Privacy policy

The personal data processing information has been prepared to meet the requirements of the controller set forth in Article 12 of the EU General Regulation on the Protection of Personal Data 2016/679 "Clear information, notification and the procedure for exercising the rights of the data subject" and to inform natural persons about the principles of personal data processing and the guarantee of rights.
DATA PROCESSOR:


Data Protection Inspectorate
Tatari 39, Tallinn, 10134
Phone: +372 6274135
Data protection specialist contact: andmekaitsespetsialist[a]aki.ee 

AUTHORIZED DATA PROCESSORS:


Centre of Registers and Information Systems (RIK)
Lubja 4
Tallinn 19081
rik[a]rik.ee
Website information technology management, procurement, supply, development, operation and maintenance of information and communication systems, transmit newsletter, newsletter technical support.

Ministry of Justice
Suur-Ameerika 1
Tallinn 10122
info[a]just.ee
Organization of personnel work

Competition Authority
Tatari 39
Tallinn 10134
info[a]konkurentsiamet.ee
Administrative organization, management of state assets and funds, information management, organization of financial accounting and reporting, and organization of occupational health and safety work

General principles of personal data processing

The activities of the state institution are public. Our documents can be consulted through the document register or by submitting an information request. We also publish on our website the injunctions and appeal decisions that have come into force. These explanations do not concern the storage of data by legal entities and other institutions. They also do not include the processing of personal data on foreign websites that are referred to on our website (external links).

In the course of work, e.g. when you write to us or are a party to a procedure, we also collect personal data, including special types of personal data.

  • Personal data is any information about an identified or identifiable natural person (data subject). In particular, a natural person can be identified on the basis of an identification feature (name, social security code, place of residence, location, e-mail address, telephone number, network identifier) or one or more physical, physiological, genetic, mental, economic, cultural or social characteristics.
  • Special types of personal data are data that contain racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, genetic data, biometric data used for the unique identification of a natural person, health data or data about a natural person's sex life and sexual orientation. The list of special gender personal data is given in the General Regulation on the Protection of Personal Data.

With our internal work organization, we also try to ensure that your privacy is invaded as little as possible. The processing of personal data is legal, fair and transparent; processing is based on the principles of expediency and minimality; we implement security measures that protect personal data from illegal access and accidental loss and destruction.

You have the right to ask for confirmation about the processing of your data and to consult the data we have collected about you. For this, we need to identify your identity, and you must submit a (digitally) signed application or a signed paper application. We will respond as soon as possible, but no later than one month. We will issue your data either on paper or electronically as you wish.

If we have collected data about you, you have the right to know the purpose of their collection, to whom your personal data has been disclosed or will be disclosed, how long the data will be stored and, if the data has not been collected from you, information about their source.

We will refuse to comply with your access request and right to information only if it may:

  • harm the rights and freedoms of another person;
  • harm national security;
  • hinder or impair the prevention, detection, prosecution or execution of an offence.
  • endanger the protection of the secret of the child's parentage.

If you discover that the information we have about you is incorrect or needs to be supplemented, submit a (digitally) signed or paper signed and justified request to correct or supplement the incorrect data.

You also have the right to request restriction of personal data processing (for example, for the period when you have contested the correctness of the data), termination or deletion when there is no longer a legal basis for processing the data. To do this, submit a justified and (digitally) signed or paper signed application.

You have the right to object to the processing of your data. To do this, submit a justified and (digitally) signed or paper signed application.

You have the right to object to our decisions and actions as a dispute or to appeal to an administrative court.

In all questions related to the processing of your personal data in the inspection, you will receive an answer from our data protection specialist. Please write to data protection specialist[a]aki.ee.

Most of the information related to personal data is in digital form. In the document register and procedural information published on our website, the names of private individuals are visible as initials. The inspection collects information to fulfill the tasks assigned to the agency by law, and the public information law applies to the information we have. This law stipulates that anyone can reuse information without access restrictions on the website and in public databases for their own commercial or other private interests. For re-use, information can be downloaded as machine-readable and mixed with information collected elsewhere.

We also process your personal data in the following cases:

You can send us a request for clarification, a memo or a request for information by e-mail, paper letter or through the contact environment, which is available on the website of the inspectorate.

To submit an application through the application environment, you must authenticate yourself with an ID card, Mobile ID or Smart ID. In addition to the name and social security number, an e-mail address and, if desired, a telephone number must also be provided in the environment.

We use your personal data to respond to you. If we have to make inquiries from someone else to answer you, we will only disclose your personal data to the minimum extent necessary.

If you have sent us a request for clarification/request for intervention/request for information, the answer to which is within the competence of another institution, we will forward it there. We will certainly notify you of the transfer.

We may also use the correspondence with you internally to evaluate the quality of our work. We publish statistics and summaries of correspondence impersonally, without names.

According to the law, the database of correspondence is visible in our public document register. It shows the initials of the sender or receiver of the letter, not the name. We display the title of the document on the Internet as "Request for clarification", "Request for intervention" or "Request for information". A more detailed title can only be seen within the institution. We do this to protect your privacy, as we are often written about sensitive topics.

If you are writing to us on behalf of a legal entity or institution (for example, as a journalist working for a press publication), please use your professional contact information, not your private one. These contact details are public in the document register.

Correspondence with private individuals is restricted in access. If someone wants to get acquainted with your correspondence and makes a request for information, upon receiving the request for information, we will check whether the requested document can be released in full or whether it must be released in part. Restricting access depends on the content of the document. Possible grounds for access restrictions are given in § 35 of the Public Information Act.

Regardless of the access restriction, we will issue the document to an institution or a person who has a direct legal right to request it (e.g. investigative body, extrajudicial procedure or court).

The law allows us to disclose the circumstances of correspondence if there is an obvious public interest (§ 38 subsection 1, § 30 subsection 4 of the Public Information Act). We use this right only in very exceptional cases and refrain from excessively intruding on the privacy of the parties involved. Among other things, we reserve the right to provide explanations to the public about our activities if a person himself brings procedural information to the public. We do not disclose information to a greater extent than the person has previously disclosed.

We keep correspondence with private individuals for 5 years. Documents that have exceeded this deadline are generally subject to destruction. The exact period of data storage about you can be found in the list of documents (PDF) by the serial number of the document, or index. In the appeal environment, your forwarded appeal is visible for 1 year from the date of sending the letter.

You can submit a request for intervention (complaint, dispute, memo) to us by e-mail, paper letter or through the contact environment available on the inspection's website.

You must authenticate yourself with an ID card, Mobile ID, or Smart ID in order to submit an application through the application environment. In addition to the name and social security number, an e-mail address and, if desired, a telephone number must also be provided in the environment.

We use your personal data to resolve the matter. We only disclose the personal data of the applicant for intervention to the other party to the minimum extent necessary to resolve the matter.

If you have sent us a request for intervention, the review of which is within the competence of another authority, we will forward it there. We will certainly notify you of the transfer.

If your personal data processor is located in another European Union member state or the case also involves citizens of other European Union member states, it may be necessary to forward the information in the intervention request to the supervisory authority of the other country. Read more here. We can also use the request for intervention and the materials of its review internally to evaluate the quality of our work. We publish statistics and summaries impersonally, without names.

Procedural documents are delivered to the parties:

a) by e-mail (as a rule, we do not encrypt e-mails);
b) by post as a simple or registered letter (postal risk lies with the postal service provider and the recipient of the letter).

For delivery, we primarily use address data that the party to the proceedings has disclosed to us or that is available from the population or business register. We also use the person's official e-mail address ([email protected], [email protected]).

If the delivery is not successful, we ask the police or a foreign embassy for official assistance. We may also publish the resolutive part of the injunction or appeal decision in a newspaper with nationwide circulation or, in cases provided by law, in the official publication Ametlikud Teadaanded. The resolutive part is the part of the administrative act that obliges someone to do something. If the publication of the resolutive part may unduly encroach on your private life as the applicant for intervention, we will ask for your opinion before publication.

The database of intervention requests is visible in our public document register according to the law. It shows the initials of the sender or receiver of the letter, not the name. We show "Request for intervention" as the title of the document on the internet. A more detailed title can only be seen within the institution. We do this to protect your privacy, as we are often written about sensitive topics.

Intervention requests and related correspondence are restricted access. If someone wants to get acquainted with it and submits a request for information, upon receiving the request for information, we will check whether the requested document can be partially or fully released. Restricting access depends on the content of the document. Possible grounds for access restrictions are given in § 35 of the Public Information Act.

Regardless of the access restriction, we will issue the document to an institution or a person who has a direct legal right to request it (e.g. investigative body, extrajudicial procedure or court).

We keep intervention requests and related correspondence for 5 years. Documents that have exceeded this deadline are generally subject to destruction. In the referral environment, the request for intervention you forwarded will be visible for 1 year from the time it was sent.

On our website, we publish appeal decisions and rulings for the sake of transparency of practice. As a rule, we publish the data of the addressee of the appeal decision/injunction. We do not publish the name, personal identification number and address of the private person submitting the intervention request in them. In order to protect privacy, we may also withhold the location of the event. Other access-restricted circumstances (e.g. descriptions of security measures) remain unpublished.

The law allows us to disclose the circumstances of the correspondence if there is an obvious public interest (§ 38 subsection 1, § 30 subsection 4 of the Public Information Act). We use this right only in very exceptional cases and refrain from excessively intruding on the privacy of the parties involved. Among other things, we reserve the right to provide explanations to the public about our activities if a person himself brings procedural information to the public. We do not disclose information to a greater extent than the person has previously disclosed

Conduct of misdemeanor proceedings is regulated in detail by the Misdemeanor Procedure Code together with the Criminal Procedure Code.

We disclose the data of the whistleblower to the other parties to the proceedings to the extent prescribed by the procedural codes and necessary to resolve the matter. The parties to the proceedings can familiarize themselves with the materials in accordance with the procedure prescribed in the Code of Procedure. According to the Misdemeanor Procedure Code, the complainant/misdemeanor report is not considered a party to the proceedings. The parties to the proceedings are the person subject to the proceedings and his counsel. Witness anonymity is not guaranteed in misdemeanor proceedings.

Our institution has joined the e-file information system. We use it to conduct misdemeanor proceedings, including data exchange with other authorities (e.g. when transferring sentence data to the Criminal Registry). According to the basic regulation, the e-file information system is closed. You can enter only by logging in with an ID card. Only competent officials have the right of access. Also, the party to the proceedings can view his own procedural data and submit and receive procedural documents.

In our public document register, we indicate the recipient/sender of the document only in an unpersonalized form, and not by name, in correspondence with private individuals regarding misdemeanor proceedings. Such documentation has an access restriction - when submitting a request for information, we will check whether the document can be partially or fully issued. Restricting access depends on the content of the document. Possible grounds for access restrictions are given in § 35 of the Public Information Act.

Unlike injunctions and appeal decisions, we do not publish misdemeanor decisions on our website. Violation of misdemeanor decisions can be requested by submitting a request for information. An entered misdemeanor decision may also have access restrictions. The name and personal identification number of the person punished as a misdemeanor is public, the data of other persons are not disclosed.

The law allows us to disclose circumstances related to misdemeanor proceedings only in exceptional cases (§ 62 of the Misdemeanor Procedure Code). We intend to use this right only when absolutely necessary and without excessively intruding on the privacy of the parties involved. Among other things, we reserve the right to provide explanations to the public about our activities if a person himself brings procedural information to the public. We do not disclose information to a greater extent than the person has previously disclosed.

Effective misdemeanor convictions are registered in the criminal record. You can request all register data about yourself and for free. Information about the misdemeanor punishment of another person is provided to the inquirer if the fine is at least 50 fine units or the misdemeanor has been committed repeatedly. When requesting criminal record information about another person, a fee must be paid for an electronic request and a state fee for a paper document. Certain personal data (address, citizenship, etc.) and juvenile criminal records will not be issued.

Persons and institutions to whom this right is granted by law can request criminal information free of charge and to a greater extent.

If a year has passed since the payment of the fine imposed for the misdemeanor, the penalty data is transferred from the register to the archive. There is no longer public access to the archived penalty data.

The exact requirements for access to criminal records are in Chapter 3 of the Criminal Records Act.

According to the general regulation on the protection of personal data, the data processor must inform the inspectorate of a violation of security requirements. Breach notification can be submitted via email encrypted or unencrypted. Regarding personal data, we ask for the name and contact details of the contact person (data protection specialist) on the breach notification form. We only use the personal data provided in the infringement notice to process the given case. If the whistleblower is located in another European Union member state or the case involves the data of citizens of other European Union member states, it may be necessary to transfer the information contained in the violation notice to the supervisory authority of another country.

We can also use the infringement report and the materials of its review internally to evaluate the quality of our work. We publish statistics and summaries impersonally, without names.

We keep infringement notices for 5 years.

The appointed data protection specialist can be reported in the Entrepreneur Portal. For the data protection specialist, the first and last name, personal identification number and professional contact information are requested. In the company portal, we only disclose the first and last name and contact details of the valid data protection specialist. We keep invalid entries in the archive for 5 years.

Professional activities are not completely excluded from the concept of private life. Therefore, we do not publish the data of designated data protection specialists as open data for re-use.

When you visit our website, we collect the following data about you:

  • The Internet address (IP address) of the computer or computer network you use, from which it is possible to derive the name and address of the Internet service provider of the computer or computer network you use;
  • The software version of the web browser and operating system of the computer you are using;
  • time of visiting the website (time, date, year).
  • For information security purposes (legal basis: Cyber Security Act § 7 (1) points 1 and 3) we use the CloudFlare application online, which adds 2 cookies (_cf_bm and_ cfuvid) to the user's computer. The purpose of setting cookies is to regulate the traffic load for the better functioning of the website and to prevent cyber incidents, and they do not in any way identify the individual visitor and do not track his activities on the web. More information about the referred cookies can be found here.

We do not associate IP addresses with other personally identifiable information. We collect and store data about which part of the website you visit and how long you stay there. We use this data to compile visit statistics in order to develop the website based on it and make it more visitor-friendly. We store the data for 1 year after visiting the website, and the data is deleted after the deadline. In addition to our employees, RIK employees who have a direct need to do so due to the performance of tasks related to the operation and maintenance of our information and communication systems may gain access to the data. We can transfer your data to other persons/institutions only if they have a direct legal right to do so (for example, a court or pre-trial procedure) and a justified need.

When registering for our events via the online form, we only use your personal data to register for the events and, if necessary, provide you with information or respond. The amount of data required for registration depends on the event and we specify it separately each time during registration, we can ask for e.g. name, e-mail address, but also the place of work if necessary.

Calls to our helpline are anonymous and we do not record phone calls. We publish summaries of calls to the helpline in an impersonal form.

If you use the video surveillance tag generator on the inspection website, the cookie only collects data in a non-personalized form for the functional functioning of the session, and it is not stored after the end of the session.

USE OF COMMUNICATION NETWORKS (LINKEDIN, YOUTUBE)

Using our LinkedIn page has the following settings:

  • the Data Protection Inspectorate page is visible to Linkedin account owners,
  • you can join the page by sending us an invitation,
  • you can start following the page if you make the appropriate choice,
  • anyone can comment under a post on the page,
  • our working language is English, but you can comment on posts and contact us in Estonian,
  • anyone can contact us privately,
  • if you share posts, like them, we will receive notifications about activities,
  • when you visit the account, a third party collects data about you for us, and we have no control over them,
  • we receive visitor statistics in a non-personalized form.


Our Youtube channel has the following settings:

  • account's AKI channel is visible to everyone,
  • account can be ordered,
  • anyone can post a comment under the videos on the account,
  • anyone can like and share videos,
  • our working language is Estonian,
  • when you visit the account, a third party collects data about you for us, and we have no control over them,
  • we receive statistics on visitation in a non-personalized form.

In the following, we describe the procedure for the recruitment and selection of the inspector's officials, which is not established by the Civil Service Act or legislation issued on its basis.

Competitions and recruitment to fill positions, including evaluation of candidates, are organized by the unit responsible for personnel work of the Ministry of Justice under the authority of the Data Protection Inspectorate. The organization of the public competition is announced on the website of the inspectorate and on job offer portals.

We reserve the right to withdraw from the announced competition or change the conditions of the already announced competition. In this case, we inform the candidates through the contact information provided to the inspectorate and the public at the place of publication of the competition notice.

In the recruitment process, candidates go through three rounds – document round, written test and interview. After successfully passing the document round, we invite you to a written test or give it to be solved at home. Based on the sample paper, we select the candidates whom we invite to the interview round. If necessary, we include experts from outside the institution in addition to the inspector's officials in the evaluation of the candidates.

In the recruitment process, additional information about the candidate may be collected from public sources. The candidate has the right to familiarize himself with the received information and submit his own explanations and objections.

We assume that the applicant has given consent to the recommenders presented in the application documents to answer questions about themselves, and the recommenders have also agreed that the inspection will contact them for information.

We offer the position to the candidate whose education, work experience, knowledge and skills most closely meet the requirements established for the performance of service tasks.

If there is more than one candidate who meets the established requirements for the performance of service duties, a ranking may be made of them.

The next best candidate can be appointed to the position in the cases provided for in § 18 point 10 of the Public Service Act. In this case, a new tender will not be announced.

We will immediately inform those who participated in the competition about the results of the competition in writing or in another agreed way.

We retain the documents obtained during the competition for the following purposes:

  • to resolve possible legal disputes arising in the recruitment process - until the claim expires (1 year);
  • to propose the position to the next candidate in the ranking (150 days after the proposal to take the position to the person who won the competition);
  • with the candidate's consent, to propose participation in a competition organized in the future.

Candidate data is access-restricted information to which third parties can access only in cases provided by law.

  • The newsletter contains various news and announcements about AKI's activities.
  • Subscription to the newsletter is based on consent (IKÜM art. 6 paragraph 1 p. 1).
  • Consent to subscribe to the newsletter can be withdrawn at any time. If you wish to withdraw your consent, please inform [email protected] or press the "unsubscribe" button under the newsletter.
  • To subscribe to the newsletter, you must enter an e-mail address.
  • The e-mail address entered to subscribe to the newsletter is used only for the purpose of sending newsletters.
  • Email addresses collected for the purpose of sending the newsletter will be stored until consent is withdrawn for the purpose of unsubscribing. If the consent is not withdrawn, it will be stored until the Data Protection Inspectorate delivers the newsletters.
  • When the newsletter is delivered, subscribers are not shown the contacts of other subscribers.
  • In addition to our employees, RIK employees who have a direct need to do so due to the performance of tasks related to the operation and maintenance of our information and communication systems may gain access to the data. We can transfer your data to other persons/institutions only if they have a direct legal right to do so (for example, a court or pre-trial procedure) and a justified need.
  • Subscription to the newsletter is free.

For questions related to the newsletter, please contact [email protected].

Last updated: 04.03.2024