Estonian Internet Foundation Data Protection Policy

Eesti Interneti SA (English: Estonian Internet Foundation, hereinafter “EIS”), pursuant to the objectives set out in these Rules on the Use of Personal Data, clarifies users’ rights. The overall purpose of this document is to explain what EIS is doing to protect and respect privacy and how personal data are collected, used and protected by EIS. This document also aims to clarify the rights of data subjects with respect to their personal data.

When processing data, EIS will comply with national and EU legislation on data protection and security, and will use personal data only for the purpose for which they were collected and to the extent necessary for this specific purpose.

Each accredited .ee registrar (“.ee Registrar” separately or “.ee Registrars” jointly) will refer to these Rules on Use of Personal Data and to the .ee Domain Regulation when entering into a service contract with a registrant of an .ee domain. We will inform users of significant changes or notifications on the EIS website, if needed by email or by other reasonable means.


1.   What are personal data? Which personal data are processed by EIS and for which purposes?

Personal data (“Personal Data” and also “the Data”) means any information submitted to EIS in relation to the registration or use of a .ee domain name (such as the information concerning the registrant of the domain and their administrative or technical contacts) and operations related thereto (such as exchanging domain contact data) or provided otherwise, which can be used, directly or indirectly, to identify you as a private individual.

EIS may process your personal data as follows:

1.1.   personal data, such as your name, personal identification number, date of birth, identity document, bank account etc., in order to verify the identity and power of representation of the registrant of the domain and the identities and powers of representation of the administrative and technical contacts of the registrant;

1.2.   the names and contact information (phone number, email address) of registrants and their administrative and technical contacts, in order to provide information and enable the functioning of the domain register;

1.3.   the names and email addresses of natural person registrants and their administrative and technical contacts for publication on the internet by responding to WHOIS requests, only with the separate consent of the registrant;

1.4.   the names and email addresses of the administrative and technical contacts of natural person registrants for publication on the Internet by responding to WHOIS requests. See more here;

1.5.   domain-name servers of natural person registrants, in order to add a zone and make it publicly available;

1.6.   all Personal Data required to decide on or perform the registration of a domain name or any other operation falling within the competence of EIS;

1.7.   all Personal Data required in order to facilitate the resolution of disputes by the Domain Disputes Committee and in court;

1.8.   all Personal Data required in order to comply with applicable legislation or any other rule, instruction or practice affecting EIS as well as to defend our rights that have been either violated or disputed, in or out of court;

1.9.   if you contact EIS, by sending an email, for example, we will become a party to communication and will use and save the data provided in your email for its intended purposes (such as establishing facts, solving a problem, etc.). In such a case, the grounds for the collection of the Data is that you have provided the Data by contacting EIS;

1.10.   registrant’s log-in data provided for the purpose of identification, such as the IP address, personal identification code (users can log in only by using an ID card or Mobile ID), information about the operations performed, successful or failed operations and the time of making a request;

1.11.   For the above purposes, EIS may prepare lists of the Personal Data analysed (such as a list of domain registrants).

If you refuse to provide such Personal Data to EIS, you may not be able to use the services provided by EIS.

2.   Who processes the personal domain-related data of individuals?

EIS (registry code: 90010019), address Paldiski mnt 80, Tallinn 10617, acts as the controller, and processes your Personal Data as described in these Rules on Use of Personal Data. Where appropriate, EIS may give, in accordance with the GDPR and/or other legislation, the right to process Personal Data to its partner processors or third persons, who may use the Data only for the performance of the operations specified by EIS and under a contract concluded for this purpose.

Our main cooperation partners processing the Personal Data of individuals related to .ee domains on behalf of EIS are the .ee Registrars. EIS does not directly provide registration services related to .ee domains; the services are provided through .ee Registrars, which can be contacted in order to register an .ee domain or, for example, to change a registrar. EIS has given .ee Registrars the right and has imposed on them the obligation to provide registration services to .ee domain registrants and to charge a fee for the service in accordance with the contracts signed with the registrants.

A further important point to note is that the Personal Data provided by you in relation to your .ee domain can be accessed only by the relevant .ee registrar and by EIS. If your .ee registrar shares your Personal Data collected in accordance with these Rules on Use of Personal Data with any third persons that do not have a contractual relationship in place with EIS, the .ee registrar must notify you thereof. In such a case, the .ee registrar is the controller of your Personal Data and has the obligation to clarify your rights as well as the reasons for using your Personal Data in such a manner.

Information on those .ee registrars that possess the rights of a processor is available at: https://www.internet.ee/registripidajad/akrediteeritud-registripidajad.

EIS may also disclose the Data of private domain registrants and their representatives to the Estonian Information System Authority (RIA) and the Estonian police for cyber security purposes under the legal interest and relevant agreements. EIS may also disclose Personal Data if a court has issued a relevant judgment or order or if the relevant competent authority (the Consumer Protection Board) has a justified legitimate interest in such data.

3.   On what basis are your personal data collected by EIS?

Any processing of Personal Data must be duly substantiated. EIS processes Personal Data on the following four legal bases: performance of contract, performance of legal obligation, your consent and legitimate interest. We have classified all purposes for which Personal Data are processed in these four categories. Accordingly, different time limits for the storage of Personal Data apply to these legal bases. You also have different opportunities and rights to submit requests concerning your Personal Data.

3.1 On the basis of a contract

In order to apply for the registration of a .ee domain, you should submit an application to the .ee Registrar of your choice, which will prepare a contract for services to be concluded with you. The .ee Domain Regulation is a standard contractual clause and forms an integral part of the contract for services (see more: https://www.internet.ee/domeenid/ee-domeenireeglid).

For the purpose of the performance of the contract, the .ee Registrar and EIS will process Personal Data primarily in order to identify the registrant and their administrative and technical contacts and to verify their right of representation. In order to verify the right of representation, the .ee Registrar may require that the relevant authorisation is provided, or verify the registrant’s identity by requesting additional documentation. This also applies to a new .ee Registrar if you file an application for changing your registrar.

We also collect and process Personal Data for the purpose of exchanging information (for example, if your domain reaches its expiry date or there is a problem that needs to be addressed). This is also the case if an interested person wishes to contact you. See more here. Registrars may also collect your Personal Data for billing purposes.

3.2 Performance of statutory obligations

The performance of statutory obligations may be relevant to the processing of Personal Data where EIS as a service provider is required by a public authority to process Personal Data in accordance with law.

If the processing of Personal Data is necessary for the performance of a statutory obligation, EIS is unable to decide on the collection and storage of such Personal Data. Such data may be subject to processing where EIS receives a relevant enquiry from a public authority, is bound by an obligation under the Accounting Act, or processing is necessary to ensure the security of the network and information systems.

3.3 With the consent of the data subject

For instance, EIS processes data with the consent of the data subject, where the data concern a person who notifies the domain registrant through a special form provided by EIS (see here about the terms and conditions of using WHOIS).

3.4 Legitimate interest

Legitimate interest means, in particular, that EIS wishes to use the Data to provide and develop better services as well as for the purpose of communication where this is not strictly necessary for the purpose of the performance of a contract. Legitimate interest means a balance between the rights of EIS and those of the users, enabling us to provide our services in the manner in which the domain registrants and the public expect us to do.

For example, EIS has a legitimate interest in compiling various statistics on domains or preparing lists based on the Personal Data analysed (such as lists of domain registrants, etc.) which are necessary for the better functioning of the service and for decision-making. The processing of the Data on grounds relating to legitimate interest is not exhaustive, and EIS may for reasonable necessity and to a reasonable extent process the Data on grounds relating to the legitimate interest for other purposes as well.

EIS also publishes the Data (name and email address) of the representatives of domain registrants on the Internet through WHOIS on grounds relating to legitimate interest in order to contribute to ensuring a transparent DNS (Domain Name System) and Internet. For further information see here.

4. Where can you receive information about your personal data?

You have the right to receive information about your Personal Data processed by EIS and your .ee Registrar at any time from EIS and your .ee Registrar to whom you have applied for the registration of a domain name or the change of the registrant. EIS has a Data Protection Officer who can be contacted by writing to info@internet.ee or calling 727 1000.

5. How long will your personal data be stored?

We will store your Personal Data for the period necessary for the purposes for which the personal data are processed (see Paragraphs 1 and 2) or as required by EIS’s statutory obligations.

The table below presents a summary of the principles of the storage of Personal Data by EIS, together with examples.

 

| Storage period | Examples |
| --- | --- |
| for one week | The Data provided by the interested person through the special contact form in order to contact the private domain registrant. EIS will store only the technical information of the sent email and not the content of it. The aim is to ensure access to the technical information provided in the event of possible problems, incidents, complaints or other legal claims. |
| for three years | Emails and notices sent by private individuals to EIS. Also, email communication concerning any disputes referred to and notices sent to the Domain Disputes Committee. The aim is to ensure that EIS has access to the messages in the event of possible problems, incidents, complaints or other legal claims, as well as for the purposes of monitoring, compiling statistics, etc. |
| for ten years | The Data collected in the course of and related to registering a domain (e.g. name, contact details, personal identification code, date of birth, etc.). The aim is to ensure that law enforcement authorities have access to the Data after the domain registration has expired in order to ensure cyber security. As Data related to domains are important for law enforcement authorities, they are stored after the expiry of domain registration until the expiry of the limitation period for a crime in the first degree. |


 
6. How does EIS ensure the secure processing of your data?

EIS will take all necessary organisational, physical and IT measures to ensure the integrity, availability and confidentiality of the Data. These measures include the protection of employees, information, IT infrastructure, internal devices and technical equipment of EIS.

Information security activities are aimed at the implementation of the relevant information protection level, risk management and prevention of threats. EIS will ensure security in accordance with the terms and conditions applicable to the provision of EIS services and in compliance with legal requirements. The necessary measures are established by the internal security rules of EIS.

EIS employees are subject to the requirements of data confidentiality and protection and are responsible for complying with these requirements. EIS processors (in particular your .ee Registrar) and their employees have an obligation to ensure compliance with the requirements of personal data protection.

7. Which rights do you have in relation to your personal data?

7.1 The right to request access to personal data

You have the right to access Personal Data that have been collected by EIS or your .ee registrar concerning you and to receive information about the purposes of the processing and the time limits for the storage of Personal Data. To access your Personal Data, you should contact EIS or your .ee registrar. To grant access to your Data, they need to verify your identity and, where appropriate, your right of representation. EIS and the .ee Registrar have the right to respond to your request within 30 days.

7.2 The right to rectification of personal data

If you discover that your Personal Data are incorrect, or your Personal Data have changed, you can submit a relevant statement at any time. Since the registration services are provided and your Personal Data are collected through .ee Registrars, you first need to submit your request to your .ee Registrar (with whom you have registered your .ee domain). If you are unable to contact your .ee Registrar, or have any other problems, you can always contact EIS.

7.3 The right to be forgotten

In certain cases, you can request that your Personal Data be erased. This concerns, for example, the processing of your Data with your consent. Complete erasure of your Personal Data may not always be possible, because EIS may use the Data for other legal purposes in relation to which the erasure of the Data is not permitted, to ensure the performance of contractual or statutory obligations.

7.4 The right to object

You have the right to object at any time to the processing of your Personal Data. Upon receipt of your objection, EIS will consider your legal rights and, if possible, will stop the processing of your Data. If your objection concerns Data the processing of which is required by EIS, EIS may refuse to act on your request. This may be the case where EIS must protect, prepare, or submit a legal claim.

7.5 The right to restriction of processing

In certain cases, you have the right to restrict the processing of your Personal Data by explicitly notifying EIS. You can restrict the processing of your Personal Data in particular: to verify the accuracy of the Personal Data or the grounds for processing if you have contested the accuracy of your Personal Data; if you need your Personal Data to prepare, submit or defend a legal claim. If you wish to restrict the processing of your Personal Data, you must clearly state the purpose of and reasons for such a restriction.

7.6 The right to data portability

You have the right to receive your Personal Data from EIS in a machine-readable format. The right to data portability applies in particular to the Data used by EIS and the .ee registrar for the purpose of performing a contract. You also need to understand that EIS cannot ensure that the other service provider to whom you wish to transfer your Data is able to receive your Personal Data, nor will EIS be liable therefor.

7.7 The right to lodge a complaint

If you have any complaints concerning the processing of your Personal Data by your .ee registrar, you have the right to lodge a complaint with EIS at any time, since EIS supervises operations and services carried out by .ee Registrars. If you have any complaints concerning the activities of EIS, please write about your concerns to us. You also have the right to apply to the Estonian Data Protection Inspectorate or to the courts.

In the event of any discrepancy in wording between the English and Estonian versions, the Estonian wording prevails and is legally binding.