These data protection conditions establish the general principles of personal data processing and regulate the collection, processing and storage of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter GDPR) and the Personal Data Protection Act (hereinafter IKS).

Personal data are collected, processed, and stored by the controller, which is OÜ Advokaadibüroo HETA (registry code 10285794) (hereinafter HETA), address Peterburi tee 2f, 11415 Tallinn, Harju County, Republic of Estonia.

The data protection conditions do not apply to data processing of legal persons.

1. Definitions

1.1 Personal data – any information relating to an identified or identifiable natural person.

1.2 Data subject – a natural person who visits and uses the website and whose data is collected during the session of using the website and/or who conducts pre-contractual negotiations of a service provision contract with HETA or is a party or a person authorized to enter into such contract.

1.3 Controller – HETA, which collects, processes and stores personal data and determines the purposes and means of personal data processing.

1.4 Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

1.5 Website –, operated by HETA.

1.6 Service – Legal services provided by HETA.

2. Collection of personal data and purpose for processing

2.1 Personal data is collected electronically through the contact form of the website for the initiation and holding of pre-contractual negotiations of a contract for the provision of services by HETA.

2.2 Personal data is collected via e-mail or in a written format for the conclusion and execution of a contract for the provision of services. Personal data necessary for the conclusion of a contract for the provision of services is not collected through the website or during the session of using the website. The personal data required for the conclusion and execution of a contract is collected during pre-contractual negotiations and, if necessary, additionally during the execution of the agreement.

2.3 The collection of personal data for the conclusion of a contract for the provision of services is performed to identify the identity of the data subject, to fulfil the contract and to deliver documents.

2.4 According to these data protection conditions, the representative of a legal person who is a natural person is considered a data subject only to the extent that it concerns the name, personal identification number and date of birth of the representative of the legal person. According to GDPR, a legal entity is not a data subject, therefore these data protection conditions do not apply to the processing of data of a legal entity.

2.5 The data of the network identifier and location information are not linked to information enabling the identification of a natural person.

3. List of collected personal data

3.1 Upon sending a request via the website’s contact form, the name and e-mail address are collected from the data subject to provide a reply to the request. Upon sending a request via the website’s contact form and the e-mail addresses shown on the website, it is assumed that the data subject has given his/her consent for the processing of the provided personal data.

3.2 For the purpose of the conclusion and fulfilment of the service provision contract, the following data is collected:

3.2.1 name, telephone number and e-mail address;

3.2.2 date of birth;

3.2.3 personal identification code;

3.2.4 residential address;

3.2.5 a copy of an identity document in the means of the Identity Documents Act;

3.2.6 other data that is submitted for the conclusion and execution of the service provision contract and for the fulfilment of HETA’s obligations arising from the law.

3.3 Special categories of personal data are not collected from the data subject, but if necessary, they are collected and processed only on the basis of the consent received from the data subject.

3.4 If the data subject fails to provide the personal data listed in point 3.2 above, identifying the person and fulfilling the contract may prove impossible due to insufficient personal data, in which case HETA may refuse to conclude the contract or provide the service.

4. Legal basis

4.1 Basis for the processing of personal data are:

4.1.1 the processing of personal data is necessary for the performance of a contract to which the data subject is party or in order to take measures at the request of the data subject prior to entering into a contract;

4.1.2 the processing of personal data is necessary to fulfil the legal obligation of the controller;

4.1.3 the processing of personal data is necessary in case of legitimate interest of the data controller or a third party.

5. Storage of personal data

5.1 Personal data is stored as long as it is necessary to fulfil the specific purpose for which personal data is processed.

5.2 Due to the obligation to organize accounting, personal data reflected in accounting documents are stored for up to 7 years from the end of the fiscal year when the accounting document was issued, drawn up or enforced.

6. Transfer of data to third parties

6.1 Personal data may be transferred to the following third parties without the consent of the data subject:

6.1.1 authorities with the right, competence and justified need arising from the law, including the court or supervisory, investigative and law enforcement authorities;

6.1.2 persons representing HETA when drafting and submitting or responding to legal claims.

6.2 Transferring of personal data in other circumstances is conducted only under a written consent of the data subject.

6.3 Technical data concerning the use of the website will be transferred to service providers that collect and analyse usage statistics.

7. Security

7.1 The controller considers all personal data collected on the basis of these data protection conditions as confidential and does not disclose them without the prior written consent of the data subject.

7.2 The controller is not responsible for a breach of security requirements if this breach is caused by the data subject’s own actions.

8. Rights of the data subject

8.1 The data subject has the right to:

8.1.1 access data concerning the data subject;

8.1.2 receive information about the processing of personal data;

8.1.3 require rectification and completion of data;

8.1.4 require restriction and termination of data processing;

8.1.5 submit objections;

8.1.6 request data transfer;

8.1.7 apply to the data protection supervisory authority (Estonian Data Protection Inspectorate) and/or the administrative court.

8.2 If data processing is based on consent, the data subject has the right to withdraw the consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

8.3 Upon absence of legal basis for the data processing the data subject has the right to require deletion and termination of personal data or termination of access to personal data. The application in this regard must be submitted digitally or with a handwritten signature signed by the applicant. The data controller shall provide a response to the request immediately, but no later than within one month after receiving the request. If necessary, this period can be extended by two months, considering the circumstances underlying the request. The application will not be satisfied if:

8.3.1 it poses a threat to the protection of the data subject or the protection of the rights and freedoms of other persons;

8.3.2 it impedes the work of law enforcement bodies;

8.3.3 it is impossible;

8.3.4 it is necessary for the enforcement of civil law claims.

8.4 For questions related to the processing of personal data or to submit requests, the data subject can contact the data controller using the e-mail address

8.5 The data controller may update, change and supplement these data protection conditions by notifying all affected persons.