Personal data processing
CONDITIONS FOR DATA PROCESSING OF ENTERPRISE ESTONIA
Published as of 14 March 2019
With regard to the General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council), which entered into force on 25 May 2018, we inform you about our data protection related activities. When collecting and processing the aforementioned data, Enterprise Estonia acts as a controller within the meaning of the General Data Protection Regulation; Enterprise Estonia as a controller is represented by a Management Board, the contact details of which can be found here.
The following does not apply to the storage of data of legal persons and the processing of personal data on foreign websites referred to on the websites of Enterprise Estonia (for example, Study in Estonia, Research in Estonia), for the management of which Enterprise Estonia is not responsible. Also, in national registers and information systems, where the management of online environment is not within the competence of Enterprise Estonia, the explanations do not include the purposes, extent, and methods for processing personal data, the conditions for making them public, and the rights and procedure for a person to view the data, which is the responsibility of the owner of the register.
The protection of personal data integrity is the top priority of Enterprise Estonia. We want to ensure that you are aware of which personal data Enterprise Estonia collects and why, how it uses the data, and what your choices and options are.
In order to provide you with application or service experience, which corresponds to your needs, it is necessary for Enterprise Estonia to process your personal information. Your personal information helps us to understand your needs and provide you with the best support and advice. At the same time, we need your information in order to improve the quality of our services and supports, or to comply with any obligations arising from law or legal action.
Principles of using data apply to Enterprise Estonia and any person using the services, grants or information systems of Enterprise Estonia.
Enterprise Estonia retains the right to change these principles of processing personal data at any time.
If you have any questions, concerns or complaints with regard to personal data, please feel free to contact Enterprise Estonia by sending an email to firstname.lastname@example.org. For questions about the personal data processed by the team of e-residency programme, please contact the e-residency programme by sending an email to email@example.com.
1. Your information is securely stored in Enterprise Estonia
1.1. Enterprise Estonia is committed to protecting your personal data. We consistently take appropriate technical and organisational measures to protect data against unauthorised access and to keep personal data secure. These measures include the protection of employees, information, IT infrastructure, the company’s internal and public networks, as well as office buildings and technical equipment.
1.2. The employees of Enterprise Estonia are subject to the rules on the confidentiality and protection of data. Data processors authorised by Enterprise Estonia are obligated to ensure the compliance with the same rules with regard to their employees.
1.3. However, you also need to use services, grants, information systems and online environments in a secure and careful manner, and ensure that the devices you use for them are secured. You are obligated to keep secret from others any passwords, user IDs or other identifiers required for your identification related to your device and the information systems and online environments of Enterprise Estonia.
1.4. You need to be aware and take into account the fact that Enterprise Estonia cannot ensure the security of data and is not responsible if the data is not protected due to your activities. In this case, you are solely responsible for any potential consequences.
1.5. The conditions of processing have been published on the website of Enterprise Estonia in Estonian, English and Russian. In case of divergence, the Estonian version will prevail.
2. What kind of personal data of your does Enterprise Estonia collect?
2.1. Personal data includes any information that can be linked to a person.
2.2. The categories of personal data that Enterprise Estonia mainly, but not exclusively, collects and processes are the following:
2.2.1. Personal identification data, e.g. name, personal identification code, time of birth, citizenship, data concerning the personal identification document (e.g. copy of a residence permit, passport, ID card, or a driving licence, or the digital ID of an e-resident).
2.2.2. Data regarding your family, for example, whether you have children and their time of birth, data on parents or siblings, or a person with whom you share a household.
2.2.3. Data regarding formal education, continuing education and acquired vocation.
2.2.4. Contact details, for example, address, telephone number, email address, communication language.
2.2.5. Social media profile, if you have liked any of the social media accounts of Enterprise Estonia, Enterprise Estonia will provide you with news about various events and activities of Enterprise Estonia based on your profile settings. Also when Enterprise Estonia forwards a job offer to you from application (e.g. LinkedIn).
2.2.6. Quotes, when we quote, in a press release or interview, something you have said.
2.2.7. Information about your relations with legal persons, for example, information submitted by you or obtained through public registers or third parties, for the purpose of making transactions on behalf of the corresponding legal person.
2.2.8. Professional data, for example, data about your education, professional career, professional correspondence or data generated regarding you during an employment relationship (incl. during provision of discounts or performance of obligations arising from the law).
2.2.9. Data about reliability and due diligence, for example, information about payment behaviour or about any damage caused to Enterprise Estonia or a third party.
2.2.10. Data obtained and/or generated during the performance of the obligation arising from the law, for example, any information arising from the inquiries made by investigating authorities, notaries, tax authority, courts, and bailiffs, or data from the criminal records database.
2.2.11. Data about your tax residency, for example, information about the country of residence, taxpayer identification number.
2.2.12. Data on fees, for example, service fee or remuneration received, bank details necessary for transactions.
2.2.13. Communication data and data regarding image of person, for example, visual and/or audio recordings, which are collected when you visit any occasions, events, business trips or fairs organised by Enterprise Estonia, or if you contact the anonymous hotline or communicate with Enterprise Estonia through email, messages and other communication mechanisms, for example, social media, or if you participate in feedback or satisfaction surveys or studies.
2.2.14. IP address when using information systems and websites.
2.2.15. Logs, for keeping track of your activities in the information systems or on the websites of Enterprise Estonia, or if you have a key card, monitoring your movements in Enterprise Estonia’s rooms or the materials you print.
2.2.16. Cookies, Enterprise Estonia collects data on your usage preferences when you use websites of Enterprise Estonia.
2.2.17. Health data, during your employment at Enterprise Estonia, Enterprise Estonia will collect and process your health data (e.g. time spent on sick leave, decisions of an occupational health doctor).
2.2.18. Holiday data, during your employment at Enterprise Estonia, Enterprise Estonia keeps track of your holidays.
2.2.19. Location data, for example when keeping a travel log.
2.2.20. User data is collected when you use information systems of Enterprise Estonia and create a user account for yourself.
2.2.21. Data concerning property, for example, in the case of a redemption claim of a mortgage registered in favour of Enterprise Estonia. In the case of material damage, an excerpt from video surveillance, the controller of which is Riigi Kinnisvara AS. If you as an employee or service provider receive compensation for costs related to the use of a personal passenger car, then this includes data concerning the car as well.
2.2.22. Characterisations, during your employment at Enterprise Estonia, Enterprise Estonia will collect and process characterisations concerning you, which have been collected from satisfaction surveys, performance and development interviews. When applying for a job at Enterprise Estonia, data concerning you will also be received from the references you have provided.
2.2.23. Data concerning services or grants, for example, the performance or failure to perform contracts, use of services or grants of Enterprise Estonia, evaluations provided in the framework of feedback, transactions conducted, applications submitted, inquiries and complaints. More information about the services and grants provided by Enterprise Estonia is available at https://www.eas.ee/teenused.
2.2.24. Information about participation in games and campaigns, for example, prizes won in games and campaigns.
2.2.25. Data related to civil, administrative, criminal or misdemeanour proceedings, or suspected corruption, if you have violated any obligations towards Enterprise Estonia and the collection and transfer of such data to law enforcement agencies is necessary for the protection of rights of Enterprise Estonia.
3. Why does Enterprise Estonia collect your personal data? How long is data collected about you stored?
3.1. The collection of data depends on the used service and specific information required to use such service.
3.2. The reasons why Enterprise Estonia collects your personal data may include (but are not limited to) the following:
3.2.1. Upon subscribing to a newsletter, your email address, name, and a list of newsletters you have subscribed to. All this to send you precisely the newsletters you are interested in.
3.2.2. On social media, your profile, provided that you have liked the Facebook page of Enterprise Estonia or a subpage of some unit of Enterprise Estonia. The purpose of this is to provide you with news about the activities of Enterprise Estonia through your newsfeed, or to tag you as a person who has participated at events organised by Enterprise Estonia or as a person interviewed by Enterprise Estonia. Enterprise Estonia also processes your social media profile if you use the website of My Estonia to generate a Facebook header and profile picture.
3.2.3. In the recruitment process, your CV with the information included therein, other documents required in job advertisements, referees, data contained in the commercial register, and an extract from the criminal records database. All this to ensure that Enterprise Estonia would employ an honest, impartial, as well as the best candidate.
3.2.4. If you contact us, including sending Enterprise Estonia an email (for example, media inquiry, request for information, request for explanation) or call us, requiring us to respond to you. We may publish summaries about inquiries by telephone in non-personalised form. Enterprise Estonia does not record phone calls of clients.
3.2.5. Data, which we receive from third parties, such as public registers (for example, land register, tax board or commercial register), if this is required for the performance of contract or ensuring the performance of contract, such processing of data has been prescribed by law or your consent serves as the basis for data processing.
3.2.6. Your visit details on the website of Enterprise Estonia at the establishment, in order to provide you with the best user experience or service. From the information we collect, we may prepare summaries in non-personalised way and share them with our partners and the public.
3.2.7. In the process of applying for or using a grant or service, any information as provided for in legislation related to the corresponding support measure. Depending on the grant scheme, these may include the CVs of the project team members of the applicants, agreements related to employment contract, etc. Processing of personal data as part of processing the applications takes place within the framework of carrying out a public law function and does not require your consent. You are obligated to submit the required personal data to receive a grant. Upon failure to submit data, Enterprise Estonia will not be able to give you a grant. Any information that is not provided for in legislation related to the support measure is requested from you based on your consent. Enterprise Estonia uses the received personal data for better, more transparent, and faster processing of grants, as well as for better development of future support measures for statistical purposes and in non-personalised form.
3.2.8. In a situation, where collection and processing is required by legislation or a legal act.
3.2.9. In public procurements, to the extent that is required for carrying out the public procurement and awarding a public contract (including the registration of attendance at briefing days and the making of audio recordings). Depending on the procurement procedure, it may require the submission of the CVs of the team members of tenderers. In procurement procedure, the processing of personal data takes place for purpose of preparing the procurement contract and does not require your consent. If it is necessary due to the nature of the service, Enterprise Estonia enters into a data processing contract with a successful tenderer within the meaning of Article 28 of the General Data Protection Regulation to ensure that the processing of your personal data would be secure. Information about the public procurements carried out by Enterprise Estonia can be found here.
3.2.10. In other contracts, in any parts where it is required to enter into and perform a contract.
3.2.11. Your email address to send you feedback or satisfaction surveys or invitations to a press trip, a business trip or a foreign visit or other event, and a notification thereof, provided that you have permitted to send these or if the sending of such is provided by law, or to reply to your requests for information, requests for explanation or investment inquiries.
Enterprise Estonia may also use data collected as part of questionnaires and market surveys to improve the quality of its grants, services or e-environments.
The processing of personal data when replying to investment inquiries is necessary in order to ensure the security and reliability of services, differentiate inquiries submitted by bots from those submitted by people, and to enable consultants to provide the client with adequately relevant answers and appropriate value offers when offering the service of personalised e-consultation.
3.2.12. Images or voice recordings of you, which are collected when you attend occasions, events, business trips or fairs organised by Enterprise Estonia, in order to notify interested parties of events organised by Enterprise Estonia.
3.2.13. In campaign games taking place on the websites of Enterprise Estonia to announce the winner.
3.2.14. Upon providing services and grants, where it is necessary to map your needs, provide you with better service, create personal user experience, and develop the websites of Enterprise Estonia while creating better user experience. For example, Enterprise Estonia may process your personal data if you visit Enterprise Estonia’s websites, register as a visitor of an event, etc. on Enterprise Estonia’s websites, place orders, respond to a feedback survey, or if we make an offer to you with regard to our other services on our websites.
3.2.15. In marketing activities, which may accompany the marketing of briefing days, events, participation in fairs, visits, foreign visits, trade missions, and other activities of Enterprise Estonia (hereinafter collectively as the “events”), where your attendance is registered on a registration sheet or you are photographed or filmed at some of the above-mentioned events. We record the events with the goal of informing you and our other customers about our activities through a newsletter or social media.
3.2.16. With regard to the activities of the e-residency programme, based on the data exchange contract entered into with the Police and Border Guard Board, the latter provides Enterprise Estonia with your name, email address, telephone, personal identification code, sex, citizenship, and the reason for applying for e-residency. All this to enable Enterprise Estonia to ensure the service offered to e-residents, market this among target group, and offer better quality service and, if required, provide the legislator with an input to enable the latter to prepare or amend any legislation on e-residency. Information about applying for e-residency can be found here. For questions about the personal data processed by the team of e-resident programme, please contact the e-residency programme by sending an email to firstname.lastname@example.org.
3.2.17. Upon visiting the e-Estonia Showroom, where Enterprise Estonia needs your personal data to book the visit and ascertain any needs, as well as register your attendance on the premises of the Showroom. Processing of personal data to visit the premises of the Showroom is required for security reasons. With your consent, we will also send you newsletters or feedback inquiries. Information about the e-Estonia Showroom can be found here.
3.2.18. Upon registering for the events organised by Enterprise Estonia, published in the section of events at www.eas.ee.
3.2.19. Upon protecting the legitimate interest of Enterprise Estonia to prevent, restrict, and investigate the misuse of the services and grants of Enterprise Estonia, to ensure their security, to detect unlawful use or any disturbances in their functioning, or to carry out internal training or to ensure the quality of these services and grants.
3.2.20. To prove, perform, divest, and protect legal requirements, which are based on the following: upon performing a contract or implementing the pre-contractual measures at your request or performing legal obligations or the legitimate interest of Enterprise Estonia to perform legal requirements.
3.2.21. To comply with obligations to perform international transactions through credit institutions, based on the following: upon performing a contract or implementing the pre-contractual measures at your request or performing legal obligations.
3.2.22. Upon preserving the assets of Enterprise Estonia if an employee leaves, and such preservation includes the employee’s email address, which is the property of the employer, and using it to solve work-related issues, if necessary. When an employee leaves Enterprise Estonia, their mailbox will be closed in a way that e-mails can no longer be sent to them.
3.2.24. Location data, for example, when keeping a travel low for fulfilling obligations arising from the Taxation Act.
3.2.26. Logs, in order to ensure the security of information systems or websites at the data therein, and to ensure that data processing is only conducted by authorised persons.
3.2.27. Cookies, Enterprise Estonia collects data on your usage preferences when you use websites of Enterprise Estonia, in order to improve the website design, user-friendliness, etc. of Enterprise Estonia.
3.2.28. Health and holiday data, during your employment at Enterprise Estonia, Enterprise Estonia will collect and process your health data (e.g. time spent on sick leave, decisions of an occupational health doctor), in order to fulfil obligations of Enterprise Estonia arising from legislation.
3.2.29. Characterisations, during your employment at Enterprise Estonia, Enterprise Estonia will collect and process characterisations concerning you, which have been collected from satisfaction surveys, performance and development interviews, in order to provide objective feedback concerning the results of your work.
3.2.30 With regard to the activities of the International House of Estonia programme, based on the data exchange contract entered into with the Police and Border Guard Board, Tallinn City, Integration Foundation, Estonian Unemployment Fund and Tax and Customs Board (hereinafter Partners), Enterprise Estonia will forward to Partners your personal data (name, citizenship, language skills, home address, contact information, job and work area, reason for stay in Estonia and existence of spouse and children, their date of birth) collected from you with your consent. Partners shall forward to Enterprise Estonia and to each other information about the use of International House of Estonia programme services (only the service that was consumed, not the details and documents related to it). When forwarding the service consumption information, the Partners shall indicate in the previously given list (business advice, career counseling, migration counseling, application for personal ID-code, residence registration, migration counseling, counseling related to employment in Estonia, network counseling, recruitment consultancy for employers) the name of the service that you used. This is all in order for EAS and Partners to be able to provide you with the services of the International House, to improve the quality of these services over time and, if necessary, to make proposals to the legislator to amend the legislation. For questions about the personal data processed by the team of International House of Estonia programme, please contact the International House of Estonia programme by sending an email to email@example.com or firstname.lastname@example.org.
3.3. Enterprise Estonia processes your data as little as possible. Your personal data will not be stored for longer than necessary for processing. Enterprise Estonia preserves the documents received during the processing of grant, including personal data, until the deadline provided for in legislation applicable to the support measure.
3.4. The information about retention periods can be found here. All documents that have exceeded the deadline are generally destroyed, unless otherwise stipulated by legislation.
3.5. We may process personal data for statistics only in non-personalised form. Correspondence with you can also be used internally to evaluate the quality of our work. We publish the statistics and summaries only in non-personalised form. From the information we collect, we may prepare summaries in non-personalised way and share them with our partners.
3.6. Enterprise Estonia does not sell, trade or lease your personal data to third persons.
3.7. From the information we collect, we may prepare summaries in non-personalised way and share them with our partners.
3.8. Enterprise Estonia may combine data collected in various ways if such information has been collected for the same purpose.
4. How does your name appear in the online document register?
4.1. Enterprise Estonia is not obligated to keep a document register according to subsection 11 (1) of the Public Information Act, therefore, Enterprise Estonia does not keep a public document register or display any information there (including the personal data of a natural person). The full name and contact details of a person are visible in the internal information system only to persons with relevant authorisation.
4.2. Upon contacting Enterprise Estonia, you should take into account that the activities of Enterprise Estonia with regard to information related to the use of resources granted for the performance of public law functions from the budget of the state or local government or given in the form of grant is public according to subsection 5 (2) of the Public Information Act, and in some cases, your personal data – in particular, your name and the fact of inquiry (in some cases, also its content) – may become available to third parties, or your name and the fact of inquiry may be disclosed in the document register of a third party or a data processor.
5. What kind of access restrictions are used for private communication?
5.1. Correspondence with natural persons is subject to access restrictions. In communication with a natural person, Enterprise Estonia uses access restrictions according to the provisions of the Public Information Act.
5.2. We use your personal data to respond to you. If we need to make inquiries from a third party to respond to you, we will only disclose minimum amount of your personal data, or in the amount that is vital.
5.3. If you have sent us a request for explanation or an application for action or a request for information to which the other authority has jurisdiction, we will forward it there. We will definitely also inform you about the transfer.
5.4. If someone wants to see your correspondence and files a request for information, then upon receiving such request, Enterprise Estonia verifies whether the requested document can be fully issued or should be partially issued. Note that documents are fully issued to third parties only in cases provided by law, or if there is an authorisation document. Restricting access depends on the content of the document.
5.5. Despite the access restriction, we will issue a document to an authority or a person who has a direct legal right to ask for it (for example, investigative body, body conducting extra-judicial proceedings or court).
5.6. To raise public awareness, we write news on the website of Enterprise Estonia or social media. When preparing news, we refrain from excessive infringing of the privacy of the relevant persons.
5.7. Correspondence with you can also be used internally to evaluate the quality of our work and for statistical purposes. We publish the statistics of correspondence and summaries only in non-personalised way.
6. Methods of sending a letter: whether simple or registered mail is used; whether encrypted or unencrypted email is used?
6.1. Paper documents, which contain private information and for which we have set an access restriction, are delivered to the addressee by registered mail. We will send documents by email only at the request of and with the consent of the private person.
6.2. We send documents related to natural persons to other public authorities through a secure document exchange centre.
6.3. From medical institutions, we receive notifications on occupational accidents and occupational diseases through the website of eesti.ee and the Labour Inspectorate.
6.4. A document that is sent to a natural person does not require a restriction on access, as the natural person is not a holder of information within the meaning of the Public Information Act. It is up to the person to decide whether or not to disclose information that has been restricted for reasons of privacy protection.
7. What kind of data is collected from the job candidates and how long is such data stored?
7.1. Information about vacancies and internships is available from the CV-Online portal. Recruitment to fill in positions is organised by employees who are responsible for personnel work at Enterprise Estonia.
7.2. Enterprise Estonia reserves the right to cancel the announced competition or change the conditions of the already announced competition. In this case, we will inform you by using the contact details submitted to Enterprise Estonia.
7.3. When applying for a job in Enterprise Estonia, the latter is guided by the information submitted by you and public sources. No separate provision of consent is necessary for the processing of data that you have submitted yourself. There is also no need for consent for collecting data on the basis of law or data that has been disclosed by the candidate.
7.4. Enterprise Estonia assumes that it is permitted to contact the persons indicated as referees by you, without an additional permission. We assume that you have given a permission to the referees included in the applications for candidacy to answer any questions concerning them, and the referees have also given their consent that Enterprise Estonia contacts them for information.
7.5. You have the right to know what information Enterprise Estonia has collected about you, to view the data collected by Enterprise Estonia, to provide explanations and objections. Your data will not be disclosed to other candidates, and we will not disclose data about other candidates to you.
7.6. Your documents are only reviewed by the employees who participate in the recruitment process. Your documents and data are not disclosed to third persons without legal basis.
7.7. In the recruitment process, Enterprise Estonia may organise several rounds – a document round, a written test, and an interview in which the processing of your personal data is carried out (for example, evaluation of test). If necessary, Enterprise Estonia may involve external experts in your evaluation process in addition to the employees of Enterprise Estonia.
7.8. If you turn out to be a successful candidate, you will have to fill in a data form of a new employee and a data form for an additional background check. The details requested in the additional background check form are required to verify the accuracy of such information and for the purpose of assessing your professional suitability and reliability. It is required to process the data provided in the employee’s form to prepare an employment contract for you and take into account the benefits offered to you by Enterprise Estonia.
7.9. Data of non-selected candidates is retained by Enterprise Estonia until the end of contestation period specified in legislation if a candidate who has not been selected has not given consent to the storage of data for the purpose of making future job offers.
9. When does Enterprise Estonia collect and process your data for the performance of a contract and for ensuring the performance of a contract?
9.1. Enterprise Estonia may use data based on legislation without your separate consent to perform the contract or to ensure the performance of contract at least in the following cases (including transferring data to data processors):
9.1.1. To identify your or your representative;
9.1.2. To provide you with services or to carry our any activities required for the sales of goods;
9.1.3. To provide you with services and to eliminate any failures;
9.1.4. To provide and develop the online environment, its services and functionalities, as well as high-quality personal user experience to you, and to send you information related to options for use and security of the online environment.;
9.1.5. To calculate service fees related to the contract, to prepare notifications and invoices, and to send them to you;
9.1.6. To send you notifications by post or email, and this does not assume the data to be used for marketing purposes;
9.1.7. To document business and service activities and for business information exchange (including to be submitted to auditors upon auditing Enterprise Estonia);
9.1.8. To provide you with better service, including to measure the quality, performance or customer satisfaction of the online environment and the services, as well as to develop the services and business activities;
9.1.9. To evaluate and prevent potential business risks or losses related to the provision of the service;
9.1.10. To ensure the performance of contract;
9.1.11. To protect any rights of Enterprise Estonia, which have been violated or disputed, and to collect any debts (including to forward information related to contractual violation and/or debts by Enterprise Estonia based on the contract to the persons providing collection service, lawyers, and other persons, who are authorised to process the corresponding data).
9.1.12. To forward your credit status report to the credit information companies authorised by Enterprise Estonia in case of breach of the contract.
11. What kind of third parties to we disclose your data to and what is the geographic region of data processing?
11.1. Based on law and/or contracts, Enterprise Estonia transfers and discloses your data to:
11.1.1. data processors upon complying with any contractual obligations;
11.1.3. database administrators;
11.1.4. a new creditor upon assigning the right of claim;
11.1.5. law enforcement agencies and courts;
11.1.6. state authorities and institutions (e.g. if you have sent us a request for explanation or a request for information to which another authority has jurisdiction, we will forward it there. We will definitely also inform you about the transfer. We forward personal data to the Health Insurance Fund, the Labour Inspectorate, the Tax Board, the Social Insurance Board or the Unemployment Insurance Fund (Töötukassa) with regard to work, occupational accidents and occupational diseases to the extent indicated in legislation. In the online environment of structural funds to the extent as it is established in legislation on which the support measure is based. In the information system of enforcement proceedings to the extent that is required to initiate enforcement proceedings. To the public procurement register to the extent that is required to add tenderers (including the tenderer’s representative or a tenderer who is a natural person) to the procurement procedure.)
11.1.7. To the regional development centres, tourist information centres, and visitor centres in performing their obligations under the contract under public law concluded by Enterprise Estonia and the relevant legal person.
11.1.8. auditors, legal and financial advisers;
11.1.9. debt collectors upon assigning the claims, to liquidators, rehabilitators, and trustees in bankruptcy;
11.1.10. persons who are linked with national, European, and international payment systems;
11.1.11. third persons who protect the rights of Enterprise Estonia if you have violated the contract;
11.1.12. third persons if we need to make inquiries from a third party to respond to you, disclosing only a minimum amount of your personal data, in the amount that is vital.
11.2. Upon making transactions in a foreign country or with foreign persons, customer data may also become available to the authorities of the corresponding country and data may be processed in accordance with the law of the corresponding country.
11.3. In general, your data is processed within the European Union / European Economic Area (EU/EEA), however, in some cases, these are transferred to and processed in countries outside the EU/EEA.
11.4. Transfer and processing of your data outside of the EU/EEA may take place, provided that there is a legal basis, for example, performance of a legal duty or your consent, and the relevant protection measures are applied. For example, the relevant protection measures are the following:
11.4.1. there is a valid contract, which includes the standard contractual terms and conditions developed by the EU or approved code of conduct, certification, and the like, which complies with the General Data Protection Regulation (GDPR).
11.4.2. in a country outside the EU/EEA, where the recipient is located, it is sufficient level of data protection according to the decision of the European Commission;
11.4.3. the recipient has been certified based on the Privacy Shield Framework (applicable to recipients located in the United States of America).
11.5. In case of an inquiry, you will receive more detailed information about the transfer of your data to the countries located outside the EU/EEA.
12. What are your rights? How can you view the information about you?
12.1. With regard to the processing of personal data, you have the following rights:
12.1.1. the right to access the information that Enterprise Estonia has collected about you. Enterprise Estonia issues data and documents based on a request for information or a request for explanation to which it respond within the deadline established in the Public Information Act or the Response to Memoranda and Requests for Explanations and Submission of Collective Addresses Act. Enterprise Estonia issues data and documents on request, either on paper or electronically. If you want them to be issued on paper, according to subsection 25 (2) of the Public Information Act, we may request a fee for each page issued from the 21st page.
12.1.2. the right to receive information as to whether Enterprise Estonia processes your personal data, and if so, to obtain access to the above-mentioned data;
12.1.3. the right to request the correction of inaccurate personal data if the data is insufficient, incomplete or inaccurate;
12.1.4. the right to object to the processing of personal data;
12.1.5. the right to request the deletion of personal data. Such right does not apply if the personal data requested to be deleted is also processed on other legal grounds;
12.1.6. the right to restrict the processing of personal data based on applicable law;
12.1.7. the right to receive your personal data that you have submitted yourself and which is processed based on consent or to perform a contract, in writing or in a publicly available electronic format;
12.1.8. the right to request the transfer of data to another service provider;
12.1.9. the right to withdraw consent with regard to the processing of personal data;
12.1.10. the right to submit a challenge about the use of personal data to the Estonian Data Protection Inspectorate or the court if you find that the processing of your personal data infringes your rights and interests under the applicable law.
12.1.11. the right to accept or prohibit the use of personal data for direct marketing or marketing purposes.
12.2. Enterprise Estonia refuses to comply with your request to see information if:
12.2.1. you have no right to demand to see the data;
12.2.2. this may harm the rights and freedoms of another person;
12.2.3. this may prevent the combating of a criminal offence or apprehension of a criminal offender;
12.2.4. this may impede the determination of truth in criminal proceedings;
12.2.5. this may endanger the protection of the confidentiality of the filiation of the child.
13. If a violation has occurred, how will information regarding this be forwarded to you?
13.1. If there is a violation related personal data that happens in Enterprise Estonia and it poses a potential threat to your rights and freedoms, we will prepare the corresponding documents required in legislation. We will definitely take measures to immediately end the violation.
13.2. If a violation results in a situation where you are likely to be at high risk with regard to your rights and freedoms, Enterprise Estonia will also inform you about it. The purpose of the notification is to enable you to take the necessary precautionary measures to mitigate the situation.