EIF's Data Protection Policy

Estonian Internet Foundation Data Protection Policy

Estonian Internet Foundation Data Protection Policy


Eesti Interneti SA (english: Estonian Internet Foundation, hereinafter as “EIS”), pursuant to the objectives set out in these Rules on the Use of Personal Data, clarifies users’ rights. The overall purpose of this document is to explain what EIS is doing to protect and respect privacy and how personal data are collected, used and protected by EIS. This document also aims to clarify the rights of data subjects with respect to their personal data.

When processing data, EIS will comply with national and EU legislation on data protection and security, and will use personal data only for the purpose for which they were collected and to the extent necessary for this specific purpose.

Each accredited .ee registrar (“.ee Registrar” separately or “.ee Registrars” jointly) will refer to these Rules on Use of Personal Data and to the .ee Domain Regulation when entering into a service contract with a registrant of an .ee domain. We will inform users of significant changes or notifications on the EIS website, if needed by email or by other reasonable means.


In case of any wording misapprehensions between the English and Estonian version, wording in Estonian is superior and legally binding.

Personal data (“Personal Data” and also “the Data”) means any information submitted to EIS in relation to the registration or use of a .ee domain name (such as the information concerning the registrant of the domain and their administrative or technical contacts) and operations related thereto (such as exchanging domain contact data) or provided otherwise, which can be used, directly or indirectly, to identify you as a private individual.

EIS may process your personal data as follows:

1.1.   personal data, such as your name, personal identification number, date of birth, identity document, bank account etc., in order to verify the identity and power of representation of the registrant of the domain and the identities and powers of representation of the administrative and technical contacts of the registrant;

1.2.   the names and contact information (phone number, email address) of registrants and their administrative and technical contacts, in order to provide information and enable the functioning of the domain register;

1.3.   the names and email addresses of natural person registrants and their administrative and technical contacts for publication on the internet by responding to WHOIS requests, only with the separate consent of the registrant;

1.4.   the names and email addresses of the administrative and technical contacts of natural person registrants for publication on the Internet by responding to WHOIS requests. See more here;

1.5.   domain-name servers of natural person registrants, in order to add a zone and make it publicly available;

1.6.   all Personal Data required to decide on or perform the registration of a domain name or any other operation falling within the competence of EIS;

1.7.   all Personal Data required in order to facilitate the resolution of disputes by the Domain Disputes Committee and in court;

1.8.   all Personal Data required in order to comply with applicable legislation or any other rule, instruction or practice affecting EIS as well as to defend our rights that have been either violated or disputed, in or out of court;

1.9.   if you contact EIS, by sending an email, for example, we will become a party to communication and will use and save the data provided in your email for its intended purposes (such as establishing facts, solving a problem, etc.). In such a case, the grounds for the collection of the Data is that you have provided the Data by contacting EIS;

1.10.   registrant’s log-in data provided for the purpose of identification, such as the IP address, personal identification code (users can log in only by using an ID card or Mobile ID), information about the operations performed, successful or failed operations and the time of making a request;

1.11.   For the above purposes, EIS may prepare lists of the Personal Data analysed (such as a list of domain registrants).

If you refuse to provide such Personal Data to EIS, you may not be able to use the services provided by EIS.

You have the right to receive information about your Personal Data processed by EIS and your .ee Registrar at any time from EIS and your .ee Registrar to whom you have applied for the registration of a domain name or the change of the registrant. EIS has a Data Protection Officer who can be contacted by writing to info@internet.ee or calling 727 1000.

We will store your Personal Data for the period necessary for the purposes for which the personal data are processed (see Paragraph 1 and 2) or as required by the EIS’s statutory obligations.

The table below presents a summary of the principles of the storage of Personal Data by EIS, together with examples.

Storage period

Examples

for one week

The Data provided by the interested person through the special contact form in order to contact the private domain registrant. EIS will store only the technical information of the sent email and not the content of it. The aim is to ensure access to the technical information provided in the event of possible problems, incidents, complaints or other legal claims.

for three years

Emails and notices sent by private individuals to EIS. Also, email communication concerning any disputes referred to and notices sent to the Domain Disputes Committee. The aim is to ensure that EIS has access to the messages in the event of possible problems, incidents, complaints or other legal claims, as well as for the purposes of monitoring, compiling statistics, etc.

for ten years

The Data collected in the course of and related to registering a domain (e.g. name, contact details, personal identification code, date of birth, etc.). The aim is to ensure that law enforcement authorities have access to the Data after the domain registration has expired in order to ensure cyber security. As Data related to domains are important for law enforcement authorities, they are stored after the expiry of domain registration until the expiry of the limitation period for a crime in the first degree.

EIS will take all necessary organisational, physical and IT measures to ensure the integrity, availability and confidentiality of the Data. These measures include the protection of employees, information, IT infrastructure, internal devices and technical equipment of EIS.

Information security activities are aimed at the implementation of the relevant information protection level, risk management and prevention of threats. EIS will ensure security in accordance with the terms and conditions applicable to the provision of EIS services and in compliance with legal requirements. The necessary measures are established by the internal security rules of EIS. 

EIS employees are subject to the requirements of data confidentiality and protection and are responsible for complying with these requirements. EIS processors (in particular your .ee Registrar) and their employees have an obligation to ensure compliance with the requirements of personal data protection.

7.1. The right to request access to personal data

You have the right to access Personal Data that have been collected by EIS or your .ee registrar concerning you and to receive information about the purposes of the processing and the time limits for the storage of Personal Data. To access your Personal Data, you should contact EIS or your .ee registrar. To grant access to your Data, they need to verify your identity and, where appropriate, your right of representation. EIS and the .ee Registrar have the right to respond to your request within 30 days.

7.2. The right to rectification of personal data

If you discover that your Personal Data are incorrect, or your Personal Data have changed, you can submit a relevant statement at any time. Since the registration services are provided and your Personal Data are collected through .ee Registrars, you first need to submit your request to your .ee Registrar (with whom you have registered your .ee domain). If you are unable to contact your .ee Registrar, or have any other problems, you can always contact EIS.

7.3. The right to be forgotten

In certain cases, you can request that your Personal Data are erased. This concerns, for example, the processing of your Data with your consent. Complete erasure of your Personal Data may not always be possible, because EIS may use the Data for other legal purposes in relation to which the erasure of the Data is not permitted, to ensure the performance of contractual or statutory obligations.

7.4. The right to object

You have the right to object at any time to the processing of your Personal Data. Upon receipt of your objection, EIS will consider your legal rights and, if possible, will stop the processing of your Data. If your objection concerns Data the processing of which is required by EIS, EIS may refuse to act on your request. This may be the case where EIS must protect, prepare, or submit a legal claim.

7.5. The right to restriction of processing

In certain cases, you have the right to restrict the processing of your Personal Data by explicitly notifying EIS. You can restrict the processing of your Personal Data in particular: to verify the accuracy of the Personal Data or the grounds for processing if you have contested the accuracy of your Personal Data; if you need your Personal Data to prepare, submit or defend a legal claim. If you wish to restrict the processing of your Personal Data, you must clearly state the purpose of and reasons for such a restriction.

7.6. The right to data portability

You have the right to receive your Personal Data from EIS in a machine-readable format. The right to data portability applies in particular to the Data used by EIS and the .ee registrar for the purpose of performing a contract. You also need to understand that EIS cannot ensure that the other service provider to whom you wish to transfer your Data is able to receive your Personal Data, neither will EIS be liable therefor.

7.7. The right to lodge a complaint

If you have any complaints concerning the processing of your Personal Data by your .ee registrar, you have the right to lodge a complaint with EIS at any time, since EIS supervises operations and services carried out by .ee Registrars. If you have any complaints concerning the activities of EIS, please write about your concerns to us. Also you have the right to apply to the Estonian Data Protection Inspectorate or to the courts. 

In case of any wording misapprehensions between the English and Estonian version, wording in Estonian is superior and legally binding.