My website address is: http://ilonanurmela.mediator.ee
I aim to be as clear as possible about how and why I use information about you, so that you can be confident that your privacy is protected. This policy describes the information that I collect and how I manage your information when you use my services.
This information includes personal information (data) as defined in Regulation (EU) 2016/679 (General Data Protection Regulation) and the subsequent Estonian Personal Data Protection Act of 12.12.2018.
The policy describes how I manage your information when you use my service, visit my website, if you contact me or I contact you. I use the information I collect in accordance with all laws concerning the protection of personal data, including the Estonian Personal Data Protection Act 2018 and the GDPR 2016. As per these laws, I am the data controller for the information that you give to me. My contact details can be found on my website.
In order to carry out an effective consultation, mediation, coaching or training, I need to collect information about you and/or your team so that I may:
Communicate with you by email or phone. The legal basis for this is a legitimate interest.
Deliver services to you and your team, for example by preparing a relevant assessment and providing well-informed training for your team. The legal basis is the contract with you.
Legitimate interest. The reason that I need to process your personal data is to provide coaching and/or mediation and/or consultation and/or training services to you or your team. My legitimate interest is to hold and process your personal data so that I can determine whether it is appropriate for me to provide services to you. It is important for me to know your and/or your team’s situation and what the concerns are that led to coaching/training/mediation being requested. Inevitably, coaching, mediation and a tailor-made training programme may involve sharing in-depth personal circumstances and thus coaching, mediation, consultation and training may involve the processing of special category data, including information, for example, about your or your team’s health, cognitive and mental functioning, social and emotional issues, personality traits, family and/or work history (including personal and work conflicts) or personal/work change aspirations. I have a legitimate interest to collect such personal data for the purpose of helping you and your team make well-informed decisions about your and their future and behaviour. This data is usually collected by phone with notes being made by me on paper. Some clients may choose to provide additional information in more detail in writing (e.g. by email). By writing to me to request my services you are consenting to the collection of personal data about you and/or your team even if you decide not to take on my services later. I will only collect information from you that is relevant for the process of providing the services you have requested, e.g. to prepare a relevant coaching or training programme for you and/or your team or how to structure a mediation so as to decide what tools and approaches to use.
In case of coaching – our initial session (whether or not it results in coaching services) signifies your consent to divulge personal data that I agree to keep confidential.
In case of tailor-made trainings – by approving the offered programme your email is considered consent to enlist my services as well as consent to process your and your team’s personal information for the sole purpose of performing the training.
When a mediation or a consultation is requested, the client is asked to read and sign my terms and conditions for this type of service. That document describes the work I will undertake and, by signing the document, you enter into a contract with me to do the work. I will process all personal data that you share with me (for the purpose of completing an assessment or consultation) lawfully, fairly and in a transparent manner. It will be necessary for me to process your personal data in order to fulfil the contract with you.
I will only contact you in response to a request for coaching, training or mediation services that has been initiated either by you or by your employer/company. This would usually include emails or calls to discuss your current concerns and arrange appointments or trainings. I will also email you with resulting training programme offers and invoice or payment details.
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Where your employer/company have agreed for me to contact you, your team and its members, the date of the phone call, appointment or mediation session will be arranged directly between myself and you or your team members, with the employer/company being informed of this date either through my communication with them or (in the case where the employer/company has commissioned my involvement in e.g. work mediation) through communication from the employer/company. Alternatively, the employer/company may arrange a date with me if during working hours and check with you to ensure it is a mutually convenient date.
Coaching and mediation services are confidential, i.e. even though the employer/company may have commissioned the service for its employee(s), I will not be reporting on the content of our coaching/mediation meetings. In case of mediation I will only be reporting as to the result of the mediation – whether a resolution has been achieved or not and if yes, then what has been agreed. With trainings, information provided by the clients and trainees will be used only for the purpose of the training and no report will be issued.
If as a result of our contractual coaching, consultation or mediation services a third party (e.g. the Police) requests access to your data – I will ask for your consent to share information and outline who they are, what they will do with your data and why I need to provide them with the information. There are two legal bases where I do not need to ask for your consent to share the data with a third party: if there is a risk to undermine an ongoing anti-money-laundering investigation or if I have a legal obligation to share the data (e.g. when I become aware of a crime being committed).
Visitor comments may be checked through an automated spam detection service.
Data is usually received by phone or by email.
Paper records will be filed and kept in a locked filing box/cabinet.
When data is received by email, attachments will be saved in an electronic file. If you feel you’re sending sensitive data, please use Digidoc encryption services and inform me accordingly for the key.
Electronic information will be stored on a MacBook at the office of Ilona Nurmela, which is password protected.
All personal data relating to clients will be backed up by being stored on an external hard drive and in iCloud/OneDrive which are GDPR compliant.
If a data breach occurs, and the breach is deemed to be a high risk for the rights and freedoms of the data subject, the Estonian Data Protection Office (DPO) and all affected clients will be notified within 72 hours. The nature of the breach will be explained along with the steps I am taking to deal with it.
Client paper files and electronic files will be securely destroyed within ten years following cessation of service provision unless there are strong reasons for retaining historical data (e.g. legal cases).
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
As I possess your personal data, you have certain rights. These are rights of access, a right of rectification, a right of erasure, a right to data portability and a right to restrict processing.
You can make an access request by contacting me. I may require additional verification that you are who you say you are to process this request. Please make such a request in writing or by email to me, Ilona Nurmela at the contact shown on this website. Please provide the following information: your name, address, telephone number, email address and details of the information about yourself that you require.
I may withhold such personal information to the extent permitted by law. In practice, this means that I may not provide information if I consider that providing the information will violate your vital interests.
You may request a copy of your data at any time. If you believe any of the personal data I hold on you or your team is inaccurate or incomplete, please contact me directly and any necessary corrections to your data will be made without undue delay.
If you believe I should erase your data, please contact me, Ilona Nurmela at the contacts shown on this website. However, there are some circumstances when I do not have to delete your data, for example if I have safeguarding obligations that override your data protection rights.
Where you have provided explicit consent for me to use your data, you have a right to withdraw this consent at any time.
If you wish to use a different coach or mediator or consultant, you have a right to have the data transferred to them.
If your questions are not fully answered by this policy, please contact me directly. If you are not satisfied with the answers I provide, you may contact the Estonian Data Protection Office (DPO) https://www.aki.ee/en.
In the event of my unexpected death all client data will be confidentially destroyed by the appointed executor.