PRIVACY POLICY

Privacy policy (updated 28.06)

The Estonian Business and Innovation Agency (registry code 90006012, e-mail [email protected] and [email protected], hereinafter the Agency or us) complies with the requirements and principles set out in legal acts and the privacy policy of the Agency when processing personal data. The transparency of personal data protection and data security are important for us, which is why we establish this privacy policy to inform you of how, for what purposes and for how long we process personal data and how we ensure that the rights of data subjects are enforced. Please take the time to thoroughly familiarise yourself with the privacy policy.

When processing personal data, the Agency acts as a controller within the meaning of the General Data Protection Regulation (hereafter GDPR). As the controller, we define the purpose, basis and manner of the processing of personal data, as well as the volume of processed data. We inform the data subject about this and assist them with exercising their rights. However, in certain cases, the Agency also acts as the processor, for example, when responding to requests containing personal data or acting on behalf of another controller who has also defined the purpose and scope of data processing.

The privacy policy covers all the personal data processing operations of the Agency, including on all web pages managed by the Agency [1]. Different web pages may include some specifications in terms of how data or cookies are processed in addition to our general terms, if such a need arises from the purpose of the web page.

However, the following does not concern the processing of data of legal persons or the processing of personal data on external web pages referred to on the web page of the Agency but not managed by the Agency.

Contact details:
Estonian Business and Innovation Agency

Sepise 7, Tallinn 11415
www.eas.ee or www.kredex.ee

If you have any questions, concerns or complaints related to personal data, please contact our data protection specialist by email at [email protected] or [email protected].
 

Definitions

  • A data subject is a natural person whose personal data is processed (e.g. customer, support applicant, web page user).
  • Personal data means any information relating to an identified or identifiable natural person (data subject) (e.g. a name, an identification number, e-mail address, etc.).
  • Processing means any operation which is performed with personal data (e.g. alteration, viewing, storage, erasure).
     

[1] eas.ee, eas.ee/ettevotluseauhind, investinestonia.com, workinestonia.com, e-estonia.com, booking.e-estonia.com, digiexpo.e-estonia.com, brand.estonia.ee, estonia.ee, toolbox.estonia.ee, game.estonia.ee, tradewithestonia.com, events.estonia.ee, my.estonia.ee, ajujaht.ee, visitestonia.com, puhkaeestis.ee, e-resident.gov.ee, learn.e-resident.gov.ee, company.e-resident.gov.ee, visiidid.ee, careerhunt.eu, kredex.ee, startupestonia.ee, ekredex.ee.

 

Legal basis for personal data processing

We process personal data only for purposes that are necessary for the performance of the statutory tasks of the Agency or tasks assigned to us in the public interest, to fulfil our legal and contractual obligations and to provide a service, and we do so on a clear legal basis. The personal data we process helps us understand your needs and provide you with the best support and advice. The data is necessary for improving the quality of the services offered and the processing of support requests. It is also necessary to fulfil legal obligations arising from law or attached to a legal act.

Depending on the purposes of data processing, we rely on the following legal bases for personal data processing established in the GDPR.

  • The Agency processes personal data for the preparation, execution and monitoring of contracts to which the data subject is party (including loan, guarantee, consultancy, cooperation, procurement and other contracts) (GDPR clause 6(1)(b)). In certain situations, the processing of personal data may also be necessary to prepare and defend a legal claim arising from a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject, for the purposes and to the extent stipulated in the relevant legal acts, for example, the Employment Contracts Act, tax laws, Money Laundering and Terrorist Financing Prevention Act, Auditors Activities Act or Accounting Act (GDPR clause 6(1)(c)).
  • We process personal data for the performance of a task in the public interest assigned to the Agency by a legal instrument or an administrative contract (GDPR clause 6(1)(e)).
  • The Agency can rely on a legitimate interest when processing personal data if it takes place outside the immediate performance of a public task, e.g. for the purpose of information security. We process personal data on the basis of a legitimate interest only if such interests are not overridden by the interests or fundamental rights of the data subject and there are no other grounds for processing of personal data (GDPR clause 6(1)(f)).
  • Less frequently we process personal data on the basis of the consent of the data subject (for example, to send a newsletter, for direct marketing purposes, in the event of campaign participation or when using photo and video materials). The data subject gives consent to the processing of personal data for the specific purposes voluntarily, knowingly, unequivocally and specifically with regard to the specified data – for example, by marking the corresponding box on the relevant form (GDPR clause 6(1)(a)).

Purposes and categories of personal data processing and storage of personal data in the case of different services and tasks

Personal data are processed only to the extent necessary for the realisation of the objectives established at the time when the data were collected and are stored for a specified period of time. They are then erased or destroyed.

We only process non-personalised data in order to create statistics illustrating the activities of the Agency. Statistics and summaries are published anonymously. From the collected information, we can make generalisations in an anonymous form and share them with our partners. In compliance with the restrictions set forth in the Public Information Act, we may also share the data collected during the performance of a public task with the person assigning the respective task.

If the term of data storage is determined by a legal act, we follow the term stated in the respective act. For example, documents obtained during the processing of support measures, including personal data, are stored for the period specified in the legal act applicable to the corresponding support measure. In other cases, we store correspondence for 5 years, materials related to contracts for 10 years from the expiry of the contract and accounting documents for 7 years. Documents that have exceeded the time limit are generally subject to destruction unless legal acts provide otherwise. For example, according to the Archives Act, the Agency must hand over the documents and their series deemed to be of archival value to the National Archives after the storage period has passed.

We only collect and process personal data the need for which we have clearly defined for ourselves in advance. For example, we collect, process and use contact data of the data subject in order to contact the data subject if necessary. The personal data we process and the reasons for processing it are primarily the following.

  • Authentication, i.e. verification of identity and identification – access to online channels that allow the use of the services of the Agency is only possible with user identification, for which we need your name and identification number. If you act as a representative of a third party and use the information systems created and/or managed by us, we will also ask for the data of the person being represented and the power of representation (power of attorney, position, etc.) during user registration and use, for the purpose of identification and keeping records of for whom and with what rights user accounts have been created, including for accessing the KredEx e-service environment or the Visit Estonia web environment, but also for providing loans, guarantees, risk and private capital investments, enabling support measures and implementing the activities of Startup Estonia and the e-Residency program.
  • In the process of applying for or using support measures or services we process data that is stipulated by the legal acts related to the relevant support measure or the internal rules of procedure supporting the proper execution of the public interest task assigned to the Agency. Depending on the support scheme, the processed data may be in the CV of a member of the project team of the applicant, employment agreement, etc. The processing of personal data for the purpose of processing applications is carried out on the basis of law. In order to be eligible for support, the applicant must provide the requested personal data. If the data is not provided, we will not be able to provide any support measures.


In order to obtain guarantees and subsidies, it is necessary for the data subject to fill in the corresponding forms in advance, the data in which is used to decide on guarantees and support. The data disclosed by the data subject through the forms is strictly limited to what is necessary to provide the corresponding service. For example, when assigning a housing benefit to families with children, the Agency processes the personal data of both the applicants and their children: name, identification number, e-mail address, residential address and data on income, custody and ownership.

Personal data is processed in a situation where it is necessary to assess whether the data subject meets the conditions for receiving a residential mortgage and guarantee, or whether the supplementary security provided by the data subject for the business loan is acceptable. The Agency has signed cooperation agreements with several banks and issued authorisations for concluding contracts of guarantee. As a result, the bank, not the Agency, assesses the creditworthiness of the data subject according to the provided data and also specifies the existence and size of the self-financing of the data subject and calculates the guarantee amount. In the event of a positive loan decision and the applicant meeting the guarantee terms, the bank concludes both a loan and guarantee contract with the data subject.

  • When visiting the e-Estonia Briefing Centre, we need your personal data to book the visit and determine your needs, as well as to register your presence in the premises of the briefing centre. The processing of personal data is necessary for security reasons in order to visit the premises of the briefing centre. Information about the e-Estonia Briefing Centre can be found here.
  • When using the services of Work in Estonia, including the International House, we need your data in order to offer various services and determine your needs. Depending on your interests in various services, it may be necessary to share your personal data with a specific partner who provides the corresponding consultancy service.
  • In the activities of the e-Residency program, we process personal data that is necessary to offer the service to e-residents and ensure better quality of said service and, if necessary, to provide input to the legislator for drafting or amending legislation on e-Residency. Information on applying for e-Residency can be found here. If you have any questions regarding the personal data processed by the e-Residency Programme team, please contact the e-Residency Programme at [email protected].
  • In public procurement, we process personal data to the extent that it is necessary for conducting public procurements and concluding public procurement contracts. Depending on the procurement procedure, the submission of CVs of team members of the tenderer may be required as part of the procurement procedure. In the procurement procedure, personal data is processed for the purpose of preparing the procurement contract. If it is necessary due to the nature of the service, we will conclude a data processing agreement with the successful tenderer within the meaning of Article 28 of the General Data Protection Regulation, so that secure processing of personal data is guaranteed during the performance of the procurement contract.
  • We process data during the performance of the contract, for example, to calculate fees related to the contract, for payments, to forward information and in other cases when it is necessary for the conclusion and performance of the contract (including by transferring data to processors).
  • We process personal data in order to verify, exercise, assign and defend legal claims based on the performance of a contract or the implementation of pre-contractual measures initiated at your request; as well as in fulfilling a legal obligation or protecting a legitimate interest to prevent, limit and investigate misuse or illegal use of services and support measures or disturbances in their functioning, including to ensure the quality of services and support measures and the operation of the security systems of the Agency. When conducting in-house training, we use the collected data in a non-personalised form.
  • We ask for your consent to process contact data if we want to send relevant news about the services of the Agency, invitations to events organised by the Agency and other information related to the activities of the Agency to customers and the target group of services provided in the public interest, as well as other persons who are interested in direct marketing communications. If you have agreed to receive e-mail newsletters and notifications, the Agency will also collect statistics, such as whether you opened the e-mail, which links were clicked and which devices you used (their technical characteristics).
  • We use your email address to send feedback or satisfaction surveys; forward invitations to press trips, business trips or foreign visits or other events, or to send information regarding such events, provided that you have consented to receiving such notices or if it is provided for by a legal act; when responding to information or clarification requests sent by you or when responding to investment inquiries.


We use survey and market research data to improve the quality of our support measures, services or e-environments.

  • The Agency is not obliged to keep a document register according to § 11 (1) of the Public Information Act, therefore we do not keep a public document register and do not display relevant data (including personal data of natural persons) publicly. An information request must be submitted to access the data. Our activity in terms of information concerning the use of funds provided for the performance of state or other public tasks or to be used as a support measure is public in accordance with paragraph 5 (2) of the Public Information Act and in some cases personal data – in particular the name and the fact of the application (in certain cases also its content) – may become known to third parties.


If you want access to a document or correspondence and submit an information request, we will check whether the requested document can be released in full or in part. However, documents are issued to third parties in full only in cases prescribed by law or in the presence of a power of attorney. Restricting access depends on the content of the document. Regardless of the access restriction, we will issue the document to an institution or a person who has a direct legal right to request it (e.g. investigative authority, extra-judicial body or court).

  • Your personal image or voice recording collected when you visit events, business trips or conventions organised by us, in order to inform the public about the organised events, or if you have given us the respective consent to use photo/video or other material.
  • In campaigns on our web pages in which you have participated, to the extent necessary to determine the winner (email, name, other contacts).
  • When you visit our social media accounts (Facebook, Instagram, LinkedIn, YouTube) and want to contact us there. Our pages and post comments are publicly visible to everyone. You can follow our accounts by selecting the respective option. If you share or like posts, we will be notified. We receive visitor statistics in a non-personalised form.
  • We process personal data when the data subject applies for a job at the Agency (CV and the information within, other documents required in the job ad, references, if necessary, data contained in the commercial register and criminal record information). The Agency does not store the documents related to the application for more than one year as of the competition for the post. With the consent of the data subject, we can store the data of the applicant for the agreed period even after the end of the application process with a view to making a job offer in the future. In addition to our employees, we may involve partners from outside the Agency in the suitability assessment.
  • The Agency processes personal data (name, email, other contact data) also in situations where the data subject addresses the Agency with clarification requests, applications or inquiries. If the corresponding communication takes place via e-mail, the Agency may also collect statistical data related to this correspondence, for example, which questions arise regarding which service, etc. In order to respond to inquiries, the prior processing of personal data is necessary to ensure the security and reliability of services, distinguish inquiries submitted by web crawlers from inquiries placed by humans and to enable consultants to provide you with the most appropriate answers and prepare the most appropriate value propositions when offering a personalised e-consultation service. We may also use the correspondence with the data subject internally to evaluate the quality of our work.


We only record customer phone calls when you call the general customer service number. The customer will be notified directly of the recording of the call. We use call recordings only for improving customer service and the recordings are deleted after a year at the latest.

  • We process the IP addresses of information system and web page users to ensure the security of the information system and web page and comply with the terms of use of the service. We use logs to ensure the security of information systems or web pages and the data contained therein and to ensure that data is processed only by authorised persons.
  • We use cookies when you visit our web pages. We collect and process data about the usage preferences of the data subject in order to improve the design, ease of use, etc. of our web pages. We use cookies online, which make it possible to make the functioning of the web page more efficient and thus provide the best experience when browsing the web page. We also use cookies to monitor web page usage statistics and actions performed on the web page, but each customer’s activity on the web page is not monitored individually. The information received is used to improve the usability and content of the web page. More information about the use of cookies on our web page can be found below.

Use of cookies

A cookie is a small text file that is stored on your computer, smartphone or other device with which you visit our web page. This may include information we need to ensure the technical functioning of our web page, improve user experience by storing user settings, perform statistical analysis and personalise marketing preferences.

Cookie options can always be changed through cookie preferences or web browser settings. You can delete previously installed cookies from your device either by changing your web browser settings or by manually deleting cookies.

  • Cookies used on our web page are divided into three categories according to their duration: temporary, time-limited and persistent cookies:
    • Temporary or session cookies are used only during the current session and are deleted when the web browser or its tab is closed.
    • Limited-time cookies have a fixed duration and are automatically deleted upon expiry.
    • Persistent cookies do not have an expiration date and are stored until their deletion.
  • According to the purpose, there are four categories of cookies:
    • Essential cookies ensure the functioning and security of the web page. These cannot be declined.
    • Functionality cookies allow the web page to remember the selections made by the visitor in the past in order to provide a better and more personalised user experience. These cookies collect information about browsing language, font size, contrast, etc.
    • By using statistical cookies we can perform a statistical analysis of the use of the web page. As a result of the analysis, we can improve user experience.
    • The purpose of marketing cookies is to display relevant ads to the visitor.
  • If you do not want cookies to be used on your devices, you can change the security settings of your web browser. From there, you can change the settings for cookie use notifications or block all cookies. You can also delete all cookies stored on your device. If you delete cookies from your web browser, our web page will treat you as a new visitor on your next visit. However, if all cookies are blocked, some functionalities of the web page may not work.
  • Over time, we may update and adjust cookies to improve service quality. Please note that our different web pages (e.g. e-estonia.ee, visitestonia.ee, etc.) may have special terms regarding the processing of cookies due to the nature and purpose of the web page, which means that the cookies used on the web pages may differ depending on the purpose of the page, as not all web pages always use all of the aforementioned cookies. More detailed information about the cookies used on each web page can be found on the corresponding page.

Rights of the data subject

The Agency deems respecting the rights of the data subject important and therefore pays special attention to it. At the request of the data subject, the Agency may provide information about a specific data subject electronically, in writing or orally, making sure that the identity of the data subject is clear and verified.

This means that if there is any doubt while processing your request, the Agency may ask you to provide additional information to identify the data subject. We do this to be sure of the identity of the data subject and ensure that we are providing the right information to the right person.

The right to receive information about the scope and use of personal data

You have the right to access your personal data and receive information on what data the Agency processes about you. This allows you to be informed and check, if necessary, what personal data the Agency processes about you and how it is done. You can also contact the Agency and ask for which purpose we process your personal data, if you are not sure about the purpose or have additional questions for us. We will try to answer your questions as soon as possible and within one month at the latest. In the event of more complex requests, it may be necessary to extend the time required to respond to the requests of the data subject by an additional two months. In this case, we will contact you about extending the response period and explain the reasons for the extension.

Copies

If it is necessary and justified, the Agency will generally provide you with a free copy of the documents related to you upon request. We issue data and documents upon request, either on paper or electronically. The Agency may refuse to disclose the data in the copy or to provide a copy if it disproportionately affects the rights and freedoms of other persons and it is not possible to apply less strict measures. We issue data and documents upon an information or clarification request, which we answer within the deadline provided by the Public Information Act or the Response to Memoranda and Requests for Explanations and Submission of Collective Proposals Act. If you want them to be issued in paper form, we can charge a fee for each issued page starting from page 21, according to paragraph 25 (2) of the Public Information Act. Electronic data and materials are transmitted in an encrypted form.

Right to rectification of personal data

All data subjects who notice that their personal data are not up-to-date, are incorrect or need to be rectified can contact the Agency to rectify or correct the data. You can also ask for the completion of your incomplete personal data. We guarantee that personal data will be corrected as soon as possible in case of justified and legitimate requests.

Right to personal data portability

If it is justified in the specific case and does not harm the rights and freedoms of others, the data subject has the right to receive the personal data concerning them that they have submitted to the controller, in a structured, commonly used format and in a machine-readable form, and the right to transmit this data to another controller, if the specific event of processing of personal data is based on consent or a contract and is processed automatically.

Right to personal data erasure

This right allows data subjects to request the erasure of their personal data if the personal data are no longer necessary or appropriate in relation to the purposes for which they were collected or processed. The right to erasure is not an absolute right and therefore your personal data erasure request may not mean that all your personal data will be deleted upon the request. Sometimes we have a legal obligation to retain data and in such cases we may not be able to comply with your request. The same may occur if we need to retain the relevant data for exercising or defending legal claims.

Right to restriction of processing

In justified cases, the Agency may, at your request, limit the processing of personal data if you dispute the accuracy of your personal data, for a period enabling the controller to verify the accuracy of the personal data. The data subject has the right to request the restriction of personal data processing, for example while the Agency evaluates the implementation of the personal data erasure request.

Right to withdraw consent

If the personal data is processed on the basis of consent, you have the right to contact the Agency at any time and withdraw your consent to the processing of personal data. Withdrawal of consent does not have retroactive effect and does not retroactively affect the legality of personal data processing that has already taken place during the duration of consent.

Right to object

Should you find that the processing of personal data by the Agency violates your right to personal data protection or other rights and freedoms, you have the right to object to the processing of personal data.

Right to lodge a complaint with a data protection supervision authority

All data subjects have the right to lodge a complaint with the national data protection supervisor if the data subject considers that the processing of their personal data does not comply with the provisions of data protection laws and general data protection rules. In Estonia, the national supervisory authority is the Data Protection Inspectorate.

Recipients of personal data

In order to provide you with an excellent experience and provide an overview of everything we offer, it may be necessary to share your personal data with processors and joint or other independent controllers. For example, when adding a guarantee of the Agency to a housing loan from a credit institution, we require data similar to that required by a lender, which we both process as controllers. We will disclose your personal data to third parties if the obligation to do so arises from law or international agreement.

  • Due to the financing rules related to structural assistance of the European Union, we send the relevant data in the employment contracts and their appendices to the Ministry of Finance.
  • We transmit personal data related to work, work accidents and occupational diseases to the Health Insurance Fund, the Labour Inspectorate, the Tax and Customs Board, the Social Insurance Board or the Estonian Unemployment Insurance Fund to the extent specified in the legislation.
  • We transmit data to regional development centres, tourist information centres and visitor centres to fulfil the obligations arising from the administrative contract.
  • We transmit personal data to the e-environment of structural assistance in the areas stipulated by the legislation underlying the support measure.
  • We transmit the data necessary to initiate enforcement proceedings to the enforcement proceedings information system. We submit personal data to courts and other law enforcement authorities in cases prescribed by legislation and if necessary to protect our own legal interests.
  • We transmit personal data to the register of public procurements if it is necessary to add tenderers (including the representative of the tenderer or a tenderer who is a natural person) to the procurement proceeding.
  • We transmit personal data to the commercial register or land register if it is necessary in matters related to legal claims.
  • We share personal data with third parties and processors if it is necessary, for example, for the development of information systems, for co-operation partners to offer you a higher quality service or if you have given us your consent to transmit data.
  • We also transfer personal data to processors to fulfil contractual obligations.
  • We provide auditors, accounting service providers, legal and financial consultants with data that is necessary for the provision of the respective service.

Safeguards and notification

The Agency strictly maintains the confidentiality of personal data and protects it from unlawfully falling into the hands of third parties by implementing effective IT security measures and organisational and technical measures.

If a breach related to personal data occurs in the Agency and it presents a potential risk to the rights and freedoms of the data subject, we will notify the Data Protection Inspectorate. Additionally, we will take measures to eliminate the breach as soon as possible.

If the breach results in a potentially serious threat to the rights and freedoms of the data subject, we will also notify them of this. The purpose of the notification is to enable the data subject to take the necessary precautions to mitigate the potential risks arising from the situation.

Implementation provision

Considering potential changes in legislation, data protection laws and developments in technology ensuring a high level of personal data protection, the Agency reserves the right to make changes to the privacy policy. Therefore, the privacy policy is reviewed regularly and changes are made if necessary.