
PRIVACY POLICY

Effective as of: 01.02.2025

HR Eesti OÜ (registration code 17081557, hereinafter “HR Eesti”) is committed to protecting the personal data of its clients, business partners, and other data subjects, ensuring confidentiality, security, and processing in full compliance with applicable legislation. HR Eesti processes personal data in accordance with all applicable data protection laws, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, GDPR), as well as the Estonian Personal Data Protection Act. Personal data is processed solely on a lawful basis, adhering to the principles of purpose limitation, data minimisation, and transparency. HR Eesti implements appropriate technical and organisational security measures to prevent unauthorised processing, disclosure, or loss of data.

Data Controller and Contact Information

Data Controller: HR Eesti OÜ

Phone: +372 566 888 31

Email: info@hreesti.ee

HR Eesti has not appointed a Data Protection Officer, as the company’s activities do not fall within the scope of Article 37(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR). All data protection-related questions, requests, and inquiries, including the exercise of rights related to personal data, can be submitted via the contact details provided above.

Principles of Personal Data Processing

HR Eesti processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and the Estonian Personal Data Protection Act, adhering to the following principles:

  1. Lawfulness, fairness, and transparency – The processing of personal data is always carried out on a lawful basis, fairly, and in a manner that is clear and transparent to data subjects.
  2. Purpose limitation – Personal data is collected for specific, clearly defined, and legitimate purposes and is not processed in a manner that is incompatible with those purposes.
  3. Data minimisation and accuracy – The personal data processed is relevant and limited to what is necessary to achieve the specified purposes. Data is updated as needed to ensure its correctness and accuracy.
  4. Security and confidentiality – HR Eesti implements appropriate technical and organisational security measures, including encryption, access restrictions, pseudonymisation, firewalls, and regular security testing to protect personal data against unauthorised access, disclosure, alteration, or destruction.

Processed Personal Data

HR Eesti processes personal data only to the extent necessary for the provision of services, fulfilment of legal obligations, or other legitimate purposes. The processed personal data may include the following:

  1. Data necessary for personal identification – first and last name, personal identification code or other unique identification number.
  2. Contact details – email address, phone number, postal address (if applicable).
  3. Professional information – professional and educational background, data provided in the CV, language skills, work experience, qualifications, diplomas, and certificates.
  4. Referees’ information – referees’ names, contact details, and provided references (if applicable and if the data subject has given consent).
  5. Training-related data – participation in training courses, training payment information (including billing details but excluding bank card data), feedback, and evaluation results.
  6. Website and social media usage statistics – logs of website and digital platform usage, IP addresses, device data, information collected through cookies and other analytics tools (in accordance with the applicable cookie policy).

Purposes and Legal Basis for Personal Data Processing

HR Eesti processes personal data for the following purposes and on the legal bases outlined below in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR):

  1. Provision of HR services – the processing of personal data is necessary for the provision of HR services and the performance of contractual obligations (legal basis: performance of a contract — GDPR Art 6(1)(b)).
  2. Provision of training and consulting services – data is processed for the organisation of training and consulting services and for participant registration (legal basis: performance of a contract — GDPR Art 6(1)(b)).
  3. Marketing and communication activities – the sending of newsletters, offers, and other marketing materials, as well as the conduct of other communication activities, is carried out only with the data subject’s consent (legal basis: data subject’s consent — GDPR Art 6(1)(a)).
  4. Improving website user experience and analytics – collecting website and social media usage statistics through cookies and analytical tools to improve user experience and services (legal basis: data subject’s consent — GDPR Art 6(1)(a)).
  5. Compliance with legal obligations – data processing is necessary for the fulfilment of legal obligations, such as compliance with accounting, tax, or employment law requirements (legal basis: compliance with a legal obligation — GDPR Art 6(1)(c)).
  6. Legitimate interest – HR Eesti also processes personal data when it is necessary for the protection of the company’s legitimate interests, such as ensuring IT security, preventing fraud, protecting company assets and systems, or improving service quality. In the case of legitimate interest, the potential impact on the rights and interests of the data subject is always assessed (legal basis: legitimate interest — GDPR Art 6(1)(f)).
  7. Legitimate interest assessment – the data subject has the right to obtain information about the legitimate interest assessment conducted by HR Eesti and to object to the processing of their personal data based on legitimate interest.

Transfer of personal data

HR Eesti may transfer personal data only in the cases described below and in accordance with applicable data protection laws.

  1. To partners and service providers – HR Eesti may transfer personal data to partners and service providers (such as IT service providers, accounting service providers, training partners) who provide technical support or process data on behalf of HR Eesti. In such cases, agreements are concluded with data processors requiring them to comply with data protection requirements.
  2. To employers and recruitment service clients – personal data may be transferred to employers or HR Eesti clients in the context of recruitment and employment services only if the data subject has provided explicit and informed consent.
  3. To public authorities – HR Eesti may transfer personal data to public authorities (such as the Tax and Customs Board, Labour Inspectorate, Data Protection Inspectorate, or law enforcement authorities) only when necessary for fulfilling legal obligations or complying with legitimate requests from public authorities.
  4. Transfer of data outside the European Economic Area (EEA) – HR Eesti transfers personal data to third countries (i.e., countries outside the European Economic Area) only under the following conditions:
  • If the European Commission has adopted an adequacy decision confirming that the data protection level of the receiving country is adequate (GDPR Article 45);
  • If Standard Contractual Clauses (SCC) approved by the European Commission or other appropriate safeguards are applied (GDPR Article 46);
  • If the data subject has given explicit consent for the transfer (GDPR Article 49).

All data transfers are carried out in accordance with the principles of data minimisation and security, applying the necessary technical and organisational measures to ensure the confidentiality and integrity of the data.

Personal data retention periods

HR Eesti retains personal data only for as long as necessary to achieve the defined purposes or to fulfil obligations arising from legal requirements. The retention periods are as follows:

  1. Accounting and tax-related data – retained for 7 years from the end of the financial year in accordance with the Estonian Accounting Act and tax legislation.
  2. Data related to legal claims – retained for up to 10 years, if necessary for the resolution of potential legal disputes, for the establishment of claims, or for their defence, in accordance with the limitation periods established by the General Part of the Civil Code.
  3. Marketing-related data – retained until the data subject withdraws their consent. In the event of consent withdrawal, data processing will be terminated, and the data will be deleted, unless their retention is required on another legal basis.
  4. Talent pool data – retained for 3 years from the last active interaction with the data subject or until the data subject submits a deletion request. If no active interaction has occurred within 3 years, the data will be automatically deleted, unless the data subject has given consent for longer retention.

All retention periods comply with the principles of data minimisation and storage limitation under the GDPR. When personal data is no longer necessary, it is securely deleted or anonymised to prevent the identification of individuals.

Rights related to personal data

The data subject has the following rights under the European Union General Data Protection Regulation (GDPR):

  1. Right to access your personal data – the data subject has the right to obtain confirmation as to whether their personal data is being processed, as well as a copy of the processed data and information about its processing.
  2. Right to rectification of data – the data subject has the right to request the rectification or completion of inaccurate or incomplete personal data.
  3. Right to erasure of data (“right to be forgotten”) – the data subject has the right to request the deletion of their personal data if there is no legal basis for processing or if the data subject has withdrawn their consent and no other legal basis exists. This right does not apply if data processing is necessary for compliance with legal obligations or for the establishment, exercise, or defence of legal claims.
  4. Right to object to processing – the data subject has the right to object to the processing of their personal data if the processing is based on HR Eesti’s legitimate interest or is carried out for direct marketing purposes.
  5. Right to restriction of processing – the data subject may request the restriction of the processing of their personal data if:
  • the personal data is inaccurate and its accuracy is being verified
  • the processing is unlawful, but the data subject does not wish the data to be deleted
  • HR Eesti no longer needs the data, but the data subject requires it for the establishment, exercise, or defence of legal claims
  • the data subject has objected to the processing, and an assessment is pending to determine whether HR Eesti’s legitimate interests override the rights of the data subject.
  6. Right to data portability – the data subject has the right to receive the personal data they have provided in a structured, commonly used, and machine-readable format and to transmit those data to another controller where the processing is based on consent or a contract and is carried out by automated means.
  7. Right to withdraw consent – where the processing of personal data is based on consent, the data subject may withdraw their consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

The data subject may exercise their rights by submitting a request to the email address info@hreesti.ee. Requests will be responded to without undue delay, but no later than within one month, in accordance with GDPR Article 12. In the case of complex requests, the response time may be extended by two months, with separate notification provided to the data subject.

If the data subject believes that the processing of their personal data violates applicable data protection laws, they have the right to lodge a complaint with the Data Protection Inspectorate (Tatari 39, 10134 Tallinn, email: info@aki.ee, website: www.aki.ee) or with the competent supervisory authority in their country of residence.

Cookies

  1. Use of cookies – The HR Eesti website uses cookies and similar technologies to enhance the user experience, ensure website functionality, and analyse web traffic.
  2. Consent-based use – certain cookies, such as analytics and marketing cookies, are placed on the user’s device only with their explicit consent. Essential cookies that ensure the core functionality of the website (e.g., session cookies) may be allowed without user consent, as they are necessary for the proper functioning of the website.
  3. Managing and deleting cookies – the user can manage and delete cookies in their web browser settings. Blocking cookies may result in some website functions working partially or not at all. Instructions for managing cookies can be found on the official support pages of popular web browsers (e.g., Google Chrome, Mozilla Firefox, Microsoft Edge, Safari).
  4. Additional information – more information about the cookies used by HR Eesti, including their types, purposes, and retention periods, is available in the website’s cookie policy.

Data security

HR Eesti implements appropriate technical and organisational measures to ensure the security of personal data and protect it against unauthorised access, processing, alteration, disclosure, or destruction. The following measures are applied:

  • Encryption – sensitive data and communication channels are protected by encryption to ensure their confidentiality.
  • Access restrictions – access to personal data is granted only to authorised employees and partners who have a legitimate need, and they are subject to strict confidentiality obligations.
  • Regular updates of security measures – HR Eesti regularly reviews and updates its security policy and implemented safeguards to prevent potential threats and vulnerabilities.
  • Pseudonymisation and anonymisation – pseudonymisation or anonymisation is applied when necessary to reduce risks associated with personal data.
  • Firewalls and antivirus protection – modern firewall and antivirus solutions are used to protect information systems against cyber threats.
  • Regular security tests and audits – HR Eesti conducts regular security checks and risk assessments to ensure the security of data processing.

Despite the implemented security measures, it is not possible to guarantee that data transmission over the internet is completely secure. Therefore, HR Eesti encourages data subjects to exercise caution and to use secure connections and strong passwords to protect their data.

Privacy Policy changes

  1. HR Eesti reserves the right to amend the privacy policy to ensure its compliance with applicable laws, data protection practices, and the company’s operational needs.
  2. All changes to the privacy policy will be published on the HR Eesti website (www.hreesti.ee) and will take effect from the date of publication unless otherwise specified in the amendment. Data subjects will be informed of any significant changes affecting their rights or the basis for data processing via email or other appropriate means.
  3. Data subjects are advised to review the privacy policy updates from time to time to stay informed about the principles and conditions of personal data processing.

Contact and complaints submission

If you have any questions, requests, or complaints regarding the processing of personal data, please contact us:

Email: info@hreesti.ee
Website: www.hreesti.ee

If you are not satisfied with HR Eesti’s response or believe that the processing of your personal data violates applicable data protection laws, you have the right to lodge a complaint with the Data Protection Inspectorate:

Data Protection Inspectorate
Address: Tatari 39, 10134 Tallinn, Estonia
Email: info@aki.ee
Website: www.aki.ee
Phone: +372 627 4135

You also have the right to contact the supervisory authority of your country of residence or to use other legal remedies to protect your rights.
