1. INTRODUCTION

We, at Boomerang, know that protecting personal data is critical to everyone whose data we process. Therefore, we are extremely responsible and careful to protect the confidentiality of data subjects. When processing personal data, Boomerang proceeds from the General Data Protection Regulation (EU 2016/679) of the EU and other applicable legal acts.

This privacy policy contains information about the processing we perform mainly as a data controller. Although this privacy policy refers to “Boomerang”, “we” or “us”, only an individual Boomerang´s company is and can be the data controller for each individual processing of personal data. We also process personal data as a Data Processor (i.e. when another party determines the purposes and means of the processing and thereby acts as Data Controller). In instances where we are a Data Processor, we process personal data based on the Controller’s instructions. We act in the role of a Data Processor towards personal data which we get from our clients, retail companies. More information about processing of a personal data as a Data Processor, you can find in section 3. 

2. DEFINITIONS

„Boomerang“ or „Boomerang Group“ means Boomerang Logistic Group OÜ and all legal entities which Boomerang Logistic Group OÜ controls (the subsidiaries). As of august 2022, the following legal entities belong to Boomerang Group: Boomerang Distribution OÜ, Boomerang Return Management OÜ, Boomerang Return Processing OÜ and Boomerang Distribution s.r.o (Czech).

„Candidate“ means any natural person who is applying/has applied for a position at Boomerang. “Personal data” means any information relating to an individual who is identified or identifiable, such as name, address, email, phone number, country of residence, citizenship. It may also mean any other information you have provided us upon applying for a position at Boomerang, or we have collected about you during your employment, such as education, professional career and duration, job title, training data and training certificates, assessment of performance at work, promotions, personal development plans, behaviour and disciplinary data, data about habits, preferences and satisfaction, salary data, bank account details, other financial data such as debt commitments, income, solvency, data of memberships in trade union, sensitive data such as Special categories of Personal Data etc.

„Data Controller“ means anyone who alone or jointly with others determines the purposes and means of the Processing of Personal Data. 

„Data Processor“ means anyone who Processes Personal Data on behalf of the Data Controller.

„Employee“ means any natural person who is working for any of Boomerang companies.

„Processing“ means any operation or set of operations performed regarding Personal Data (such as collection, recording, storing, erasure, sharing).

„Recipient“ means a natural or legal person, public authority or another body, to whom Boomerang is entitled to disclose Personal Data. 

„GDPR“ means General Data Protection Regulation (EU 2016/679) of the EU.

Boomerang´s website may contain links to websites of our partners, third parties and affiliates. They are merely for informational purposes. If you follow a link to any of these applications and/or websites, please bear in mind that they have their own privacy policies and that we assume no responsibility or liability arising whatsoever nor endorse any practices from their policies.

3. DATA SUBJECTS WHOSE PERSONAL DATA WE PROCESS 

We process personal data about data subjects listed below.

3.1. Individuals (data subjects) who contact us or access us by any means for any purposes, except representatives of our Clients or service providers. For the sake of clarity, we do not consider processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person to be covered with this Policy.

3.2. Individuals who work for us or apply for a job at our companies.

3.3. Private customers of our Clients or Individials acting on behalf of a private or corporate customers of our Clients ( e.g. representatives, contact persons etc). Their personal data we process according to Data Controller’s instructions.

Boomerang is the Data Controller of the personal data You (data subject) provide us.

We receive and store any information You give us through contacting us for any reasons, like requesting quotation for services, requestioning information, applying for job etc. This may include information about your name, phone number, e-mail address, contact address etc. 

Boomerang is the Data Processor of the personal data we receive from our Clients.

Our „Clients“ are e-commerce companies, who sell their products via electronical means. Our role is to provide our Clients return handling and 3PL order management services, such as warehousing, pick & pack, order fulfilment, organizing order delivery and returns etc.

We may receive information about You from our Clients, from who You have purchased their products. Upon receiving Your personal data from our Clients, our Clients are Data Controllers who determine the purpose and means of the processing and we, Data Processors, follow their instructions. 

The data we receive from our Clients may contain your personal data such as your name, contact number, delivery address, email address and / or other order/delivery-related information.

If you have ordered items from such Client (e-commerce company), and are interested in how we process your personal data as a data processor, please contact your seller.

4. LEGAL GROUND AND PURPOSES OF OUR PROCESSING AND USING YOUR PERSONAL DATA

Your personal data is processed by Boomerang on the lawful basis. Boomerang ensures the confidentiality and legality of the processing of Your personal data with regard to applicable law and implements appropriate technical and organisational measures to protect Your personal data from unauthorised access, unlawful processing or disclosure and accidental loss, alteration or destruction.

In the majority of cases, processing of your personal data will be justified on one of the following bases: (a) It is necessary for us to comply with a legal obligation (such as fulfilment of our obligatons arising from law); or

• It is necessary for us for the performance of a contract to which you (the data subject) are a party

(such as fulfiment of our contractual obligations as an employer); or

• Whether you (the data subject) have given us consent to the processing of your personal data for one or more specific purposes; or
• It is in our legitimate interests as a business.

4.1. Data processing for the fulfilment of a legal obligation

The fulfilment of obligations arising from the law includes such processing of data that we are obligated to carry out, as we are required to do so by law. If the processing of data is required for fulfilling a legal obligation, we at Boomerang cannot decide on the processing of such personal data, and neither can you. On this legal basis, we process your personal data for the purposes below.

–     accounting to comply with the accounting obligation arising from law; –            mandatory personal identification (e.g. upon hiring) etc.

4.2. Data processing for the performance of the contract

The processing of personal data for the performance of the contract is necessary for Boomerang to perform the contract entered with you or to perform the necessary activities before entering such a contract. This includes the following processing purposes:

• pre-contractual relations. Processing of personal data within the recruitment process in order to administer candidate’s identification, evaluation and selection for vacancies available. Background research from public records and through online search engines;
• processing of personal data required for performing our contractual obligations as an employer (such as related activities to providing vacation, training, health check etc).

4.3. Data processing based on the consent given by you

The processing of your personal data takes place on your given consent and acknowledgement. Your consent is valid until you withdraw it or until your contract concluded with us expire. You can give and withdraw your consent at any time by sending an application to contacts listed below in writing or in a format that can be reproduced in writing. We ask for your consent mainly for improving our services or in employment-related issues, such as:

• conducting surveys;
• using employees photo or contact data (such as mobile phone number) on Boomerang´s webpage or in advertising materials;
• sharing information with employees by sending data, such as power of attorneys, training or medical check appointments, information about monthly payments (payslips) etc to employees personal e-mail address.

4.4. Data processing on the basis of a legitimate interest

Legitimate interest means that we want to use your personal data to improve our internal processes and fulfill our statutory duties. This data is needed to make better decisions in our work related processes and in risk management. This way we can improve our activities as an employer and provide our Clients with better and faster services and price solutions etc, and fulfil our duties in front of state authorities and Clients.

Boomerang processes Your personal data in order to:

• comply with legal obligations, policies and procedures, organize internal processes and for internal administrative and analytics purposes;
• protect Boomerang´s information systems and assets of Boomerang, its employees and Clients (e.g. video surveillance);
• avert losses incurring to Boomerang, solve disputes with Service providers or Clients, if circumstances of the dispute can be identified using the recording of video surveillance;
• defend its violated and contested rights in actual or threatened legal proceedings;
• process information or claims in connection with incidents at our facilities or related to our business, etc.

In the event that data, including personal data, is processed for a new puprose than the one for which the data was originally collected, or is not based on your consent, Boomerang will assess admissibility of such new processing separately.

4.5. Data processing we carry out as a Data Processor

Boomerang processes your personal data as a data processor for the following purposes:

• receiving of an order and fulfilling it in accordance with the agreement concluded with our Client;
• planning and ordering delivery for order;
• organizing customs declaration and communication with relevant third-party service provider or customs board, if necessary;
• communication with transport servie provider(s) and Client upon occurring problems upon delivery.

5. SHARING YOUR PERSONAL DATA

Boomerang may, for the purposes of offering its services or processing personal data, engage contractual partners, that during processing are obligated to follow these principles and Boomerang’s instructions, implement appropriate security measures and ensure the legality and confidentiality of processing of personal data. Boomerang ensures that contractual partners process personal data based on Boomerang’s instructions and applicable law and implement appropriate security measures. If we have received your personal data from our Client, who remain Data Controller, we agree on terms of processing personal data with our Client and forward given instructions to our contractual partners. Contractual partners have the right to process your personal data only to the extent necessary for fulfilling objectives specified by Boomerang. We may share share your personal data (concerning mainly employees) also within the Boomerang Group companies for making corporate management and business decisions. In some cases, it may be necessary for us to share personal data with other parties outside the EU/EEA, especially in situations where we fulfill our duties in front of our Clients. For example, we may need to share your personal data with transport service providers and other partners involved in the delivery of order. In relation to partners outside the EU/EEA, specific safeguards are taken, such as signing agreements that include the standard contractual clauses for data transfers adopted by the European Commission and available on the European Commission’s website, we also ask for confirmations about the adequacy of the corresponding protection and oblige themto guarantee the corresponding protection, but we cannot in any way guarantee the adequacy of such measure and compliance with GDPR requirements. Howevery, if we cannot reach an agreement with the respective service provider regarding the compliance level of personal data with the requirements of GDPR, we warn you that the level of protection of personal data in the respective country may not be at the same good level as that of the GDPR, which may result in a greater risk of possible illegal data processing. We consider very carefully the conditions under which your data will be subsequently processed and stored after the above transfer. Your data will be transferred to these recipients only to the extent necessary to fulfill our contract concluded with the Data Controller.

We may transfer or disclose Your personal information to the following recipients:

• transportation companies, when we act as a Data Processor;
• providers of technical services & software (incl electronic storage providers);
• state authorities where required by applicable law; (d)other service providers (such as customs agencies etc).

Please note that some service providers (such as transport service providers etc) consider themselves to be Data Controllers in certain activities they conduct.  As an example, transport service providers, who we use in providing our services, consider themselves to be data controllers when trying to offer an efficient, optimized and customized transport service in line with their own standards and routines. When acting as a Data Controller, they have several obligations and responsibilities arising from law, and taking such a role, they are responsible for correct and lawful processing of a personal data. 

6. SECURITY OF PERSONAL DATA

Any kind of processing of personal data must be justified. Therefore, we collect and process your personal data to the extent necessary for specific purposes and for as long as it is necessary to fulfil such specified purposes. We maintain appropriate physical, technical, and administrative security measures with a view to protecting personal data against theft; accidental loss; unauthorised alteration; unauthorised or accidental access, processing, erasure, use, disclosure or copying; and/or accidental or unlawful destruction.

7. RETENTION OF PERSONAL DATA

Boomerang retains your personal data for the time necessary to achieve the purposes established in this Privacy Policy or until an obligation imposed by law states it should be retained. It should be noted that in certain cases there are exceptions to the normal retention times. For example, some automatic terms of erasure do not apply in case of debts and disputes. Furthermore, the retention of anonymous data is not subject to these rules, as in this case, it is no longer personal data. Boomerang takes the necessary measures to ensure that outdated data is erased or made anonymous. The following table summarises our retention principles for personal data. 

8. WHAT ARE YOUR RIGHTS?

You have the right under applicable law to access, obtain a copy and correct personal data concerning you, subject to limited exceptions that may be prescribed by applicable laws. Where justified and mandated by applicable law, you may also require that your personal data be deleted or blocked, or you may be entitled to obtain information about the processing of your data, or object to further processing of your data.

Please contact us by sending an email to the following address:

gdpr@boomerang.ee

Or sending letter by post to:

Att. Data Protection Officer

Boomerang Logistic Group OÜ

Aasa tee 1

74201 Jõelähtme vald

Harjumaa

You have also the right to lodge complaints pertaining to the processing of your personal data with the relevant data protection supervisory authority.

9. VALIDITY AND AMENDMENT OF PRINCIPLES

Boomerang is entitled to unilaterally amend this Policy at any time, in compliance with the regulatory Legislation. Amendments shall be published on Boomerang´s webpage and internal server at least ten (10) days before entering into force.

This Policy is drafted in English and translated into Estonian, Russian and Czech languages. In the event of disputes, arguments or claims of linguistic nature or concerning interpretation, the version of Policy in local official language is legally binding.

Policy enters into force on 15th of August, 2022, and is available on website www.boomerang.ee and in Boomerang´s internal server, and also in HR departments of Boomerang.