Processing of personal data

Valid from 25.08.2020

The information on the processing of personal data has been compiled in order to comply with the requirements for the controller from Article 12 of the EU General Data Protection Regulation 2016/679 “Transparent information, communication and modalities for the exercise of the rights of the data subject” and to inform natural persons about the principles of personal data processing and the guarantee of rights.

1. What is personal data and in which cases do we process it?
1.1 Personal data is any information about an identified or identifiable natural person (data subject). In particular, a natural person is identifiable by an identifier (name, personal identification number, residence, location, email address, telephone number, network identifier) or by one or more physical, physiological, genetic, mental, economic, cultural or social characteristics.

1.2 We process your personal data if:
     1.2.1    you visit our website;
     1.2.2.   you rate our website (IP address, rating given, comment added, email address, phone number and rating time are stored);
     1.2.3    you provide feedback on our website (we record the IP address, title and content of the question / suggestion, name and institution of the submitter, details of the preferred communication channel (telephone or email), language of the website, time of submission of the question / suggestion).
1.3  The email address / telephone number is used only if the person needs to be answered.
1.4  ​​​​​​The email address will not be passed on to third parties.
1.5  ​​​​​​The website may use cookies for the purpose of analysing the use of the site.
1.6  General statistics may be compiled on visits to the website and the ratings given. Also, the World Bank team involved in this project uses statistics on visits and ratings only for general analysis. Only generalized analyzes are published.

2. Principles of personal data processing
2.1  The processing of personal data is lawful, fair and transparent. Personal data is collected and processed purposefully and minimally. Personal data is correct and will be corrected.
2.2  Personal data will be kept for as long as it is necessary to process the question / proposal and then deleted.
2.3  The processing of personal data shall be subject to security measures to protect against unauthorized access and accidental loss.

3. Rights of a natural person
3.1 Access to personal data
     3.1.1   A natural person has the right to receive confirmation as to whether personal data concerning him or her are being processed and, if so, to access it. To access it we recommend that you submit an application, which we will respond to within 1 month at the latest. If it is not possible to release the data within 1 month, we will notify the natural person and extend the deadline for replying.
     3.1.2   In the event of unreasonable or excessive requests for access to personal data, we have the right to charge a reasonable fee or refuse to release the data.
     3.1.3   We will refuse to comply with a request if its fulfillment could adversely affect the rights or freedoms of another person.

3.2 Rectification of personal data
     3.2.1   A natural person has the right to request the rectification and supplementation of data if they are incorrect or incomplete.

3.3 Notification of rectification, erasure or restriction of the processing of personal data
     3.3.1   We will provide information on the rectification, erasure or restriction of the processing of personal data to all persons to whom the personal data has been disclosed, unless this proves impossible or requires a disproportionate effort.

3.4 Presenting an objection
     3.4.1   A natural person has the right to object at any time to the processing of personal data for the performance of a task in the public interest or for the exercise of public authority by the controller or in the case of a legitimate interest.

3.5 Restrictions on the processing of personal data
     3.5.1   A natural person has the right to request a restriction on the processing of personal data, for example while we are assessing the implementation of the request to delete personal data.

3.6 Withdrawal of consent
     3.6.1   A natural person has the right to withdraw his or her consent to the processing of personal data at any time.

3.7 Deletion of personal data
     3.7.1   A natural person has the right to request the deletion of his or her personal data.
     3.7.2   We will delete personal data if: a natural person withdraws the consent given for the processing of data; personal data is no longer required for such a purpose; there is no legal basis for data processing; personal data has been processed illegally; it is necessary to fulfill a legal obligation.
If personal data is processed on a legal basis which does not allow for the deletion of the data, the data will not be deleted.

4. Open data
4.1  We do not publish ratings or questions / suggestions submitted through the website as open data.

5. Violations of personal data processing
5.1  We document all personal data breaches, including the circumstances and effects of the breach, and actions taken.
5.2  We will notify the supervisory authority (Data Protection Inspectorate) of the violation without undue delay and, if possible, within 72 hours of becoming aware of it, unless the violation is not likely to endanger the rights and freedoms of natural persons.
5.3  In the event of a serious threat to the data subject's rights and freedoms, the data subject shall be informed.
5.4  The supervisory authority (Data Protection Inspectorate) may assess that it is not necessary to inform data subjects.

6. Contact details
6.1  You can obtain additional information on the processing of personal data from the Data Protection Specialist:

7. Filing a complaint
7.1 If you are not satisfied with the information or solution provided by the Data Protection Specialist, please contact:
Ministry of Finance
Suur-Ameerika 1 10122 TALLINN
Telephone: +372 611 3558
Faks: +372 611 3664
7.2  A natural person has the right to apply to the supervisory authority (Data Protection Inspectorate) if he or she finds that the processing of personal data infringes his or her rights.

Last updated: 17. July 2020