This Policy outlines how Viru Keskus AS (registry code 10932986, address Viru Väljak 4, 10111 Tallinn; hereinafter: Viru Keskus or we) as the controller processes personal data of visitors and other persons in connection with the operation of the shopping and entertainment centre Viru Keskus, located at Viru Väljak 4/6, 10111 Tallinn (hereinafter: Centre).

Protection of personal data is very important for us, and we take it very seriously. We are committed to being a reliable partner in personal data processing and, in doing so, we are guided by applicable European and Estonian legislation, as well as principles of secure processing of personal data.

Purposes of personal data   processing

Video surveillance

On the grounds of our legitimate interest and performance of a task in the public interest, video surveillance is used inside the Centre and on its outer perimeter for protection of public safety, persons and property; the footage can be monitored in real time by the personnel of the company providing us with security services. Video recordings are stored in a high security and limited access environment for the minimum period specified in the Law Enforcement Act. Video recordings connected to specific incidents in the Centre (e.g., loss events, etc.) are stored and processed on a case-by-case basis on the grounds of our legitimate interests or, as the case may be, those of our contractual partners and/or visitors of the Centre. Video recordings connected to specific incidents are stored for up to 3 years after termination of the proceedings on the case.


On the grounds of our legitimate interest or acquired consent, we may, in certain cases, process personal data for our marketing purposes in order to increase the popularity and visitor numbers of the Centre. For example, we may collect and process personal data (in particular, name and email address, but sometimes also postal address) of public figures, influencers or media representatives from public sources or our contractual partners (incl. PR agencies) for the purpose of transmitting invitations to our events, press releases or other relevant media communications. We only use personal data obtained from public sources if it can be deduced from the way and circumstances of its disclosure that the person in question is willing to receive notifications or invitations from Viru Keskus. Please make sure to notify us if this is not the case. We only store processed personal data for a period required for the purpose of processing of that data.

We can also collect personal data during our prize draw campaigns in social media, and our contractual partner sends us the details of the customer who wins the prize draw in our customer satisfaction survey. In connection with such prize draws, we only use personal data for the purposes of organizing the prize draw and awarding the prize to the winner; the respective personal data will be deleted after those purposes have been achieved.

Viru Food Hall App

Viru Keskus has developed an app for the visitors of the Viru Food Hall located in the Centre (hereinafter: App), which enables registered users (hereinafter: Users) to benefit from special and discount offers from Viru Keskus and to submit their orders to the restaurants. Viru Keskus processes the personal data of Users in connection with the use of the App (incl. first and last name, email address, telephone number, preferred language, and details of orders submitted in the App) on the grounds of a contractual relationship between the User and Viru Keskus (according to the Terms and Conditions of the App). The personal data are processed for the purposes of registration and management of a User account, sending orders to restaurants and fulfilling the orders (incl. release to the User).

On the grounds of a separate consent, Viru Keskus processes additional personal data of Users (incl. User’s gender and date of birth if a User has entered them in the App) for the purpose of making special and discount offers and transmitting personalised marketing information to Users.

The personal data linked with a User account will be stored in the App until the User account is closed. However, if a User account is closed less than 3 years after fulfilment of the last order, the order information will be stored for 3 years after fulfilment of the order.

Payment details associated with payments for the orders to the restaurants are processed in addition to the aforementioned personal data. The payment solution provider processes the required payment data on behalf of Viru Keskus as an authorised processor.  For more information on personal data processing by the payment solution provider, go to: The payment solution provider stores the personal data collected in the course of the payment initiation service in a personalised format for 1 year after providing the service.

Processing of personal data in business relations

For the purpose of building and managing business relations of Viru Keskus, we collect and process personal data of natural persons connected to legal persons (such as representatives, contact persons, specific employees, etc.) and individuals who have established business relations with us. Respective processing of personal data can be based on a contract (if a contract involving respective natural person exists or is planned), compliance with a legal obligation or legitimate interests of Viru Keskus.

We store processed personal data for a period required for the purpose of processing of that data. Personal data may be stored for a longer period if such longer period is required by applicable legislation or for the purpose of enforcing, using or defending legal rights.

Other cases

In addition to the above, Viru Keskus may process personal data for additional purposes and on other legal grounds, subject to notifying the affected persons at the time of collecting respective personal data.

Processors of personal data

We use contractual partners who process personal data for us, on our behalf, and only for the purposes, to the extent and in a manner prescribed by Viru Keskus. Additionally, board and staff members of Viru Keskus are authorised to process personal data to the extent required for the performance of their duties. Furthermore, we may disclose personal data to third parties in order to comply with a legal obligation or, if necessary, to defend our legal interests and claims.

Rights associated with the processing of personal data

In order to exercise your rights associated with the processing of personal data (for more information, see, to submit any other requests or applications related to the processing of personal data, or to ask for more information on the processing of personal data by Viru Keskus, please contact us by email

The rights associated with the processing of personal data are not unlimited and, in certain cases, the exercise of your rights may be limited by the rights of other persons, the legitimate interests and/or obligations of Viru Keskus. Viru Keskus intends to ensure lawful and transparent processing of personal data, respecting the rights of data subjects; therefore, please inform us immediately if you suspect that Viru Keskus has been involved in unlawful processing of personal data or violation of data subjects’ rights.

Ensuring security of personal data

Viru Keskus stores and processes personal data, in cooperation with its contractual partners, in a digital format and in physically secure locations. Personal data can be accessed only by our employees and contractual partners who need the data for performing the duties associated with the purposes of data processing as specified by Viru Keskus and who are under the obligation to comply with the requirements of the legislation governing data processing and with the rules of this Policy.  We have established guidelines and rules to ensure secure processing of personal data through appropriate organisational and technical measures. We make sure that our security measures for the processing of personal data are up to date by renewing and supplementing them as required.