EIF's Data Protection Policy

Personal data (“Personal Data” and also “the Data”) means any information submitted to EIF in relation to the registration or use of a .ee domain name (such as the information concerning the registrant of the domain and their administrative or technical contacts) and operations related thereto (such as exchanging domain contact data) or provided otherwise, which can be used, directly or indirectly, to identify you as a private individual.

EIF may process your personal data as follows:

1.1.   personal data, such as your name, personal identification number, date of birth, identity document, bank account etc., in order to verify the identity and power of representation of the registrant of the domain and the identities and powers of representation of the administrative and technical contacts of the registrant;

1.2.   the names and contact information (phone number, email address) of registrants and their administrative and technical contacts, in order to provide information and enable the functioning of the domain register;

1.3.   the names and email addresses of natural person registrants and their administrative and technical contacts for publication on the internet by responding to WHOIS requests, only with the separate consent of the registrant;

1.4.   the names and email addresses of the administrative and technical contacts of natural person registrants for publication on the Internet by responding to WHOIS requests. See more here;

1.5.   domain-name servers of natural person registrants, in order to add a zone and make it publicly available;

1.6.   all Personal Data required to decide on or perform the registration of a domain name or any other operation falling within the competence of EIF;

1.7.   all Personal Data required in order to facilitate the resolution of disputes by the Domain Disputes Committee and in court;

1.8.   all Personal Data required in order to comply with applicable legislation or any other rule, instruction or practice affecting EIS as well as to defend our rights that have been either violated or disputed, in or out of court;

1.9.   if you contact EIF, by sending an email, for example, we will become a party to communication and will use and save the data provided in your email for its intended purposes (such as establishing facts, solving a problem, etc.). In such a case, the grounds for the collection of the Data is that you have provided the Data by contacting EIF;

1.10.   registrant’s log-in data provided for the purpose of identification, such as the IP address, personal identification code (users can log in only by using an ID card or Mobile ID), information about the operations performed, successful or failed operations and the time of making a request;

1.11.   For the above purposes, EIF may prepare lists of the Personal Data analysed (such as a list of domain registrants).

If you refuse to provide such Personal Data to EIF, you may not be able to use the services provided by EIF.

EIF (registry code: 90010019), address Paldiski mnt 80, Tallinn 10617, acts as the controller, and processes your Personal Data as described in these Rules on Use of Personal Data. Where appropriate, EIF may give, in accordance with the GDPR and/or other legislation, the right to process Personal Data to its partner processors or third persons, who may use the Data only for the performance of the operations specified by EIF and under a contract concluded for this purpose. 

Our main cooperation partners processing the Personal Data of individuals related to .ee domains on behalf of EIF are the .ee Registrars. EIF does not directly provide registration services related to .ee domains; the services are provided through .ee Registrars, which can be contacted in order to register an .ee domain or, for example, to change a registrar. EIF has given .ee Registrars the right and has imposed on them the obligation to provide registration services to .ee domain registrants and to charge a fee for the service in accordance with the contracts signed with the registrants.

A further important point to note is that the Personal Data provided by you in relation to your .ee domain can be accessed only by the relevant .ee registrar and by EIF. If your .ee registrar shares your Personal Data collected in accordance with these Rules on Use of Personal Data with any third persons that do not have a contractual relationship in place with EIF, the .ee registrar must notify you thereof. In such a case, the .ee registrar is the controller of your Personal Data and has the obligation to clarify your rights as well as the reasons for using your Personal Data in such a manner.

Information on those .ee registrars that possess the rights of a processor is available at: https://www.internet.ee/registrars/accredited-registrars. 

EIF may also disclose the Data of private domain registrants and their representatives to the Estonian Information System Authority (RIA) and the Estonian police for cyber security purposes under the legal interest and relevant agreements. EIF may also disclose Personal Data if a court has issued a relevant judgment or order or if the relevant competent authority (the Consumer Protection Board) has a justified legitimate interest in such data.

Any processing of Personal Data must be duly substantiated. EIF processes Personal Data on the following four legal bases: performance of contract, performance of legal obligation, your consent and legitimate interest. We have classified all purposes for which Personal Data are processed in these four categories. Accordingly, different time limits for the storage of Personal Data apply to these legal bases. You have also different opportunities and rights to submit requests concerning your Personal Data.

3.1 On the basis of a contract

In order to apply for the registration of a .ee domain, you should submit an application to the .ee Registrar of your choice, which will prepare a contract for services to be concluded with you. The .ee Domain Regulation is a standard contractual clause and forms an integral part of the contract for services (see more: https://www.internet.ee/domeenid/ee-domeenireeglid).

For the purpose of the performance of the contract, the .ee Registrar and EIF will process Personal Data primarily in order to identify the registrant and their administrative and technical contacts and to verify their right of representation. In order to verify the right of representation, the .ee Registrar may require that the relevant authorisation is provided, or verify the registrant’s identity by requesting additional documentation. This also applies to a new .ee Registrar if you file an application for changing your registrar. 

We also collect and process Personal Data for the purpose of exchanging information (for example, if your domain reaches its expiry date or there is a problem that needs to be addressed). This is also the case if an interested person wishes to contact you. See more here. Registrars may also collect your Personal Data for billing purposes.

3.2 Performance of statutory obligations

The performance of statutory obligations may be relevant to the processing of Personal Data where EIF as a service provider is required by a public authority to process Personal Data in accordance with law.

If the processing of Personal Data is necessary for the performance of a statutory obligation, EIF is unable to decide on the collection and storage of such Personal Data. Such data may be subject to processing where EIF receives a relevant enquiry from a public authority, is bound by an obligation under the Accounting Act, or processing is necessary to ensure the security of the network and information systems.

3.3 With the consent of the data subject

For instance, EIF processes data with the consent of the data subject, where the data concern a person who notifies the domain registrant though a special form provided by EIF (see here about the terms and conditions of using WHOIS).

3.4 Legitimate interest

Legitimate interest means, in particular, that EIF wishes to use the Data to provide and develop better services as well as for the purpose of communication where this is not strictly necessary for the purpose of the performance of a contract. Legitimate interest means a balance between the rights of EIF and those of the users, enabling us to provide our services in the manner in which the domain registrants and the public expect us to do. 

For example, EIF has a legitimate interest in compiling various statistics on domains or preparing lists based on the Personal Data analysed (such as lists of domain registrants, etc.) which are necessary for the better functioning of the service and for decision-making. The processing of the Data on grounds relating to legitimate interest is not exhaustive, and EIF may for reasonable necessity and to a reasonable extent process the Data on grounds relating to the legitimate interest for other purposes as well. 

EIF also publishes the Data (name and email address) of the representatives of domain registrants on the Internet through WHOIS on grounds relating to legitimate interest in order to contribute to ensuring a transparent DNS (Domain Name System) and Internet. For further information see here.

You have the right to receive information about your Personal Data processed by EIF and your .ee Registrar at any time from EIF and your .ee Registrar to whom you have applied for the registration of a domain name or the change of the registrant. EIF has a Data Protection Officer who can be contacted by writing to info@internet.ee or calling 727 1000.

We will store your Personal Data for the period necessary for the purposes for which the personal data are processed (see Paragraph 1 and 2) or as required by the EIF’s statutory obligations.

The table below presents a summary of the principles of the storage of Personal Data by EIF, together with examples.

EIF will take all necessary organisational, physical and IT measures to ensure the integrity, availability and confidentiality of the Data. These measures include the protection of employees, information, IT infrastructure, internal devices and technical equipment of EIF.

Information security activities are aimed at the implementation of the relevant information protection level, risk management and prevention of threats. EIF will ensure security in accordance with the terms and conditions applicable to the provision of EIF services and in compliance with legal requirements. The necessary measures are established by the internal security rules of EIF. 

EIF employees are subject to the requirements of data confidentiality and protection and are responsible for complying with these requirements. EIF processors (in particular your .ee Registrar) and their employees have an obligation to ensure compliance with the requirements of personal data protection.

7.1. The right to request access to personal data

You have the right to access Personal Data that have been collected by EIF or your .ee registrar concerning you and to receive information about the purposes of the processing and the time limits for the storage of Personal Data. To access your Personal Data, you should contact EIF or your .ee registrar. To grant access to your Data, they need to verify your identity and, where appropriate, your right of representation. EIF and the .ee Registrar have the right to respond to your request within 30 days.

7.2. The right to rectification of personal data

If you discover that your Personal Data are incorrect, or your Personal Data have changed, you can submit a relevant statement at any time. Since the registration services are provided and your Personal Data are collected through .ee Registrars, you first need to submit your request to your .ee Registrar (with whom you have registered your .ee domain). If you are unable to contact your .ee Registrar, or have any other problems, you can always contact EIF.

7.3. The right to be forgotten

In certain cases, you can request that your Personal Data are erased. This concerns, for example, the processing of your Data with your consent. Complete erasure of your Personal Data may not always be possible, because EIF may use the Data for other legal purposes in relation to which the erasure of the Data is not permitted, to ensure the performance of contractual or statutory obligations.

7.4. The right to object

You have the right to object at any time to the processing of your Personal Data. Upon receipt of your objection, EIF will consider your legal rights and, if possible, will stop the processing of your Data. If your objection concerns Data the processing of which is required by EIF, EIF may refuse to act on your request. This may be the case where EIF must protect, prepare, or submit a legal claim.

7.5. The right to restriction of processing

In certain cases, you have the right to restrict the processing of your Personal Data by explicitly notifying EIF. You can restrict the processing of your Personal Data in particular: to verify the accuracy of the Personal Data or the grounds for processing if you have contested the accuracy of your Personal Data; if you need your Personal Data to prepare, submit or defend a legal claim. If you wish to restrict the processing of your Personal Data, you must clearly state the purpose of and reasons for such a restriction.

7.6. The right to data portability

You have the right to receive your Personal Data from EIF in a machine-readable format. The right to data portability applies in particular to the Data used by EIF and the .ee registrar for the purpose of performing a contract. You also need to understand that EIF cannot ensure that the other service provider to whom you wish to transfer your Data is able to receive your Personal Data, neither will EIF be liable therefor.

7.7. The right to lodge a complaint

If you have any complaints concerning the processing of your Personal Data by your .ee registrar, you have the right to lodge a complaint with EIF at any time, since EIF supervises operations and services carried out by .ee Registrars. If you have any complaints concerning the activities of EIF, please write about your concerns to us. Also you have the right to apply to the Estonian Data Protection Inspectorate or to the courts. 

In case of any wording misapprehensions between the English and Estonian version, wording in Estonian is superior and legally binding.