ContactTerms
ET/EN/RU
EN
EestiEnglishРусский
nimistuEstonia's public business register
HomeViewsIndustriesBlogSourcesAbout
Home/Privacy policy

Privacy policy

Effective from 20 May 2026

This privacy policy covers two kinds of personal-data processing: first, the data of nimistu.ee's own users and donors, and second, personal data drawn from public registers about people connected to companies (board members, owners and others). The second kind relies on legitimate interest, and our legitimate-interest assessment is published below.

Controller

The controller for this privacy policy is:

Nimistu MTÜ
Registry code: 80673204
Address: Parda tn 8, 10151 Tallinn, Estonia
E-mail: info@nimistu.ee
Website: nimistu.ee

What these terms cover

This privacy policy covers the processing of personal data in the following activities:

  • Accepting donations — Swedbank LinkPay, bank transfers, other payment services
  • Use of the website — visiting nimistu.ee, creating a user account, authenticating via eeID
  • Contacting us via the form — correction requests, general enquiries, data-access requests
  • Sending a newsletter and notices — where the user has consented

The processing of personal data from public registers (members of company management and supervisory boards, owners, politically exposed persons and others) in the nimistu.ee database is described in detail in the section below. Each individual view and source additionally carries its methodology and a source reference, and the general rules are also set out in the terms of use.

Processing of personal data from public registers

nimistu.ee aggregates data from the Estonian Business Register and other public sources and makes it findable in one place. In doing so we also process the personal data of natural persons who appear in those registers in connection with legal entities - for example as a board member or shareholder. The controller for this processing is Nimistu MTÜ (contact details above). The data is displayed openly on the website, so the recipients are website visitors and the public; the data is not sold or transferred for advertising or marketing.

Sources of the data

We do not collect this data from the data subject themselves, but from public sources. The main sources are:

  • Business Register open data (Centre of Registers and Information Systems)
  • Tax and Customs Board open data (tax data, tax arrears)
  • the public procurement register, EUIPO trademark data and other open data
  • international sanctions and politically-exposed-person lists (e.g. OpenSanctions)
  • public information sources and others, referenced individually at each view

Categories of data processed

  • name
  • role in the legal entity (e.g. board member, shareholder) and the role's start and end dates
  • the connection to a specific company or organisation
  • date of birth or year of birth and age, where present in a public source
  • politically-exposed-person (PEP) or sanctions status, where it follows from a public list

We do not publish the Estonian personal identification code on public pages, do not process special categories of (sensitive) personal data, and do not compile any reputation or credit score about natural persons. Nor do we publish evaluative or negatively-toned descriptions of individuals.

Purposes

We process this data for the following purposes:

  • increasing the transparency of the business environment - so that it is possible to know who represents, owns and controls Estonian legal entities
  • preventing fraud, money laundering and conflicts of interest, and supporting due-diligence (KYC/AML) obligations
  • ensuring freedom of information and access to information of public interest for journalists, researchers and citizens
  • the re-use of public-sector open data in the public interest

Legal basis and legitimate-interest assessment

The legal basis is legitimate interest (Article 6(1)(f) of the General Data Protection Regulation). The fact that data is in a public register is not an independent legal basis - we have therefore carried out a legitimate-interest assessment (a three-part test):

  • 1. Purpose test — the interests above (transparency, fraud and money-laundering prevention, freedom of information) are real, present and lawful. They serve both our interest and the wider public interest.
  • 2. Necessity test — the processing is necessary and proportionate for the purpose. The data is already public; the value comes from aggregating it and making it findable. We collect as little data as possible (data minimisation), and a less intrusive measure would not meet the same transparency aim.
  • 3. Balancing test — the data subjects appear in a business or representative capacity, not in their private life, and in the Estonian Business Register their role is public by law. A board member can reasonably expect their role to be public. The safeguards listed below ensure that our interest and the public interest do not override the data subject's fundamental rights and freedoms. Cases with a heightened privacy interest are assessed individually upon objection.

Conclusion of the assessment: the legitimate interests are real and are not overridden by the data subject's rights, provided we apply the safeguards below and handle objections case by case. You may request a copy of the full legitimate-interest analysis by contacting us.

Safeguards

  • we display former management-board, supervisory-board and other representative roles publicly for up to 5 years after the role ended
  • the personal identification code is removed from public pages and structured data
  • we do not process special-category data, compile reputation or credit scores, or publish evaluative descriptions
  • data is refreshed daily from the sources to keep it accurate
  • each data field carries its source and date
  • people connected only to non-profit associations and foundations, and more vulnerable individuals, are marked non-indexable for search engines
  • the data subject may object, which we resolve case by case; we also operate an erasure and suppression mechanism
  • data on politically-exposed (PEP) and sanctioned persons may be kept longer on overriding public-interest grounds (the fight against money laundering and corruption)

Retention period

We display current roles for as long as they remain valid in the register. We display ended representative roles publicly for up to 5 years after the role ended, unless there is an overriding public interest (e.g. politically-exposed or sanctioned persons). Data may remain in the database after public display ends only for as long as is necessary for the purpose.

Data-subject rights and objection

You have the right to access your data, rectify it, request erasure or restriction of processing, and object to processing based on legitimate interest (Article 21 GDPR). On a justified objection we suspend processing, assess your specific situation individually, and stop displaying the data unless we have compelling legitimate grounds that override your interests. You also have the right to lodge a complaint with the Data Protection Inspectorate (aki.ee). To exercise your rights, please contact us.

What personal data we collect

From donors

  • name (if the donor shares it)
  • e-mail address (if the donor shares it)
  • bank account number or payment-method info (received via the payment service; we do not store full payment data ourselves)
  • the donation amount, date and payment method
  • IP address at the time of the transaction (for security)

From website users

  • IP address
  • browser and device technical data (user agent, screen size, etc.)
  • pages visited and the time of the visit
  • referrer URL (the page the visitor came from)
  • where applicable: user-account data from eeID authentication (personal ID code, first and last name)

From contact-form users

  • name
  • e-mail address
  • message content
  • organisational affiliation (where the nature of the request requires it)

From newsletter subscribers

  • e-mail address
  • subscription start date
  • unsubscribe date (where applicable)

Legal bases

The legal basis for each processing category is:

  • Processing and recording donations — performance of a contractual obligation (GDPR Article 6(1)(b)) and a legal accounting obligation (Article 6(1)(c))
  • Website operation and security — legitimate interest (Article 6(1)(f)) — ensuring security, preventing misuse, service continuity
  • Contact-form communication — legitimate interest (Article 6(1)(f)) — receiving and handling user enquiries
  • User accounts via eeID authentication — consent (Article 6(1)(a)) — the user makes a deliberate choice to identify themselves to nimistu
  • Newsletter — consent (Article 6(1)(a)) — the user can unsubscribe at any time

For processing based on legitimate interest, we have balanced our interests against the rights of data subjects. You can review that assessment by contacting us.

Who we share data with

We process data ourselves, but in some cases use processors (subcontractors) to whom we transfer data in order to provide the service:

  • Swedbank — to provide payment services (LinkPay, bank transfers)
  • Hosting provider — to run nimistu.ee's server infrastructure (located in an EU member state)
  • Accounting provider — to meet obligations under the Accounting Act (where applicable)
  • eeID / Information System Authority — when a user authenticates
  • E-mail provider — for contact and newsletter communication
  • Cloudflare — for website availability, CDN and security

Data is never sold to third parties under any circumstances. Data is not shared with third parties for advertising or marketing purposes.

Data location and transfers outside the EU

Personal data is held on servers in EU member states. If any of our processors transfers data outside the European Economic Area, this happens only on the basis of a European Commission adequacy decision or standard data-protection clauses (GDPR Articles 45-46).

Retention periods

  • Donation-related data — retained for 7 years from the year of the transaction, under the Accounting Act
  • Website logs (IP addresses, etc.) — retained generally for up to 12 months, to detect possible misuse
  • User accounts (eeID) — retained until the user closes the account; we may delete it after 24 months of inactivity
  • Contact-form communication — retained generally for up to 36 months
  • Newsletter subscriber data — retained while the user is subscribed; after unsubscribing the e-mail is kept briefly as proof of the opt-out
  • eeID personal ID code — retained only while the user account is active

Your rights

You have the following rights regarding your personal data:

  • Right of access — ask us for a copy of the data we process about you
  • Right to rectification — if data is inaccurate or incomplete, please let us know
  • Right to erasure — (“right to be forgotten”) we can delete data, except where retention is legally required
  • Right to restriction — in certain cases we can suspend the use of data
  • Right to portability — you can receive your data in a structured format
  • Right to object — in particular against processing based on legitimate interest
  • Right to withdraw consent — where processing is based on consent, you can withdraw it at any time
  • Right to lodge a complaint — with the supervisory authority — the Data Protection Inspectorate (aki.ee)

To exercise your rights, contact us via the contact form or by e-mail to info@nimistu.ee. We respond to requests generally within one month.

Security

We apply appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration or unauthorised access:

  • data exchange with the website uses an encrypted connection (HTTPS/TLS)
  • passwords and other sensitive data are stored encrypted
  • access to data is limited to those who need it for their work
  • servers are located in secure data centres
  • regular backups are made
  • continuous security monitoring and updates

Cookies

nimistu.ee uses cookies to keep the service working and to improve the experience. You can manage cookie settings via the cookie dialog at the bottom of the page. More detail on cookies is in the terms of use or ask us via the contact form.

Changes to this policy

We may update this privacy policy over time. We announce significant changes on the website. The date this policy was last updated is shown at the top of the page.

Supervisory authority

Data-protection supervision is carried out by the Estonian Data Protection Inspectorate:

Website: aki.ee
E-mail: info@aki.ee
Address: Tatari 39, Tallinn 10134

You always have the right to contact the supervisory authority directly, but we recommend discussing the matter with us first.

Contact

Nimistu MTÜ
Registry code: 80673204
Address: Parda tn 8, 10151 Tallinn, Estonia
E-mail: info@nimistu.ee

For any data-protection questions, get in touch via the contact form.

Public registry of Estonian companies — every fact traceable to a source and a date. Free and ad-free for everyone.

Nimistu MTÜ
Address: Parda tn 8, 10151 Tallinn, Estonia
E-mail: info@nimistu.ee

Browse

  • Home
  • Views
  • Industries
  • Activity licences
  • Recent registrations

Data

  • 73 sources
  • Database
  • Extensions
  • MCP

Organisation

  • About
  • FAQ
  • For journalists
  • Donate
  • Donation terms
  • Refunds
  • Terms
  • Privacy
  • Contact
© 2026 Nimistu MTÜ. License CC-BY-SA 4.0 · details