Data subject means an identified or identifiable natural person, whose personal data is processed.
Personal data means any information relating to an identified or identifiable natural person (data subject).
Processing of personal data shall mean any operation which is performed on personal data (such as amending, viewing, deleting).
2. SA KredEx as the controller of personal data
In addition to the status of a controller, KredEx also acts as a processor in certain cases. KredEx acts as a processor, for example, when implementing the state support measures, the basis of which is the national legislation and which inter alia determine the purpose and extent of data processing.
In the case of further questions, contact KredEx.
Hobujaama 4, Tallinn 10151
+372 667 4100
You can contact the data protection officer of KredEx by e-mail at firstname.lastname@example.org.
The list of processors of KredEx is available on our website.
3. Personal data processing principles of KredEx
KredEx processes your personal data in a fair and transparent manner, and only if we are permitted to process your personal data by legislation.
3.2 Purpose limitation
KredEx collects your personal data for specified, explicit and legitimate purposes. We do not process your personal data in a way incompatible with these purposes. If your personal data is processed for a purpose other than the initial purpose of processing personal data, we shall rely on the legal basis arising from law (e.g. when processing the inquiries of courts and other judicial authorities, KredEx does not process your personal data anymore for the purposes of grants, guarantees or for the provision of other services) or we will ask for your prior consent to process your personal data for a purpose other than the initial purpose of processing personal data.
3.3 Data minimisation
KredEx is committed to ensuring that the personal data processed by KredEx are adequate, relevant and limited to what is necessary for the purposes for which they are processed. We do not collect excessive data or data that is unnecessary for KredEx. If a data subject forwards personal data to KredEx that exceed the necessary extent, we shall take all reasonable measures to avoid the further processing of excessive personal data and to minimise the volume of processed personal data.
We aim to ensure that your personal data is accurate and up-to-date, if necessary. KredEx will take every reasonable step to ensure that personal data that is inaccurate is erased or rectified without delay. If the personal data is inaccurate, KredEx will allow you to rectify and/or delete the data. We do not correct and cannot allow the deletion of such personal data which we are committed to maintaining unchanged for compliance with a legal obligation (e.g. for the fulfilment of requirements arising from the Accounting Act).
3.5 Storage limitation
KredEx will keep your personal data in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed and for compliance with legal requirements. KredEx processes personal data for no longer than it is required under applicable legislation with binding contracts or binding legal obligations.
3.6 Integrity and confidentiality
KredEx ensures the protection of your personal data and processes your personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing. KredEx makes every reasonable effort to avoid accidental loss, destruction or damage of data. KredEx uses technical and organisational measures to increase security during the processing of personal data. To raise awareness and increase knowledge in KredEx about the protection of personal data, privacy training is organised for the KredEx personnel who process your personal data. In addition, the protection of personal data is ensured through the obligation of confidentiality applicable to the KredEx personnel, arising from the nature of the provided services (e.g. banking secret).
Processing of special categories of personal data (sensitive data, such as data revealing racial or ethnical origin, political views, religion or philosophical beliefs) is not the core activity of KredEx. KredEx only processes such data, if there are legal grounds for this, for example, where we are committed or permitted to process this type of personal data by law. Also, if this is determined by the terms and conditions of a service. For example, we offer private individuals a housing loan guarantee, the special target group of which includes veterans of the Defence Forces and the Defence League who have participated in a foreign mission or have been injured during their service in Estonia (health-related data). In addition, KredEx processes special categories of personal data when providing the home grant service to families with many children and when the data subjects forward such data to KredEx during the provision of any other service by themselves.
3.7 Data protection by design and by default
When designing the services related to processing personal data, KredEx takes account of the right to the protection of personal data and privacy of the data subject. In the processes concerning the processing of personal data and in developing these, KredEx gives consideration to the state of the art and implements measures to minimise the risks that are presented by personal data processing pursuant to the state of the art as far as possible. In the processes relating to the processing of personal data, their protection shall be ensured based on the nature, extent, context and purposes of processing the personal data.
4. Purposes, categories and legal bases for the processing of personal data and storage of personal data in KredEx
KredEx processes all personal data, which during the communication with the data subject, have become known and have been disclosed to KredEx. KredEx only processes and stores the personal data within a determined period of time and after that the data will be deleted or destroyed. The personnel of KredEx only has the right to process the personal data to the extent that is necessary for the performance of the assigned tasks and that are required for the achievement of the purpose of processing the personal data. KredEx processes the personal data for the compliance of legal obligations arising from legislation (national law, regulations and EU legislation), for the performance of the concluded contracts and preparing the conclusion of a contract (e.g. for processing the submitted application) and in restricted cases, also on the basis of consent (to send the newsletter of KredEx).
KredEx mainly processes the personal data for offering loans, guarantees, venture and private capital investments, to enable grants and implement the Startup Estonia programme activities. In order to obtain guarantees and grants, the data subject is required to previously fill in the respective forms, the records contained in which are used for deciding on the guarantees and grants. The data disclosed by the data subject via the form are strictly limited to what is necessary for offering the respective service. For example, when awarding the home grant to families with many children, KredEx processes the personal data of the applicants as well as of their children: name, personal identification code, e-mail address, residence and data concerning the income, custody and ownership.
The personal data is processed in a situation where it is necessary to assess whether the data subject is eligible for a guarantee or whether the additional collateral provided by the data subject to the enterprise loan is acceptable. KredEx has signed cooperation agreements with many banks and issued authorisations for concluding the guarantee contracts. Based on this, it is the bank and not KredEx who assesses the creditworthiness of the data subject pursuant to the submitted data, and also specifies the availability and amount of self-financing of the data subject, and calculates the guarantee amount. In the case of a positive loan decision and eligibility for the guarantee, the bank concludes the loan as well as the guarantee contract with the data subject.
KredEx also processes the personal data in a situation where the data subject turns to KredEx with specifying questions, requests or inquiries. if the respective communication is by e-mail, KredEx may also additionally collect statistical data in connection with this communication, such as what service the questions are about and what kind of questions arise, etc. KredEx wants to communicate to its customers and other people who are interested in receiving direct marketing messages, the relevant news about the services of KredEx, invitations to the events organised by KredEx and other information pertaining to KredEx. If you have given your consent to receive newsletters and messages, KredEx will also collect the statistics, e.g. whether you opened the letter, which links you pressed, which devices you used for this and what their technical characteristics are.
We also process personal data, if the data subject applies for a job at KredEx. KredEx does not store the documents related to the application for more than one year as of the competition for the post. Based on the data subject's consent we may also store the data of the candidate within the agreed period of time after the end of the recruitment process to make a further employment offer.
We only collect and process such personal data, the need for which we have clearly defined for ourselves in advance. For example, we collect, process and use the contact pertaining to a data subject in order to contact the data subject, if necessary.
5. Data subject's rights
Respect for the rights of the data subject is important for KredEx, and accordingly, particular consideration is given to it. On the request of the data subject, KredEx may provide information about the specific data subject by electronic means, in writing or orally, considering that the identity of the data subject is clear and proven.
This means that if there are suspicions when handling your request, KredEx may ask for further information from you to identify the data subject. We do this to be sure of the identity of the data subject and to ensure that we provide the right information to the right person.
If the purposes for which KredEx processes the personal data do not need or no longer need the identification of the data subject, KredEx shall not be obliged to store, collect or process additional information for the identification of the data subject.
5.1 Right of information about the extent and use of personal data
You have the right to access your personal data and get further information about what KredEx processes concerning you. This enables you to be informed and check, if necessary, what kind of personal data is processed by KredEx in relation to you and how. You may also contact KredEx and ask for the purpose of processing your personal data, if the purpose is unclear for you or you have further questions for us. We try to answer your questions as soon as possible, however no later than within one month. For more complicated inquiries we may be required to extend the term of responding to the inquiries and requests of a data subject by another two months. In this case we will contact you to extend the term of responding and explain the reasons for the extension to you.
Upon your request, KredEx will make a free copy of the documents pertaining to you, if this is necessary and justified. For any subsequent copies, KredEx may charge a fee for making and forwarding the copies based on the actual cost – above all, if the requests of the data subject are of a recurring nature. If you submit the request by electronic means and unless you request otherwise, KredEx will provide the information by electronic means. KredEx may refuse to provide a copy or to disclose data in the copy, if this has a disproportionate effect on the rights and freedoms of other persons and less restrictive measures cannot be implemented.
5.3 The right to rectification
All data subjects, who notice that their personal data are not up-to-date, are inaccurate or need rectification, may turn to KredEx for the rectification or correction of the data. You may also ask to supplement your incomplete personal data. KredEx will ensure that in the event of justified and legitimate requests, the personal data will be corrected at the first opportunity.
5.4 The right to data portability
If justified in the relevant case and if it does not adversely affect the rights and freedoms of others, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, if the processing in question is based on consent or on a contract and the processing is carried out by automated means.
5.5 The right to erasure (right to be forgotten)
This right enables the data subject to demand the erasure of personal data concerning him or her, if the personal data are no longer necessary or suitable in relation to the purposes of their collection or processing. The right to erasure is not an absolute right and accordingly, your request to delete the personal data may not mean that all your personal data are deleted after the request is received. Sometimes, we have a legal obligation to store the data and, in this case, we might not be able to satisfy your request. The same may apply, if we may store the respective data for the establishment, exercise or defence of legal claims.
5.6 Right to the restriction of processing
In justified cases, KredEx may restrict the processing of personal data upon your request for a period enabling one to verify the accuracy of the personal data or until you object to the accuracy of your personal data. The data subject has a right to demand restriction of processing, for example at the time when KredEx assesses the application of the requirement to delete personal data.
5.7 Right to withdraw consent
Where processing is based on consent, you may turn to KredEx at any time and withdraw your consent given for processing the personal data. The withdrawal of consent is without retro-active effect and shall not affect the lawfulness of the completed processing of personal data when the consent was valid.
5.8 Right to object
If you find that the processing of personal data by KredEx infringes your right to the protection of personal data or other rights and freedoms, you shall have the right to object to processing of the personal data.
5.9 Right to lodge a complaint with a supervisory authority
All data subjects have a right to lodge a complaint with a national data protection supervisory authority, if the data subject finds that the processing of his or her personal data does not correspond to the provisions of data protection laws and general data protection rules. In Estonia, the national supervisory authority is the Estonian Data Protection Inspectorate.
6. Safeguards and notification
KredEx keeps the personal data strictly confidential and protects the personal data from illegally falling into the hands of third persons by implementing efficient information IT security measures and organisational and technical measures.
Whenever a personal data breach occurs in KredEx and this represents a likely threat to the rights and freedoms of the data subject, we shall report such breach to the Data Protection Inspectorate. We will implement additional measures to end the breach as soon as possible.
Where the breach is likely to result in a high risk to the rights and freedoms of the data subject, we shall communicate the breach to the data subject. The purpose of communication is to enable the data subjects themselves to implement preventive measures to mitigate the potential risks arising from the situation.
7. Implementing provision