required to ensure that the data protection requirements under the law and under this Data Protection Policy are met (e.g. national reporting duties). The management staff is responsible for ensuring that organizational, HR, and technical measures are in place so that any data processing is carried out in accordance with data protection requirements. Compliance with these requirements is the responsibility of the relevant employees.

If official agencies perform data protection controls, the Information Security Officer must be informed immediately.

The management staff can perform checks and familiarise employees with policies. The relevant management is required to assist the Information Security Officer with their efforts.

The departments responsible for business processes and projects must inform the data protection coordinators in good time about the new processing of personal data. For data processing plans that may pose special risks to the individual rights of the data subjects, the Information Security Officer must be informed before processing begins. This applies in particular to extremely sensitive personal data. The managers must ensure that their employees are sufficiently trained in data protection.

Improper processing of personal data, or other violations of the data protection laws, can be criminally prosecuted in many countries and result in claims for compensation of damage. Violations for which individual employees are responsible can lead to sanctions under employment law.

13. Data Protection Officer

The Data Protection Officer is not bound by professional instructions and works towards compliance with national and international data protection regulations. The DPO is responsible for the Data Protection Policy and supervises compliance with it.

Any data subject may approach a Data Protection Officer at any time to raise concerns, ask questions, request information, or make complaints relating to data protection or data security issues. If requested, concerns and complaints will be handled confidentially.

The management of the organization concerned must support the Data Protection Officer’s decisions to address data protection violations. Supervisory authorities must always contact the Data Protection Officer with their concerns.

To raise concerns, ask questions, request information, or make complaints relating to data protection or data security, you can contact the Data Protection Officer using the contact information given below:

E-mail: security@gowombat.team

This Policy has been approved by Go Wombat OÜ as of [5th of August, 2022] and comes into effect immediately. It may be reviewed regularly.