Skip to content

    privacy policy

    This Privacy Notice describes how the e-⁠Residency project team at Ettevõtluse ja Innovatsiooni SA (registry code 90006012; Sepise 7, 11415, Tallinn, Estonia; hereinafter we; formerly Ettevõtluse Arendamise Sihtasutus or EAS) processes Your personal data.

    This Privacy Notice applies to You if you are an e-⁠resident, who has given their consent to the Police and Boarder Guard Board (hereinafter PBGB) to transmit personal data from Your e-⁠residency application to Ettevõtluse ja Innovatsiooni SA. In addition, this Privacy Notice applies to You, if You have visited our website e-⁠resident.gov.ee, subscribed to our newsletter on our website e-⁠resident.gov.ee, contacted the e-⁠Residency support team through electronic means (e.g. through the support form at learn.e-⁠resident.gov.ee, by email e-⁠resident@gov.ee, through social media channel) or if you are a representative or contact person of our partner.

    As we may process Your personal data in the course of performing different activities, depending on your relationship with us. We have prepared this Privacy Notice in such a way that each person who interacts with us, can find under section 1 a specific description of the conditions applicable to the processing activity that is applicable to that person, while sections 2 – 8 describe principles that apply to all of our data processing activities regardless of which data subject category You belong to.

    The terms and definitions used in this Privacy Notice should be construed as in the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; General Data Protection Regulation; hereinafter the GDPR).

    1.1. I am an e-⁠Resident

    If You are an e-⁠resident, we process the personal data that You have provided on Your e-⁠residency application and that has been transmitted to us by PBGB. Such personal data includes:

    • name
    • gender, date of birth, Estonian personal identification code
    • contact data (email address, telephone number)
    • country and city of residence
    • citizenship
    • location of issuing e-⁠residency digi-ID, date of the decision to grant e-⁠residency, date of expiry of the e-⁠resident’s digi-ID
    • reasons for having submitted the application

    We process Your personal data (including in cooperation with the Business Registry and Tax and Customs Board of the Republic of Estonia) for the following purposes:

    • to send You e-⁠Residency communications, personalized offers and information to inform You about e-⁠Residency and Estonian e-services and about the latest updates and developments, also to assist You in starting and operating business in Estonia;
    • to send you personalized offers and value proposals that will help you start and manage Your Estonian based company;
    • to help establish contact with service providers according to the e-⁠resident’s interests;
    • to develop the e-⁠Residency program through e-⁠residents’ profiles and through the creation of timelines for the use of the service to fulfil the purposes of the program (including asking for feedback).
    • to understand better which the focus groups and countries of e-⁠Residency are.
    • to measure and analyze the effectiveness of e-⁠residents’ lifecycle, motivation and needs to further develop and improve the application process, services and value offerings for e-⁠residents;
    • to improve e-⁠Residency as a service and to improve our communication;
    • to analyze the need for different pick-up location, also to offer alternatives for e-⁠residents to pick up their documents.

    The legal basis for such processing is Your consent that You have given when You have applied for e-⁠resident digi-ID (GDPR art 6(1)(a)). You have the right to withdraw Your consent at any time by contacting us on the contact details below. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

    We may also process Your personal data to fulfil our legal obligations (GDPR art 6 (1) (c)) and to protect our legal rights (e.g. to file claims, to protect ourselves from claims), in which case the legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

    1.2. I am a Subscriber to e-⁠Residency Newsletter

    If You are a newsletter subscriber, we process the personal data that we have received from yourself when You subscribe to our newsletter. If you are an e-⁠resident we process your name, email address and citizenship. If you have subscribed to our newsletter directly from our website, we process your email address and country of residence.

    If You are a newsletter subscriber, we process Your personal data to send You our newsletter and special offers (GDPR art 6(1)(a)). The legal basis for such processing is Your consent that You have given when subscribing to our newsletter. You have the right to withdraw your consent at any time by contacting us on e-⁠resident@gov.ee or by clicking the “unsubscribe” link provided in all of our Newsletter e-mails. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

    We may also process Your personal data to fulfil our legal obligations (GDPR art 6 (1) (c)) and to protect our legal rights (e.g. to file claims, to protect ourselves from claims), in which case the legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

    1.3. I am a Visitor to the e.resident.gov.ee Website

    If You are a visitor to the e.resident.gov.ee website, we may collect some personal data automatically via cookies on our website. Click here for more information about which cookies we use and how we use the data gathered via cookies.

    1.4. I am a user of the Company Profiles web application

    To create or edit your company profile on the e-Residency Company Profiles web application at company.e-resident.gov.ee you must log in with your e-Residency digi-ID card. When you log in, we use only the minimum amount of data from your digi-ID card in order to verify that you are an e-Resident and to retrieve public information from the Estonian E-Business Registry (https://www.rik.ee/en/e-business-register) about companies in which you are a shareholder. The personal data we use includes:

    • Your ID code
    • Your e-⁠Residency status

    E-⁠Residency status is required in order to log in. We also use the abovementioned personal data to verify the existence and public legal information of your companies so that we can provide you with Company Profiles services. Based on your ID code a single request for information is made to the Estonian E-Business Registry webpage. The following information is retrieved:

    • A list of companies in which you are a shareholder
    • The names of the companies in which you are a shareholder
    • The Registration codes of companies in which you are a shareholder
    • The year of formation of companies in which you are a shareholder

    By giving us permission to retrieve said information using your ID code, your user profile can be created. If you do not create a profile for any of your companies or you delete the profiles of all your companies within 90 days of creating your user profile, it will be automatically deleted from the Company Profiles web application. The deletion of your profile includes revoking all permissions you have given us. Should you want to delete your user profile and revoke such permissions sooner than 90 days, please contact e-Residency support at e-⁠resident@gov.ee with your request. Your profile will be deleted, and all permissions revoked within 48h from receipt of your request.

    Once a company profile exists for your company a single request to check and update your company’s information is made every 7 days and every time you log in using your e-Residency digi-ID card. The following information is retrieved about your company from the Estonian E-Business Registry (https://www.rik.ee/en/e-business-register) using your ID code:

    • A list of companies in which you are a shareholder
    • The names of the companies in which you are a shareholder
    • The Registration codes of companies in which you are a shareholder
    • The year of formation of companies in which you are a shareholder

    e-⁠Residency retains the right to remove any and all offensive, false, or illegal information from any company’s profile. E-⁠Residency reserves the right to make changes to the Company list web application.

    1.5. I am attending e-⁠Residency Webinars

    If you are registering for our webinars, we process the personal data that you have provided to us upon registration for the webinar. Such personal data includes:

    • Name
    • email address
    • country/region

     Additionally, we ask if you are already an e-⁠resident and own an Estonian company.

    We process your personal data to offer and therafter improve webinars and develop more customized offerings. For statistical purposes, we analyze the personal data in anonymized form. The legal basis for such processing is our legitimate business interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).The legal basis for such processing is our legitimate business interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

    We believe that as You have initiated contact with us, our interests override Your interests and fundamental rights and freedoms which require protection of personal data. You have the right to object to such processing in which case we will stop processing Your personal data unless we can demonstrate compelling legitimate grounds for the processing which override Your interests, rights and freedoms or unless we are processing Your personal data to protect our legal rights.

    Your personal data will be deleted in 12 months after registering for a webinar. Should you want us to remove some or all personal data we have obtained through the registration, please contact e-⁠Residency support at e-⁠resident@gov.ee with your request. Your personal data will be deleted within 30 days from receipt of your request.

    1.6. I am a user of the Events Calendar website

    If you are registering to an event in the Events Calendar organized by e-⁠Residency, we process the personal data that you have provided to us upon registration. Such personal data includes:

    • Name
    • E-mail address
    • Country/region

    Additionally, we may ask if you are already an e-⁠resident and own an Estonian company.

    We process your personal data to analyze the audience of organized events and for the purposes to better customize our events and marketing based on the audience. For statistical purposes, we analyze the personal data you have provides us in anonymized form. The legal basis for such processing is our legitimate business interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

    We believe that as You have initiated contact with us, our interests override Your interests and fundamental rights and freedoms which require protection of personal data. You have the right to object to such processing in which case we will stop processing Your personal data unless we can demonstrate compelling legitimate grounds for the processing which override Your interests, rights and freedoms or unless we are processing Your personal data to protect our legal rights.

    We may also process Your personal data to fulfil our legal obligations (GDPR art 6 (1) (c)) and to protect our legal rights (e.g. to file claims, to protect ourselves from claims), in which case the legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

    Your personal data will be deleted after the end of the event.

    Should you want us to remove some or all personal data we have obtained through the registration, please contact e-⁠Residency support at e-⁠resident@gov.ee with your request. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

    Please note that if the organizer of the event is not e-⁠Residency, then in such cases e-⁠Residency will not process your personal data and is not responsible for the use and purposes of how your personal data is processed by a third party organizing the event.

    1.7. I am Contacting the e-⁠Residency Support Team

    If You are contacting the e-⁠Residency support through electronic means (e.g. through the support form at learn.e-⁠resident.gov.ee, by email e-⁠resident@gov.ee, through social media channel), we process the personal data that you have provided us. Such personal data includes:

    • name
    • contact details (e.g. email address, information about social media account)
    • data that you provide us in the course of our communication
    • automatic data such as server and HTTP logs, data transmitted by Actions on Google API and usage information

    We kindly ask You to not provide us any special categories of personal data in your inquiry (e.g. data about race, ethnic origin, political opinions, religious beliefs, health, sexual orientation).

    If You are contacting us, we process your personal data to reply to your inquiry. We may forward your inquiry with the respective authority, if they possess the information that is necessary to reply to your inquiry (e.g. PBGB, respective embassy, Estonian Ministry of Foreign Affairs, other public authorities). The legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

    In addition, we process your personal data to analyse and improve our customer service. For that purpose we may share your information (email, content of your inquiry) with third party service providers who process your personal data on behalf of us in order to help us make our customer service faster and more effective. For statistical purposes, we analyze the personal data in anonymized form. The legal basis for such processing is our legitimate business interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

    We believe that as You have initiated contact with us, our interests override Your interests and fundamental rights and freedoms which require protection of personal data. You have the right to object to such processing in which case we will stop processing Your personal data unless we can demonstrate compelling legitimate grounds for the processing which override Your interests, rights and freedoms or unless we are processing Your personal data to protect our legal rights.

    We may also process Your personal data to fulfil our legal obligations (GDPR art 6 (1) (c)) and to protect our legal rights (e.g. to file claims, to protect ourselves from claims), in which case the legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

    Should you want us to remove some or all personal data we have obtained through your inquiry, please contact e-⁠Residency support at e-⁠resident@gov.ee with your request. Your profile will be deleted within 30 days from receipt of your request.

    1.8. I am requesting for a telephone consultation

    If you have requested for a telephone consultation from e-⁠Residency, we process the personal data that you have provided to us upon registration and during the consultation. Such personal data includes:

    • Name
    • E-mail address
    • Phone number
    • Country/region
    • Data that you provide us in the course of our communication (we kindly ask You to not provide us any special categories of personal data in your inquiry (e.g. data about race, ethnic origin, political opinions, religious beliefs, health, sexual orientation)).

    Additionally, we may ask upon registration if you are already an e-⁠resident and own an Estonian company. You may be asked to name the industry of where your company is active and describe what are the main topics you are requesting a consultation for.

    The consultation may be provided by e-⁠Residency or by a third party service provider who will then process your personal data on behalf of us in order to offer you more specified consultation. Your personal data will be deleted after you have received the consultation you requested.

    We process your personal data to offer you personalized consultation. In addition, we process your personal data to analyze and improve our customer service. For statistical purposes, we analyze the personal data in anonymized form. The legal basis for such processing is our legitimate business interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

    We believe that as You have initiated contact with us, our interests override Your interests and fundamental rights and freedoms which require protection of personal data. You have the right to object to such processing in which case we will stop processing Your personal data unless we can demonstrate compelling legitimate grounds for the processing which override Your interests, rights and freedoms or unless we are processing Your personal data to protect our legal rights.

    We may also process Your personal data to fulfil our legal obligations (GDPR art 6 (1) (c)) and to protect our legal rights (e.g. to file claims, to protect ourselves from claims), in which case the legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

    Should you want us to remove some or all personal data we have obtained through the registration, please contact e-⁠Residency support at e-⁠resident@gov.ee with your request. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

    1.9. I am a Representative or a Contact Person of Our Partner

    If You are a representative or a contact person of our partner, we process the personal data that we have received from yourself or from the partner. Such personal data includes:

    • name
    • position
    • contact data (email address, telephone number)

    If You are a representative or a contact person of our partner, we process Your personal data to contact our partner in order to perform the contracts concluded between us or to cooperate in other ways. The legal basis for such processing is our legitimate interest to administer the relationship with our partner (GDPR art 6(1)(f)). We believe that as You are the representative or contact person of our partner, our business interests override Your interests and fundamental rights and freedoms which require protection of personal data. You have the right to object to such processing in which case we will stop processing Your personal data unless we can demonstrate compelling legitimate grounds for the processing which override Your interests, rights and freedoms or unless we are processing Your personal data to protect our legal rights.

    We may also process Your personal data to fulfil our legal obligations (GDPR art 6 (1) (c)) and to protect our legal rights (e.g. to file claims, to protect ourselves from claims), in which case the legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

    1.10 I am a user of the e-⁠Residency Marketplace rating application

    To add a rating and/or a review to a service provider listed on the e-⁠Residency Marketplace at marketplace.e-⁠resident.gov.ee, you must log in to the service provider company profile page on the Marketplace. You can use your e-⁠resident digital-ID card or Smart ID to log in. You can leave either only a rating or a rating with a review.

    After you have submitted your rating with a review, the following data will be published on the Marketplace service provider profile:

    • Your full name
    • Date of review
    • Your rating
    • Your review

    If you submit only a rating, your personal data will not be published on the service provider public profile. When submitting only a rating, the score of your rating will be calculated to the average score of the service provider.

    Service providers have access to their company profile page on the Marketplace. After logging in to their company profile page, a service provider can see the same information as displayed in the public view. In addition, a service provider can also see the name of the user who has submitted only a rating. Service providers have the possibility to write a reply to the reviews left on their company profile, edit or delete their own previous replies to the reviews left on their company profile.

    Data processing by the e-⁠Residency program team:

    If you are adding a rating and/or a review to a service provider page listed on the e-⁠Residency Marketplace, we process the personal data that you have provided in order to do so. Such personal data includes:

    • Your ID code
    • Your full name
    • Date of review
    • Your review
    • Date of rating

    The e-⁠Residency program team keeps a log of all the users who have left either only a rating or a rating with a review. The log is available only to members of the e-⁠Residency program team who have justified need for processing Your personal data. The data is not shared with any outside parties of the e-⁠Residency program team.

    The purpose of keeping a log and storing your personal data is for security reasons – to avoid user-manipulation of the average rating score statistics and obvious repeating malicious reviews given by one user. If any abnormal usage of the rating system or review system by one user is detected, the ratings will be deleted by the e-⁠Residency program team. In the event of repeated malicious behaviour, e-⁠Residency program team reserves the right to restrict such user’s access to the e-⁠Residency Marketplace.

    e-⁠Residency program team retains the right to remove any and all offensive, false, or illegal information from any review. E-⁠Residency program team reserves the right to make changes to the e-⁠Residency Marketplace rating web application.

    If you are a user of the e-⁠Residency Marketplace rating application, the legal basis for your data processing is Your consent that You have given when adding a rating and/or a review. You have the right to withdraw your consent at any time by contacting us on e-⁠resident@gov.ee. Your personal data will be deleted within 30 days from receipt of your request. The withdrawal of a consent does not affect the lawfulness of the processing based on consent before its withdrawal.

    We may also process Your personal data to fulfil our legal obligations (GDPR art 6 (1) (c)) and to protect our legal rights (e.g. to file claims, to protect ourselves from claims), in which case the legal basis for such processing is our legitimate interest that overrides Your interests and fundamental rights and freedoms which require protection of personal data (GDPR art 6(1)(f)).

    We retain Your personal data until You withdraw Your consent.

    2. Access to Personal Data and Transmission of Personal Data

    Only members of the e-⁠Residency program team who have justified need for processing Your personal data have access to Your personal data. We share Your personal data with third parties only if we have justified need, to the justified extent and only if we have a legal basis for such transmission.

    We use service providers that may have access to Your personal data. These service providers shall be considered as data processors. For example such data processors include cloud service providers, email service providers, data analytics service providers etc. We use only data processors who provide sufficient guarantees that they apply appropriate technical and organizational measures in order to ensure the protection of Your personal data. We have concluded appropriate data processing agreements with the service providers and shall remain responsible for their actions in respect of the processing of Your personal data.

    We may also transmit Your personal data to the following third parties who act as independent controllers with regard to Your personal data:

    • to third parties who possess information that is necessary to reply to data subject’s inquiry (e.g. PBGB, embassies, Estonian Ministry of Foreign Affairs, other public authorities), in which case the legal basis for the transmission of personal data is our legitimate interest to extent which in our assessment overrides your interests and fundamental rights and freedoms which require protection of personal data
    • to third parties who protect our legal rights (e.g. our legal consultants), in which case the legal basis for the transmission of personal data is our legitimate interest to the extent which in our assessment overrides your interests and fundamental rights and freedoms which require protection of personal data
    • to third parties who audit us, in which case the legal basis for the transmission of personal data is our legitimate interest to the extent which in our assessment overrides your interests and fundamental rights and freedoms which require protection of personal data
    • to third parties to whom we are obligated to transmit personal data in accordance with law or other legal acts (e.g. supervisory authorities), in which case the legal basis for transmission is the fulfilment of our obligations arising from law

    Should You require more detailed information as regards the data processors or independent third parties who might process Your personal data, please contact us on the contact details below.

    3. Transmission of Personal Data Outside the European Economic Area

    Our data processors (e.g. cloud service providers) may process Your personal data outside the European Economic Area (EEA). Usually we do not transmit Your personal data outside the EEA, but if we find it necessary, we transmit data only if we have a legal basis to do so, including to data recipients: (i) who are located in a country where sufficient level of personal data protection is ensured in the assessment of the European Commission (including organisations certified under the Privacy Shield) or (ii) on the basis of an agreement which meets the EU requirements for the transmission of personal data to personal data processors located outside the EEA.

    Should you require more detailed information as regards transferring your personal data outside the EEA (e.g. the names of the recipients and the exact legal basis for any such transfer), please contact us on the contact details below.

    4. Retention of Personal Data

    We retain Your personal data until it is necessary depending on the purposes for which we collected the data.

    We retain personal data of e-⁠residents until You withdraw Your consent. If You do not withdraw Your consent, we retain the personal data of e-⁠residents as long as we are cooperating with the Police and Boarder Guard Board to carry out the purposes of the e-⁠Residency program.

    We retain personal data of newsletter subscribers until You withdraw Your consent.

    We retain personal data of people who have contacted our support team indefinitely.

    We retain personal data of representatives and contact persons of our partners as long as we have a relationship with the partner and in case of any legal disputes up to 10 years after the end of the relationship to protect our rights.

    5. Security

    We implement sufficient technical and organizational security measures to protect Your personal data, taking into account: (i) the level of technology, (ii) the costs of implementation, (iii) the nature, scope, context and purposes, and (iv) the possible risks to You that may arise from data processing.

    6. Your Rights

    With regard to Your personal data, You have all the rights prescribed by legal acts, including the GDPR, on the terms and conditions and to the extent established therein:

    • the right to request access to Your personal data (including to receive a copy of Your personal data)
    • the right to request the rectification of personal data
    • the right to request the deletion of personal data
    • the right to request the restriction of the processing of personal data
    • the right to the portability of personal data
    • the right to withdraw your consent, if we process your personal data on the basis of Your consent
    • the right to submit objections if personal data is being processed on the basis of our legitimate interest.

    If You wish to exercise the rights specified above or should You have any questions about the processing of Your personal data, please contact us on the contact details provided below. We will answer to Your request as soon as possible, but at least within 1 month of receipt of Your request and inform You about the measures we have taken. For reasons of complexity or large scope of Your request, it may take us longer to process Your request (up to 3 months), in which case we will inform You of such circumstances.

    If You believe that Your rights have been violated or Your personal data have not been processed in accordance with this Privacy Notice, we kindly recommend You to contact us on the contact details provided below. In case of a violation, You also have the right to turn to a competent data protection supervisory authority (in Estonia the Estonian Data Protection Inspectorate) or the court.

    7. Amendment of the Privacy Notice

    If our personal data processing practices shall change or we need to change the Privacy Notice due to changes in the applicable data protection related legal acts, other legal acts, case-law or guidelines or practices of competent authorities, we have the right to unilaterally amend the Privacy Notice. If the amendments affect You significantly, we shall notify You before the amendments enter into force by email.

    8. Applicable Law

    Ettevõtluse ja Innovatsiooni SA is a legal entity registered in the Republic of Estonia and the processing of Your personal data is therefore subject to the laws of the Republic of Estonia.

    Contact Details

    If You have any questions concerning the processing of Your personal data or if You wish to exercise Your rights with regard to Your personal data, please contact our data protection officer using the following contact details:

    • Data Protection Officer: andmekaitse@eas.ee
    • or contact the e-⁠Residency Team of Ettevõtluse ja Innovatsiooni SA by our general contact details: e-⁠resident@gov.ee