Privacy notice



We at AS KredEx Krediidikindlustus value your privacy. With this Privacy Notice, we are letting you know what we have done to protect your right to privacy.

1. Definitions

The General Data Protection Regulation (GDPR) is Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

An automated individual decision means a decision concerning a person, based solely on automated processing, including profiling, which produces legal effects concerning the person or similarly significantly affects the person.

Personal data means any information relating to an identified or identifiable natural person (e.g., name, personal identification number, e-mail address, etc.).

Processing of personal data means any operation which is performed on personal data (e.g., alteration, viewing, retention, deletion).

A cookie is a small text file that a website stores on the visitor’s hard drive, smartphone or other device. Cookies send information to the website on the basis of which it is possible to recognise the settings and preferences of the visitor’s computer.

Profiling means any automated processing of personal data used to evaluate certain personal aspects of a person, e.g., to analyse or predict the individual’s economic situation, performance, personal preferences and interests.

2. Whose personal data do we process and who is concerned by this Privacy Notice?

This Privacy Notice concerns you when:

  • you visit our website;
  • you contact us;
  • are applying for a job with us;
  • you are affiliated with a company that makes an offer to us to provide a service.

3. Who is responsible for the processing of your personal data?

The controller of your personal data is AS KredEx Krediidikindlustus (registry code 11948506). Our contact address is: Sepise 7, 11415, Tallinn, Estonia and e-mail:

4. What personal data do we process, for what purpose and on what legal basis?

We process personal data only for the purposes necessary for the performance of our statutory tasks and legal obligations and on a clear legal basis.

Depending on the purposes, the following legal bases for the processing of personal data are:

  • we process personal data for the preparation and performance of contracts (including employment, authorisation and other contracts);
  • to comply with legal obligations arising from legislation for the purposes and to the extent set out in legislation. Examples of such legislation are the Employment Contracts Act, the State Assets Act, the Insurance Activities Act, the Accounting Act, the tax acts, and the International Sanctions Act;
  • For information security purposes on the basis of a legitimate interest. We process personal data on the basis of legitimate interest only if your interests do not outweigh the interest in processing the data and there are no other grounds for processing the personal data;
  • less frequently, we process personal data based on your consent. Consent to the processing of personal data can always be given voluntarily, knowingly, unambiguously and specifically for the processing of specified data.

The main reasons why we process personal data:

  • We process personal data when assessing the qualifications and suitability of persons who wish to start working for us. The data processed in this case are the candidate’s name, personal identification number, CV and letter of motivation (including information on education and previous work experience), data on the documents required in the job advertisement, information disclosed during the interview, and contact details. Legal basis: preparation of the conclusion of the contract;
  • When conducting a background check, we further process data on a person’s sentences in criminal proceedings, data on ongoing judicial, enforcement and bankruptcy proceedings, and information on related persons. Legal basis: the law, if the obligation to perform the suitability procedure arises from the Insurance Activities Act and our legitimate interest in assessing the suitability of the candidate and maintaining our good repute, unless the obligation to carry out the suitability procedure arises directly from the law. When making a query to the criminal records register, we rely on the consent of the person;
  • in the case of our cooperation partners, we also process personal data, if necessary, to assess the qualifications and suitability of the persons involved in the provision of the service to us. Legal basis: Insurance Activities Act and/or preparation of the conclusion of the contract;
  • we also process data in the performance of contracts, e.g., in order to calculate the fees related to the contract, make payments, provide information (including, if necessary, by forwarding the data to processors). Legal basis: performance of the contract;
  • if necessary, we process personal data for the establishment, exercise, assignment or defence of legal claims based on contracts or arising from pre-contractual negotiations. Legal basis: our legitimate interest in defending ourselves in legal disputes;
  • Your e-mail address will be used to provide feedback;
  • we process the IP addresses of our website users for information security purposes. Legal basis: our legitimate interest in managing and hedging risks.

5. Where did we get your data?

We mainly collect data from you (e.g. when you apply for a job with us, write to us or call us). In certain cases, we may also collect data from external databases (e.g., criminal records, commercial register, portal Official Announcements for background checks).

6. Can we transfer your data and to whom?

We may transfer your data to certain third parties if, for example, we have a legal obligation to do so or it is necessary to protect our legitimate interests, e.g., in the event of disputes. Such third parties are supervisory authorities (e.g., Financial Supervision Authority, Data Protection Inspectorate, Financial Intelligence Unit, Health Insurance Fund, Tax and Customs Board, Labour Inspectorate, Social Insurance Board), legal service providers (different law firms), audit firms, courts, bailiffs. Such authorities and companies are responsible for the proper processing of data as our processors, i.e., on our behalf and under our responsibility.

7. To what extent do we process the data and how long do we keep it?

  • We process personal data to the extent necessary for the purposes set for collecting the data and retain it for a specified period of time. If the data retention period is set by legislation, we will proceed from the time limit set out in legislation. We retain correspondence for 5 years, materials related to contracts for 10 years from the end of the contract, accounting documents for 7 years. Upon expiry of the term, we will delete the personal data. Documents which have expired are generally subject to destruction, unless otherwise provided by law;
  • We retain documents related to recruitment for up to one (1) year from the end of the competition, unless you have given us consent to retain the data for longer or if you have been a successful candidate and have entered into an employment contract.

8. Do we make automated individual decisions or utilise profiling based on your personal data?

No, we don’t make automatic individual decisions or utilise profiling.

9. Cookies

We do not use cookies on our website.

10. What are your rights and how can you exercise them?

  • You have the right to access your personal data and to be informed about what data we process. You may contact us and ask us about the purposes for which we are processing your personal data. We will try to answer questions as soon as possible, but we will try to do so within at least one month. In the case of more complex requests, it may be necessary to extend the time needed to respond to inquiries and requests by an additional two months. In this case, we will contact you and explain the reasons for the extension;
  • If necessary and justified, we will provide you with a copy of the documents related to you on your request. We issue data and documents upon request, either on paper or electronically. However, we may refuse to provide a copy if it disproportionately affects the rights and freedoms of others and it is not possible to take less restrictive measures;
  • If you notice that the personal data is not up to date, is incorrect or needs to be rectified or completed, you can contact us to rectify or complete the data;
  • You also have the right to transfer your personal data, but this only concerns data that you have provided to us and which we process in electronic format either on the basis of your consent or on the basis of a contract. The transfer of personal data means the provision of personal data to another controller;
  • You have the right to request the deletion of your personal data if the personal data are no longer necessary in relation to the purposes for which they were collected or processed. The right to deletion is not an absolute right. Sometimes we have a legal obligation to retain data. We are also under no obligation to delete personal information if we need it to establish legal claims or defend ourselves;
  • You have the right to request the restriction of the processing of your personal data until their accuracy is verified;
  • Where the processing of personal data is based on consent, you have the right to contact us at any time in order to withdraw your consent given to the processing of personal data. Withdrawal of consent has no retroactive effect;
  • If you believe that the processing of personal data infringes upon your right to the protection of personal data or other rights and freedoms, you have the right to object to the processing of your personal data;
  • You have the right to lodge a complaint with the national data protection supervisory authority if you believe that the processing of your personal data does not comply with data protection regulations. In Estonia, the national supervisory authority is the Data Protection Inspectorate.

11. Safeguards and notification

 We keep personal data strictly confidential and protect it from unauthorised access through effective organisational and IT security measures. However, if a personal data breach occurs and this constitutes a likely threat to your rights, we will notify the Data Protection Inspectorate of such a breach. We will implement additional measures to end the breach as soon as possible. If a breach is likely to result in a serious threat to your rights, we will notify you so that you can take the necessary precautions if necessary.

12. Keeping the Privacy Notice up to date

We have the right to change this Privacy Notice unilaterally at any time, taking into account changes in legislation, data protection law and developments in technology ensuring the protection of personal data.  We review the content of this Privacy Notice regularly and make changes to it as necessary.