APPROVED
Order No. 4
of Director of 12 January 2024
Annex
Information on the processing of personal data has been drawn up in order to comply with the requirements of the data controller as set out in Article 12 of the EU General Data Protection Regulation 2016/679 ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, and to inform natural persons about the principles and safeguards for the processing of personal data.
Data controller:
Centre of Registers and Information Systems
Lubja 4, 19081 Tallinn
Phone: 680-3160
Email: [email protected]
Website: www.rik.ee
Data processor:
The computer workstation and server infrastructure service is provided to RIK by the Estonian Information and Communication Technology Centre, whose contact details are:
Estonian Information and Communication Technology Centre
Lõõtsa 8a, 11415 Tallinn
Phone: (+372)-666-0166
Email: [email protected]
Website: www.rit.ee
1. These data protection conditions do not cover the following:
- the storage of legal entities’ data and processing of personal data on third party websites referred to on the RIK website (external links);
- the purposes, scope, and methods of public registers and information systems managed by RIK, and of processing of personal data, the conditions for making such data publicly available, and the rights and procedure for access to personal data provided by law (Land Register Act, Commercial Code, etc.) or regulations adopted under the statutory mandate (Regulation No. 24 of the Minister of Justice of 30 June 2010 ‘Rules of procedure of the land registry department of the court’, etc.).
2. RIK processes your personal data when you:
- visit the RIK website;
- visit the RIK social networking pages on Facebook, LinkedIn, Instagram or GitHub;
- apply to work for us (or have worked for us);
- submit a request for information, request for clarification or memorandum to us;
- contact customer support (NB: phone calls are recorded);
- visit the Centre of Registers and Information Systems;
- have had your data entered into the accounting software e-Financials (we act as the data controller of the database).
2.1 Visiting the RIK website
When you visit the RIK website, the personal data collected and stored about you are limited to the following:
- IP address of the computer or computer network used;
- web browser and operating system of the computer;
- time of visit (time of day, date, year).
RIK does not link the collected IP addresses to any particular visitor. Statistical data are collected on which part of the website you visit and how much time you spend there. Such data are used to prepare visitor statistics, so that they can be used to improve the website and make it more user-friendly. The data will be stored for three (3) months.
Cookies
For information security purposes (legal basis: clauses 7 (1) 1) and 3) of the Cybersecurity Act), we use the Cloudflare service on publicly accessible websites, which adds two (2) cookies (__cf_bm and _cfuvid) to the user’s computer. The purpose of setting cookies is to regulate traffic load in order to improve the performance of the website and prevent cyber incidents. Cloudflare’s own cookie policy does not identify an individual visitor or track their activity on the web. More information on the cookies referred to can be found here.
The service is mediated by the Information System Authority to the Centre of Registers and Information Systems.
The RIK website uses the AddToAny platform, which allows you to share websites through different services. On this website you may be redirected to other websites which may use their own cookies. We have no control over the placement of cookies by other websites, even if you are directed to them from this website.
The services of third parties for the collection of data are subject to their terms and conditions.
2.2 Use of social networking channels Facebook, LinkedIn, and Instagram
We have activated the following settings for the purposes of using our Facebook page and LinkedIn:
- the page is visible to everyone;
- we have limited the option of posting on our wall;
- comments can be added in all languages; we have also enabled automatic translation of posts to readers who speak other languages;
- people can contact us privately on Instagram and LinkedIn.
On Facebook, we have disabled messaging.
To use GitHub, we have made the following settings:
- the page is visible to everyone;
- to comment / make change proposals you have to create an account and the comments / change proposals will remain linked to your account;
- we process your personal data when you create a personalized account. In case of an anonymous account, no personal data are processed.
2.3 Applying for a job or internship at RIK
Information on job and internship vacancies can be found on the RIK website.
When you apply for a job or an internship at RIK, we use the personal data you have submitted only for the following purposes:
- to evaluate your job application;
- to evaluate your qualifications and to make decisions concerning the hiring process;
- to communicate with you, for example, to notify you of the potential dates of the job interview;
- to prepare basic reference materials, which are used in case you are hired.
The candidate’s personal data are processed by the employees participating in the recruiting process. Other employees of RIK have no access to the personal data of candidates.
Candidates’ personal data are collected when they submit the documents required in the call for applications, including:
- the data used originates from the information disclosed by the candidate themselves and from public sources (including social networks, blogs, public register data, such as from the Criminal Records Database, the Commercial Register, court decisions, etc.);
- the candidate has the right to know what kind of data RIK has collected about them;
- the candidate has the right to access the data collected by RIK, as well as provide explanations and submit objections;
- we assume that the candidate has provided their consent for the persons included in their references listed in the application documents to answer questions concerning the applicant, and that the references have consented to RIK contacting them for information;
- your data will not be disclosed to other candidates and the data of other candidates will not be disclosed to you.
The data of candidates are considered to be data with a restriction on access, which third parties (including competent authorities) can access only in cases established in legislation.
We store correspondence concerning employment relationships, personnel, etc. for a period of five (5) years. We store internship contracts, authorisation agreements and employment contracts for a period of 10 (ten) years as of the termination of the contract.
2.4 Submitting a request for information, request for clarification, and memorandum
RIK uses your personal data in order to reply to you. Your inquiries are registered in the document management system of RIK and forwarded to the appropriate employees for reply. If we need to make further inquiries from someone else in order to respond to you, we will disclose your personal data only to the extent necessary for this purpose.
If we need to disclose your restricted personal data in order to respond to you, we need to verify your identity. For this reason, you will need to sign your application in person or digitally.
Under the Public Information Act, the record of your application is visible in our document register.
For registered documents with a restriction on access, only the initials of the sender or recipient are visible from the public document register, not their name or the content of the document.
If you have sent us an inquiry that falls within the competence of another authority, we will forward it to the appropriate authority. We will notify you of having forwarded the inquiry as well.
If someone wants to view your correspondence, a restriction on access means that upon receipt of an information request, we will review whether the requested document can be issued and whether it can be done in part or in full.
Notwithstanding the access restriction, the data contained in your request may be accessed by the employees of the Estonian Information and Communication Technology Centre who have a direct need to do so in the performance of their duties related to the hosting, maintenance, and operation of the Delta document management system. To other persons/authorities, we may disclose your request or the data contained therein, notwithstanding the access restriction, only if they have a direct legal right to do so (for example, an investigative authority or a court) and a legitimate need to do so.
We may also use correspondence with you internally to evaluate the quality of our work.
Correspondence statistics and summaries are disclosed in an impersonal manner, without names.
Correspondence with private individuals is kept in our document management system for five (5) years. Documents exceeding this deadline will be destroyed and the information deleted.
Emails sent to official email addresses of the RIK staff that are not registered in the document management system are generally kept for one (1) year.
2.5 Contacting customer support
Calls received by the RIK customer support numbers +372-680-3160, +372-663-6374, and +372-663-6357 are recorded on the basis of a legitimate interest (Article 6(1)(f) of GDPR) and the caller is informed of the fact of recording the call at the beginning of the call. The recordings are used to ensure better service and are kept for three (3) months. Recordings are automatically destroyed by the recording system after a certain period of time.
If you do not want to be recorded, you can opt out of the call and choose another way to receive the information (e.g. by email or regular post).
Recordings can be accessed by the head of the customer support team and the specialist who answered the call.
In addition to our employees, data may also be accessed by employees of the Estonian Information and Communication Technology Centre who have a direct need to do so in the course of their duties related to the accommodation, maintenance, and execution of their work.
2.6 Visiting the Centre of Registers and Information Systems
When arriving for a meeting at RIK, visitors entering the building are first welcomed by a member of the security team working at the visitor entrance, who has previously been given the name of the person visiting the building. The member of the security team has the right to ask for your identity document to establish your identity. The visitor is provided with a visitor card, which gives the visitor access to the second floor, where the meeting rooms of RIK are located. The visitor can move around the building when accompanied by the person they have come to meet.
There is 24-hour video surveillance inside and around RIK. The movement of persons in the building and on the premises (parking lots, adjacent areas) is recorded for security reasons.
Video recordings and door card logs are managed by USS Security Eesti AS. The recordings are stored for 30 (thirty) calendar days and door card logs for one (1) year.
2.7 If your data has been entered into the accounting software e-Financials (we act as the data controller of the database)
Objective
e-Financials is a web-based accounting software that helps businesses to manage their accounting in a convenient way. The software is located on the Company Registration Portal of the e-Business Register and can be used by the entrepreneurs themselves or their authorised persons (such as accountants). e-Financials is aimed primarily at start-ups and small businesses, but also at non-profit associations and foundations.
The software consists of five (5) main parts: modules for invoicing, accounting, reporting, personnel and settings, and the entire environment can be used both in Estonian and English.
Legal basis
Use of the software requires the conclusion of a monthly contract. The contract between the legal person and RIK is digitally signed in the e-Financials environment of the Company Registration Portal.
Storage period
The Customer has the right to add unlimited amounts of data to e-Financials during the validity period of the contract for use of e-Financials. At the end of the contract period, the Customer will be offered the archiving service. RIK stores the Customer’s data in the archive of e-Financials for seven (7) years from the date of entering the data in e-Financials.
Upon expiry of the contract for the use of e-Financials, the members of the management board of the Customer retain the right to view and download the archived data for seven (7) years from the entry of the data. If the Customer fails to pay the archiving service fee on time or does not use the archiving service, RIK has the right to delete the data after 120 calendar days have passed from the termination of the contract.
Access to e-Financials
According to the terms and conditions of the contract concluded between RIK and the Customer, we will ensure the confidentiality of information concerning e-Financials that is not publicly available. The obligation of confidentiality shall apply for an unlimited period to all persons and bodies (including state authorities).
As a representative of the Customer, a natural person who has been designated by the Customer as a user with the right to use e-Financials shall be entitled to use e-Financials on behalf and at the expense of the Customer.
Upon conclusion of the contract for use of e-Financials, all members of the management board shall be granted user rights to e-Financials. The members of the management board can add more users and manage their rights. The Customer shall be responsible for all Users acting on their behalf and shall ensure that any User acting on behalf of the Customer shall comply with the terms and conditions of the contract for the use of e-Financials, as well as legislation and the requirements for using e-Financials established by RIK.
RIK is the data controller with regard to hosting, maintaining, and developing the database.
Therefore, the data are accessed by those RIK employees who have a direct need arising from their duties (including technical support for the database) to do so.
In addition to our employees, data may also be accessed by employees of the Estonian Information and Communication Technology Centre who have a direct need to do so in the course of their duties related to e-Financials accommodation, maintenance, and execution of their work.
More information about e-Financials
Cookies
For information security purposes (legal basis: clauses 7 (1) 1) and 3) of the Cybersecurity Act), we use the Cloudflare service on publicly accessible websites, which adds two (2) cookies (__cf_bm and _cfuvid) to the user’s computer. The purpose of setting cookies is to regulate traffic load in order to improve the performance of the website and prevent cyber incidents. Cloudflare’s own cookie policy does not identify an individual visitor or track their activity on the web. More information on the cookies referred to can be found here.
The service is mediated by the Information System Authority to the Centre of Registers and Information Systems.
On the e-Financials website, we also use three (3) additional cookies:
1) rmp_sid – it is a session cookie containing the session ID. A session ID is a unique identifier that is assigned to a user when they connect to a website. It is used to monitor or manage a user’s web session. The session duration is the time a user spends on a website; the duration of this cookie is 5 × the session time.
2) rmp_aup_cookie – a session cookie is a temporary cookie that is used during a session, i.e. during the time you are on the e-Financials website. This will be deleted from your browser when you close it.
3) __Host-rmpsso – a session cookie is a temporary cookie that is used during a session, i.e. during the time you are on the e-Financials website. This will be deleted from your browser when you close it.
These cookies cannot be disabled and are necessary to ensure secure authentication.
3. Rights of natural persons
You have the following rights in relation to any personal data we collect about you.
3.1 Right to access your data
A natural person has the right to obtain confirmation as to whether personal data concerning them are being processed and, if so, the right to request their disclosure. For access, you need to submit an application.
When we disclose personal data, we need to be sure of your identity. For this reason, you will need to sign your application in person or digitally. You can use our inquiry form to submit your request.
We will disclose the data in the way you want as soon as possible, but no later than one (1) month after receiving your application. If it is not possible to provide the data within one (1) month, we will inform you and extend the deadline for responding by up to two (2) months. For issuing data on paper, starting from page 21, we may charge a fee of up to EUR 0.19 for each page issued (unless the law provides for a state fee for issuing information).
NB: For access to your personal data held in the databases managed by RIK, please contact the data controller of the database. However, if you forward your request to RIK, we will forward your request to the data controller of the database, informing you accordingly.
3.2 Right to be informed about the processing of your personal data
If we have collected data about you, you have the right to find out what the purpose of collecting them is, to whom your personal data has been or will be disclosed, and how long the data will be stored and, if the data has not been collected from you, information about its source.
Your right to access your data and to obtain information about the persons to whom we have disclosed your personal data may be limited if the disclosure of the data or information to you may:
- adversely affect the rights and freedoms of another person;
- hamper the prevention of a criminal offence or the apprehension of a criminal offender;
- complicate the ascertaining of the truth in criminal proceedings;
- threaten the protection of the confidentiality of a child’s filiation.
3.3 Right to request correction of inaccurate data
If you discover that the information about you is inaccurate and does not correspond to reality, you have the right to request that the inaccurate personal data be corrected or supplemented. To do this, submit a hand-signed or digitally signed application, together with supporting evidence and a description of the circumstances. We will disclose the rectification, deletion or restriction of processing to anyone to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort.
3.4 Right to request restriction and cessation of data processing
If there are (no longer) legal grounds for processing, disclosure, use for a certain purpose or access to your personal data, you are entitled to request the restriction, termination or deletion of data, restriction or termination of data disclosure or access to data. To do this, submit a reasoned request signed by hand or digitally.
3.5 Right to object
You also have the right to object to the processing of your personal data. To do this, submit a reasoned request signed by hand or digitally.
3.6 Right to apply to a data protection supervisory authority and/or an administrative court
If you consider that your rights and freedoms have been infringed by the processing of your personal data, you have the right to refer the matter to the Data Protection Inspectorate or an administrative court.
4. Infringement related to the processing of personal data
Should an incident involving an infringement of personal data processing occur in RIK, we will record the incident and prepare the required documentation.
If the incident is a potential threat to your rights and freedoms, we will inform the Data Protection Inspectorate. You can read more about infringements that are likely to threaten your rights and freedoms in the Data Protection Inspectorate’s General Guidelines for Personal Data Processing.
If the infringement is likely to threaten your rights and freedoms, we will also notify you of the incident, so that you can take appropriate precautionary measures to mitigate the situation.
If the infringement has occurred or is still ongoing at the time of discovery, we will take all necessary measures to end the infringement and mitigate its consequences.
5. Contact details
If you have any questions related to the processing of your personal data by the Centre of Registers and Information Systems, please contact our Data Protection Officer by sending an email to [email protected].