Protection of personal data at the Chancellery of the Riigikogu



The Riigikogu (Parliament of Estonia) and its Chancellery generally do not need to use personal data in any great amounts for performing their tasks. However, in the course of their work the Riigikogu and its Chancellery receive information that has to be protected by access restrictions according to the law, which means that only certain officials may consult these data.

General information on personal data

Personal data is any kind of data that makes it possible to identify a person.

Personal data processing is any operation that is performed on personal data or on sets of personal data.

We do not publish information containing personal data as public data.

Data protection policy does not concern the storing of the data of legal entities and other institutions. Data protection policy also does not concern the processing of the data of natural persons when the data is processed in connection with their official duties.

The documents that contain personal data and have to be registered are stored in accordance with the storage terms established in the list of documents.

Personal data processing situations

1. Upon entry to Toompea Castle, the security police officer asks the visitor to submit an identity document for verifying their identity and issuing a visitor’s badge. The visitor’s name and personal identification code are entered into the entrance system, which can be accessed by the employee of the Facilities Department who administers the system, and the security police officers.

2. Upon visiting the Riigikogu web page, the following information is collected and stored: internet address of the computer or computer network (IP address), the name and address of the internet service provider of the computer or the computer network used, time of the visit (time, date, year). IP addresses are not attributed to the data identifying a person. Information is collected on the part of the web page visited and length of the visit, and it is used for visitor statistics.

3. Letters, requests for explanation, memoranda, information requests and collective proposals sent to the Riigikogu and the Chancellery of the Riigikogu (hereinafter letters), and replies to them. The letters are recorded in the document management system.

If the letter contains the contact details of a natural person, such data are not accessible through the document register. The document register displays the registry data of the letters, including the initials of the sender. A letter of a person is delivered upon information request, but the contact details of a person are not disclosed – the relevant part is blanked out.

Letters containing information that may threaten privacy, or other data, access to which is prohibited by law, are subject to restricted access. The grounds for restricting access to information are provided in Article 35 of the Public Information Act.

If the Riigikogu or the Chancellery of the Riigikogu has received a letter, request for explanation, memorandum or information request, replying to which belongs to the competence of another agency, such letters are forwarded to that agency, and the sender is informed of it in writing.

Correspondence is usually stored for five years, or until the expiry of the term specified in a legislative act.

4. Applying for a traineeship or a job. The applications of candidates are not entered in the document register and no information about a person’s participation in the competition is published. Access to documents is given to persons who are connected with the decision-making process. If the candidate includes the data of other persons in his or her application, it is presumed that the Personal Data Protection Act is observed, and the Chancellery of the Riigikogu has the right to contact the persons that are mentioned in the documents for references. Information on employing a person is public. The data of the candidates who were not employed is preserved for the contestation period (one year).

5. Contracts with natural persons may contain personal data that may include information, publication of which may adversely affect the privacy of a person (like contact details). Access to the contracts made with natural persons is given to the submitters of relevant information requests.

6. Participation in the events, information days and visits organised by the Riigikogu or the Foresight Centre (hereinafter jointly events). The work of the Riigikogu and the Foresight Centre is actively covered on social media. The participants of the events may be photographed or filmed. The events are recorded with the purpose of informing the public of the activities of the Riigikogu.

7. Public procurements, if the CVs of the members of the tenderer team are requested within the framework of the procurement procedure. During the procurement procedure, the personal data processing is conducted for the purpose of preparing the procurement contract; therefore, no agreement is needed for that. If it is necessary due to the nature of the service, a data processing contract within the meaning of Article 28 of the General Data Protection Regulation is concluded with the successful tenderer in order to ensure the security of personal data processing.

Rights of a person regarding the data processing concerning him or her

1. A person has the right of access to personal data that have been collected concerning him or her. We refuse to disclose information only in the cases when it may:

  • damage the rights and freedoms of others;
  • damage public order or national security;
  • hinder or adversely affect the prevention, detection and investigation of a crime, or imposing of punishment.

2. Upon submission of personal data, the person has the right to know:

  • who is responsible for processing of the data;
  • on which legal basis and for what purpose the data are processed;
  • if the data will be forwarded to anybody, including to a third country or an international organisation, and what is the basis for the obligation to do that;
  • how long the personal data will be stored.

3. If the data did not come from the person himself or herself, he or she will be informed in addition to the above:

  • what kind of personal data are processed;
  • what is the origin of these personal data.

4. A person has the right to object to the processing of personal data.

5. A person is informed before it is planned to process his or her personal data for any other purpose than the data were originally collected for.

6. A person has the right:

  • to request rectification or deletion of inaccurate personal data (except in cases where the data are processed for the performance of legal obligations, exercise of public authority or performance of duties in public interests);
  • to restrict processing of personal data (except in cases where the data are processed for the performance of legal obligations, exercise of public authority or performance of duties in public interests);
  • to request that no automatic decisions are made regarding him or her on the basis of personal data;
  • to withdraw consent to processing of personal data (if the personal data processing was based on consent).

7. We will reply to requests without delay, but not later than within one month after receiving the request. We prefer to send the reply by e-mail, but we can also use other means specified in the request.

8. An unjustified or repeated request does not have to be satisfied. It is allowed to ask for reasonable compensation for meeting such a request, taking into account the administrative expenses made for processing it.

9. If a person finds that his or her rights have been unjustifiably restricted or violated, he or she has the right to turn to the Data Protection Inspectorate or the court.

10. We will inform the Data Protection Inspectorate of violations without undue delay, and if possible, within 72 hours after learning of them, except in cases where the violation does not pose a probable serious threat to the rights and freedoms of a natural person. In the case of a serious threat to the rights and freedoms, we will inform the data subject so that he or she can take the necessary measures without delay.

For more information on personal data processing, please contact the Data Protection Specialist: