Confidentiality Policy

Data Protection and Confidentiality Policy

1. Data management

Avatar OÜ is committed to protecting the confidentiality, integrity, and security of all personal and sensitive data processed during translation projects. This policy outlines our data protection measures in compliance with relevant legal frameworks, including the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) and other applicable laws. Data protection is a fundamental right enshrined in EU primary and secondary law: Article 16 of the Treaty on the Functioning of the European Union (TFEU) establishes the right to the protection of personal data and is the legal basis on which the EU adopts data protection legislation such as the GDPR. We follow and adhere to all requirements and guidelines regarding personal data within the scope of the GDPR.

The translation agency has carried out a self-assessment of its implementation of the CIS Critical Security Controls (formerly known as the CIS 20).

When collecting sensitive data, we consciously evaluate how much data is actually needed and consider privacy and confidentiality throughout the acquisition process. We avoid acquiring sensitive data unless it is strictly necessary: one of the most effective ways to mitigate confidentiality risk is to minimise the amount of sensitive data collected in the first place.

In accordance with the GDPR, all data subjects have the following rights:

1)  right to be informed – to know what personal data is collected about them, why, who is collecting their data, how long it will be retained, how they can file a complaint, and with whom the data will be shared.

2)  right of access – to submit a subject access request and obtain confirmation from us as to whether their personal data is being processed and, if so, a copy of that data and related information.

3)  right to rectification – to ask us to update any inaccurate or incomplete data we have collected on them.

4)  right to erasure – to ask us to erase their personal data, for example where it is no longer needed for the purpose for which it was collected or where they withdraw the consent on which the processing is based.

5)  right to restriction of processing – to limit the usage of personal data.

6)  right to data portability – to obtain personal data they have previously provided to us in a structured, commonly used, and machine-readable format.

7)  right to object – to object to the processing of their personal data at any time; this applies in certain situations and depends on the purpose of the processing and the lawful basis relied on.

8)  rights in relation to automated decision-making and profiling – not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them.

2. Data access, collection, and processing

This policy applies to all employees, freelance translators, subcontractors, and any third parties handling customer data on behalf of Avatar OÜ. Avatar OÜ only collects and processes personal data necessary for the provision of translation services. Data handling follows these principles:

lawfulness, fairness, and transparency
purpose limitation – data is collected for specified, legitimate purposes
data minimisation – only the necessary data is collected and retained
accuracy – data is kept up to date and corrected if needed
storage limitation – data is retained only for as long as necessary
integrity and confidentiality – data is processed securely and protected against unauthorised or unlawful processing, accidental loss, destruction, or damage
accountability – we are able to demonstrate compliance with the principles above

Controlling confidentiality means, in large part, controlling who has access to data. Ensuring that access is only authorised and granted to those who have a need to know goes a long way in limiting unnecessary exposure. Users are required to authenticate their access with strong passwords. All individuals involved in translation projects must:

sign a confidentiality agreement before accessing any customer data.
maintain strict confidentiality regarding all customer information, documents, and translations.
refrain from sharing, disclosing, or discussing confidential data with unauthorised parties.
ensure the secure storage and disposal of sensitive documents.

Your personal data will be processed for the following purposes:

to enable you to use our CAT tools;
for future communication, including sending you marketing materials about Avatar and its services by email (unless you have indicated that you do not want to receive these marketing materials).

3. Data security measures

To protect customer data, we implement the following measures:

secure IT systems with encryption and access controls
restricted access based on roles and responsibilities
secure file transfer methods (e.g. encrypted email, or password-protected documents with the password sent through a separate channel)
regular security audits and risk assessments

We will always keep your personal data for the period of our cooperation. We will also keep your personal data if required by law. Otherwise, we will delete your data within 3 months from the moment your account no longer contains any tasks, projects, translation memories, termbases, or other content.

4. Tools for reporting data breaches and measures for resolving incidents

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. All incidents which result in a data breach will be investigated internally and examined to see if a personal data breach which is likely to result in a risk to the rights and freedoms of natural persons has occurred.

Measures for preventing and resolving data breaches:

We conduct regular external and internal penetration tests to identify security vulnerabilities and attack vectors that can be used to successfully attack company systems.
Avatar OÜ has a written incident response plan that defines the roles of personnel and the steps for incident response and management.
We have assigned responsibility for handling computer and network incidents to specific individuals, and incident resolution is tracked and documented throughout the process.
We have developed organisation-wide standards regarding the time frames for system administrators and other personnel to report an anomalous event and which reporting mechanisms and information must be included in the notification.
We have created an incident evaluation and prioritisation scheme based on the known or potential impact on our organisation.

In the event of a data breach situation, we first:

a. secure our operations and interview the people who discovered the breach
b. stop any additional data loss
c. refrain from destroying any evidence

Second, we fix any vulnerabilities and:

a. check our network and systems for any remaining signs of compromise
b. notify law enforcement where appropriate
c. notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons
d. notify the customer or persons affected by the data breach, without undue delay where the breach is likely to result in a high risk to their rights and freedoms

5. Rights of customers

Customers have the right to:

access their data and request modifications or deletions
withdraw their consent for data processing at any time
lodge complaints regarding data processing practices

If you have questions or requests regarding the processing of your personal data, or if you require additional information, please contact: avatar@avatar.ee.

+372 553 3218
info@avatar.ee