GDPR Compliance Principles

Comprehensive Overview of GDPR Compliance Principles and Our Commitment to Data Protection

At Eesti Firma (legal name Eesti Firma OÜ, registration number 14164797, address Vesivärava 50, 10152 Tallinn, Estonia), protecting your personal data is our highest priority. Our commitment to privacy is based on the key principles established in the General Data Protection Regulation (EU) 2016/679 (GDPR).

These principles guide all our decisions regarding how we process your data and underpin our internal procedures. Below, we detail each principle, explaining how it applies in practice and outlining your rights as a data subject. Please note: detailed information about specific data processing methods and protection measures is provided in our Privacy Policy.

Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and transparently in relation to you. This means any data processing is conducted based on lawful grounds, honestly, and openly toward you as the data subject. Within this principle, we adhere to the following approaches:

  • Lawfulness: We collect and use your personal data only if there is a clear and lawful basis. In other words, every data operation strictly complies with the law. Our legal grounds include your informed consent (where required), performance of contractual obligations, compliance with legal requirements, or our legitimate business interests, which do not infringe your rights. You will always be informed of the legal basis for processing your data.
  • Fairness: We ensure fairness in data processing. This means we do not collect data deceitfully nor use it to your detriment. We never mislead you about the purposes of collecting information or how it will be used. Furthermore, we consider your interests and rights—for example, we guarantee the non-discriminatory exercise of your rights (such as the right to access your data), regardless of terms of service. Data processing is performed to avoid unjustified harm to your privacy.
  • Transparency: We communicate openly and clearly about why and how your data is used. All processing information is provided in plain language, avoiding excessive legal jargon. Our privacy policy and other notices are always easily accessible so you can find out at any time what data we collect, on what grounds, and for what purposes. When necessary, we use a multi-layered approach to informing you—we highlight key points and provide details through additional links or tooltips. We regularly update our information to keep it current and inform you of any significant changes. This transparency ensures you know exactly how your personal data is processed.

Purpose Limitation

We collect and use personal data only for specific, pre-defined, and lawful purposes, of which you are notified in advance. This means your data will be used exclusively for the purposes for which it was collected. We do not use personal information in any new way incompatible with the original purposes. For example, if you provide your email address to receive updates about our service, we will not share it with a partner for advertising without your knowledge and consent.

All processing purposes are clearly documented—in our internal records and public documents (such as the Privacy Policy), we specify the reasons for collecting certain data. If there is a need to use data for a new purpose inconsistent with the original one, we will obtain separate consent from you beforehand or ensure another lawful basis for processing. Thus, you can be assured your personal data will not be used unexpectedly or beyond the initially stated purposes.

Data Minimization

We adhere to the principle of data minimization, meaning we collect only the personal information truly necessary for the declared processing purposes. In practice, this is implemented as follows:

  • We request only the minimal amount of data necessary to provide the requested service or fulfill a contract. Forms and surveys on our website are designed not to collect unnecessary information. For instance, if registering for a webinar requires only your name and email, we will not request additional unrelated data.
  • The “nothing extra” principle helps us reduce risks to your privacy. The less data stored and processed, the lower the likelihood of leaks or unauthorized access. We do not collect information “just in case,” accumulating data that might someday be useful. All information requests are carefully justified by specific necessity.
  • We also regularly review the data we collect, removing any fields or requests that are not essential. Thus, we ensure that, in all interactions, we request only information genuinely necessary to achieve the specified purposes.

Accuracy

Keeping personal data accurate and up-to-date is another key principle we follow. We make every reasonable effort to ensure the information we hold about you is correct, complete, and current, as this affects the quality of our services and your trust. To ensure accuracy, we implement the following measures:

  • Regular Updates: If your personal data has changed (for example, you’ve updated your contact number or address), we promptly reflect these changes in our systems. We aim to prevent decisions from being based on outdated or incorrect information.
  • Error Correction: If you discover that any of your details are incorrect or outdated, you can always notify us – we will promptly correct the errors. Moreover, you have the right to rectification (correction) of inaccurate data, which we fully respect, providing convenient ways for you to inform us of any inaccuracies.
  • Verification of Critical Data: In cases where data accuracy is particularly important (e.g., for financial transactions or provision of legally significant services), we may undertake additional steps to verify and confirm information. This could involve requesting supporting documents or cross-checking data with you. All these measures ensure our databases contain only accurate information.
  • Deletion of Inaccurate Data: According to GDPR requirements, inaccurate or incomplete data that cannot be corrected must be deleted without undue delay. We adhere to this rule: if any information is found inaccurate in relation to its processing purposes and cannot be corrected, we will delete it promptly to prevent possible negative consequences.

Your cooperation is also crucial in maintaining accuracy: please inform us if any of your personal data has changed or needs correction. We appreciate your proactiveness, as accurate data is essential for effective service delivery and safeguarding your rights.

Storage Limitation

We store personal data for no longer than is necessary to achieve the purposes for which it was collected. This principle of storage limitation means that each category of data has a defined retention period, after which the information is securely deleted or anonymized. Here’s how we ensure this:

  • Clearly Defined Retention Periods: We establish reasonable retention periods for various types of personal data, considering processing purposes, our legal and contractual obligations, and applicable legal requirements. For example, transaction data may be retained as required by tax or accounting regulations, whereas data collected for a one-time service will be kept for a shorter duration. All retention periods are reflected in our internal policies, and we strictly adhere to them.
  • Regular Reviews: We periodically review our data retention policies to ensure they remain current. If business processes change or laws are updated, we adjust data retention periods accordingly. Such audits help identify personal data that is no longer required. We conduct reviews to detect unused or outdated data and delete it if it is not needed for any lawful purpose.
  • Secure Deletion: Upon expiry of retention periods (or earlier, if data becomes unnecessary), we delete personal data in a way that makes it impossible to restore or identify. In some cases, if immediate deletion isn’t possible due to technical constraints, we first anonymize the data (separating it from your identity) and then delete it when feasible. We may also retain data beyond the established retention period only if permitted by law – for instance, if the data is retained for archival purposes in the public interest or for scientific or statistical purposes pursuant to Article 89(1) GDPR. Even in these cases, we ensure appropriate confidentiality safeguards.

By minimizing the retention period for personal data, we reduce the risk of data misuse or vulnerability to breaches over time. You can be assured that we do not retain your data longer than necessary and strictly comply with established timelines.

Integrity and Confidentiality

We take all measures to ensure the integrity and confidentiality of your personal data, protecting it from unauthorized access, alteration, disclosure, or destruction. This principle of data security is implemented comprehensively – through both technical and organizational means. Here’s how we protect your data:

  • Modern Security Technologies: We apply appropriate technical security measures to protect personal information, including data encryption, firewalls, antivirus solutions, intrusion detection systems, and other cybersecurity tools. These measures are proportionate to the nature and volume of processed data and potential risks. For example, sensitive data may be stored encrypted, and access to systems containing personal data is strictly limited to authorized individuals. We regularly assess risks and update security measures to counter emerging threats. Our IT infrastructure is monitored for vulnerabilities, and we promptly install updates and patches to prevent incidents.
  • Organizational Measures and Access Control: Besides technology, we implement strict organizational rules for data handling. Access to your personal data is limited exclusively to employees or authorized persons who need it to perform their duties (principle of “least privilege”). Each employee acts within their authority and receives training on data security requirements. We enter into non-disclosure agreements (NDAs) with all employees and third-party contractors who may access information, legally binding them to maintain confidentiality. Regular training sessions and briefings on data protection best practices are conducted to ensure staff awareness of current threats and prevention strategies.
  • Incident Response and Monitoring: We have internal procedures in place for responding to security incidents. In the unlikely event of a data breach or integrity violation, we have a response plan: from immediate vulnerability remediation to notifying supervisory authorities and affected data subjects when required by law. We maintain records of all personal data incidents, analyzing their causes to prevent recurrence. Additionally, our security system is regularly audited – we conduct internal and external audits, penetration tests, and other assessments to ensure our security standards remain robust and up-to-date.

By adhering to this principle, we ensure that your personal data is stored and processed with the highest security standards. Data integrity ensures that information remains unchanged and accurate within the system, while confidentiality ensures that unauthorized individuals cannot access it. Together, these measures help us maintain a high level of trust and security.

Accountability

Eesti Firma OÜ fully acknowledges its responsibility for complying with GDPR principles and can demonstrate this compliance. The principle of accountability means we not only adhere to the regulations but can also provide practical and documented evidence of our compliance. Here is how accountability is implemented in our company:

  • Built-in compliance: We have integrated GDPR requirements into all business processes. Every employee who handles personal data understands and adheres to data protection principles. We have clear policies and guidelines regulating data collection, use, transfer, and storage, and these documents are communicated to staff. GDPR principles are embedded into our corporate culture, ensuring consistently high standards of data management at all levels.
  • Designated Data Protection Officer: In compliance with legislation, we have appointed a Data Protection Officer (DPO) – Ilja Nikiforov, whose contact information is provided below. His responsibilities include monitoring GDPR compliance within the company, advising employees on privacy matters, and serving as a point of contact for you and supervisory authorities. The presence of a DPO is evidence of our accountability and serious commitment to data protection.
  • Internal audits and risk assessments: We regularly conduct internal audits (and involve external auditors when necessary) to ensure our practices comply with GDPR requirements. Potential risks to security and privacy are analyzed, and corrective measures are taken based on audit findings. This continuous monitoring and improvement approach helps us keep data protection measures up-to-date and adapt swiftly to changes – whether new threats, increasing data volume, or regulatory updates.
  • Training and awareness: We invest in employee education on data protection topics. Training sessions, newsletters, and knowledge assessments are periodically conducted to ensure everyone is informed of the latest industry developments and requirements. Data security significantly depends on individual actions, so we foster a culture in which everyone understands their role and responsibilities.
  • Readiness for reporting: At any moment, we are prepared to demonstrate GDPR compliance to you as well as supervisory authorities. Our transparency extends to this area: you may request information regarding your data, and we will provide all necessary details. Similarly, in the event of a supervisory audit, we have prepared documentation and processes that confirm our accountability. We recognize client trust depends directly on our accountability, making this principle a cornerstone of our company’s operations.

Conclusion

Our fundamental commitment to protecting your privacy and maintaining your trust means GDPR compliance is more than a formality – it is integral to our daily operations. Adhering to all the principles mentioned above – lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, as well as accountability – ensures your personal data is processed in the most correct and secure manner possible. We go beyond legal requirements because we value your trust.

In keeping with the spirit of GDPR, we continue to enhance our data protection practices and respond swiftly to changes in regulatory requirements. You can be confident your personal information is in safe hands, and we continuously work to ensure this remains true.

Updates and Legal Information

We reserve the right to periodically update or modify this document to reflect changes in our data processing practices, legislation, or regulatory requirements. All updates will be published on this page, and the date of the last update (indicated below) will be adjusted accordingly. We recommend periodically reviewing this section to stay informed about the current version of our GDPR compliance principles.

Please note this document supplements our Privacy Policy and other related documents but does not replace them. In the event of any discrepancies, the Privacy Policy shall prevail. This document is for informational purposes and aims to clarify our approach to GDPR compliance.

Contact Information

If you have any questions, comments, or requests concerning personal data protection or how we process your information, please contact us. We are always ready to assist you and appreciate your feedback.

  • Company: Eesti Firma OÜ
  • Data Protection Officer (DPO): Ilja Nikiforov
  • Email: info@eestifirma.ee
  • Phone: +372 641 7777
  • Address: Vesivärava 50, Tallinn, Estonia, 10152

We strive to respond promptly and comprehensively to all inquiries. If you request information about your data or the exercise of your rights, we will respond within the timeframe established by GDPR (typically within one month). Thank you for entrusting Eesti Firma OÜ with your data protection – we, in turn, do everything possible to justify that trust.
