CYBERS processing of customer’s personal data


In force from 07 May 2021

These CYBERS’ Principles for the Processing of Personal Data describe the principles on the basis of which CYBERS processes the personal data of Clients.



1.1. “CYBERS” – Security Software OÜ, a company registered in the Republic of Estonia with the registry code 11924368.

1.2. “Principles” – these CYBERS’ Principles for the Processing of Personal Data.

1.3. “Client” – Client is any natural or legal person who uses, has used, or has expressed a wish to use the services of CYBERS or is otherwise connected with these.

1.4. “Data Controller” – CYBERS.

1.5. “Data Processor” – Data Processor means any natural or legal person who processes personal data on behalf of the Data Controller.

1.6. “Data Protection Legislation” – all data protection legislation that CYBERS is required to comply with, including the General Data Protection Regulation of the European Union and the national legislation implementing the General Regulation.

1.7. “Personal Data” – Personal data means any data that CYBERS knows about a Client or their representatives.



2.1. These principles describe how CYBERS processes the Clients’ personal data. Additional terms and conditions for the processing of personal data may also be described in the contracts and other documents related to the services of CYBERS.

2.2. CYBERS shall ensure the confidentiality of personal data in accordance with Data Protection Legislation and shall take the necessary measures to protect Personal Data against unauthorized access, unlawful processing or disclosure, accidental loss, alteration, or destruction.

2.3. CYBERS uses Data Processors for the processing of Personal Data and ensures that the Data Processors process Personal Data in accordance with the instructions of CYBERS and in compliance with Data Protection Legislation and apply appropriate security measures



3.1. CYBERS collects Personal Data in the course of customer service and from external sources, such as public and private registries, and other third parties.

3.2. CYBERS chiefly processes the data of persons who have entered into or have expressed a wish to enter into a contractual relationship with CYBERS. CYBERS also collects Personal Data from prospective clients, trustees, legal representatives, representatives of undertakings, authorized persons, shareholders, contact persons, members of the management board, and beneficial owners.

3.3. CYBERS process the following forms of personal data:

3.3.1. identification and contact details, e.g. name, personal identification number, date of birth, details of the identity document (e.g. a copy of passport or ID-card), postal address, telephone number, e-mail address, residency;

3.3.2. professional data, such as education or employment data;

3.3.3. data on the Client’s relations with legal persons;

3.3.4. data on the tax residency of the Client, e.g. data on the country of residence, taxable person, identification number, citizenship;

3.3.5. data relating to services, such as performance or non-performance of contracts, contracts concluded and terminated, applications submitted, inquiries, and complaints.



4.1. CYBERS may process personal data on the basis of the consent obtained by the Client, the purpose of performance of the contract, the purpose of performance of legal obligations, or legitimate interest.

4.2. The main purpose for processing personal data is to fulfill and manage the contracts entered into with the Client. The purposes for data processing in this regard are, inter alia:

4.2.1. taking the necessary measures before entering into the contract, as well as entering into the contract with the Client, performing and terminating the contract that has been entered into;

4.2.2. customer relationship management, ensuring, organizing, and controlling authorized access to services.

4.3. In addition to the above, CYBERS may process personal data to meet statutory
obligations. The purposes for data processing in this regard are, inter alia:

4.3.1. identification and verification of the Client’s identity and updating and ensuring the correctness of personal data;

4.3.2. detection, investigation, and reporting of money laundering and terrorist financing;

4.3.3. compliance with accounting, tax information exchange, and risk management obligations and rules.

4.4.     CYBERS processes personal data within the limits of its legitimate interest. Legitimate interest is the commercial interest of CYBERS, in the remits of which processing of personal data is necessary, and which is considered to outweigh the Client’s right to data protection. The purposes for data processing in this regard are, inter alia:

4.4.1. provision of ancillary services through personalized offers;

4.4.2. development, research, and improvement of the customer experience through analysis, statistics, and studies;

4.4.3. protection of the interests of the Client, CYBERS, including the taking of security measures;

4.4.4. prevention, restriction, and investigation of the misuse, illegal use, or disruption of services;

4.4.5. ensuring the security of the provision of services, including data related to the services;

4.4.6. improvement, development, and maintenance of technical systems and IT infrastructure;

4.4.7. drafting, submitting, or defending legal claims and handling complaints.

4.5.     CYBERS may request the Client to consent to the processing of personal data. Consent includes
information on this specific processing of data. CYBERS processes personal data, e.g.
to send direct marketing messages. The Client may always withdraw their consent.



5. 1. When processing Personal Data, CYBERS may share personal data with recipients such as public authorities, data processors, and business partners. CYBERS does not disclose Personal Data beyond what is necessary for the purpose of the disclosure.

5.2. Recipients of Personal Data may process Personal Data as data processors or data controllers. If the recipient processes Personal Data in their own name as a data controller, the recipient shall be liable for providing information on the processing of such personal data.

5.3. CYBERS shares Personal Data e.g. with the following recipients:

5.3.1. public authorities (e.g. law enforcement agencies, enforcement agents, notaries, tax authorities, supervisory authorities, and the Financial Intelligence Unit);

5.3.2. auditors, legal and financial advisers, or other data processors of CYBERS;

5.3.3. other persons involved in the provision of CYBERS’ services, such as archiving and postal service providers.



6.1. Generally, Personal Data is processed in countries of the European Union or the European Economic Area, but in some cases, these are transferred to and processed in countries outside the European Union or the European Economic Area.

6.2. Personal Data may be transferred to and processed in countries outside the European Union or the European Economic Area, provided that there is a legal basis for doing so and one of the following conditions is met:

6.2.1. there is an adequate level of data protection in the country outside the European Union or the European Economic Area where the recipient is located, in accordance with a decision of the European Commission;

6.2.2. the Data Controller or the Data Processor has put in place appropriate safeguards, such as the introduction of standard European Union contract terms and conditions or other terms and conditions, approved codes of conduct or certification mechanisms;

6.2.3. exceptions are in place for specific situations, such as the express consent of the Client, the performance of a contract entered into with the Client, or conclusion or performance of a contract entered into in the interests of the Client, use or defense of legal claims, overriding reasons due to public interest.



7.1.   Personal Data are not retained longer than is necessary for the purposes for which the Personal Data were processed or longer than is required by data protection law.



8.1.     The Client has the following rights pursuant to Data Protection Legislation:

8.1.1. request the correction of their data if these are insufficient, incomplete, or incorrect;

8.1.2. object to the processing of their Personal Data if the use of Personal Data is based on legitimate interest;

8.1.3. request the erasure of personal data, e.g. if their personal data is processed with their consent and they have withdrawn their consent. This right does not apply if the Personal Data concerned are also processed on other grounds, such as under a contract or for the performance of legal obligations;

8.1.4. restrict the processing of their Personal Data;

8.1.5. receive information on whether CYBERS processes their personal data and if so, to gain access to the aforementioned data;

8.1.6. receive their data, which they have provided and which are processed under consent or for the performance of a contract, in writing or in a publicly available electronic format;

8.1.7. withdraw their consent to the processing of their Personal Data.

8.2.     The Client has the right to submit complaints regarding the use of data to the Estonian Data Protection
Inspectorate (, if they find that the processing of their data infringes their
rights and interests under data protection law.



9.1. The Client may contact CYBERS in connection with inquiries and withdrawal of consent, and the Client may also demand the exercise of their rights in the processing of Personal Data and file complaints regarding the use of Personal Data.

9.2. CYBERS requests the Client to contact us by e-mail at in case of any issues related to the matters regulated in these Principles.



10.1. CYBERS may unilaterally change these Principles as necessary (e.g. if the purposes of data processing change, new types of data are going to be collected).

10.2. The latest (valid) version of the Principles is available on the website:

These CYBERS’ Principles for the Processing of Personal Data are valid from 07.05.2021.