Privacy Policy

1. General provisions

HR Eesti processes personal data in accordance with all applicable data protection legislation, including Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (GDPR), and the Estonian Personal Data Protection Act.

Personal data is processed only on a legal basis, for specified purposes, in accordance with the principles of data minimisation and transparency, and by applying appropriate technical and organisational security measures to prevent unauthorised processing, disclosure or loss of data.

2. Data controller and contact details

Data controller: HR Eesti OÜ

Phone: +372 566 888 31

Email: info@hreesti.ee

HR Eesti has not appointed a Data Protection Officer, as the company’s activities do not fall within the scope of Article 37(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

All data protection questions, requests and enquiries, including requests related to the exercise of personal data rights, may be submitted using the contact details provided above.

3. Principles of personal data processing

HR Eesti processes personal data in accordance with the GDPR and the Estonian Personal Data Protection Act, following the principles below:

• Lawfulness, fairness and transparency. Personal data is always processed on a legal basis, fairly and in a manner that is understandable and transparent to data subjects.
• Purpose limitation. Personal data is collected for specified, clearly defined and legitimate purposes and is not processed in a manner incompatible with those purposes.
• Data minimisation and accuracy. The personal data processed is relevant and limited to what is necessary for achieving the intended purposes. Where necessary, data is kept up to date.
• Security and confidentiality. HR Eesti applies appropriate technical and organisational security measures, including encryption, access restrictions, pseudonymisation, firewalls and regular security testing.

4. Personal data processed

HR Eesti processes personal data only to the extent necessary for providing services, fulfilling legal obligations or pursuing other legitimate purposes.

• Data required for personal identification: first name and surname, personal identification code or another unique identification number.
• Contact details: email address, phone number and postal address, where relevant.
• Professional information: professional and educational background, data included in a CV, language skills, work experience, qualifications, diplomas and certificates.
• Reference data: names and contact details of referees and references provided, where relevant and where the data subject has given consent.
• Training-related data: participation in training, information related to training fees, including billing data but excluding bank card details, feedback and assessment results.
• Website and social media usage statistics: website and digital platform usage logs, IP addresses, device data, and data collected through cookies and other analytics tools.

5. Purposes and legal bases for processing personal data

HR Eesti processes personal data for the following purposes and on the following legal bases in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR):

• Provision of HR services. The processing of personal data is necessary for providing HR services and fulfilling contractual obligations. Legal basis: performance of a contract — GDPR Article 6(1)(b).
• Provision of training and consulting services. Data is processed for organising training and consulting services and registering participants. Legal basis: performance of a contract — GDPR Article 6(1)(b).
• Marketing and communication activities. Newsletters, offers and other marketing materials are sent only with the data subject’s consent. Legal basis: consent — GDPR Article 6(1)(a).
• Improving website user experience and analytics. Website and social media usage statistics are collected through cookies and analytics tools to improve user experience and services. Legal basis: consent — GDPR Article 6(1)(a).
• Compliance with legal obligations. Data processing is necessary for complying with legal obligations, for example accounting, tax or employment law requirements. Legal basis: compliance with a legal obligation — GDPR Article 6(1)(c).
• Legitimate interest. HR Eesti also processes personal data where necessary to protect the company’s legitimate interests, for example ensuring IT security, preventing fraud, protecting the company’s assets and systems, or improving service quality. Legal basis: legitimate interest — GDPR Article 6(1)(f).
• Legitimate interest assessment. The data subject has the right to receive information about the legitimate interest assessment carried out by HR Eesti and to object to the processing of their personal data on the basis of legitimate interest.

6. Transfer of personal data

HR Eesti may transfer personal data only in the cases described below and in accordance with applicable data protection legislation.

• To cooperation partners and service providers. HR Eesti may transfer personal data to cooperation partners and service providers, such as IT service providers, accounting service providers and training partners who provide technical support or process data on behalf of HR Eesti.
• To employers and recruitment service clients. Personal data may be transferred to employers or HR Eesti’s clients within the framework of recruitment and employment mediation services only where the data subject has given explicit and informed consent.
• To public authorities. HR Eesti may transfer personal data to public authorities, such as the Estonian Tax and Customs Board, the Labour Inspectorate, the Estonian Data Protection Inspectorate or law enforcement authorities, where necessary to comply with legal obligations or lawful requests from authorities.
• Transfer of data outside the European Economic Area. HR Eesti transfers personal data to third countries only where the European Commission has adopted an adequacy decision, standard contractual clauses or other appropriate safeguards are applied, or where the data subject has given explicit consent to the transfer.

All data transfers are carried out in accordance with the principles of minimisation and security, applying the necessary technical and organisational security measures to ensure the confidentiality and integrity of the data.

7. Personal data retention periods

HR Eesti retains personal data only for as long as necessary to achieve the defined purposes or to comply with obligations arising from legislation.

• Accounting and tax-related data is retained for 7 years from the end of the financial year in accordance with the Estonian Accounting Act and tax legislation.
• Data related to legal claims is retained for up to 10 years where necessary for resolving potential legal disputes or for establishing, exercising or defending claims.
• Marketing-related data is retained until the data subject withdraws their consent. Upon withdrawal of consent, data processing is stopped and the data is deleted, unless retention is necessary on another legal basis.
• Talent database data is retained for 3 years from the last active communication with the data subject or until the data subject submits a deletion request.

When personal data is no longer necessary, it is securely deleted or anonymised to prevent the identification of individuals.

8. Rights related to personal data

Under the General Data Protection Regulation of the European Union (GDPR), the data subject has the following rights:

• Right of access to personal data. The data subject has the right to obtain confirmation as to whether their personal data is being processed and to receive a copy of the personal data being processed and information about such processing.
• Right to rectification. The data subject has the right to request the correction or completion of inaccurate or incomplete personal data.
• Right to erasure, or the “right to be forgotten”. The data subject has the right to request the deletion of their personal data where there is no legal basis for processing or where the data subject withdraws consent and there is no other legal basis for processing.
• Right to object. The data subject has the right to object to the processing of their personal data where the processing is based on HR Eesti’s legitimate interest or is carried out for direct marketing purposes.
• Right to restriction of processing. The data subject may request the restriction of the processing of their personal data where the data is inaccurate, the processing is unlawful, HR Eesti no longer needs the data, or the data subject has objected to the processing.
• Right to data portability. The data subject has the right to receive the personal data they have provided in a structured, commonly used and machine-readable format and to transmit that data to another controller.
• Right to withdraw consent. Where personal data is processed on the basis of consent, the data subject may withdraw their consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

The data subject may exercise their rights by submitting a request to info@hreesti.ee. Requests will be responded to without undue delay and no later than within one month in accordance with GDPR Article 12.

In the case of more complex requests, the response period may be extended by two months, of which the data subject will be informed separately.

9. Right to lodge a complaint

If the data subject believes that the processing of their personal data violates applicable data protection legislation, they have the right to lodge a complaint with the Estonian Data Protection Inspectorate or with the competent supervisory authority in their country of residence.

Estonian Data Protection Inspectorate
Address: Tatari 39, 10134 Tallinn, Estonia
Email: info@aki.ee
Website: www.aki.ee

10. Cookies

The HR Eesti website uses cookies and similar technologies to improve user experience, ensure website functionality and analyse website traffic.

• Use of cookies. Cookies help improve the functioning of the website and analyse its use.
• Consent-based use. Analytics and marketing cookies are placed on the user’s device only on the basis of the user’s explicit consent. Necessary cookies may be enabled without user consent where they are essential for the proper functioning of the website.
• Managing and deleting cookies. The user can manage and delete cookies in their web browser settings. If cookies are blocked, some website functions may not work partially or fully.
• Additional information. More information about the cookies used by HR Eesti, including their types, purposes and retention periods, is available in the website’s Cookie Policy.

11. Data security

HR Eesti applies appropriate technical and organisational measures to ensure the security of personal data and to protect it against unauthorised access, processing, alteration, disclosure or destruction.

• Encryption. Sensitive data and communication channels are protected by encryption to ensure confidentiality.
• Access restrictions. Personal data can be accessed only by authorised employees and cooperation partners who have a legitimate need for such access.
• Regular updates to security measures. HR Eesti regularly assesses and updates its security policy and implemented protection measures.
• Pseudonymisation and anonymisation. Where necessary, pseudonymisation or anonymisation is used to reduce risks related to personal data.
• Firewalls and antivirus protection. Modern firewall and antivirus solutions are used to protect information systems against cyber threats.
• Regular security testing and audits. HR Eesti carries out regular security checks and risk assessments to ensure the security of data processing.

Despite the security measures applied, it cannot be guaranteed that data transmission over the internet is completely secure. Therefore, HR Eesti encourages data subjects to exercise caution and to use secure connections and strong passwords to protect their data.

12. Changes to the Privacy Policy

HR Eesti reserves the right to amend this Privacy Policy in order to ensure its compliance with applicable legislation, data protection practices and the company’s operational needs.

All changes to the Privacy Policy will be published on the HR Eesti website www.hreesti.ee and will take effect from the date of publication, unless otherwise specified in the amendment.

Data subjects will be notified by email or by another appropriate method of any significant changes affecting their rights or the legal bases for data processing.

Data subjects are advised to review updates to the Privacy Policy from time to time in order to stay informed about the principles and terms of personal data processing.