Privacy Policy

You have reached our Privacy Policy page. Please find detailed information regarding you privacy below.

This Privacy Notice describes how the e-Residency project team at Ettevõtluse Arendamise Sihtasutus (registry code 90006006; Lasnamäe 2, 11412 Tallinn; hereinafter EAS or we) processes Your personal data.

This Privacy Notice applies to You if you are an e-resident, who has given their consent to the Police and Boarder Guard Board (hereinafter PBGB) to transmit personal data from Your e-residency application to EAS. In addition, this Privacy Notice applies to You, if You have visited our website e-resident.gov.ee, subscribed to our newsletter on our website e-resident.gov.ee, contacted the e-Residency support team through electronic means (e.g. through the support form at learn.e-resident.gov.ee, by email e-resident@gov.ee, through chatbot on e-resident.gov.ee, through social media channel) or if you are a representative or contact person of our partner.

As we may process Your personal data in the course of performing different activities, depending on your relationship with us. We have prepared this Privacy Notice in such a way that each person who interacts with us, can find under section 1 a specific description of the conditions applicable to the processing activity that is applicable to that person, while sections 2 – 8 describe principles that apply to all of our data processing activities regardless of which data subject category You belong to.
The terms and definitions used in this Privacy Notice should be construed as in the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; General Data Protection Regulation; hereinafter the GDPR).

1. Categories of Personal Data, Purposes and Legal Bases for Processing, and Retention of Personal Data

I am an e-resident
I am a subscriber to e-Residency newsletter
I am a visitor to the e.resident.gov.ee website
I am contacting the e-Residency support team
I am a representative or a contact person of EAS’s partner

General Principles

1.1. I am an e-Resident

If You are an e-resident, we process the personal data that You have provided on Your e-residency application and that has been transmitted to us by PBGB. Such personal data includes:

  • name
  • gender, date of birth, Estonian personal identification code
  • contact data (email address, telephone number)
  • country and city of residence
  • citizenship
  • location of issuing e-residency digi-ID, date of the decision to grant e-residency, date of expiry of the e-resident’s digi-ID
  • reasons for having submitted the application

We process Your personal data for the following purposes:

  • to send You e-Residency communications, personalized offers and information to assist You in starting and operating business in Estonia (including information about the e-services available in Estonia);
  • to help establish contact with service providers according to the e-resident’s interests;
  • to develop the e-Residency program and to fulfil the purposes of the program (including asking for feedback).

The legal basis for such processing is Your consent that You have given when You have applied for e-resident digi-ID (GDPR art 6(1)(a)). You have the right to withdraw Your consent at any time by contacting us on the contact details below. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

We may also process Your personal data to fulfil our legal obligations (GDPR art 6 (1) (c)) and to protect our legal rights (e.g. to file claims, to protect ourselves from claims), in which case the legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

1.2. I am a Subscriber to e-Residency Newsletter

If You are a newsletter subscriber, we process the personal data that we have received from yourself when You subscribe to our newsletter. If you are an e-resident we process your name, email address and citizenship. If you have subscribed to our newsletter directly from our website, we process your email address and country of residence.

If You are a newsletter subscriber, we process Your personal data to send You our newsletter and special offers (GDPR art 6(1)(a)). The legal basis for such processing is Your consent that You have given when subscribing to our newsletter. You have the right to withdraw your consent at any time by contacting us on the contact details below. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

We may also process Your personal data to fulfil our legal obligations (GDPR art 6 (1) (c)) and to protect our legal rights (e.g. to file claims, to protect ourselves from claims), in which case the legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

1.3. I am a Visitor to the e.resident.gov.ee Website

If You are a visitor to the e.resident.gov.ee website, we may collect some personal data automatically via cookies on our website. Click here for more information about which cookies we use and how we use the data gathered via cookies.

1.4. I am Contacting the e-Residency Support Team

If You are contacting the e-Residency support through electronic means (e.g. through the support form at learn.e-resident.gov.ee, by email e-resident@gov.ee, through chatbot on e-resident.gov.ee, through social media channel), we process the personal data that you have provided us. Such personal data includes:

  • name
  • contact details (e.g. email address, information about social media account)
  • data that you provide us in the course of our communication
  • automatic data such as server and HTTP logs, data transmitted by Actions on Google API and usage information

We kindly ask You to not provide us any special categories of personal data in your inquiry (e.g. data about race, ethnic origin, political opinions, religious beliefs, health, sexual orientation).

If You are contacting us, we process your personal data to reply to your inquiry. We may forward your inquiry with the respective authority, if they possess the information that is necessary to reply to your inquiry (e.g. PBGB, respective embassy, Estonian Ministry of Foreign Affairs, other public authorities). The legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

In addition, we process your personal data to analyse and improve our customer service. For that purpose we may share your information (email, content of your inquiry) with third party service providers who process your personal data on behalf of us in order to help us make our customer service faster and more effective. For statistical purposes, we analyze the personal data in anonymized form. The legal basis for such processing is our legitimate business interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

We believe that as You have initiated contact with us, our interests override Your interests and fundamental rights and freedoms which require protection of personal data. You have the right to object to such processing in which case we will stop processing Your personal data unless we can demonstrate compelling legitimate grounds for the processing which override Your interests, rights and freedoms or unless we are processing Your personal data to protect our legal rights.

We may also process Your personal data to fulfil our legal obligations (GDPR art 6 (1) (c)) and to protect our legal rights (e.g. to file claims, to protect ourselves from claims), in which case the legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

1.5. I am a Representative or a Contact Person of Our Partner

If You are a representative or a contact person of our partner, we process the personal data that we have received from yourself or from the partner. Such personal data includes:

  • name
  • position
  • contact data (email address, telephone number)

If You are a representative or a contact person of our partner, we process Your personal data to contact our partner in order to perform the contracts concluded between us or to cooperate in other ways. The legal basis for such processing is our legitimate interest to administer the relationship with our partner (GDPR art 6(1)(f)). We believe that as You are the representative or contact person of our partner, our business interests override Your interests and fundamental rights and freedoms which require protection of personal data. You have the right to object to such processing in which case we will stop processing Your personal data unless we can demonstrate compelling legitimate grounds for the processing which override Your interests, rights and freedoms or unless we are processing Your personal data to protect our legal rights.

We may also process Your personal data to fulfil our legal obligations (GDPR art 6 (1) (c)) and to protect our legal rights (e.g. to file claims, to protect ourselves from claims), in which case the legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

2. Access to Personal Data and Transmission of Personal Data

Only members of the e-Residency program team who have justified need for processing Your personal data have access to Your personal data. We share Your personal data with third parties only if we have justified need, to the justified extent and only if we have a legal basis for such transmission.

We use service providers that may have access to Your personal data. These service providers shall be considered as data processors. For example such data processors include cloud service providers, email service providers, data analytics service providers etc. We use only data processors who provide sufficient guarantees that they apply appropriate technical and organizational measures in order to ensure the protection of Your personal data. We have concluded appropriate data processing agreements with the service providers and shall remain responsible for their actions in respect of the processing of Your personal data.

We may also transmit Your personal data to the following third parties who act as independent controllers with regard to Your personal data:

  • to third parties who possess information that is necessary to reply to data subject’s inquiry (e.g. PBGB, embassies, Estonian Ministry of Foreign Affairs, other public authorities), in which case the legal basis for the transmission of personal data is our legitimate interest to extent which in our assessment overrides your interests and fundamental rights and freedoms which require protection of personal data
  • to third parties who protect our legal rights (e.g. our legal consultants), in which case the legal basis for the transmission of personal data is our legitimate interest to the extent which in our assessment overrides your interests and fundamental rights and freedoms which require protection of personal data
  • to third parties who audit us, in which case the legal basis for the transmission of personal data is our legitimate interest to the extent which in our assessment overrides your interests and fundamental rights and freedoms which require protection of personal data
  • to third parties to whom we are obligated to transmit personal data in accordance with law or other legal acts (e.g. supervisory authorities), in which case the legal basis for transmission is the fulfilment of our obligations arising from law

Should You require more detailed information as regards the data processors or independent third parties who might process Your personal data, please contact us on the contact details below.

3. Transmission of Personal Data Outside the European Economic Area

Our data processors (e.g. cloud service providers) may process Your personal data outside the European Economic Area (EEA). Usually we do not transmit Your personal data outside the EEA, but if we find it necessary, we transmit data only if we have a legal basis to do so, including to data recipients: (i) who are located in a country where sufficient level of personal data protection is ensured in the assessment of the European Commission (including organisations certified under the Privacy Shield) or (ii) on the basis of an agreement which meets the EU requirements for the transmission of personal data to personal data processors located outside the EEA.

Should you require more detailed information as regards transferring your personal data outside the EEA (e.g. the names of the recipients and the exact legal basis for any such transfer), please contact us on the contact details below.

4. Retention of Personal Data

We retain Your personal data until it is necessary depending on the purposes for which we collected the data.

We retain personal data of e-residents until You withdraw Your consent. If You do not withdraw Your consent, we retain the personal data of e-residents as long as we are cooperating with the Police and Boarder Guard Board to carry out the purposes of the e-Residency program.

We retain personal data of newsletter subscribers until You withdraw Your consent.

We retain personal data of people who have contacted our support team indefinitely.

We retain personal data of representatives and contact persons of our partners as long as we have a relationship with the partner and in case of any legal disputes up to 10 years after the end of the relationship to protect our rights.

5. Security

We implement sufficient technical and organizational security measures to protect Your personal data, taking into account: (i) the level of technology, (ii) the costs of implementation, (iii) the nature, scope, context and purposes, and (iv) the possible risks to You that may arise from data processing.

6. Your Rights

With regard to Your personal data, You have all the rights prescribed by legal acts, including the GDPR, on the terms and conditions and to the extent established therein:

  • the right to request access to Your personal data (including to receive a copy of Your personal data)
  • the right to request the rectification of personal data
  • the right to request the deletion of personal data
  • the right to request the restriction of the processing of personal data
  • the right to the portability of personal data
  • the right to withdraw your consent, if we process your personal data on the basis of Your consent
  • the right to submit objections if personal data is being processed on the basis of our legitimate interest.

If You wish to exercise the rights specified above or should You have any questions about the processing of Your personal data, please contact us on the contact details provided below. We will answer to Your request as soon as possible, but at least within 1 month of receipt of Your request and inform You about the measures we have taken. For reasons of complexity or large scope of Your request, it may take us longer to process Your request (up to 3 months), in which case we will inform You of such circumstances.

If You believe that Your rights have been violated or Your personal data have not been processed in accordance with this Privacy Notice, we kindly recommend You to contact us on the contact details provided below. In case of a violation, You also have the right to turn to a competent data protection supervisory authority (in Estonia the Estonian Data Protection Inspectorate) or the court.

7. Amendment of the Privacy Notice

If our personal data processing practices shall change or we need to change the Privacy Notice due to changes in the applicable data protection related legal acts, other legal acts, case-law or guidelines or practices of competent authorities, we have the right to unilaterally amend the Privacy Notice. If the amendments affect You significantly, we shall notify You before the amendments enter into force by email.

8. Applicable Law

EAS is a legal entity registered in the Republic of Estonia and the processing of Your personal data is therefore subject to the laws of the Republic of Estonia.

Contact Details

If You have any questions concerning the processing of Your personal data or if You wish to exercise Your rights with regard to Your personal data, please contact our data protection officer using the following contact details:

  • Mariann Stein: andmekaitse@eas.ee
  • or contact the e-Residency Team of Enterprise Estonia by our general contact details: e-resident@gov.ee