Language switcher

You are here

Processing of personal data

Public documents created in the course of the work of the Information System Authority (RIA) are available on the RIA website and through the public document register.

Access to personal data is regulated by the Public Information Act, the Personal Data Protection Act, and the General Regulation on the Protection of Personal Data of the European Union. We make every effort to protect your personal information and to comply with data protection and privacy laws.

Personal data is any data that enables the identification of a person and the processing of personal data is any act performed with personal data.

NB! The following information does not cover:

  • the processing of data of legal persons and authorities and/or the data of their self-employed representative/employee if the data is processed in connection with their occupational commitments, duties, etc.;
  • the processing of personal data on websites referred to on the RIA website, but not managed by RIA (external links).

The principles of personal data processing in the Information System Authority are given below:


Request for clarification, memorandum, request for explanation, and other correspondence

Personal data (such as name, contact details, etc.) may be included in requests for clarification, memoranda, requests for explanation, and other correspondence (inquiries). All inquiries and letters received by RIA are registered.

We use the personal data contained in your inquiry to resolve the inquiry and respond to you. If we need to make inquiries from someone else to respond to you, we will only disclose your personal data to a minimum, to the extent strictly necessary, and we will ensure that the principles of legality, minimisation, and confidentiality of your data are guaranteed.

If it is the responsibility of another authority to reply to the letter, we will forward it to that authority. We will notify the sender of the forwarding of the letter.

Correspondence with private individuals is generally restricted. If someone wishes to have access to your correspondence and submits a request for explanation, we will decide whether the document can be issued in part or in full. The document we issue will not retain any personal contact information, such as your (email) address or telephone number (unless the correspondence is on behalf of a legal person or authority). In other cases, restricting access depends on the content of the document. Possible grounds for access restrictions are set out in the Public Information Act.

Regardless of the restriction on access, we will issue the document to an authority or person who has a direct legal right to request it (e.g., body conducting pre-trial proceedings or a court).

We keep the inquiries and letters addressed to RIA as indicated in the list of documents. Documents whose retention period has elapsed will be destroyed.

We may use the correspondence we have with you to assess the quality of our work within the authority. We publish correspondence statistics and summaries anonymously, without names.

If you request information that contains personal data about you or third parties with restricted access, we have an obligation to identify the person requesting the information. If you request restricted personal data concerning third parties, you must inform us of the basis and purpose of accessing the information (subsection 14 (2) of the Public Information Act »).

If you contact us with a question regarding personal data, please send the inquiry digitally or with a hand-written signature. We will issue the respond to an inquiry with a hand-written signature by identifying you on the basis of your identity document.

It is possible to charge a fee of up to 0.19 euros per page issued for issuing data on paper from the twenty-first page (subsection 25 (2) of the Public Information Act »).


Visiting the RIA website and the information telephone number

When visiting the website, the data collected and stored about the visitor is limited to: the Internet Protocol address (IP address) of the computer or computer network used; the page visited; computer web browser and operating system; time of visit; user device in general; page browser size and language selection; service provider, domain name, and region.

The IP addresses are associated with any information which would identify the user. We collect data about which parts of the website are visited and about the duration of such visits. The data collected is used to compile statistical data about visits to the site to develop the website and make it more convenient for the user. More information

Calls to our information telephone number are recorded to ensure better quality of service.

You will be notified of the recording of the telephone call at the beginning of the call so that you can choose the appropriate way to contact the authority (telephone, email, post). By staying on the line, you consent to the recording of your telephone call (Article 6 (1) (a) of the General Data Protection Regulation).

Visiting the Information System Authority

The visitors entering the premises of the Information System Authority are first greeted by the office assistant working in the guest area, who is entitled to ask for your identity document.

At the front desk, the office assistant registers all visitors in an electronic data processing system. For this purpose, the visitor shall present an identity document (identity card, passport, or driving licence of an Estonian citizen or a citizen of a foreign state) to the office assistant. The data entered into the data processing system includes your name, personal identification code, the photo or facial image on your identity document, name of the country that issued the identity document.

You are allowed into the rooms of the Authority only when accompanied by an employee of the Authority. Security cameras installed in the building of the Information System Authority are used in the performance of a public task to fulfil an obligation prescribed by law.


​​​​​​Applying for a job and internship at the Information System Authority


All documents related to the application contain personal data (for example, the application with the accompanying documents, correspondence with the candidate, information collected from public sources about the candidate). The candidate has the right to access the data collected by RIA and to request them to be rectified, completed, or erased pursuant to law. In order to exercise your rights, you must send a corresponding application signed digitally to the email address andmekaitse[@]

RIA keeps the letters and documents received during the recruitment process in a form containing personal data:

  • to resolve possible legal disputes arising in the recruitment process (1 year);
  • to make an offer of employment to the next best candidate in the ranking (90 days as of the making of an offer of employment to the person who has won the competition);
  • to propose to participate in a future competition with the consent of the candidate.

The data of the candidates is confidential information to which third parties (including competent authorities) have access only in cases provided by law.

Processing of personal data of job candidates (293.13 KB, PDF) (in Estonian)

Other data processing

We may also process data for supervisory purposes, to resolve incidents, to perform analysis, to grant access rights, to provide evidential value, to organise events, and in other cases provided by law.


The right of access to your data. The right to request the rectification of inaccurate data.

Anyone has the right of access to the personal data collected about them. If personal data is not disclosed on the website, it is possible to submit a request for data. We will issue the data to you as soon as possible, but at least within one month after registration of the application. We will release the data about you either on paper or electronically, based on your wishes.

If personal information is restricted, we need to verify your identity.

We may restrict your right to receive information or gain access to your personal data if this may:

  • harm the rights and freedoms of another person,
  • hinder the prevention of a crime or catching an offender or complicate determining the facts in criminal proceedings,
  • endanger national security.

Anyone has the right to request the rectification of their inaccurate personal data.

If you have any questions in connection with the processing of personal data by the Information System Authority, please contact the Head of the Legal Department of the Information System Authority.

A person whose rights have been violated during the processing of personal data has the right to file a complaint with the Data Protection Inspectorate or an administrative court.

Last modified: 06.01.2022

Did you get the answer to your question?

We thank you for your feedback.