EIF's Data Protection Policy

Estonian Internet Foundation Data Protection Policy

Estonian Internet Foundation Data Protection Policy


Eesti Interneti SA (english: Estonian Internet Foundation, hereinafter as “EIF”), pursuant to the objectives set out in these Rules on the Use of Personal Data, clarifies users’ rights. The overall purpose of this document is to explain what EIF is doing to protect and respect privacy and how personal data are collected, used and protected by EIF. This document also aims to clarify the rights of data subjects with respect to their personal data.

When processing data, EIF will comply with national and EU legislation on data protection and security, and will use personal data only for the purpose for which they were collected and to the extent necessary for this specific purpose.

Each accredited .ee registrar (“.ee Registrar” separately or “.ee Registrars” jointly) will refer to these Rules on Use of Personal Data and to the .ee Domain Regulation when entering into a service contract with a registrant of an .ee domain. We will inform users of significant changes or notifications on the EIF website, if needed by email or by other reasonable means.


In case of any wording misapprehensions between the English and Estonian version, wording in Estonian is superior and legally binding.

Personal data (“Personal Data” and also “the Data”) means any information submitted to EIF in relation to the registration or use of a .ee domain name (such as the information concerning the registrant of the domain and their administrative or technical contacts) and operations related thereto (such as exchanging domain contact data) or provided otherwise, which can be used, directly or indirectly, to identify you as a private individual.

EIF may process your personal data as follows:

1.1.   personal data, such as your name, personal identification number, date of birth, identity document, bank account etc., in order to verify the identity and power of representation of the registrant of the domain and the identities and powers of representation of the administrative and technical contacts of the registrant;

1.2.   the names and contact information (phone number, email address) of registrants and their administrative and technical contacts, in order to provide information and enable the functioning of the domain register;

1.3.   the names and email addresses of natural person registrants and their administrative and technical contacts for publication on the internet by responding to WHOIS requests, only with the separate consent of the registrant;

1.4.   the names and email addresses of the administrative and technical contacts of natural person registrants for publication on the Internet by responding to WHOIS requests. See more here;

1.5.   domain-name servers of natural person registrants, in order to add a zone and make it publicly available;

1.6.   all Personal Data required to decide on or perform the registration of a domain name or any other operation falling within the competence of EIF;

1.7.   all Personal Data required in order to facilitate the resolution of disputes by the Domain Disputes Committee and in court;

1.8.   all Personal Data required in order to comply with applicable legislation or any other rule, instruction or practice affecting EIS as well as to defend our rights that have been either violated or disputed, in or out of court;

1.9.   if you contact EIF, by sending an email, for example, we will become a party to communication and will use and save the data provided in your email for its intended purposes (such as establishing facts, solving a problem, etc.). In such a case, the grounds for the collection of the Data is that you have provided the Data by contacting EIF;

1.10.   registrant’s log-in data provided for the purpose of identification, such as the IP address, personal identification code (users can log in only by using an ID card or Mobile ID), information about the operations performed, successful or failed operations and the time of making a request;

1.11.   For the above purposes, EIF may prepare lists of the Personal Data analysed (such as a list of domain registrants).

If you refuse to provide such Personal Data to EIF, you may not be able to use the services provided by EIF.

You have the right to receive information about your Personal Data processed by EIF and your .ee Registrar at any time from EIF and your .ee Registrar to whom you have applied for the registration of a domain name or the change of the registrant. EIF has a Data Protection Officer who can be contacted by writing to info@internet.ee or calling 727 1000.

We will store your Personal Data for the period necessary for the purposes for which the personal data are processed (see Paragraph 1 and 2) or as required by the EIF’s statutory obligations.

The table below presents a summary of the principles of the storage of Personal Data by EIF, together with examples.

Storage period

Examples

for one week

The Data provided by the interested person through the special contact form in order to contact the private domain registrant. EIF will store only the technical information of the sent email and not the content of it. The aim is to ensure access to the technical information provided in the event of possible problems, incidents, complaints or other legal claims.

for three years

Emails and notices sent by private individuals to EIF. Also, email communication concerning any disputes referred to and notices sent to the Domain Disputes Committee. The aim is to ensure that EIF has access to the messages in the event of possible problems, incidents, complaints or other legal claims, as well as for the purposes of monitoring, compiling statistics, etc.

for ten years

The Data collected in the course of and related to registering a domain (e.g. name, contact details, personal identification code, date of birth, etc.). The aim is to ensure that law enforcement authorities have access to the Data after the domain registration has expired in order to ensure cyber security. As Data related to domains are important for law enforcement authorities, they are stored after the expiry of domain registration until the expiry of the limitation period for a crime in the first degree.

EIF will take all necessary organisational, physical and IT measures to ensure the integrity, availability and confidentiality of the Data. These measures include the protection of employees, information, IT infrastructure, internal devices and technical equipment of EIF.

Information security activities are aimed at the implementation of the relevant information protection level, risk management and prevention of threats. EIF will ensure security in accordance with the terms and conditions applicable to the provision of EIF services and in compliance with legal requirements. The necessary measures are established by the internal security rules of EIF. 

EIF employees are subject to the requirements of data confidentiality and protection and are responsible for complying with these requirements. EIF processors (in particular your .ee Registrar) and their employees have an obligation to ensure compliance with the requirements of personal data protection.

7.1. The right to request access to personal data

You have the right to access Personal Data that have been collected by EIF or your .ee registrar concerning you and to receive information about the purposes of the processing and the time limits for the storage of Personal Data. To access your Personal Data, you should contact EIF or your .ee registrar. To grant access to your Data, they need to verify your identity and, where appropriate, your right of representation. EIF and the .ee Registrar have the right to respond to your request within 30 days.

7.2. The right to rectification of personal data

If you discover that your Personal Data are incorrect, or your Personal Data have changed, you can submit a relevant statement at any time. Since the registration services are provided and your Personal Data are collected through .ee Registrars, you first need to submit your request to your .ee Registrar (with whom you have registered your .ee domain). If you are unable to contact your .ee Registrar, or have any other problems, you can always contact EIF.

7.3. The right to be forgotten

In certain cases, you can request that your Personal Data are erased. This concerns, for example, the processing of your Data with your consent. Complete erasure of your Personal Data may not always be possible, because EIF may use the Data for other legal purposes in relation to which the erasure of the Data is not permitted, to ensure the performance of contractual or statutory obligations.

7.4. The right to object

You have the right to object at any time to the processing of your Personal Data. Upon receipt of your objection, EIF will consider your legal rights and, if possible, will stop the processing of your Data. If your objection concerns Data the processing of which is required by EIF, EIF may refuse to act on your request. This may be the case where EIF must protect, prepare, or submit a legal claim.

7.5. The right to restriction of processing

In certain cases, you have the right to restrict the processing of your Personal Data by explicitly notifying EIF. You can restrict the processing of your Personal Data in particular: to verify the accuracy of the Personal Data or the grounds for processing if you have contested the accuracy of your Personal Data; if you need your Personal Data to prepare, submit or defend a legal claim. If you wish to restrict the processing of your Personal Data, you must clearly state the purpose of and reasons for such a restriction.

7.6. The right to data portability

You have the right to receive your Personal Data from EIF in a machine-readable format. The right to data portability applies in particular to the Data used by EIF and the .ee registrar for the purpose of performing a contract. You also need to understand that EIF cannot ensure that the other service provider to whom you wish to transfer your Data is able to receive your Personal Data, neither will EIF be liable therefor.

7.7. The right to lodge a complaint

If you have any complaints concerning the processing of your Personal Data by your .ee registrar, you have the right to lodge a complaint with EIF at any time, since EIF supervises operations and services carried out by .ee Registrars. If you have any complaints concerning the activities of EIF, please write about your concerns to us. Also you have the right to apply to the Estonian Data Protection Inspectorate or to the courts. 

In case of any wording misapprehensions between the English and Estonian version, wording in Estonian is superior and legally binding.