Data Processing Principles in the E-Krediidiinfo Portal
Valid from 23rd of January 2023
AS CREDITINFO EESTI (hereinafter Creditinfo Eesti) collects, processes, and mediates credit and business information with the aim of contributing to the mitigation of financial risks of both companies and individuals. Creditinfo Eesti is also the administrator of the Payment Default Register established by Estonian banks.
In its day-to-day operations, Creditinfo Eesti also processes personal data, being the controller of personal data and determining the purposes and means of processing. When making data requests, the persons making requests are also the controllers.
The contact details of Creditinfo Eesti as the controller of personal data are as follows: registry code 10256137; address Tatari 1, 10116 Tallinn.
Creditinfo Eesti has appointed a data protection specialist, whose contact details are as follows: email address email@example.com; postal address Tatari 1, 10116 Tallinn; phone +372 665 9643.
Creditinfo Eesti places great importance on the protection of personal data, which is why Creditinfo Eesti processes personal data responsibly, based primarily on the interests, rights, and freedoms of data subjects.
These data processing principles (hereinafter the Principles) explain how Creditinfo Eesti processes personal data.
- Terms used in the Principles
1.1. The Data Subject is an identified or identifiable natural person. An identifiable natural person is a person who can be identified, directly or indirectly.
The data subjects whose personal data is processed by Creditinfo Eesti are:
1) representatives of legal persons, i.e., natural persons who use the E-Krediidiinfo portal of Creditinfo Eesti as representatives of legal persons;
2) natural persons whose personal data is received by Creditinfo Eesti as public information from information holders (public databases, etc.), and
3) natural persons in respect of whom data has been entered in the Payment Default Register maintained by Creditinfo Eesti.
1.2. Personal Data is any information about an identified or identifiable natural person (Data Subject).
1.3. Processing is any operation or set of operations which is performed on Personal Data of the Data Subject or on sets of Personal Data, whether or not by automated means, including the collection, storage, use, transmission, erasure, etc. thereof.
1.4. Third Party is any person who is not a Data Subject, Creditinfo Eesti, or an employee of Creditinfo Eesti.
1.5. Recipient is a natural or legal person, public authority, agency, or another body to whom the Personal Data is disclosed, whether it is a Third Party or not.
1.6. Public Information, as defined in the Public Information Act, is information which is recorded and documented in any manner and on any medium and which is obtained or created upon performance of public duties provided by law or by legislation issued on the basis thereof.
1.7. Payment Default Register is a register containing debt information created in 2001 by Estonian banks and maintained by Creditinfo Eesti.
- General principles
2.1. In processing Personal Data, Creditinfo Eesti is guided by these Principles, Regulation 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), the Personal Data Protection Act, and other relevant legislation regulating data protection, guidelines of supervisory authorities, as well as best practices and good business practices.
2.2. Creditinfo Eesti ensures the integrity, availability, and confidentiality of Personal Data by implementing appropriate organisational and technical measures.
2.3. Creditinfo Eesti uses only those processors in the processing of Personal Data who ensure the use of appropriate security measures and process the Personal Data in accordance with the instructions of Creditinfo Eesti and in compliance with legal requirements.
2.4. Employees of Creditinfo Eesti are obliged to keep the Personal Data that has become known to them in the course of their duties confidential due to the requirements of legislation and in accordance with the employment contract or other similar agreement concluded with them. This confidentiality obligation is applied for an indefinite period and the employees of Creditinfo Eesti are liable for breaching the obligation. Creditinfo Eesti ensures the regular training of its employees regarding the requirements for the processing and protection of Personal Data.
2.5. Creditinfo Eesti assumes that the Data Subject also contributes to the secure processing and protection of their Personal Data: for example, keeps the passwords of their ID-card secret, ensures that the computer they use for the consumption of the services and products of Creditinfo Eesti is secure, etc. Creditinfo Eesti is not liable for the possible consequences if the Data Subject does not treat the protection of their Personal Data conscientiously.
2.6. The rules of Creditinfo Eesti applicable to cookies are available on the website of Creditinfo Eesti, www.creditinfo.ee.
- The sources and types of Personal Data processed by Creditinfo Eesti. Purposes and legal bases of processing
3.1. Creditinfo Eesti collects Personal Data for a clearly defined and legitimate purpose, and subsequently processes the data in a manner that is compatible with that purpose. The processing of Personal Data takes place on the legal basis provided for in the General Data Protection Regulation.
3.2. The composition of the Personal Data collected by Creditinfo Eesti depends on the source from and purpose for which the Personal Data is collected.
3.3. Creditinfo Eesti processes Personal Data for the purpose of fulfilling legal obligations arising from legislation as well as for the legitimate interest of Creditinfo Eesti itself and the customers of Creditinfo Eesti.
3.4. The legitimate interests of Creditinfo Eesti are expressed in the development of the products and services of Creditinfo Eesti and in the promotion of business activities, with the aim of providing customers with better products and services for assessing their creditworthiness, as well as in ensuring data and information security and fulfilling the general legal obligations provided for in legislation.
3.5. Processing of Personal Data when using the E-Krediidiinfo portal as a querier
3.5.1. The Personal Data processed on the E-Krediidiinfo portal necessary for the use of the portal are collected primarily from the data subject themselves or from the legal person whom the data subject represents.
3.5.2. The processing of Personal Data in the E-Krediidiinfo portal takes place when the legal person represented by the Data Subject concludes a sales contract for the products or services purchased and/or when this contract needs to be executed.
3.5.3. Personal Data is used by a legal person to place orders through the Data Subject in the E-Krediidiinfo portal.
3.5.4. The following Personal Data is processed in the E-Krediidiinfo portal:
1) personal identification data: first and last name and personal identification code, as well as data related to the ID-card, Mobile-ID, or Smart-ID used for logging in;
2) contact details: email address and/or mobile phone number;
3) Personal Data related to the services: data generated by the Data Subject as a representative of the legal person in the course of or in connection with the use of E-Krediidiinfo, e.g., data on products and services purchased by the Data Subject, data on invoices submitted to the legal person and their content, requests, inquiries, and complaints submitted by the Data Subject, etc.;
4) data related to visiting E-Krediidiinfo.
3.5.5. In addition to the above, Creditinfo Eesti processes the data of the satisfaction surveys of Data Subjects both for the performance of the contract and for the execution of legitimate interest. The purpose of using the satisfaction survey data is improving the use of E-Krediidiinfo and the quality of products and services offered on these portals, as well as developing new products and services.
3.6. Processing Personal Data when the processing of the data of the Data Subject is necessary for the preparation of reports and for the provision of answers to queries
3.6.1. Processing Personal Data collected as public information
3.6.1.1. Creditinfo Eesti receives Personal Data as public information from information holders, the Commercial Register, the Population Register, the Land Register, Ametlikud Teadaanded, the Tax and Customs Board, the Payment Default Register.
3.6.1.2. The data processed as public information includes:
- personal identification code, first and last name, whether the person has Estonian citizenship, residence permit, and right of residence: type and expiry date of validity, fact of the death of the person, whether the person is an e-resident;
- payment default data: amount of debt, start date, end date, person who submitted the payment default, payment default status (valid, terminated, contested);
- balance of Tax and Customs Board receivables: type of receivable, amount of debt, amount on payment schedule, disputed amount;
- current business and entrepreneurship prohibitions;
- relationship to the legal person in the following roles: representative person (e.g. member of the board, chairman of the board, procurator): role, starting date of the relationship, end date of the relationship; owner of the legal person (e.g. shareholder, stockholder, general partner): role, country of location, starting date of the relationship, end date of the relationship, type of ownership, size of holding and percentage of participation; member of the supervisory board and chairman of the supervisory board of the legal person: role, starting date of the relationship, end date of the relationship; other relationship to the legal person (e.g. founder, auditor): role, country of location, starting date of the relationship, end date of the relationship; beneficial owner: details of the beneficial owner of the legal person entered in the commercial register;
- official announcements relating to the person: type of announcement, content, start date of publication, end date of publication;
- number of properties, extracts from the land register (divisions I to IV).
3.6.1.3. The Personal Data collected as public information is processed by Creditinfo Eesti for the purpose of assessing the creditworthiness of Data Subjects and, in certain cases, of legal persons related to them, as well as for the purpose of assessing other reliability. The legal basis for processing is the legitimate interest of Creditinfo Eesti or the legitimate interest of the customers of Creditinfo Eesti.
3.6.2. Processing Personal Data in the Payment Default Register
3.6.2.1. Personal Data related to payment defaults may be entered in the Payment Default Register maintained by Creditinfo Eesti by legal persons who have obtained the corresponding right under the agreement concluded with Creditinfo Eesti.
3.6.2.2. The following Personal Data is entered and published in the Payment Default Register: the first and last name and personal identification code or date of birth of the Data Subject connected to the payment default, the date on which the debt underlying the payment default occurred and ended, the magnitude of the debt amount, and information on the origin of the debt.
3.6.2.3. Creditinfo Eesti processes (maintains and transfers) the Personal Data related to payment defaults entered in the Payment Default Register to collect the debt information of different persons and to transfer it to the Recipients for using it for assessing creditworthiness and other similar purposes. Creditinfo Eesti processes such Personal Data for the legitimate interest of Creditinfo Eesti as well as for the legitimate interest of the Recipients to whom the Personal Data related to payment defaults is transferred from the Payment Default Register.
3.6.2.4. Creditinfo Eesti has the right to transfer Personal Data related to a payment default to those Recipients who have a legal basis for obtaining the respective Personal Data and who use the Personal Data for the purposes of creditworthiness assessment and/or other similar purposes.
3.6.3. Processing Personal Data for marketing purposes
3.6.3.1. In order to send marketing offers and marketing communications, including newsletters, Creditinfo Eesti uses the email addresses and/or mobile phone numbers of the representatives of Data Subjects as legal persons.
3.7. In addition to the above purposes, Creditinfo Eesti processes the Personal Data of Data Subjects also for the protection of the violated or disputed rights of Creditinfo Eesti, for the exercise of the rights of Creditinfo Eesti in connection with legal claims, with proving and protecting them in court or out of court. The processing takes place on the basis of the legitimate interest of Creditinfo Eesti and for the performance of the contract with the Data Subject.
- Processing based on legitimate interest
4.1. If, according to these principles, data processing takes place on the basis of legitimate interest, it is possible to consult the analysis of the legitimate interest, and to do so, one must send a request to the email address firstname.lastname@example.org.
Profile analysis is the automated processing of Personal Data used to evaluate certain personal characteristics of the Data Subject. Creditinfo profiles to identify the beneficial owners, calculate the probability of default, and prepare a credit assessment. For profiling, Creditinfo uses the data specified in Section 3. Such data processing takes place on the basis of the legitimate interest of Creditinfo Eesti.
- Transfer of Personal Data by Creditinfo Eesti
6.1. Creditinfo Eesti transfers Personal Data:
6.1.1. as a response to queries and in the composition of reports to its customers – for use in the assessment of creditworthiness and other reliability;
6.1.2. to authorities and persons (e.g., law enforcement agencies, courts, supervisory authorities, enforcement agents, notaries, tax authorities, trustees in bankruptcy, etc.) – to fulfil their obligations under the law;
6.1.3. in the case of assignment of the claim, to a new creditor;
6.1.4. to data processors of Creditinfo Eesti.
6.2. Data processors of Creditinfo Eesti are cooperation partners of Creditinfo Eesti who provide Creditinfo Eesti with accounting and settlement management services, archiving services, auditing services, legal or financial consultation services, debt collection services, and IT assistance and maintenance. The processor has the right to carry out the processing operations only in respect of the Personal Data and to the extent for which Creditinfo Eesti has authorised the processor.
6.3. Creditinfo does not transfer data to third countries. If it becomes necessary for Creditinfo to transfer data to third countries, Creditinfo will comply with the requirements of the General Data Protection Regulation and other applicable legislation.
- Term for the storage of Personal Data
7.1. Creditinfo Eesti processes Personal Data for as long as it is necessary to achieve the purposes of the processing and there is a legal basis. Data obtained from public registers will be stored by Creditinfo Eesti as long as this data is available in the public register. Ametlikud Teadaanded will be stored by Creditinfo Eesti as long as they are archived on the Ametlikud Teadaanded portal. Creditinfo Eesti will publish the data of a completed payment default in the Payment Default Register up to 5 years after the end of the default.
7.2. If the data is no longer used actively, Creditinfo Estonia will retain it for a further 3 + 1 years on the basis of the legitimate interest of Creditinfo Estonia, based on the three-year limitation period, plus one year to ensure the availability of the data, as Creditinfo may not immediately become aware of the lodging of the claim.
7.3. The Data Subject can obtain additional information regarding the terms for storing their data by sending an inquiry to email@example.com.
- Rights of the Data Subject in relation to the processing of their Personal Data
8.1. The Data Subject has the right:
8.1.1. to receive information from Creditinfo Eesti on whether Creditinfo Eesti is processing their Personal Data and, if it does, to have access to that Personal Data pursuant to the procedure and to the extent provided by legislation, including obtaining a copy of the Personal Data;
8.1.2. to request the correction of their Personal Data if the data is inadequate, incomplete, or invalid;
8.1.3. to request the deletion of their Personal Data in the cases and to the extent provided by legislation, for example, if Creditinfo Eesti has no legal basis to process such Personal Data or Personal Data is processed with the consent of the Data Subject and the Data Subject has withdrawn their consent. This right does not apply if the Personal Data requested to be deleted is also processed on other legal grounds, e.g. for the performance of a contract. If the processing is based on legitimate interest, the Data Subject has the right to object, and Creditinfo Eesti then assesses whether there are legitimate reasons for processing or whether the data must be deleted;
8.1.4. to restrict the processing of their Personal Data in accordance with the procedure and to the extent provided for in the legislation, for example, during the time when Creditinfo Eesti assesses whether the Data Subject has the right to delete their Personal Data;
8.1.5. to receive their Personal Data which has been provided by the Data Subject to Creditinfo Eesti and which is processed on the basis of consent or for the performance of the contract in a commonly used machine-readable format, and, if technically possible, to transfer this Personal Data to another controller (data portability);
8.1.6. to object to the processing of their Personal Data, including profiling, if the processing of Personal Data is based on legitimate interest. In this case, Creditinfo Eesti will stop processing the Personal Data of the Data Subject, unless the interests of Creditinfo Eesti outweigh any possible infringement of the rights of the Data Subject;
8.1.7. to demand the termination of the processing of Personal Data if the processing of Personal Data is unlawful, i.e., Creditinfo Eesti has no legal basis for the processing of Personal Data;
8.1.8. to withdraw their consent to the processing of their Personal Data;
8.1.9. to submit a complaint concerning the processing of Personal Data to Creditinfo Eesti if the Data Subject considers that the processing of their Personal Data violates their rights and interests;
8.1.10. to submit a complaint concerning the processing of Personal Data to the Data Protection Inspectorate (website: www.aki.ee) or to apply to the competent court if the Data Subject considers that the processing of their Personal Data violates their rights and interests.
8.2. To exercise their rights, the Data Subject may contact Creditinfo Eesti by forwarding their inquiry, request, or complaint to the email address firstname.lastname@example.org. Creditinfo Eesti shall respond to the Data Subject without undue delay, but no later than one month from the date of receipt of the request. If the circumstances need to be further specified or verified before replying to the Data Subject, Creditinfo Eesti may extend the deadline for replying by informing the Data Subject in advance.
- Amendment of the Principles
9.1. Creditinfo Eesti has the right to change the Principles unilaterally at any time on the basis of the legislation in force. The new version of the Principles will be published on the website of Creditinfo Eesti, www.creditinfo.ee.