Data Protection Requirements

How do we protect your personal data?

The authorities of the city of Tallinn mainly process your personal data to fulfil their legal obligations. We prioritise the following of all personal data processing principles and have taken security measures to protect your personal data from involuntary or unauthorised processing, disclosure, and destruction.

More detailed information about the processing of personal data by city authorities is available in the following Data Protection Requirements of the City of Tallinn. If you have any questions, please contact the authority concerned through their general e-mail address or the city’s Data Protection Specialist by e-mail at andmekaitse@tallinnlv.ee.

Data Protection Requirements of the City of Tallinn

1. On what grounds is your personal data processed?

We process your personal data (such as your given name and surname, personal identification code, date of birth, address, and contact information) under the following circumstances:

  • for fulfilling public law functions (such as the designation of a place at school or childbirth allowance),
  • for fulfilling legal obligations (such as forwarding information to banks for the payment of salaries, storing invoices for accounting),
  • for the fulfilment of contracts concluded with you.

If we wish to process your personal data on grounds not listed above, we will ask for your permission and specify the personal data to be processed. Should you not grant your permission or withdraw it, we will not process your personal data.

Upon the processing of personal data, we mainly rely on the following legal acts:

2. Who processes your personal data?

The data controller is a city authority responsible for a specific public duty, legal obligation, or the fulfilment of a contract or an authority that has asked for your permission to process your personal data. Your personal data is accessible only to the civil servants who use your personal data for fulfilling their duties.

The data controller may forward your personal data to a data processor (such as an information system manager), who has concluded a relevant contract with the city authority. The data processor must observe the purposes and practices specified in the contract and the guidelines of the city authority.

3. What are our principles for disclosing personal data?

We will not disclose your personal data without legal grounds, for example:

  • the names in letters received from private persons by Tallinn city authorities will be replaced by initials in document registries and the content of the letters will not be displayed;
  • the content of legal acts designated for internal use of an authority will not be displayed in Tallinn’s legal act registry;
  • upon the issuing of a document containing personal data to third persons, the personal data in the document will be rendered illegible.

We will issue and disclose personal data only when required by legal acts, such as under the following circumstances:

  • personal data will be disclosed to a body conducting pre-trial procedure or to the court or on the basis of clause 152 (1) 3) of the Vital Statistics Registration Act or sections 71 or 72 of the Population Register Act;
  • personal data will be disclosed in Public Announcements if required so by specific law or legal acts provided on the basis thereof.

We will not disclose personal data as open data, i.e. as openly and publicly available machine-readable data. We will only do this if this does not harm you and you have been notified that the collected data is public during its collection.

4. For how long is your data stored?

We will store your data until:

  • the passing of the legally required retention period of a document or
  • for as long as it is necessary for fulfilling a legal obligation or
  • until the passing of the limitation period of a legal claim.

Data with no archival value will be processed until the passing of the retention period. Data with archival value will be transferred to the public archive for storing; the processing of transferred data will be ended.

5. How do we protect your personal data?

Our goal is to prevent unauthorised processing of personal data, to ensure access to personal data upon request, and to prevent unauthorised disclosure of personal data. To achieve this, we implement organisational, physical, as well as information technology-related security measures, i.e. a relevant level of data protection. The civil servants of city authorities are obligated to follow all legal data protection rules and to use security measures when processing personal data.

Upon the processing of personal data, a data processor, such as the keeper of an information system, must ensure at least the same level of security as a city authority would provide.

6. What kind of rights do you have?

  • You have the right to receive information about the details of your personal data being processed and the ways we are processing it. To receive this information, you need to verify your identity and submit a preferably digitally signed inquiry to the city authority you want the information from. Your inquiry will be responded to within a reasonable time period (within 30 days at the latest). Considering the complexity of responding to an inquiry and the capacity of the requested data, the authority can extend the term of their response by 60 days on the basis of subsection 12 (3) of the General Data Protection Regulation. The city authority will notify you of an extension of the term of their response and causes of the delay within 30 days as at the receipt of your inquiry. If a city authority refuses to respond to an inquiry, it will explain the grounds and reasons of their refusal.
  • If your personal data is processed on the basis of your consent, you have the right to withdraw your consent at any time. In order to withdraw your consent, please submit an application to the city authority you have given the permission for processing your personal data to. The city authority will stop processing your personal data as soon as it has been informed of the withdrawal of your consent.
  • You have the right to request the deletion of your personal data if your personal data is processed on the basis of your prior consent and you have withdrawn your consent or if the retention date of the data has expired and the data does not need to be archived.
  • You have the right to request the correction of your personal data if it has changed or is insufficient, incomplete, or incorrect for any other reason.
  • If a city authority plans to continue processing personal data on any other purposes than those they were collected for, then it will forward you information about the purposes of further processing of your personal data beforehand.
  • You have the right to turn to the Data Protection Inspectorate or the court for the protection of your rights.

7. Whom to contact?

The city authority who processes your personal data is responsible for the lawfulness of the processing of your personal data and will provide information about data protection conditions and the process of data processing. Each city authority has a contact person for data protection, whose task is to coordinate the resolution of data protection issues within their establishment. In case of any questions related to data protection in city authorities, please take contact through the general e-mail address of the authority.

The tasks of the Data Protection Specialist for city authorities is fulfilled by the Data Protection Specialist of the City Secretary’s Office of Tallinn City Office. The city’s Data Protection Specialist coordinates the fulfilment of data protection requirements in city authorities and, if necessary, prepares guidelines and document templates for city authorities to fulfil legal requirements in the field of data protection and to develop a common management practice for city authorities.

The city’s Data Protection Specialist is available by e-mail at andmekaitse@tallinnlv.ee.

Last updated: 15.06.2018