ISACA Estonia Chapter Privacy Policy

 

Last Updated: February 2026

 

Welcome to the ISACA Estonia Chapter (the “Chapter,” “we,” “us,” or “our”). We are an independent chapter of ISACA, Inc. (referred to herein as “ISACA”), engaged in the promotion of the education of its members for the improvement and development of their capabilities relating to the auditing of, management consulting in, or direct management of, the fields of IT governance, IS audit, security, control and assurance.

 

This Privacy Policy describes how our Chapter collects, uses, shares, and retains personal data when you use our website at www.eisay.ee (the “Site”), or when you interact with us in person. Personal data is data that can be used to identify you directly or indirectly, or to contact you, including, but not limited to, your name, mailing address, email address, and telephone number.

 

Please note that this Privacy Policy does not apply to information collected or used by ISACA International’s global websites or mobile applications, which are governed by the Privacy Notice located at https://www.isaca.org/privacy-policy. This Privacy Policy also does not cover the practices of any other ISACA Chapter, or any ISACA Chapter business partners (such as vendors, service providers, sponsors, or advertisers) and does not apply to personal data that we collect from or about our employees, consultants, contractors, vendors, sponsors, or advertisers.

 

  1. Modifications to this Policy

From time to time, we may need to update or modify this Privacy Policy, including to address changes in the law, new issues or to reflect changes on our Site. When we update this Privacy Policy, we will change the “Last Updated” date at the top of the page so you know it has been updated. To the extent required by law, we will notify you of material changes to this Privacy Policy.

 

  2. Collection of Personal Data You Directly Provide

We collect personal data from you when you interact with our Site and when you use our services. We may collect personal data directly from you, for example through online and offline registration forms for events, exams or meetings. 

 

Events. We may host events that include in-person and virtual conferences, training, knowledge sharing and webinars. If you register for an event, we may collect the following information from you: first name, last name, email address, business address and name, and your role in that business. We use this information to provide you with event services. To the extent the information requested is not required for your participation in a given ISACA Chapter program, you will be told which information is optional. Should you fail to provide optional information, certain Chapter programs or features may not be available to you.


Presenter. If you are a presenter at one of our events, we will collect information about you such as your name, employer, contact information and photograph, and we may also collect information provided by event attendees who evaluated your performance as a presenter. 

 

Communications. If you communicate or correspond with us by email, through postal mail, via telephone or through other forms of communication, we may collect the information you provide as part of those communications. For example, if you correspond with us through email, we may collect and store the email address you use to send the applicable correspondence and use it to respond to your inquiry; to notify you of other ISACA Chapter events; or to keep a record of your complaint or accommodation request, and for similar purposes.

 

We may also maintain information about you that you do not directly provide, whether it is information received from third parties, such as business partners who provide exam administration services, or information we collect about your activities. For example, we may keep track of which events you have attended, which exams you have taken, which boards and committees you have served on, and which offices you have held.

 

 

  3. Why We Collect Your Personal Data

We may use your personal data to provide the following services, based upon the legal bases noted below:

  • We rely on your consent to process your personal data to:
    • Inform you about other events or services which we believe may be of interest to you; and
    • Respond to your requests.
  • We rely on legitimate interests to process your personal data to:
    • Improve our services and to detect, prevent and address technical issues. 

 

  4. Sharing Your Data

We may share your personal data with the following parties:

  • With our volunteers and board members to provide our services;
  • With ISACA as part of our ISACA affiliation agreement, and to provide our services;
  • When we believe it is necessary to cooperate with law enforcement or in response to a government request, including if specifically requested or required, as otherwise permitted by law, and for other valid Chapter business purposes.

 

  5. Data Retention

For any other personal data we collect, we will retain the personal data for a maximum of 5 years to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law (such as tax, legal, accounting or other purposes). When we have no justifiable business need to process your personal data, we will either delete or anonymize it.

 

  6. Security

We use reasonable measures to safeguard your personal data and follow applicable laws regarding safeguarding such information under our control. We cannot guarantee, however, that your information will remain secure. The Internet is by its nature a public forum, and we encourage you to use caution when disclosing information online. Often, you are in the best situation to protect yourself online. You are responsible for protecting your username and password from any third party’s access, and for selecting passwords that are secure.

 

  7. Your Data Subject Rights

You have a number of rights in relation to your personal data. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal data. You have the following rights in relation to your personal data:

  • Right of access to and rectification of your personal data. You have a right to request that we provide you a copy of your personal data held by us. This information will be provided without undue delay subject to some fee associated with the gathering of the information (as permitted by law), unless such provision adversely affects the rights and freedoms of others. You may also request us to rectify or update any of your personal data held by us that is inaccurate.
  • Right to erasure. You have the right to request erasure of your personal data that: (a) is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (b) was collected in relation to processing to which you previously consented, but later withdrew such consent; or (c) was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing. If we have made your personal data public and are obliged to erase the personal data, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other parties that are processing your personal data that you have requested the erasure of any links to, or copy or replication of your personal data. The above is subject to limitations by relevant data protection laws.
  • Right to data portability. If we process your personal data based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal data in a structured, commonly used and machine-readable format, and to have it transferred directly to another “controller,” where technically feasible, unless the exercise of this right adversely affects the rights and freedoms of others.
  • Right to restrict processing. You have the right to restrict or object to processing your personal data where one of the following applies:
    • You contest the accuracy of your personal data that we processed. In such instances, we will restrict processing during the period necessary for us to verify the accuracy of your personal data.
    • The processing is unlawful and you oppose the erasure of your personal data and request the restriction of its use instead.
    • We no longer need your personal data for the purposes of the processing, but you require it to establish, exercise, or defend legal claims.
    • You have objected to the processing, pending verification of whether the legitimate grounds for our processing override your rights.
    • Restricted personal data shall only be processed with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if the restriction is lifted.
  • Right to withdraw consent. You have the right to withdraw your consent to the processing of personal data collected on the basis of your consent at any time. Your withdrawal will not affect the lawfulness of our processing based on consent before your withdrawal.
  • Right to object to processing. Where the processing of your personal data is based on consent, contract, or legitimate interests, you may restrict or object, at any time, to the processing of your personal data as permitted by applicable law. We can continue to process your personal data if it is necessary for the defense of legal claims or for any other exceptions permitted by applicable law.
  • Automated individual decision-making, including profiling. You have the right not to be subject to a decision based solely on automated processing of your personal data, including profiling, which produces legal or similarly significant effects on you, save for the exceptions applicable under relevant data protection laws. We do not engage in this type of automated processing.
  • Right to complain to a Supervisory Authority. You have the right to complain to the Supervisory Authority in the jurisdiction in which you reside if you are concerned about the way we have processed your personal data. If you are a resident of the EEA you can find the contact information for your Supervisory Authority here. If you are a resident of the United Kingdom, you can find the contact details for the Information Commissioner’s Office here.

 

To exercise your rights noted above, please contact us at info@eisay.ee.

 

Marketing Communications. We will only contact you by electronic means (email) based on our legitimate interests, as permitted by applicable law or your consent. When we rely on legitimate interests, we will only send you information about our Sites or services that are similar to those which were the subject of a previous sale or negotiations of a sale to you. If you do not want us to use your personal data in this way or to disclose your personal data to third parties for marketing purposes, please click an unsubscribe link in your emails from us, or you can email us at info@eisay.ee. You can object to direct marketing at any time and free of charge. Direct marketing includes any communications to you that are only based on advertising or promoting products and services.

 

International Transfers. We will protect your personal data in accordance with this Privacy Policy wherever it is processed and will take appropriate contractual or other steps to protect the relevant personal data in accordance with applicable laws. These steps include implementing the European Commission's Standard Contractual Clauses for transfers of personal data to our service providers and business partners outside of the UK or EEA. To the extent applicable, we may rely on derogations as set forth in Article 49 of the UK GDPR/GDPR for the transfer of personal data collected from individuals in the UK and the EEA to the United States, and other countries that the European Commission views as not providing adequate levels of protection. Specifically, we may transfer such information to another party to perform a contract with you, with your explicit consent, or in a manner that does not outweigh your rights and freedoms. 

 

 

  8. Children

We do not knowingly collect personal data from persons under the age of 16. If you are a parent of a child under 16, and you believe that your child has provided us with information about himself or herself, please contact us via the information in the Chapter and DPO Contact Information section below.

 

  9. Chapter and DPO Contact Information

If you have questions or concerns about this Privacy Policy or how we process your personal data, please email us at info@eisay.ee.