State Electoral Office data protection terms and conditions

General information on personal data

Personal data is any type of data that can be used to identify an individual.

Personal data processing is any operation that is performed on personal data or on sets of personal data.

The documents that contain personal data and that have to be registered are stored for the term set for the storage of the documents entered in the list of documents.

The data protection policy does not apply to the storage of the data of legal entities and other institutions. The data protection policy also does not apply to the processing of the data of natural persons when the data is processed in connection with their official duties.

Processing situations

1. The data on candidates is published on the elections web page.

2. Visiting the web page. The following information is collected and stored: internet address of the computer or computer network (IP address), the name and address of the internet service provider of the computer or the computer network used, the time of the visit (time, date, year). IP addresses are not linked to the data identifying an individual. Information is collected concerning the part of the web page visited and the length of the visit; this is used for visitor statistics.

3. A letter, request for explanation, memorandum, or information request sent to the State Electoral Office and the response to the latter (hereinafter the letter). The letter is recorded in the document management system.

If the letter contains the contact details of a natural person, this data cannot be accessed through the document register. The document register displays the registry data of the letter, including the initials of the sender. A letter from an individual is made available upon information request, but the contact details of the individual are not disclosed; instead, the relevant part is blanked out.

The letters containing information that may threaten privacy, or any other data that cannot be accessed under the law, are subject to restricted access. The grounds for restricting access to documents are provided in Section 35 of the Public Information Act.

If the State Electoral Office has received a letter, request for explanation, memorandum, or information request, replying to which falls under the competence of another authority, the letter is forwarded to that authority and the sender is informed of this in writing.

Generally, correspondence is stored for five years or until the expiry of the term specified in legislation.

4. Applying for a traineeship or a job. The applications of candidates are not entered in the document register and no information about the participation of individuals in the competitions is published. The documents are made available to the individuals who are connected with the decision-making process. If the candidate includes data on other individuals in their application, it is presumed that the provisions of the Personal Data Protection Act have been observed, and the Chancellery of the Riigikogu has the right to contact the individuals that are mentioned in the documents e.g. for references. The information on employing an individual is public. The data on the candidates who were not employed is preserved for the contestation period (one year).

5. Contracts with natural persons contain personal data that may include information the publication of which may adversely affect the privacy of an individual (e.g. contact details). Access to the contracts concluded with natural persons is granted to the submitters of the relevant information requests.

6. Visiting the State Electoral Office and taking part in their events (hereinafter the events). The work of the organisers of elections and the election results are actively covered in the social media. Participants of the events can be photographed or filmed. The events are recorded with the purpose of informing the public of the activities of the Office.

7. Public procurements, if the CVs of the members of the tenderer team are requested within the framework of the procurement procedure. During the procurement procedure, personal data is processed for the purpose of preparing the procurement contract, therefore no agreement is needed for that. If it is necessary due to the nature of the service, a data processing contract within the meaning of Article 28 of the General Data Protection Regulation is concluded with the successful tenderer in order to ensure the security of personal data processing.


Rights of an individual regarding the data processing concerning them

1. An individual has the right of access to the personal data that has been collected on them. We refuse to disclose information only in the cases where it may:

  • damage the rights and freedoms of others;
  • damage public order or national security;
  • hinder or adversely affect the prevention, detection, or investigation of a crime, or imposing of a punishment.

2. When submitting personal data, the individual has the right to know:

  • who is responsible for processing the data;
  • which is the legal basis and the purpose for processing the data;
  • whether the data will be forwarded to anybody, including to a third country or an international organisation, and what is the basis for the obligation to do so;
  • how long the personal data will be stored.

If the data did not come from the individual themselves, they will also be informed about the following, in addition to the above:

  • what kind of personal data is processed;
  • what is the origin of this personal data.

3. An individual has the right to object to the processing of personal data concerning themselves.

4. An individual is informed before their personal data is processed for any other purpose than the one for which the data was originally collected.

5. An individual has the right to:

  • request rectification or deleting of inaccurate personal data (except in cases where the data is processed for the performance of legal obligations, exercise of public authority, or performance of duties in public interests);
  • request restrictions to be set on processing the personal data (except in cases the data are processed for the performance of legal obligations, exercise of public authority or performance of duties in public interests);
  • request that no automatic decisions are made regarding themselves on the basis of personal data;
  • withdraw consent for processing personal data (if the personal data processing was based on consent).

6. We will reply to requests without undue delay, but not later than one month after receiving the request. We prefer to reply by e-mail but if possible, we can also use other means specified in the request.

7. We are not required to meet unjustified or repeated requests. We are allowed to ask reasonable compensation for meeting such requests, taking into account the administrative expenses incurred in meeting these.

8. If a person finds that their rights have been unjustifiably restricted or violated, they have the right to turn to the Data Protection Inspectorate or the court.

9. We will inform the Data Protection Inspectorate of violations without undue delay, and if possible, within 72 hours after learning of these, except in cases where the violation is not likely to pose a serious threat to the rights and freedoms of a natural person. In case of a serious threat to the rights and freedoms, we will inform the data subject so that they could take the necessary measures without delay.


For more information on personal data processing, please contact the Data Protection Officer