Privacy Policy
Last updated: December 4, 2025
1. General Provisions
This document constitutes the Privacy Policy of the Handke Digital Solutions brand (Handke DS), operated by Handke Holding OÜ, a company registered in the Republic of Estonia, with its registered office at: Harju maakond, Kesklinna linnaosa, Sakala tn 7-2, 10141 Tallinn, Estonia, entered in the Estonian Commercial Register under number 17387477.
Handke Digital Solutions operates in the field of software development, website creation, process automation, and the provision of digital solutions for businesses and individual clients within the European Union and the European Economic Area (EEA).
The purpose of this Privacy Policy is to present, in a clear, transparent, and lawful manner, the principles governing the processing of personal data of individuals:
- using the services of Handke Digital Solutions,
- visiting the website www.handkeds.com,
- submitting inquiries or using contact forms,
- remaining in business or contractual relations with the Data Controller.
This Privacy Policy defines the rules for the processing of personal data in connection with:
- the operation and maintenance of the website,
- the provision of software development, web development, and digital services,
- the conclusion and performance of contracts and service orders,
- the conduct of business, administrative, and informational correspondence,
- the fulfillment of legal obligations arising from the laws of the European Union and the Republic of Estonia.
The provisions of this Privacy Policy apply to:
- Clients (business entities and private individuals),
- Business partners and contractors,
- Representatives of public institutions and administrative authorities – within the scope of official contacts,
- Website users and other individuals whose personal data are processed in the course of the Data Controller’s activities.
This Privacy Policy covers both personal data provided directly to the Data Controller (e.g., via contact forms, e-mail, or telephone) and technical data collected automatically in connection with the use of the website (e.g., IP address, server log data, device and browser information).
Legal Basis for Data Processing
This Privacy Policy has been prepared in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR),
- the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus, RT I, 26.03.2019, 10),
- other applicable laws of the Republic of Estonia and the European Union.
Nature of the Document
This document is for informational purposes only and is intended to fulfill the Data Controller’s information obligations towards data subjects. It does not constitute legal advice or an interpretation of legal provisions.
Any questions regarding the processing of personal data may be addressed to the Data Controller via e-mail at: office@handkeds.com.
Territorial Scope and Data Transfers
The services of Handke Digital Solutions are provided within the European Union and the European Economic Area (EEA).
Personal data may be transferred to entities located in other EU or EEA countries solely to the extent necessary for the provision of services and with the application of appropriate security measures.
Where personal data are transferred outside the EEA, the Data Controller applies appropriate legal safeguards, in particular:
- Standard Contractual Clauses (SCCs),
- other mechanisms compliant with Articles 44–49 of the GDPR.
Voluntary Provision of Data
The provision of personal data is voluntary; however, in certain cases it is necessary in order to:
- prepare an offer,
- conclude or perform a contract,
- respond to an inquiry.
Failure to provide the required personal data may make it impossible to achieve the purposes indicated above.
2. Personal Data Controller
The controller of personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) is:
Handke Holding OÜ
Harju maakond, Kesklinna linnaosa
Sakala tn 7-2, 10141 Tallinn, Estonia
Registry code: 17387477
EU VAT number: EE102932869
E-mail: office@handkeds.com
Phone: +372 5617 1770
Status of the Handke Digital Solutions Brand
Handke Digital Solutions is a brand operated by Handke Holding OÜ and does not constitute a separate legal entity or an independent personal data controller.
All personal data processed in connection with the activities carried out under the Handke Digital Solutions brand are processed by Handke Holding OÜ as the Data Controller, which determines the purposes and means of the processing of personal data in accordance with Article 4(7) of the GDPR.
Language of Communication
The primary operational language of the Data Controller is English.
Written communication, including inquiries and requests relating to the processing of personal data, may be conducted in any official language of the European Union or the European Economic Area (EEA). The Data Controller ensures that such correspondence is handled in accordance with applicable legal requirements.
Data Protection Officer
The Data Controller is not required to appoint a Data Protection Officer (DPO), as the nature, scope, and purposes of the processing of personal data do not meet the criteria set out in Article 37(1) of the GDPR.
In matters related to the protection of personal data, individuals may contact the Data Controller directly via e-mail at: office@handkeds.com.
Scope of the Data Controller’s Responsibility
The Data Controller is responsible in particular for:
- ensuring that the processing of personal data complies with the GDPR and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus),
- implementing and applying appropriate technical and organizational measures to protect personal data,
- ensuring the exercise of the rights of data subjects,
- cooperating with the competent personal data protection supervisory authority in the Republic of Estonia (Andmekaitse Inspektsioon).
3. Categories of Data Subjects
In the course of its business activities, Handke Digital Solutions, operated by Handke Holding OÜ, processes personal data exclusively to the extent necessary for the proper provision of software development, project-based, and administrative services.
Personal data are processed in a transparent, adequate, and proportionate manner, limited to what is necessary in relation to the purposes for which they are collected, in accordance with the data minimization principle set out in Article 5(1)(c) of the GDPR.
The Data Controller processes personal data relating to the following categories of individuals:
3.1. Individual Clients
Natural persons using the services of Handke Digital Solutions, in particular those commissioning the development of websites, applications, automation solutions, or other digital products.
The processed data include, in particular: first and last name, e-mail address, telephone number, billing details, and information provided in the course of the cooperation.
3.2. Business Clients and Company Representatives
Representatives of businesses, companies, or other organizations using the services of Handke Digital Solutions.
The processed data include, in particular: first and last name, job title or position, business e-mail address, telephone number, and data identifying the entity represented by the individual (e.g., company name, address, tax identification number / EU VAT number).
3.3. Prospective Clients and Business Contacts
Natural persons, including representatives of businesses or organizations, who contact the Data Controller in order to obtain information about the offer, cooperation terms, or to establish a business relationship.
Personal data may be provided directly by the data subject (e.g., via a contact form, e-mail correspondence, or telephone conversation) or may originate from publicly available sources, in particular company websites or professional business platforms (e.g., LinkedIn).
The processing of personal data in this scope is carried out on the basis of the Data Controller’s legitimate interest in conducting informational activities, establishing and maintaining business relationships, and developing its business operations (Article 6(1)(f) of the GDPR).
Data subjects whose personal data are processed on this basis have the right to object to the processing of their personal data at any time, in accordance with Article 21 of the GDPR.
3.4. Suppliers and Technical Partners
Natural persons conducting business activities and representatives of entities cooperating with Handke Digital Solutions in the provision of auxiliary services, such as hosting, graphic design, accounting, translation services, or IT support.
Personal data are processed for the purpose of entering into and performing contracts or fulfilling legal obligations related to the conduct of business activities.
3.5. Individuals Contacting the Data Controller
Individuals submitting inquiries, feedback, or notifications via contact forms, e-mail, telephone, or other communication channels.
The processed data include basic contact details and the content of the correspondence and are used exclusively for the purpose of responding to the inquiry, handling the request, or resolving the reported matter.
3.6. Representatives of Public Authorities and Institutions
Employees or representatives of public administration bodies, state institutions, and supervisory authorities with whom the Data Controller communicates in connection with the fulfillment of obligations arising from the laws of the Republic of Estonia and the European Union.
Additional Notes
The Data Controller does not obtain personal data from undisclosed sources and does not conduct systematic monitoring of data subjects.
All personal data are processed in accordance with the principles of lawfulness, fairness, transparency, data minimization, integrity, and confidentiality, as set out in Article 5 of the GDPR and § 11 of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
4. Scope of Personal Data Processed
The scope of personal data processed depends on the nature of the relationship with the data subject and the purpose for which the data are processed.
Personal data are processed in an adequate, limited, and proportionate manner, in accordance with the data minimization principle set out in Article 5(1)(c) of the GDPR and § 11(1) of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
The Data Controller may process the following categories of personal data:
4.1. Identification and Contact Data
- first and last name,
- e-mail address (business or private),
- telephone number,
- correspondence or billing address (if required for invoicing purposes),
- company details (e.g., company name, address, tax identification number / EU VAT number, website),
- job title or role within the company.
These data are necessary in order to establish and maintain contact, prepare an offer, perform a contract, or conduct business correspondence.
4.2. Data Related to Projects and Business Cooperation
- data of representatives of clients and business partners,
- information contained in contracts, orders, project specifications, or briefs,
- data necessary for settlements and accounting purposes (e.g., payments, invoices, receipts),
- e-mail correspondence and the history of cooperation,
- files and materials provided by the client for the purpose of performing the service (e.g., texts, graphics, screenshots, technical documentation).
4.3. Data Obtained from Publicly Available Sources
- data made publicly available on websites, B2B platforms, or professional portals (e.g., LinkedIn),
- contact details of company representatives published for business purposes.
The processing of such data is carried out in accordance with Article 14 of the GDPR, with an obligation to inform the data subject within the applicable statutory time limits after obtaining the data, unless an exception provided for by law applies.
4.4. Technical and Operational Data
When using the website www.handkeds.com, basic technical data may be automatically recorded, including in particular:
- the IP address of the device,
- browser and operating system identifiers,
- date and time of the connection,
- the visited page or requested resource.
These data are processed exclusively for the purposes of ensuring security, maintaining the continuity of website operations, and preventing abuse (e.g., hacking attempts or server overloads).
Technical data are not used for marketing purposes or profiling, and the Data Controller does not conduct analyses aimed at tracking user activity on the basis of such data.
4.5. Data Related to the Signing or Approval of Electronic Documents
Where documents are signed or approved electronically via SignRequest / Dropbox Sign or other equivalent solutions, a so-called audit trail may be generated, which may include in particular:
- IP address,
- date and time of signing,
- identifying data of the signatory (e.g., first and last name, e-mail address).
The purpose of processing these data is to ensure the authenticity of the signature and the integrity of the document.
The legal basis for such processing is Article 6(1)(f) of the GDPR – the Data Controller’s legitimate interest in ensuring the security and reliability of concluded agreements and documents.
4.6. Technical Data Related to System Maintenance and Backups
In order to ensure service continuity and information security, the Data Controller may process technical data related to the operation of systems and infrastructure, including in particular:
- system identifiers and authentication data (to the extent necessary for access control),
- system logs and event logs,
- backup copies of files and correspondence.
These data are stored on servers located within the European Economic Area (EEA) and are protected by appropriate security measures, including encryption, in accordance with Article 32 of the GDPR.
4.7. Special Categories of Personal Data (Sensitive Data)
As a rule, the Data Controller does not process special categories of personal data within the meaning of Article 9 of the GDPR (e.g., data concerning health, political opinions, ethnic origin, religious beliefs, or sexual orientation).
If a data subject voluntarily provides such data (e.g., in the content of a message or an attachment), their processing takes place exclusively to the extent necessary and in accordance with the applicable legal basis, in particular:
- on the basis of explicit consent (Article 9(2)(a) of the GDPR), or
- to the extent required by applicable legal provisions, where relevant.
Additional Notes
The Data Controller does not obtain personal data from undisclosed sources and does not conduct profiling or automated decision-making.
The Handke Digital Solutions website does not use cookies or analytical tools that track user activity.
Personal data are processed exclusively for purposes related to the provision of software development and technical services, in accordance with the principles of transparency and security set out in Articles 5 and 32 of the GDPR and § 11 of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
5. Purposes and Legal Bases for the Processing of Personal Data
Handke Digital Solutions, operating under Handke Holding OÜ, processes personal data solely to the extent necessary to conduct lawful business activities, in a fair, transparent, and proportionate manner.
The processing of personal data is carried out in accordance with the principles set out in Articles 5 and 6 of Regulation (EU) 2016/679 (the “GDPR”) and §§ 10–11 of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
The Data Controller ensures that personal data are processed exclusively for clearly defined purposes, in accordance with the principle of purpose limitation, and are not further processed in a manner incompatible with those purposes.
5.1. Preparation of Offers and Establishment of Cooperation
Processing of personal data for the purpose of responding to inquiries, preparing service offers, or taking steps at the request of the data subject prior to entering into a contract.
Legal basis: Article 6(1)(b) of the GDPR – processing necessary to take steps at the request of the data subject prior to entering into a contract.
5.2. Performance of Contracts and Orders
Processing of personal data of clients, contractors, partners, and suppliers for the purpose of concluding and performing contracts relating to software development services, website maintenance, or software development and implementation.
Legal basis:
- Article 6(1)(b) of the GDPR – performance of a contract,
- Article 6(1)(c) of the GDPR – compliance with a legal obligation arising from tax and accounting regulations (in particular, §§ 12–13 of the Estonian Accounting Act – Raamatupidamise seadus).
5.3. Correspondence and Handling of Inquiries
Processing of personal data of individuals who contact Handke Digital Solutions via contact forms, e-mail, telephone, or other communication channels, for the purposes of conducting ongoing correspondence and providing responses.
Legal basis: Article 6(1)(f) of the GDPR – the Data Controller’s legitimate interest in responding to inquiries, maintaining contact, and ensuring proper handling of business communications.
5.4. Accounting, Settlements, and Archiving
Processing of financial and documentation-related data necessary for issuing invoices, maintaining accounting records, performing tax settlements, and archiving documents for the period required under Estonian law.
Legal basis:
- Article 6(1)(c) of the GDPR – compliance with a legal obligation of the Data Controller,
- §§ 12–13 of the Estonian Accounting Act (Raamatupidamise seadus) – obligation to retain accounting documentation for a minimum period of seven (7) years.
5.5. Information and Infrastructure Security
Processing of technical data (e.g., IP addresses, system logs, server access data) for the purposes of ensuring the security of IT systems, preventing abuse and data loss, maintaining backup copies, and ensuring service continuity.
Legal basis:
- Article 6(1)(f) of the GDPR – the Data Controller’s legitimate interest in ensuring the security of information and services,
- § 11 of the Estonian Personal Data Protection Act – obligation to ensure the integrity and confidentiality of personal data.
5.6. Electronic Signing of Documents
Processing of personal data in connection with the electronic signing of documents using SignRequest / Dropbox Sign or other equivalent tools, for the purpose of confirming the authenticity of the signature and the integrity of the document.
Legal basis:
- Article 6(1)(b) of the GDPR – performance of a contract or taking steps prior to entering into a contract (depending on the stage of cooperation),
- Article 6(1)(f) of the GDPR – the Data Controller’s legitimate interest in ensuring the security and reliability of concluded agreements.
5.7. Establishment, Exercise, and Defense of Legal Claims
Processing of personal data for the purpose of establishing, exercising, or defending legal claims, including in the context of judicial, administrative, or mediation proceedings.
Legal basis: Article 6(1)(f) of the GDPR – the Data Controller’s legitimate interest in protecting its rights and legitimate interests.
5.8. Compliance with Obligations Toward Public Authorities
Processing and disclosure of personal data to competent public administration, tax, or judicial authorities, where such disclosure is required under applicable laws of the Republic of Estonia or European Union law.
Legal basis:
- Article 6(1)(c) of the GDPR – compliance with a legal obligation,
- § 10(1)(2) of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
5.9. No Profiling or Automated Decision-Making
The Data Controller does not engage in automated decision-making, including profiling, within the meaning of Article 22 of the GDPR.
All decisions concerning clients, contractors, and business partners are made individually by authorized persons.
6. Legal Bases for the Processing of Personal Data
The Data Controller processes personal data only where a clear and lawful legal basis for such processing exists, arising from the provisions of:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”),
- the Estonian Personal Data Protection Act – Isikuandmete kaitse seadus (IKS, RT I, 26.03.2019, 10).
The processing of personal data is always carried out in accordance with the principles set out in Article 5 of the GDPR and § 11 of the IKS, in particular the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, integrity, confidentiality, and accountability.
6.1. Legal Bases for the Processing of Personal Data (Article 6 GDPR)
The Data Controller processes personal data on the basis of the following legal grounds:
a) Consent of the Data Subject
(Article 6(1)(a) GDPR; § 10(1) IKS)
This legal basis applies in situations where the data subject voluntarily and explicitly provides personal data that are not required for the performance of a contract, in particular in the course of voluntary correspondence or by submitting project materials containing additional information.
Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to its withdrawal, in accordance with Article 7(3) of the GDPR.
b) Performance of a Contract or Steps Prior to Entering into a Contract
(Article 6(1)(b) GDPR; § 10(1)(2) IKS)
This legal basis covers the processing of personal data for the purpose of:
- preparing, concluding, and performing contracts with clients and contractors,
- providing software development, design, or technical services,
- maintaining ongoing operational contact and managing cooperation.
c) Compliance with a Legal Obligation of the Data Controller
(Article 6(1)(c) GDPR; § 10(1)(3) IKS)
This legal basis covers the processing of personal data required under the laws of the Republic of Estonia and the European Union, in particular with regard to:
- maintaining and retaining accounting and tax documentation in accordance with §§ 12–13 of the Estonian Accounting Act (Raamatupidamise seadus) (retention period of at least seven (7) years),
- tax and reporting obligations,
- compliance with obligations toward public administration bodies and supervisory authorities.
d) Legitimate Interests of the Data Controller
(Article 6(1)(f) GDPR; § 11(2) IKS)
The Data Controller processes personal data to the extent necessary for the purposes of its legitimate interests, such as:
- conducting ongoing correspondence and handling inquiries,
- ensuring the security of IT systems, documents, and technical infrastructure,
- maintaining backup copies and system logs,
- establishing, exercising, or defending legal claims.
In each case, the Data Controller assesses whether its interests are overridden by the rights and freedoms of the data subject, in accordance with Article 6(1)(f) of the GDPR in conjunction with Recital 47 of the GDPR.
Where personal data are processed on this basis, the data subject has the right to object to such processing in accordance with Article 21 of the GDPR.
6.2. Processing of Special Categories of Personal Data (Article 9 GDPR)
As a rule, the Data Controller does not process special categories of personal data within the meaning of Article 9(1) of the GDPR.
If a data subject voluntarily discloses such data (e.g., in the content of a message, an attachment, or a document), such data are processed solely:
- on the basis of the explicit consent of the data subject (Article 9(2)(a) GDPR; § 21 IKS), or
- to the extent strictly required by mandatory provisions of law.
Such data are subject to enhanced technical and organizational security measures in accordance with Article 32 of the GDPR.
6.3. General Principles of Data Processing
The Data Controller ensures that all personal data processing operations are carried out in compliance with:
- Articles 5 and 6 of the GDPR – principles of lawfulness, purpose limitation, data minimization, integrity, confidentiality, and accountability,
- § 11 of the IKS – principles of proportionality, fairness, and data adequacy,
- Article 32 of the GDPR – security of processing, including encryption, access control, and backup creation,
- Article 24 of the GDPR – the principle of accountability of the Data Controller.
The Data Controller does not engage in automated decision-making or profiling within the meaning of Article 22 of the GDPR.
6.4. Legal Compliance Assessment and Internal Documentation
In order to ensure full compliance with the GDPR and the laws of the Republic of Estonia, the Data Controller maintains and regularly updates, in particular:
- a Record of Processing Activities in accordance with Article 30 of the GDPR,
- Legitimate Interest Assessments where processing is based on Article 6(1)(f) of the GDPR,
- an information security and personal data protection policy,
- procedures for responding to personal data breaches in accordance with Articles 33–34 of the GDPR and § 23 of the IKS.
7. Sources of Personal Data
Personal data processed by Handke Digital Solutions, operating under Handke Holding OÜ, are obtained both directly from the data subjects and from lawful, publicly available sources.
The Data Controller acts in accordance with Article 14 of the GDPR and §§ 14–15 of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus, “IKS”) and—where personal data are obtained indirectly—is required to inform the data subject of the source of such data without undue delay, no later than within the time limits specified in Article 14(3) of the GDPR, unless a statutory exemption applies.
7.1. Data Obtained Directly from Data Subjects
Personal data may be provided voluntarily in the course of ongoing communication and cooperation, in particular:
- via e-mail, telephone calls, and online communication tools,
- through contact forms available on the website www.handkeds.com,
- during online meetings or direct business discussions,
- as part of project materials, documents, or files provided where necessary for the performance of a contract.
7.2. Data of Clients, Contractors, and Business Partners
Personal data of representatives of companies, clients, and business partners may originate from:
- direct business contacts (e-mail, telephone, meetings),
- official websites of companies and organizations,
- corporate and professional profiles on platforms such as LinkedIn,
- public business registers, including the Estonian Äriregister (E-Business Register),
- industry events and networking activities.
Such data are used solely to the extent necessary to establish or maintain cooperation and to pursue the legitimate business purposes of the Data Controller.
7.3. Data of Representatives of Public Authorities and Administrative Bodies
Such data originate from official correspondence (letters, e-mails, electronic documents) and public professional sources and are processed exclusively to the extent required by applicable law, in accordance with Article 6(1)(c) of the GDPR and § 10 of the IKS.
7.4. Data Obtained from Other Lawful Sources
The Data Controller may also obtain personal data from lawful, publicly available sources, such as:
- public industry directories and B2B contact registers,
- information portals or websites containing company contact details published for business purposes,
- social media platforms—solely to the extent that professional information has been made publicly available by the individual (e.g., a LinkedIn profile or a company page).
The Data Controller does not collect data from private accounts, does not use covert data collection methods, and does not process data obtained from non-public sources.
7.5. Technical Data Related to Electronic Signatures
When documents (e.g., agreements, forms) are signed electronically using SignRequest / Dropbox Sign or other equivalent systems, certain technical and identification data may be automatically recorded, in particular:
- the IP address of the device,
- the date and time of signing,
- identifiers related to the signing process (e.g., user or device identifiers), where generated by the system.
The purpose of processing such data is to ensure the authenticity of the signature, the integrity of the document, and the reliability of concluded agreements.
The legal basis for such processing is Article 6(1)(f) of the GDPR and § 11 of the IKS.
7.6. Technical Data from the Web Server
When using the website www.handkeds.com, basic technical data may be automatically recorded, such as:
- the IP address of the device,
- the type and version of the browser,
- the operating system,
- the date and time of the connection,
- server log files.
These data are processed exclusively for the purposes of ensuring the security, stability, and proper functioning of the website, in accordance with Article 6(1)(f) of the GDPR and § 11 of the IKS (principle of integrity and confidentiality).
The Data Controller does not engage in profiling or systematic monitoring of users and does not apply tracking technologies for marketing purposes.
8. Recipients of Personal Data
Personal data may be disclosed solely to trusted entities that support the Data Controller in carrying out business activities, providing services, or fulfilling legal obligations, as well as to public authorities where such disclosure is required under the laws of the Republic of Estonia or European Union law.
All disclosures and transfers of personal data are carried out in accordance with Article 28 and Articles 44–49 of the GDPR and with due regard to the provisions of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus, “IKS”), while observing the principles of data minimization, confidentiality, and purpose limitation.
Categories of Data Recipients
8.1. Technical and Organizational Service Providers Supporting the Data Controller
Personal data may be transferred or made available to entities providing auxiliary services to the Data Controller, in particular:
- hosting and server service providers,
- e-mail service providers and online communication operators,
- providers of IT systems and cloud-based solutions,
- providers of electronic signature services (e.g., SignRequest / Dropbox Sign),
- accounting and bookkeeping service providers,
- law firms and business advisors,
- entities providing technical support and IT infrastructure maintenance services.
Such entities process personal data solely to the extent necessary to provide services to the Data Controller and, where they act as data processors, on the basis of a Data Processing Agreement concluded in accordance with Article 28 of the GDPR.
Each data processor is obliged, in particular, to:
- maintain confidentiality,
- apply appropriate technical and organizational measures (Article 32 of the GDPR and § 11 of the IKS),
- process personal data only on documented instructions from the Data Controller.
8.2. Public Authorities and Institutions
Personal data may be disclosed exclusively to authorities legally entitled to request such data under applicable law, in particular:
- the Estonian Tax and Customs Board (Maksu- ja Tolliamet),
- the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon),
- courts, law enforcement authorities, and other supervisory or control bodies,
- authorities of the European Union and the European Economic Area, to the extent required by applicable regulations.
Disclosure of personal data to such entities takes place solely in cases required by law and only to the minimum extent necessary to fulfill the Data Controller’s legal obligations.
8.3. Service Providers Involved in Project-Based Cooperation
In certain cases, personal data may be transferred to entities cooperating in the implementation of IT projects (e.g., independent contractors or subcontractors) who perform specific technical tasks.
Such entities process personal data solely to the extent necessary to perform the entrusted tasks and on the basis of an appropriate agreement, including—where applicable—a data processing agreement concluded in accordance with Article 28 of the GDPR.
Principles Governing Data Transfers
All transfers of personal data are carried out solely to the extent necessary to achieve the purposes specified in this Privacy Policy and on the basis of an appropriate legal ground pursuant to Article 6 of the GDPR.
The Data Controller ensures that all recipients of personal data process such data in accordance with the principles of security and confidentiality set out in Article 32 of the GDPR and § 11 of the Estonian Personal Data Protection Act.
Personal data are not disclosed to social media platforms or advertising networks and are not used for marketing, advertising, or profiling purposes.
The Data Controller does not sell personal data and does not disclose them to third parties without a valid legal basis.
9. Transfers of Personal Data Outside the European Economic Area (EEA)
In the course of its business activities, Handke Digital Solutions, operated by Handke Holding OÜ, may process personal data using tools and services provided by external service providers which, in certain cases, may involve the transfer of personal data outside the European Economic Area (EEA).
Any such transfer of personal data is carried out solely to the extent necessary to achieve the specific purposes of processing and in full compliance with Articles 44–49 of the GDPR, with the application of appropriate legal safeguards.
9.1. Cloudflare
The Handke Digital Solutions website makes use of Cloudflare services, in particular for the purposes of:
- protection against abuse and network-based attacks,
- securing contact forms (Cloudflare Turnstile),
- handling network traffic and technical logs.
Due to the global nature of Cloudflare’s infrastructure, technical data (such as IP addresses, connection information, or system logs) may be processed on servers located outside the EEA, including in the United States.
Such transfers of personal data may take place on the basis of:
- the European Commission’s Standard Contractual Clauses (SCCs),
- and, where applicable, adequacy decisions confirming an adequate level of data protection (e.g., the EU–US Data Privacy Framework).
9.2. Whereby
Handke Digital Solutions uses the Whereby platform for the purpose of conducting online meetings and communicating with clients and business partners.
Data processed in connection with such meetings (e.g., IP addresses, connection data, and technical metadata) may be processed on servers located both within the EEA and outside the EEA, depending on the participants’ locations and the network infrastructure used at a given time.
Whereby applies appropriate legal safeguards, including the European Commission’s Standard Contractual Clauses (SCCs), in accordance with Articles 44–49 of the GDPR.
9.3. SignRequest / Dropbox Sign
For the purpose of executing electronic signatures on documents, Handke Digital Solutions uses the SignRequest / Dropbox Sign service.
In connection with the use of this service, the following categories of personal data may be processed, in particular:
- the signatory’s first and last name,
- e-mail address,
- IP address,
- date and time of signing,
- the document audit trail.
The use of this service may involve the transfer of personal data outside the EEA, in particular to the United States. Such transfers are carried out on the basis of the European Commission’s Standard Contractual Clauses (SCCs), in accordance with Article 46 of the GDPR.
9.4. Safeguards and General Principles
The Data Controller ensures that:
- personal data are transferred outside the EEA only where such transfer is necessary to achieve specific processing purposes,
- each data processor applies appropriate technical and organizational measures to ensure data security, in accordance with Article 32 of the GDPR,
- all data transfers are carried out exclusively on the basis of valid and lawful data protection mechanisms provided for in Articles 44–49 of the GDPR.
The Data Controller does not transfer personal data outside the EEA in an uncontrolled manner or without an appropriate legal basis.
10. Personal Data Retention Periods
The Data Controller retains personal data solely for the period necessary to achieve the purposes for which the data were collected, in accordance with the storage limitation principle set out in Article 5(1)(e) of Regulation (EU) 2016/679 (GDPR) and the applicable laws of the Republic of Estonia.
Upon the expiry of the applicable retention periods, personal data are permanently deleted, anonymized, or archived in a manner that prevents the identification of the data subject, unless mandatory provisions of generally applicable law (in particular tax, accounting, or archival regulations) require further retention.
10.1. Clients and Contractors
a) Personal data processed for the purpose of preparing, concluding, and performing contracts, based on Article 6(1)(b) of the GDPR, are retained for the duration of the contract and, after its termination, until the expiration of applicable limitation periods for claims, generally no less than three (3) years, unless specific provisions of law provide for a longer period.
b) Personal data processed for ongoing business communication, handling inquiries, and cooperation, based on Article 6(1)(f) of the GDPR (the Data Controller’s legitimate interest), are retained for the duration of the cooperation or until the contact relating to a given matter has ended.
c) Personal data processed for accounting, billing, and tax purposes, based on Article 6(1)(c) of the GDPR (legal obligation), are retained for seven (7) years from the end of the relevant financial year, in accordance with Sections 12–13 of the Estonian Accounting Act (Raamatupidamise seadus), unless mandatory legal provisions require a longer retention period.
d) Personal data processed for the purposes of establishing, pursuing, or defending legal claims, based on Article 6(1)(f) of the GDPR, are retained until the expiration of limitation periods for such claims, generally no less than three (3) years from the termination of the contract or the end of the business relationship.
10.2. Prospective Clients, Suppliers, and Business Partners
a) Personal data of individuals contacted in connection with a potential cooperation or who have provided their data via e-mail, contact forms, or other communication channels, processed on the basis of Article 6(1)(f) of the GDPR, are retained for the period necessary to conduct business discussions or until an objection to processing is raised, but no longer than three (3) years from the last contact activity.
b) Personal data of representatives of entities cooperating with the Data Controller (e.g., in the fields of IT services, hosting, accounting, or consulting), processed on the basis of Article 6(1)(b) and (c) of the GDPR, are retained for the duration of the cooperation and thereafter until the expiration of limitation periods for claims (generally three (3) years), while accounting and tax documentation is retained for seven (7) years, in accordance with Estonian law.
10.3. Individuals Contacting the Data Controller
Personal data of individuals submitting inquiries via the contact form, e-mail, or telephone, processed on the basis of Article 6(1)(f) of the GDPR, are retained for the period necessary to provide a response and conclude the correspondence, and thereafter—where justified—until the expiration of potential claims, but no longer than three (3) years from the end of the contact.
10.4. Technical Data and System Logs
Technical data, server logs, and system event information processed on the basis of Article 6(1)(f) of the GDPR are retained for the period necessary to ensure system security, detect incidents, analyze errors, and prevent abuse, but no longer than ninety (90) days, unless IT security requirements, audit obligations, or other legal duties require a longer retention period.
10.5. Representatives of Public Authorities and Institutions
Personal data of employees or representatives of public authorities and institutions with whom the Data Controller conducts official correspondence are retained for the period necessary to handle the relevant matter and for the archival period required by applicable regulations, but no longer than ten (10) years from the conclusion of the proceedings, inspection, or official matter.
10.6. Final Provisions on Retention
a) Upon the expiry of the retention periods specified above, personal data are permanently deleted, anonymized, or archived in a manner that prevents identification of the data subject, in accordance with applicable law.
b) Where generally applicable legal provisions require a longer data retention period, such period may be extended solely to the extent necessary to comply with those obligations.
c) The Data Controller regularly reviews the personal data it holds and assesses the necessity of their continued retention, ensuring that personal data are not processed for longer than is necessary for the purposes for which they were collected.
11. Voluntary Provision of Personal Data
As a general rule, the provision of personal data by individuals using the services of Handke Digital Solutions, owned by Handke Holding OÜ, is voluntary.
In certain cases, however, the provision of personal data is necessary in order to achieve specific processing purposes, in particular to respond to an inquiry, prepare an offer, conclude or perform a contract, as well as to comply with legal obligations imposed on the Data Controller.
Failure to provide personal data required for a given purpose may result in the inability to respond to an inquiry, prepare an offer, conclude a contract, or perform a programming, maintenance, or other digital service provided by the Data Controller.
11.1. Scope of Required Data
In particular:
- in the case of submitting an inquiry via a contact form, e-mail, or telephone – it is necessary to provide basic contact details enabling identification of the sender and the provision of a response;
- in the case of concluding a contract or placing an order – it is necessary to provide identification and contact data, including company details (e.g., company name, address, EU VAT number), to the extent required to conclude and perform the contract;
- in the case of electronic signing of documents – it may be necessary to provide data required for signature authorization, such as an e-mail address, IP address, and timestamp;
- in the case of issuing an invoice, receipt, or payment confirmation – it is necessary to provide data required by applicable tax or accounting regulations.
11.2. Voluntary Data and Consent
The Data Controller clearly indicates in each case which personal data are necessary to achieve a specific purpose and which data are voluntary.
The scope of processed personal data is limited to the minimum necessary, in accordance with the data minimization principle set out in Article 5(1)(c) of the GDPR.
In situations where the processing of personal data is based on consent (Article 6(1)(a) of the GDPR), in particular in the case of voluntary informational or business contact, the decision to provide personal data rests solely with the data subject.
Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to its withdrawal, in accordance with Article 7(3) of the GDPR.
11.3. General Principles
The Data Controller makes every effort to ensure that data subjects are provided with full transparency regarding the processing of personal data and are given genuine control over the scope of information provided, the purposes of processing, and the data retention period.
The processing of personal data is carried out in compliance with the principles set out in Article 5 of the GDPR, in particular the principles of lawfulness, fairness, transparency, and data minimization.
12. Storage Location of Personal Data and Security Measures
12.1. Location of Data Storage
Personal data processed by the Data Controller are stored exclusively in electronic form – on devices and within systems under the Data Controller’s exclusive control or with trusted service providers whose infrastructure may be located within the European Economic Area (EEA) or, in specific cases, outside the EEA, subject to the application of appropriate legal safeguards in accordance with Articles 44–49 of the GDPR.
The Data Controller does not maintain paper documentation – all personal data are processed, stored, and archived exclusively in digital form.
12.2. Data Processing Locations and Systems
The physical and virtual locations where personal data are processed include, in particular:
- an encrypted laptop used by the Data Controller, protected by a strong password, full disk encryption, and two-factor authentication (2FA);
- an encrypted external data storage device used to create regular backup copies (offline backups), stored in a secure location and physically separated from the primary system;
- servers of the hosting service provider Zone Media OÜ (Zone.ee), Lõõtsa 5, 11415 Tallinn, Estonia – providing hosting and e-mail services, with physical infrastructure located in the Republic of Estonia (EEA), meeting the security requirements set out in Article 32 of the GDPR;
- servers and systems of tools supporting the Data Controller’s operations, including in particular:
  - SignRequest / Dropbox Sign – an electronic signature service that may involve the processing of personal data both within the EEA and outside the EEA, in particular in the United States, based on the use of EU Standard Contractual Clauses (SCCs), in accordance with Article 46 of the GDPR;
  - other auxiliary systems used for administrative, communication, or accounting purposes, whose providers ensure documented compliance with the GDPR and the application of appropriate security measures.
12.3. Technical and Organizational Measures
The Data Controller has implemented and maintains appropriate technical and organizational measures to ensure the security of personal data, in accordance with Article 32 of the GDPR and applicable Estonian law, including in particular:
- encryption of network connections (SSL/TLS);
- encryption of devices and data storage media;
- restriction of access to personal data exclusively to the Data Controller;
- use of strong, unique passwords and two-factor authentication (2FA);
- regular updating of operating systems, software, and security mechanisms;
- creation and secure storage of encrypted backup copies;
- protection of devices with a firewall and malware protection software;
- automatic screen locking and physical protection of equipment against access by unauthorized third parties;
- restriction of data processing to devices secured in accordance with this Privacy Policy;
- cooperation exclusively with IT service providers ensuring GDPR compliance;
- maintenance of a register of data processing agreements and a register of security incidents;
- implementation of procedures for responding to personal data breaches in accordance with Articles 33–34 of the GDPR;
- regular reviews of access rights and periodic security audits, in line with the principles of privacy by design and privacy by default (Article 25 of the GDPR).
13. Rights of Data Subjects
Individuals whose personal data are processed by Handke Digital Solutions, a brand owned by Handke Holding OÜ, are entitled to all rights provided for in Regulation (EU) 2016/679 (GDPR) as well as in the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
In particular, you have the right to receive transparent information about the processing of your personal data, the right of access to your data, the right to rectification, restriction of processing, erasure, data portability, the right to object to processing, and the right to withdraw consent – to the extent and under the conditions set out in applicable law.
13.1. Right of Access to Data and to Obtain a Copy
You have the right to obtain confirmation as to whether the Data Controller processes your personal data and, where that is the case, the right to access such data and to receive a copy thereof, in accordance with Article 15 of the GDPR.
If the request is submitted electronically, the information shall be provided in a commonly used electronic format, unless you request a different form.
13.2. Right to Rectification
You have the right to request the rectification of inaccurate personal data concerning you without undue delay, as well as the completion of incomplete personal data, including by means of providing a supplementary statement, in accordance with Article 16 of the GDPR.
13.3. Right to Restriction of Processing
You have the right to request the restriction of the processing of personal data in the cases specified in Article 18 of the GDPR, in particular where:
- you contest the accuracy of the data – for a period enabling the Data Controller to verify the accuracy of the data;
- the processing is unlawful and you oppose the erasure of the personal data;
- the personal data are no longer needed by the Data Controller, but are required by you for the establishment, exercise, or defense of legal claims;
- you have objected to processing – pending the verification whether the legitimate grounds of the Data Controller override your rights and freedoms.
13.4. Right to Erasure (“Right to Be Forgotten”)
You have the right to request the erasure of personal data in the cases provided for in Article 17 of the GDPR, in particular where:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you have withdrawn consent on which the processing was based and there is no other legal ground for the processing;
- the personal data have been processed unlawfully.
This right does not apply to the extent that processing is necessary for compliance with a legal obligation to which the Data Controller is subject or for the establishment, exercise, or defense of legal claims.
13.5. Right to Data Portability
You have the right to receive the personal data that you have provided to the Data Controller in a structured, commonly used, and machine-readable format, and to transmit those data to another controller, where the processing is based on consent or on a contract and is carried out by automated means, in accordance with Article 20 of the GDPR.
13.6. Right to Object
You have the right to object at any time to the processing of personal data relating to you where such processing is based on the legitimate interests of the Data Controller (Article 6(1)(f) GDPR).
Following an objection, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or grounds for the establishment, exercise, or defense of legal claims.
The right to object does not apply where the processing is necessary for compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) GDPR).
13.7. Right to Withdraw Consent
Where the processing of personal data is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal, in accordance with Article 7(3) of the GDPR.
13.8. Right to Lodge a Complaint with a Supervisory Authority
If you believe that the processing of your personal data infringes the GDPR or the law of the Republic of Estonia, you have the right to lodge a complaint with a competent supervisory authority, in particular with:
Andmekaitse Inspektsioon (AKI)
Tatari 39, 10134 Tallinn, Estonia
tel.: +372 627 4135
e-mail: info@aki.ee
website: https://www.aki.ee
If you reside or work in another Member State of the European Union, or if the alleged infringement occurred there, you may also lodge a complaint with the competent supervisory authority in that Member State, in accordance with Article 77 of the GDPR.
13.9. No Profiling and No Automated Decision-Making
Personal data are not processed in an automated manner that would result in decisions producing legal effects concerning you or similarly significantly affecting you, within the meaning of Article 22 of the GDPR.
The Data Controller does not carry out profiling.
13.10. Exercising Your Rights
For the purpose of exercising any of the rights listed above, you may contact the Data Controller:
e-mail: office@handkeds.com
Handke Holding OÜ / Handke Digital Solutions
Harju maakond, Kesklinna linnaosa
Sakala tn 7-2, 10141 Tallinn, Estonia
The Data Controller shall respond to requests concerning the exercise of data subject rights without undue delay and in any event within one month of receipt of the request, in accordance with Article 12(3) of the GDPR. Where necessary, taking into account the complexity and number of requests, that period may be extended by a further two months, of which the data subject shall be informed.
14. Personal Data Breaches
In the event of a personal data breach—understood as the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data of clients, business partners, or users—the Data Controller shall take immediate action to mitigate the effects of the incident and to prevent its recurrence.
The Data Controller shall, in each case, assess the risk to the rights and freedoms of natural persons and implement appropriate technical and organizational measures to eliminate or limit the effects of the breach.
All incidents related to personal data security are documented in accordance with the principle of accountability referred to in Article 5(2) of the GDPR and in accordance with Section 25(3) of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
14.1. Notification of Breaches to the Supervisory Authority
If a personal data breach is likely to result in a risk to the rights or freedoms of natural persons, the Data Controller shall notify the competent supervisory authority—Andmekaitse Inspektsioon (AKI), Tatari 39, 10134 Tallinn, Estonia—without undue delay and, where feasible, not later than 72 hours after becoming aware of it, in accordance with Article 33 of the GDPR and Section 25 of the Estonian Personal Data Protection Act.
14.2. Communication to Data Subjects
Where a personal data breach is likely to result in a high risk to the rights or freedoms of natural persons, the Data Controller shall inform the affected data subjects of:
- the nature of the personal data breach;
- the likely consequences of the breach;
- the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.
Such communication shall be carried out in accordance with Article 34 of the GDPR, in a clear and intelligible manner.
14.3. Incident Response Procedure
The Data Controller has implemented an internal personal data breach response procedure, which includes in particular:
- identification and classification of incidents;
- immediate actions to contain and mitigate the effects of the breach;
- risk assessment and determination of notification obligations;
- documentation of breaches in an incident register;
- analysis of root causes and implementation of preventive measures to avoid similar incidents in the future.
14.4. Review and Continuous Improvement of Security Measures
The effectiveness of the personal data breach response procedures is reviewed on a regular basis to ensure compliance with the GDPR and the law of the Republic of Estonia, as well as to maintain a high level of security of personal data processing.
15. Automated Decision-Making and Profiling
The Data Controller—Handke Holding OÜ, operating through the Handke Digital Solutions brand—does not carry out automated decision-making processes, including profiling, which would produce legal effects concerning natural persons or similarly significantly affect them, within the meaning of Article 22 of Regulation (EU) 2016/679 (GDPR) and Section 23 of the Estonian Personal Data Protection Act.
All decisions concerning clients, business partners, and individuals contacting the Data Controller are made exclusively by a human decision-maker, based on an individual assessment of the information provided, documents submitted, or correspondence conducted. No decisions are made solely by automated means.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person’s behavior, preferences, interests, or other personal characteristics.
The Data Controller may use technical or analytical tools that support operational activities (such as automated email sorting, filtering of contact form submissions, or basic statistical tools relating to website traffic); however, the use of such tools does not result in autonomous decision-making with respect to natural persons.
Any decision concerning a natural person always requires human involvement and an individual assessment of the specific circumstances.
16. Supervisory Authority
If you have any concerns regarding the manner in which your personal data are processed, or if you believe that your rights under Regulation (EU) 2016/679 (GDPR) have been infringed, you have the right to lodge a complaint with a competent supervisory authority—regardless of your place of residence, place of work, or the place of the alleged infringement—in accordance with Article 77 of the GDPR and Section 21 of the Estonian Personal Data Protection Act.
For the activities carried out by Handke Holding OÜ / Handke Digital Solutions, the competent supervisory authority in the Republic of Estonia is:
Andmekaitse Inspektsioon (AKI)
Tatari 39, 10134 Tallinn, Estonia
tel.: +372 627 4135
e-mail: info@aki.ee
website: https://www.aki.ee
If you reside or work in another Member State of the European Union or the European Economic Area (EEA), or if the alleged infringement occurred there, you may also lodge a complaint with the competent data protection authority in that Member State, in accordance with Article 77 of the GDPR.
Before submitting a complaint, the data subject may contact the Data Controller directly in order to clarify the matter:
e-mail: office@handkeds.com
Handke Holding OÜ / Handke Digital Solutions
Harju maakond, Kesklinna linnaosa
Sakala tn 7-2, 10141 Tallinn, Estonia
The Data Controller shall make every reasonable effort to handle the matter in a diligent, transparent, and lawful manner, in accordance with the GDPR and the law of the Republic of Estonia.
17. Jurisdiction and Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Estonia, and interpreted in compliance with Regulation (EU) 2016/679 (GDPR) and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
Any disputes or claims arising out of or in connection with the processing of personal data, the use of the website, or the services provided by Handke Holding OÜ / Handke Digital Solutions shall be subject to the jurisdiction of the courts of the Republic of Estonia having territorial jurisdiction over the registered seat of the Data Controller, in particular the Harju County Court (Harju Maakohus) in Tallinn.
The provisions of this section do not limit the rights of natural persons, including consumers, arising from mandatory provisions of European Union law or the law of their country of residence within the European Union or the European Economic Area.
In the event of any inconsistency between the provisions of this Privacy Policy and the applicable provisions of European Union law, the provisions of the GDPR and the national laws implementing it shall prevail.
18. Updates to the Privacy Policy
This Privacy Policy may be updated from time to time in order to ensure compliance with applicable laws, in particular Regulation (EU) 2016/679 (GDPR) and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), as well as to reflect changes in the scope of business activities, services provided, technologies used, or personal data processing procedures.
Each updated version of the Privacy Policy is published on the official website of Handke Digital Solutions at:
https://handkeds.com
The effective date of the current version of the Privacy Policy is indicated each time within the content of this document.
In the event of material changes that may affect the rights of data subjects or the manner in which personal data are processed (in particular changes to processing purposes, legal bases, categories of recipients, or IT service providers), the Data Controller shall inform data subjects in a transparent manner, in particular by:
- a clear notice published on the website; or
- an email notification, where the Data Controller holds the relevant contact details and such communication is feasible.
The Data Controller recommends that users regularly review the current version of the Privacy Policy in order to stay informed about the applicable rules governing the processing of personal data.
19. Marketing Activities and Contact with the Data Controller
The website of Handke Digital Solutions / Handke Holding OÜ does not use cookies or tracking technologies for analytical or advertising purposes. The use of the website does not involve automatic processing of users’ personal data for marketing purposes.
The Data Controller conducts marketing activities exclusively within the scope of promoting its own IT, development, and digital services, in particular through:
- the publication of content on official corporate profiles on social media platforms (e.g. LinkedIn);
- direct communication within B2B relationships.
Marketing activities do not involve profiling or automated decision-making with respect to natural persons.
Within the scope of direct marketing, the Data Controller may contact representatives of companies and institutions, using their business contact data (e.g. name, surname, job title, business email address), in order to present an offer of cooperation in the field of digital services. Such contact (so-called B2B marketing / cold emailing) is carried out solely on the basis of the Data Controller’s legitimate interest in marketing its own services, pursuant to Article 6(1)(f) of the GDPR.
Any person contacted by the Data Controller for marketing purposes has the right to object at any time to the processing of personal data for such purposes. An objection may be submitted by sending an email to:
office@handkeds.com
Users may also contact the Data Controller on their own initiative via email or through the contact form. Personal data provided in this manner (e.g. name, email address, message content) are processed exclusively for the purpose of responding to the inquiry or conducting correspondence, pursuant to Article 6(1)(f) of the GDPR.
Personal data processed in connection with marketing activities and communication are not used for advertising purposes directed at website users, nor for profiling, and are processed in accordance with the principles of data minimization, integrity, and transparency set out in Article 5 of the GDPR.
20. Cookies
The website of Handke Digital Solutions / Handke Holding OÜ does not use cookies or other tracking technologies for marketing, analytical, advertising, or profiling purposes.
The Data Controller does not use analytical tools, remarketing solutions, or systems monitoring user behavior for statistical or commercial purposes. Use of the website does not involve automatic processing of users’ personal data for such purposes.
The website may use only technical mechanisms strictly necessary for its proper and secure operation, in particular those related to protection against abuse, network attacks, or unauthorized access attempts (e.g. security solutions provided by Cloudflare).
These mechanisms do not serve to track users and do not require user consent, in accordance with Article 5(3) of Directive 2002/58/EC (ePrivacy) and Section 102 of the Estonian Electronic Communications Act (Elektroonilise side seadus).
Accordingly, at the current stage, there is no requirement to display a cookie banner or to obtain user consent.
If, in the future, cookies or similar technologies are implemented for purposes other than strictly technical ones (e.g. analytical or functional purposes), the Data Controller shall inform users in a transparent manner and obtain the required consents in accordance with applicable laws, in particular:
- Directive 2002/58/EC (ePrivacy);
- the laws of the Republic of Estonia;
- Article 6(1) of Regulation (EU) 2016/679 (GDPR).