Privacy Policy
This policy outlines the principles governing the processing of data, including personal data of natural persons (data subjects), by EFTA Legal OÜ (hereinafter referred to as “EFTA”).
1. GENERAL PROVISIONS AND DEFINITIONS
1.1. EFTA is a legal services provider.
1.2. In this document, the following terms have the meanings assigned to them below:
- 1.2.1. Data subject means a natural person about whom EFTA holds information or who can be identified based on the information held. Data subjects include, for example, individual clients or their representatives, as well as other persons (including persons other than clients) whose personal data is processed in connection with the provision of legal services.
- 1.2.2. Guideline refers to this text, which sets out the principles for processing personal data and data that does not allow identification of the data subject by EFTA.
- 1.2.3. Personal data means any information relating to an identified or identifiable natural person.
- 1.2.4. Processing of personal data means any operation performed on personal data of the data subject, such as collection, recording, organization, storage, alteration, disclosure, provision of access, retrieval, use, transmission, cross-usage, combination, blocking, deletion, or destruction, or a combination of these operations, regardless of the method or tools used.
- 1.2.5. Client means a natural or legal person who has concluded a client agreement (mandate contract) with EFTA for the provision of legal services.
- 1.2.6. Visitor means a person who uses EFTA’s website eftalegal.ee.
- 1.2.7. Cookies means data files stored for authentication and statistical purposes.
2. PRINCIPLES OF DATA PROCESSING
EFTA always processes personal data respecting the interests, rights, and freedoms of data subjects, adhering to generally accepted principles of personal data processing (such as lawfulness and transparency, purpose limitation, data minimization, accuracy, reliability, and confidentiality), ensuring that EFTA is always able to demonstrate compliance with these purposes.
3. DATA SET
3.1. EFTA primarily processes the following personal data for the purposes specified below:
- 3.1.1. Personal data (name, personal identification code or date of birth) – for identifying the data subject;
- 3.1.2. Contact details (phone number, email address, residential address) – for communicating with the data subject;
- 3.1.3. Bank details (account number, bank name) – for payment of services (e.g., completed work);
- 3.1.4. Data provided by the client (including personal and contact details of debtors, contracts concluded and related information) and/or personal data obtained or generated during the provision of legal services – for providing legal services;
- 3.1.5. Personal data obtained from state registers, databases (e.g., Population Register, Commercial Register, Traffic Register) and other reliable sources – for providing legal services.
4. LEGAL BASIS AND MAIN PURPOSES OF DATA PROCESSING
4.1. EFTA processes personal data primarily for:
- 4.1.1. Provision of legal services, including conclusion (and pre-contractual negotiations) and execution of client agreements and management of existing contracts;
- 4.1.2. Receiving data from clients under the client agreement;
- 4.1.3. Making inquiries to state registers (e.g., Population Register, Commercial Register, Traffic Register);
- 4.1.4. Assessing the quality of legal services;
- 4.1.5. Identification of the data subject;
- 4.1.6. Enforcement of legal claims and protection of rights;
- 4.1.7. Communication with the data subject and ensuring fulfillment of payment obligations.
4.2. EFTA processes personal data only based on the data subject’s consent or as permitted by law. Data processing is considered lawful if necessary for performance of a contract, particularly a client agreement.
4.3. When processing on the basis of consent, EFTA processes data strictly within the limits, scope, and purposes defined by the data subject. Consent must be distinguishable from other matters, presented clearly and understandably, and given voluntarily, specifically, and unambiguously (e.g., by checking a box on the website). Consent may be given in writing or electronically.
4.4. Legitimate interest primarily means the interest of EFTA or the client in legal protection. Data processing based on legitimate interest occurs only after a careful assessment confirming necessity, purposefulness, and compliance with the data subject’s rights and freedoms.
4.5. In balancing interests, EFTA considers:
- 4.5.1. Type and origin of legitimate interest and whether processing is necessary for fundamental rights or public interest;
- 4.5.2. Impact on the data subject and reasonable expectations about data usage;
- 4.5.3. Additional safeguards such as data minimization, privacy-enhancing technologies, transparency, right to object, and data portability.
4.6. Processing based on legitimate interest may include:
- 4.6.1. Protection of the rights of EFTA or the client (e.g., claims enforcement and defense, both in court and pre-trial);
- 4.6.2. Making inquiries to national registers (e.g. the Population Register, Commercial Register, Traffic Register) for the purpose of asserting legal claims, particularly when the recipient of the claim needs to be identified prior to submission (e.g. due to the specifics of the client’s business operations or similar reasons).
4.7. Processing to fulfill legal obligations (e.g., payment processing, anti-money laundering compliance) is also performed by EFTA as required by law.
4.8. If data is processed for a new purpose differing from the original, or without the data subject’s consent, EFTA separately assesses the permissibility of such processing.
5. DATA RETENTION
5.1. EFTA retains personal data only as long as necessary for the purposes for which the data were collected or subsequently processed.
5.2. Personal data held beyond the retention periods will be destroyed.
5.3. Specifically, EFTA retains:
- 5.3.1. Personal data at least three years after termination of the client agreement (primarily to ensure quality of legal services);
- 5.3.2. Accounting documents (e.g., contracts, payment information, invoices) for 7 years after the end of the relevant financial year as required by law;
- 5.3.3. Data related to client claims until the expiration of limitation periods, usually 3 years, or 10 years in cases of intentional breach;
- 5.3.4. Data until expiration of claims recognized by a final court judgment, generally 10 years after the judgment becomes enforceable.
6. DISCLOSURE AND TRANSFER OF DATA TO THIRD PARTIES
6.1. EFTA may cooperate with parties to whom data may be transferred, requested, or received for purposes of data processing, provided that:
- 6.1.1. The purpose and processing are lawful;
- 6.1.2. Processing complies with EFTA’s guidelines and applicable (client) agreements.
6.2. Disclosure or transfer of personal data to third parties (e.g., courts, authorities) may occur during legal service provision. Such third parties may also include EFTA’s partners such as:
- 6.2.1. Credit registries;
- 6.2.2. IT partners;
- 6.2.3. Legal or debt collection service providers;
- 6.2.4. Providers or intermediaries of payment, postal, or other services and products.
7. SECURITY OF PERSONAL DATA
7.1. EFTA implements organizational and technical measures to protect data against unlawful processing, destruction, loss, unauthorized access, and other incidents.
7.2. In case of any incident involving personal data, EFTA will promptly take all necessary steps to mitigate effects, prevent recurrence, and reduce relevant future risks. All incidents are registered, and if required, the Data Protection Authority and affected data subjects will be notified via email or public channels.
8. RIGHTS OF DATA SUBJECTS AND EXERCISING RIGHTS
8.1. The data subject has the following rights to the extent provided by law:
- 8.1.1. If EFTA processes personal data based on the data subject’s consent, the data subject has the right at any time to notify EFTA of their wish to withdraw their consent to the processing of personal data, including the deletion of the collected data;
- 8.1.2. To receive information and access their personal data, i.e., the right of the data subject to obtain information and access the personal data collected about them;
- 8.1.3. To request the correction of inaccurate personal data;
- 8.1.4. To request the restriction of the processing of personal data. This right may arise, among other cases, when the processing is not permitted under applicable law or when the data subject contests the accuracy of the personal data. The data subject has the right to request restriction of processing for a period enabling the controller to verify the accuracy of the personal data, or when the processing is unlawful but the data subject does not request the erasure of the data;
- 8.1.5. To object to the processing of their personal data.
8.2. Data subjects may contact EFTA regarding questions, requests, or complaints about data processing via general contact details or email: andmekaitse@eftalegal.ee.
8.3. Data subjects may also file complaints with EFTA, the Data Protection Authority (aki.ee), or courts if they believe their rights have been violated.
9. COOKIES AND OTHER WEB TECHNOLOGIES
9.1. EFTA uses cookies and other similar technologies (e.g. IP address, device information, location data) on its website to collect information about visitors’ devices and their use of the website. Cookies are small text files that are stored on the visitor’s device. Prior to the use of non-essential cookies, visitors are asked for their explicit consent.
9.2. EFTA uses the collected data for statistical purposes regarding website traffic, which helps EFTA improve the user experience of the website. EFTA uses software that does not allow the identification of website visitors through cookies. For more information about our use of cookies, please refer to our Cookie Policy.
9.3. Visitors have the right to change their cookie preferences or withdraw their consent at any time. To do so, we provide access to a cookie preference management centre.
9.4. EFTA reserves the right to unilaterally amend these terms. Updated terms will be published on our website at eftalegal.ee.