Tartu City as a local authority processes personal data in accordance with the law and the legislation issued on the basis thereof for the performance and execution of the functions assigned to local authorities and their agencies. We process personal data in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, the Personal Data Protection Act, other legislation that regulates data protection and the Guidelines of the Data Protection Inspectorate.
In which cases do we process your personal data?
1. You send us a request for an explanation, a memo or a request for information.
- Personal data is generally processed based on your own initiative when you send us a request for an explanation, a memo or a request for information. In this case, we use your personal data to respond to you.
- If we have to make additional queries to respond to you, we will disclose your personal data only to the extent that is absolutely necessary.
- If another agency has the competency to respond to a request for an explanation/a memo/a request for information sent to us, we will send it to said agency and inform you of this.
- Pursuant to law, the data of correspondence must be visible in the public view of the city’s document register, which is why we register all letters sent by private persons in the said register. We do not disclose the name of the sender or recipient of the letter if they are private persons and only the initials of the sender or recipient are visible in the public view. If you write to us on behalf of a legal entity or agency, please use your work-related contact details instead of private ones. Such contact details are public in the document register.
- If the letter sent by you includes data not subject to disclosure, it is marked as “internal use only” when entered in the register. Restriction of access depends on the content of the document and the grounds of possible access restrictions are specified in § 35 of the Public Information Act.
- We retain correspondence with private persons for five years, after which the documents are subject to destruction.
2. You file a complaint/challenge to us or a complaint is filed about you.
- If you file a complaint/challenge to us or a complaint is filed about you, we will use your personal data to solve the case. We disclose the personal data of the person who filed the complaint/challenge only to the extent absolutely necessary for solving the case.
- If another agency has the competency to review the complaint/challenge sent to us, we will send it to said agency and inform you of this.
- Procedural documents are delivered to the parties:
- by e-mail (as a rule, we don’t encrypt e-mail messages);
- by post as an ordinary or registered letter (the postal risk is borne by the postal service provider and recipient of the letter);
- by fax (in exceptional cases on the person’s request).
- We use the address you gave us or the address that can be obtained from the Population Register or the Commercial Register for processing the case and delivering documents to you. We also use the person’s official e-mail address (firstname.lastname@example.org, email@example.com).
- Pursuant to law, the data of complaints/challenges is visible in the public view of the document register, where we do not disclose the data of private persons. Only the initials of private persons are visible in the public view.
- We retain complaints/challenges for five years. Documents that have exceeded this deadline are subject to destruction.
3. You are a party to misdemeanour proceedings.
- If you are a party to misdemeanour proceedings, we will process your personal data to carry out these proceedings. Misdemeanour proceedings are regulated in detail by the Code of Misdemeanour Procedure and the Code of Criminal Procedure.
- We disclose the data of the person who reported the misdemeanour to the other parties to the proceedings to the extent prescribed in the codes of procedure and necessary for solving the case. The anonymity of witnesses is not guaranteed in misdemeanour proceedings.
- The parties to the proceedings are the person subject to proceedings and their defender. The parties to the proceedings can review the materials pursuant to the procedure provided for by the codes of procedure.
- The person who filed the complaint/reported the misdemeanour is not deemed to be a party to the proceedings pursuant to the Code of Misdemeanour Procedure. In order to review the materials, the person who reported the misdemeanour must submit a request for information considering the established access restrictions.
- We’ve joined the e-file system, which we use for the purpose of carrying out misdemeanour proceedings, incl. for data exchange with other agencies (e.g. for sending criminal records to the Criminal Records Database). The e-file information system is closed pursuant to the Statutes. It’s possible to access it only by logging in with an ID card. Only competent officials have access rights. A party to proceedings can also view their procedural data and submit and receive procedural documents.
- Enforced misdemeanour decisions are registered in the Criminal Records Database. It’s possible to request all registry data about oneself free of charge. Information about another person’s punishment for a misdemeanour is given to the person who requests such information if the amount of the fine was at least 50 fine units or the misdemeanour has been committed repeatedly. A fee must be paid for an electronic query and a state fee must be paid for a paper document when the punishment data of another person are requested. Certain personal data (address, citizenship, etc.) and the punishment data of minors are not issued. The exact requirements for access to punishment data are specified in Chapter 3 of the Criminal Records Database Act.
- The Act permits us to disclose the circumstances of misdemeanour proceedings only in exceptional cases (§ 62 of the Code of Misdemeanour Procedure). We intend to use this right only if absolutely necessary and try to avoid excessive infringement of the privacy of the persons concerned. We also retain the right to give explanations of our activities to the general public if the person themselves makes the procedural information public. We don’t disclose information to a larger extent than previously disclosed by the person themselves.
4. You visit our websites, participate in surveys, register for events, order notifications or call the helpline
- We process the data of visits to our websites only in a non-personalised format for statistical purposes that help us develop the websites and make them more convenient for visitors.
- When you log into the Tartu Kultuuriaken (Window of Culture) website, we process your personal data to allow you to add a new event or hobby activity.
- When you request personal notifications, we only process your personal data for sending the requested notifications.
- If you participate in a survey, the data will be disclosed for statistical purposes only in a non-personalised format. In the case of surveys where respondents can win prizes, we process your data in order to contact you.
- Upon registration for an event, we process your personal data to prepare the list of participants in the event and to contact you if necessary.
- If you call our helpline, we only process your personal data to the extent disclosed by you in order to give you information. We make summaries of the content of the calls to the helpline without using any personal information. We don’t record phone calls.
5. You apply for a job with us
- If you apply for a job with us, we will process the personal data disclosed by you in order to assess your suitability for the relevant position.
- We will collect additional data about you from public sources in order to assess your suitability. You have the right to view the received information and submit your explanations and objections.
- We presume that the applicant has given their consent to the persons listed under references in the application documents to answer questions about the applicant and the persons listed under references have agreed to be contacted by us for information.
- We retain the documents received in the course of recruitment for the following purposes:
- for the resolution of legal disputes that may arise in the recruitment process – until the expiry of the claim (one year);
- in order to make a job offer to the applicant next in the rankings (within 150 days of making a job offer to the person who won the competition);
- for making proposals for participation in future competitions with the consent of the applicant.
- The data of applicants are restricted information, which third parties may access only in the cases stipulated by law.
When do we forward your personal data?
- We disclose personal data in the official agencies and the work of local government bodies only for the purpose of processing cases and to the persons involved in the proceedings to the extent absolutely necessary for solving the case.
- If anyone wants to view a document subject to access restrictions by way of a request for information, we check whether the requested document can be issued in an unchanged format or whether it has to be processed in such a manner that information subject to access restriction does not become accessible to third parties. Restriction of access depends on the content of the document.
- Irrespective of access restrictions, we issue the document to the agency or person who is entitled to request this pursuant to law (e.g. an investigation agency, a person who conducts pre-trial proceedings or a court).
How do we retain your personal data?
- We proceed from the principle according to which your personal data are processed for as long as necessary for the specific purpose.
- The deadlines for the retention of documents are established in detail in the list of documents managed by the agencies of Tartu City and other agencies. Documents are retained until the expiry of the established deadlines or until they are handed over to the public archive. Documents whose retention deadlines have expired are destroyed. Examples of the general retention deadlines of some documents that contain or may contain personal data:
- notices of residence are retained for 10 years;
- applications and source documents for obtaining a personal identification code are retained for 10 years;
- documents for payment of social benefits are retained for five years.
How do we respond to breaches concerning personal data?
- If a breach concerning personal data occurs and this poses a probable threat to the rights and freedoms of a person, we inform the Data Protection Inspectorate of the breach. We take measures to resolve the breach immediately.
- If a major threat to your rights and freedoms occurs as a result of the breach, we will also inform you of this. The purpose of notifying you is to allow you to take the necessary precautions to resolve the situation.
What are your rights?
- You have the right to view the personal data that we have collected about you. We will respond to your request for this within one month. We will issue the data concerning you on paper or electronically as requested by you. In order to allow a person to view personal data, we must be convinced that the person has the right to receive the relevant data. We have the right to demand submission of the additional data necessary for identifying you.
We refuse to satisfy your application to view data if doing so may:
- damage the rights and freedoms of another person;
- damage national security;
- prevent or damage the prevention, detection or processing of an offence or the enforcement of punishments.
- If your personal data are processed on the basis of your prior consent, you have the right to withdraw the consent at any time.
- You have the right to demand the correction of personal data concerning you if they have changed or are inadequate, incomplete or incorrect for any other reason. You also have the right to demand that incomplete data are updated for the specific purpose of processing.
- You have the right to demand the restriction of the processing of your personal data or their deletion in specific cases, especially if we (no longer) have a legal basis for processing your personal data.
- The rights of you as a data subject are stipulated in detail in Articles 15-22 of Regulation (EU) 2016/679, which you can view here.
- You have the right to file objections against our decisions and activities at any time as challenges or to go to administrative court. You also have the right to file a complaint with the Data Protection Inspectorate.
These explanations do not concern the retention of the data of legal entities and other agencies. Neither do they cover the processing of personal data on the other websites referred to on our website (external links).
If you have any questions about data processing, you can contact our data protection specialist by e-mail: firstname.lastname@example.org.