Privacy Policy

Last updated: December 4, 2025

1. General Information and Data Controller

1.1. Scope of this document
This document outlines the rules governing the processing of personal data of individuals who use services provided under the Hansa Careers brand, operated by Handke Holding OÜ, a company registered in the Republic of Estonia. The purpose of this Privacy Policy is to clearly and transparently explain how and to what extent personal data is processed when individuals interact with the Controller in the course of its business activities.

1.2. Information about the Data Controller

Handke Holding OÜ
Harju maakond, Kesklinna linnaosa
Sakala tn 7-2
10141 Tallinn
Estonia

registration number (registrikood): 17387477
EU VAT number: EE102932869

1.3. Nature of business activities
The Controller operates in the field of employment intermediation services within the European Union and the European Economic Area, particularly facilitating communication and cooperation between employers and individuals seeking employment.

1.4. Individuals covered by this Privacy Policy
This Privacy Policy applies in particular to individuals who:

  • use services provided by the Controller,
  • visit the website www.hansacareers.ee,
  • participate in recruitment processes,
  • contact the Controller for business, administrative, or informational purposes,
  • engage in professional correspondence with the Controller,
  • represent public or private entities in the context of formal cooperation.

1.5. Purposes for which data is processed
The rules set out in this Policy apply to the processing of personal data in connection with:

  • operating and maintaining the website www.hansacareers.ee,
  • providing employment intermediation services,
  • conducting client assignments and B2B cooperation,
  • managing ongoing business and administrative correspondence,
  • fulfilling obligations arising from applicable European Union and Estonian law.

1.6. Legal basis
This Privacy Policy has been prepared in accordance with:
– Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (GDPR),
– the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus),
– other applicable legislation of the European Union and the Republic of Estonia.

1.7. Communication Language and Contact Methods
The primary language of the Data Controller’s activities is English. Written communication may be conducted in any official language of the European Union or the European Economic Area.

The preferred and recommended method of contacting the Data Controller is electronic communication, in particular:
– via e-mail at: office@hansacareers.ee,
– through the contact form available on the website: www.hansacareers.ee,
– by phone: +372 5617 1770.

Contact with the Data Controller may also be conducted by postal correspondence to the address specified in Section 1.2. In order to ensure efficient handling of requests and an appropriate level of personal data protection, the Data Controller, operating entirely in a digital environment, nevertheless recommends the use of electronic communication. Traditional postal correspondence, due to the nature of the information transmitted, including the potential transmission of personal data, may be associated with longer processing times and an increased risk of data loss or unauthorized access.

1.8. Voluntary nature of providing data and Controller’s responsibility
Providing personal data is voluntary; however, in certain cases it is necessary to access the Controller’s services, participate in recruitment processes, or receive a response to an inquiry. Failure to provide required data may make it impossible to achieve these purposes.

The Controller is not required to appoint a Data Protection Officer, as the nature and scope of processing do not meet the criteria set out in Article 37(1) of the GDPR.

The Controller is responsible for:
– ensuring that data processing is carried out in accordance with applicable law,
– implementing appropriate technical and organizational measures to safeguard personal data,
– enabling and fulfilling the rights of data subjects,
– cooperating with the Estonian supervisory authority — the Andmekaitse Inspektsioon.

2. Categories of Individuals Whose Data We Process

As part of the operations of Hansa Careers, operated by Handke Holding OÜ, only the personal data necessary for providing employment intermediation services, maintaining business relationships, and ensuring ongoing operational and organizational communication is processed. All processing activities are carried out in accordance with the principles of lawfulness, fairness, transparency, and data minimization as defined in Article 5(1) of the GDPR, and are always limited to what is necessary and proportionate to the purpose for which the data is processed. The Controller processes personal data relating to the following categories of individuals:

2.1. Candidates participating in recruitment processes
Individuals applying for employment through Hansa Careers in response to specific, currently active recruitment processes for which job advertisements have been published. The data processed may include, in particular, information contained in a professional résumé, contact details, and any other information provided by the candidate in relation to the recruitment process. Candidate data may be obtained:

  • directly from the candidate,
  • from publicly available sources, but only to the extent that the candidate has made such information publicly accessible, in accordance with Article 14 of the GDPR.

This data is processed solely for the purpose of carrying out a specific recruitment process and is shared exclusively with clients for whom that recruitment process is conducted.

2.2. Candidates submitting data outside active recruitment processes
The Controller processes candidate data exclusively in relation to specific and active recruitment processes. If the Controller is not conducting any ongoing recruitment processes, or if individuals submit their data—particularly professional résumés or messages—without reference to a specific job advertisement, such data is not accepted or used in any recruitment process. Data submitted on a voluntary basis, without responding to a specific job advertisement, is not reviewed, stored, or forwarded, and may be deleted immediately upon receipt, unless otherwise required by law. The Controller does not maintain a database of spontaneous or unsolicited candidate submissions and does not use such submissions in future recruitment processes. Contact is made only with individuals who have explicitly applied for a specific job posting or who have publicly expressed an interest in employment—for example, through publicly available posts on social media—and solely to the extent necessary to initiate communication regarding the relevant job opportunity.

2.3. Clients and their representatives
Individuals and representatives of business entities with whom the Controller cooperates in the provision of employment intermediation services. The data processed includes, in particular, names, contact details, professional roles, and information necessary for executing contracts or business cooperation.

2.4. Potential clients and business partners
Individuals with whom contact has been established for the purpose of proposing cooperation, or whose data has been obtained from publicly available sources such as company websites or professional business platforms. This data is processed on the basis of the Controller’s legitimate interest in conducting business activities and developing business relationships.

2.5. Contractors and service providers
Individuals conducting business activity as sole proprietors and representatives of entities providing services to the Controller that are necessary for the operation of the business, particularly technical, accounting, legal, or communication services. This data is processed for the purpose of performing contracts, maintaining ongoing communication, and fulfilling statutory obligations.

2.6. Other individuals contacting the Controller and representatives of public authorities
Individuals who send inquiries through contact forms, email, or other communication channels, as well as representatives of public bodies and institutions with whom the Controller conducts official correspondence. This data is processed solely for the purpose of handling correspondence, providing responses, or fulfilling legal obligations.

Additional Information
The Controller:
– does not obtain data from non-public sources,
– does not conduct systematic monitoring of individuals,
– does not process data irrelevant to the purposes pursued.

3. Scope of Personal Data Processed

The scope of personal data processed depends on the nature of the relationship between the Controller and the data subject, as well as the purpose for which the data is provided. The Controller processes only the data necessary to achieve specific, lawful purposes, in strict adherence to the principle of data minimization. Personal data is processed in a manner that is adequate, relevant, and limited to what is necessary, in accordance with Article 5(1)(c) of the GDPR and § 11 of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).

3.1. Identification and contact data
The Controller may process, in particular, the following categories of data:

  • first and last name,
  • email address,
  • telephone number,
  • other contact details voluntarily provided in correspondence or through a contact form,
  • business-related information in the context of professional communication (company name, job title, business email address, business phone number).

This data is processed for the purposes of communication, responding to inquiries, performing cooperation, or fulfilling administrative obligations.

3.2. Data of candidates participating in recruitment processes
When active recruitment processes are underway, the Controller processes data provided by candidates exclusively in response to specific recruitment advertisements. The processed data may include:

  • information contained in a résumé (CV), such as professional experience, education, qualifications, skills, and language proficiency,
  • the content of the message submitted in connection with the application,
  • other information voluntarily provided by the candidate in relation to the advertised position.

The Controller does not obtain candidate data from sources other than direct contact in response to a job posting and does not process candidate data beyond what is necessary for the specific recruitment process.

3.3. Candidates submitting data outside recruitment processes
If the Controller is not conducting active recruitment processes or has not published job advertisements, personal data submitted on an unsolicited basis (particularly CVs sent without reference to a specific job posting) is not accepted or used. Such data is deleted without further processing, and the Controller does not create databases or records of spontaneously submitted applications. The Controller only accepts and reviews applications submitted in response to specific, active recruitment advertisements.

3.4. Client and business cooperation data
The Controller processes personal data of clients and their representatives to the extent necessary for providing employment intermediation services and conducting business cooperation. This data may include:

  • name of the contact person,
  • email address and telephone number,
  • job title or professional role,
  • information contained in contracts, invoices, and accounting documentation.

This data is processed to perform contracts, maintain working communications, and comply with tax and accounting obligations.

3.5. Data contained in communication and correspondence
The Controller processes data contained in correspondence conducted via email, contact forms, or other communication channels. The scope of the processed data depends on the content of the message sent by the correspondent and is limited to what is necessary to respond or address the matter.

3.6. Technical and operational data related to the website
When using the website www.hansacareers.ee, technical data may be processed, such as:

  • IP address,
  • browser and operating system information,
  • date and time of connection,
  • technical data stored in server logs.

This data is used solely to ensure website security, protect against misuse, and enable correct website functioning. In this regard, the Controller uses services provided by Cloudflare, Inc., which processes technical data as a processor on behalf of the Controller.

3.7. Data related to video communication
For online meetings or calls, the Controller may use the Whereby platform. Processing is limited to the data necessary to establish a connection, such as the participant’s name or username, IP address, and technical connection data. The Controller does not record meetings or store their content unless participants are informed in advance and provide their consent.

3.8. Special categories of personal data
As a rule, the Controller does not process special categories of personal data as defined in Article 9 of the GDPR. The Controller does not request such data and does not require its submission. If such data is provided voluntarily in correspondence or documents, it will be processed only to the extent necessary to fulfill the purpose for which it was submitted or will be deleted without delay.

4. Purposes and Legal Bases for Processing Personal Data

The Controller processes personal data only to the extent necessary to conduct its activities in compliance with applicable law, and in a manner consistent with the principles of fairness, transparency, and data minimization. Data processing is carried out in accordance with Articles 5 and 6 of Regulation (EU) 2016/679 (GDPR) and the provisions of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus). Personal data is processed solely for clearly defined, legitimate purposes and is not further used in any manner incompatible with those purposes.

4.1. Conducting recruitment processes
Personal data of candidates is processed for the purposes of:

  • receiving and reviewing applications submitted in response to specific recruitment advertisements,
  • communicating with candidates throughout the recruitment process,
  • assessing the candidate’s professional profile in relation to the requirements of a given job offer,
  • forwarding candidate data to clients who are potential employers — strictly within the scope of the specific recruitment process.

Legal basis:
Article 6(1)(a) GDPR — consent of the candidate,
Article 6(1)(b) GDPR — steps taken at the request of the data subject prior to entering into a contract,
Article 9(2)(a) GDPR — explicit consent where the candidate voluntarily discloses special categories of personal data.

4.2. Retaining applications for future recruitment
Candidate data may be stored after the conclusion of a recruitment process only if the candidate provides separate and explicit consent. The data is stored for the period specified in the consent or until the consent is withdrawn.

Legal basis:
Article 6(1)(a) GDPR.

4.3. Entering into and performing contracts
Data of clients, contractors, and business partners is processed for the purposes of:

  • entering into and performing contracts,
  • providing employment intermediation services,
  • handling commercial, administrative, and operational communications.

Legal basis:
Article 6(1)(b) GDPR — performance of a contract,
Article 6(1)(c) GDPR — compliance with legal obligations arising from tax and accounting regulations.

4.4. Maintaining business relationships and B2B marketing
Contact details of company representatives may be processed for the purposes of:

  • conducting ongoing business communication,
  • presenting cooperation proposals,
  • direct marketing in B2B relations.

Legal basis:
Article 6(1)(f) GDPR — the Controller’s legitimate interest in conducting and developing business activities.
The data subject has the right to object to such processing.

4.5. Responding to inquiries and conducting correspondence
Data of individuals who contact the Controller via contact forms, email, or telephone is processed for the purpose of providing responses and conducting ongoing correspondence.

Legal basis:
Article 6(1)(f) GDPR — the Controller’s legitimate interest.

4.6. Settlements, accounting, and archiving
Personal data is processed to fulfill accounting, tax, and archiving obligations arising from the laws of the Republic of Estonia.

Legal basis:
Article 6(1)(c) GDPR — the Controller’s legal obligation.

4.7. Ensuring the security of forms and IT systems (Cloudflare)
The Controller implements technical and organizational measures to protect the website and contact forms against spam, abuse, and automated submissions. For this purpose, Cloudflare services are used, including Turnstile security mechanisms, which may process technical user data such as:

  • IP address,
  • browser and operating system data,
  • technical information necessary for risk assessment.

This data is processed solely to ensure security and integrity of the IT systems.

Legal basis:
Article 6(1)(f) GDPR — the Controller’s legitimate interest in protecting the website and data.

4.8. Establishing, pursuing, or defending legal claims
Personal data may be processed for the purpose of establishing, pursuing, or defending against legal claims.

Legal basis:
Article 6(1)(f) GDPR — the Controller’s legitimate interest.

4.9. Fulfilling obligations towards public authorities
Personal data may be transferred to authorized public authorities, courts, or supervisory bodies to the extent required by law.

Legal basis:
Article 6(1)(c) GDPR — the Controller’s legal obligation.

5. Legal Bases for Processing Personal Data

The Controller processes personal data only when there is a clear and lawful basis for doing so, as provided under:
– Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (GDPR),
– the Estonian Personal Data Protection Act – Isikuandmete kaitse seadus (IKS, RT I, 26.03.2019, 10).

All processing activities are carried out in accordance with the principles set out in Article 5 GDPR and § 11 IKS, in particular the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, integrity, and confidentiality.

5.1. Legal bases for processing personal data (Article 6 GDPR)
The Controller processes personal data on the following legal bases:

a) Consent of the data subject
(Article 6(1)(a) GDPR; § 10(1) IKS)
Applies in situations where the individual voluntarily and unambiguously provides consent, in particular for:

  • participation in future recruitment processes,
  • transmission of data to a potential employer,
  • processing of additional data voluntarily provided (e.g., likeness/image).

Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to its withdrawal (Article 7(3) GDPR).

b) Performance of a contract or steps taken prior to entering into a contract
(Article 6(1)(b) GDPR; § 10(1)(2) IKS)

  • conducting recruitment processes and employment intermediation services,
  • establishing and performing cooperation with clients and contractors,
  • preparing and executing service proposals,
  • maintaining operational communication throughout the cooperation.

c) Compliance with a legal obligation
(Article 6(1)(c) GDPR; § 10(1)(3) IKS)
Covers processing required by Estonian and EU law, in particular:

  • Raamatupidamise seadus §§ 12–13 — obligation to maintain and store accounting records for 7 years,
  • tax and reporting obligations,
  • obligations related to public audits and financial inspections.

d) Legitimate interest of the Controller
(Article 6(1)(f) GDPR; § 11(2) IKS)
Processing necessary for the Controller’s legitimate purposes, such as:

  • conducting ongoing communication and handling inquiries,
  • developing professional relationships and B2B cooperation,
  • direct marketing within a business context (in accordance with Elektroonilise side seadus § 102),
  • ensuring the security of IT systems, contact forms, and documentation,
  • preventing abuse, as well as protection against spam and attacks,
  • establishing, pursuing, or defending legal claims.

The Controller always assesses whether its legitimate interests override the rights and freedoms of the data subject (Article 6(1)(f) GDPR in conjunction with Recital 47 GDPR).

e) Performance of a task carried out in the public interest
(Article 6(1)(e) GDPR; § 10(1)(4) IKS)
Applies to situations involving processing conducted within or under the supervision of public institutions, particularly labor market and mobility programs (e.g., Eesti Töötukassa, EURES, EU programs), where such processing occurs.

5.2. Processing of special categories of personal data (Article 9 GDPR)
As a rule, the Controller does not process special categories of personal data referred to in Article 9(1) GDPR. If a data subject voluntarily discloses such information (e.g., health or disability data):

  • processing takes place only on the basis of explicit consent (Article 9(2)(a) GDPR; § 21 IKS),
  • such data is subject to enhanced technical and organizational security measures (Article 32 GDPR),
  • lack of consent does not result in any negative consequences.

5.3. General principles of data processing
The Controller ensures that all personal data processing operations comply with:
– Articles 5 and 6 GDPR,
– § 11 Isikuandmete kaitse seadus,
– Article 32 GDPR — regarding processing security,
– Article 24 GDPR — accountability principle.

The Controller does not conduct automated decision-making or profiling within the meaning of Article 22 GDPR.

5.4. Compliance assessment and internal documentation
To ensure compliance with the GDPR and Estonian law, the Controller maintains and updates:

  • a record of processing activities (Article 30 GDPR),
  • legitimate interest assessments for processing under Article 6(1)(f) GDPR,
  • information security documentation,
  • procedures for responding to personal data breaches (Articles 33–34 GDPR, § 23 IKS).

6. Sources of Personal Data

The personal data processed by the Controller originates exclusively from lawful sources and is obtained in a manner compliant with applicable law, in particular Articles 13 and 14 of Regulation (EU) 2016/679 and the relevant provisions of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).

If personal data is obtained from sources other than directly from the data subject, the Controller fulfils the information obligation within a reasonable period, no later than within 30 days from the date of collection, unless otherwise required by law.

6.1. Data obtained directly from data subjects
Personal data is voluntarily provided to the Controller by individuals, in particular through:

  • contact forms available on the website,
  • email correspondence,
  • telephone conversations or online meetings,
  • responses to recruitment advertisements published by the Controller,
  • ongoing communication during cooperation or business contacts.

The scope of the provided data depends on the nature of the contact and the purpose for which the individual is reaching out to the Controller.

6.2. Data obtained as part of recruitment processes
With regard to job candidates, personal data is obtained exclusively:

  • directly from candidates responding to a specific recruitment advertisement published by the Controller,
  • within communication initiated by the candidate in the context of a specific position.

The Controller does not accept and does not process résumés or other candidate data submitted spontaneously if no active recruitment processes are underway or if the data does not relate to a specific job offer.
Such data is deleted without undue delay and is not used for any recruitment purposes.

The Controller does not use non-public data sources and does not collect data from private or restricted social media profiles.

6.3. Data of clients, contractors, and business partners
Personal data of clients, contractors, and their representatives is obtained through:

  • direct professional contacts,
  • negotiations, contract conclusion, and performance,
  • publicly available sources related to professional or business activity.

Such data is processed solely to the extent necessary to conduct business cooperation, operational communication, and fulfil legal obligations.

6.4. Data of representatives of public authorities and institutions
The Controller processes personal data of representatives of offices, public institutions, and supervisory authorities strictly within the scope arising from:

  • conducting official correspondence,
  • fulfilling legal obligations,
  • cooperation with relevant public administration authorities.

The scope of the processed data typically includes the individual’s name, official email address, position or function, and other data provided in the context of formal communication.
The legal bases for such processing are, in particular, Article 6(1)(c) and Article 6(1)(f) of Regulation (EU) 2016/679.

6.5. Technical data and form security
When using the Controller’s website and contact forms, basic technical data may be automatically processed, such as:

  • IP address,
  • date and time of connection,
  • technical information about the browser and operating system,
  • data necessary to ensure secure communication.

To protect contact forms against abuse, spam, and automated submissions, the Controller uses the services of a security infrastructure provider (Cloudflare, Inc.).
As part of this mechanism, technical user data — including IP address and connection-related information — may be processed.

Data processing in this context is carried out on the basis of:
– Article 6(1)(f) GDPR — the Controller’s legitimate interest in ensuring system security and protection against abuse,
– appropriate safeguards and legal mechanisms applicable to data transfers outside the European Union.

6.6. Registry, accounting, and documentation data
Personal data processed for accounting, tax, or archiving purposes originates from:

  • clients and contractors directly,
  • contractual and billing documentation,
  • official correspondence related to business operations.

The scope and retention period for such data are determined directly by applicable Estonian and EU legal requirements.

7. Recipients of Personal Data

Personal data processed by Hansa Careers, a brand operated by Handke Holding OÜ, may be disclosed only to recipients who:
– are legally entitled to receive the data under applicable law, or
– process the data on behalf of the Controller in connection with the performance of specific business or legal purposes.

All data disclosures are carried out in accordance with Articles 28 and 44–49 of Regulation (EU) 2016/679, as well as the relevant provisions of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), with full respect for the principles of data minimization, confidentiality, and purpose limitation.

7.1. Potential employers and recruitment partners
Candidate data may be shared with potential employers or recruitment partners exclusively:

  • as part of a specific recruitment process,
  • after informing the candidate in advance,
  • to the extent necessary to assess professional qualifications,
  • on the basis of an appropriate legal basis, in particular the candidate’s consent or steps taken prior to entering into a contract.

Data is not disclosed in bulk, nor is it used outside the clearly defined recruitment process.

7.2. Technical and organizational entities processing data on behalf of the Controller
Personal data may be entrusted to entities supporting the Controller’s operations, in particular:

  • hosting and server infrastructure providers,
  • email and contact form service providers,
  • providers of IT tools and communication systems,
  • providers of online meeting and video communication tools,
  • providers of security solutions and anti-abuse systems, including form protection tools,
  • accounting and bookkeeping service providers,
  • law firms, tax advisors, and business advisors.

These entities process personal data solely on the basis of a data processing agreement and are required to:
– maintain confidentiality,
– apply appropriate technical and organizational measures,
– process data exclusively on documented instructions from the Controller.

7.3. Candidates and clients
Personal data may be shared with candidates or clients only to the extent necessary to fulfil a specific purpose, in particular:

  • providing candidates with information about working conditions, job location, or employer profile,
  • providing clients with information about a candidate within an ongoing recruitment process.

The scope of the data disclosed is always limited to the minimum required and depends on the stage of the process.

7.4. Public authorities and institutions
Personal data may be transferred to authorized public authorities strictly to the extent required by law, in particular:

  • tax authorities,
  • labor offices and labor market institutions,
  • the data protection supervisory authority,
  • courts, law enforcement agencies, and other supervisory bodies,
  • institutions of the European Union and the European Economic Area.

7.5. Providers of online communication services
For online meetings or remote communication, personal data such as name, email address, or technical connection data may be processed by providers of remote communication tools.
Such processing is carried out solely to enable communication and organize meetings, and is based on the Controller’s legitimate interest or steps taken before entering into a contract.

7.6. Recipients of technical data for security purposes
To ensure the security of the website, IT infrastructure, and contact forms, technical user data — such as IP address or connection information — may be processed by network security service providers.
When data is transferred outside the European Union, appropriate legal safeguards required under Articles 44–49 GDPR are applied.

7.7. General principles of data disclosure
The Controller:

  • does not sell personal data,
  • does not disclose data to third parties without a legal basis,
  • does not transfer data for advertising, marketing, or profiling purposes,
  • does not provide data to social media platforms or commercial portals for marketing purposes.

Each data recipient processes personal data in accordance with the principles of security, confidentiality, and purpose limitation, and only to the extent necessary to perform the assigned task.

8. Transfers of personal data outside the European Economic Area (EEA)

As a rule, the Controller does not transfer personal data outside the European Economic Area (EEA) or to international organisations. The primary personal data processing operations are carried out within the territory of the European Union, in particular using infrastructure located within the EU, including in the Republic of Estonia.

The Controller uses hosting and email services provided by Zone Media OÜ, operating under the trade name zone.ee, whose data processing infrastructure is located within the territory of the European Union.
Personal data processed in connection with the operation of the website and email communication is generally processed within the European Economic Area (EEA) and is subject to the protection arising from Regulation (EU) 2016/679 (GDPR).

In order to ensure the security of the website, contact forms and protection against abuse and automated activities, the Controller also uses services provided by Cloudflare, Inc. In this context, technical data such as IP address, network connection data, browser and device information, as well as data necessary to assess the security of a request, may be processed. Due to the global nature of Cloudflare’s infrastructure, such data may be transferred or made available outside the EEA, in particular to the United States.

Any transfer of personal data in connection with the use of Cloudflare services is carried out in accordance with Chapter V of the GDPR, in particular on the basis of standard contractual clauses approved by the European Commission (Article 46 GDPR) and, where applicable, pursuant to the mechanisms provided under the EU–US Data Privacy Framework.
The Controller applies additional technical and organisational measures, such as encryption of data transmission and limitation of the scope of processed data to the minimum necessary to ensure the security of the service.

The Controller uses electronic document signing services provided by SignRequest B.V. In connection with the use of this service, personal data may be transferred outside the European Economic Area (EEA), in particular to third countries, including the United States.
Such transfers are carried out in accordance with Chapter V of the GDPR, on the basis of standard contractual clauses approved by the European Commission (Article 46 GDPR), as set out in the Data Processing Addendum forming part of the service’s terms and conditions.

The Controller allows online meetings to be conducted using video communication tools, in particular Whereby. Data processed in connection with online meetings is, as a rule, processed within the European Economic Area (EEA).
Due to the global nature of the technical infrastructure and the location of meeting participants, in limited and incidental cases personal data may be transferred outside the EEA. Such transfers are carried out with the application of appropriate safeguards required under the GDPR, in particular standard contractual clauses or other lawful data transfer mechanisms.

Apart from the cases indicated above, the Controller does not carry out permanent or planned transfers of personal data to third countries. Recruitment processes, contact with clients and business partners, email communication and ongoing operational activities are conducted using tools and services that, as a rule, process data within the territory of the European Union.

The Controller allows contact via external internet communication tools exclusively at the initiative of the contacting person and solely for informational purposes. Due to the potential location of servers of such tools outside the EEA, they are not considered a recommended or secure communication channel for matters involving personal data.
The Controller recommends that application documents, special category data and other sensitive information be transmitted exclusively via official communication channels.

In the event of any transfer of personal data outside the EEA, the Controller ensures that such transfer is carried out solely to the extent necessary to achieve the specified purpose, following a transfer risk assessment, and in compliance with the principles of data minimisation, confidentiality and processing security, in accordance with Articles 32 and 44–49 of the GDPR.

9. Data Retention Periods

The Controller retains personal data only for the period necessary to fulfill the purposes for which the data was collected, in accordance with Article 5(1)(e) of Regulation (EU) 2016/679 (GDPR) and § 17 of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).

Upon expiry of the relevant retention periods, the data is permanently deleted, anonymized, or archived in a manner that prevents identification of the individual, unless applicable Estonian or EU law requires further retention.

Retention periods are determined with regard to:

  • the purpose of processing,
  • the legal basis for processing,
  • the nature of the relationship with the data subject,
  • limitation periods for claims under Estonian law.

9.1. Candidate data

a) Personal data processed for a recruitment process in response to a specific job advertisement, based on Article 6(1)(b) GDPR, is retained for the period necessary to establish, exercise, or defend legal claims arising from the Controller’s services.

b) Data processed in connection with contact initiated by the Controller for recruitment-related purposes, based on Article 6(1)(f) GDPR, is retained until the communication relating to the specific matter is concluded.

c) Personal data shared with potential employers for the purpose of conducting a specific recruitment process, based on Article 6(1)(a) GDPR, is retained until the withdrawal of consent or the conclusion of the recruitment process, whichever occurs first.

d) Data processed for the purpose of invoicing and providing services to clients in support of recruitment activities, based on Article 6(1)(f) GDPR, is retained until the expiry of claims following the conclusion of the contract — generally for 3 years, calculated at the end of the calendar year, in accordance with Estonian law.

e) Data processed for the purpose of establishing, exercising, or defending legal claims arising from the services provided, based on Article 6(1)(f) GDPR, is retained until the expiry of such claims following the termination of the contract — generally for 3 years, unless a longer period is required by law.

f) Data processed for the purpose of communication relating to the Controller’s operations, based on Article 6(1)(f) GDPR, is retained for the period necessary to handle the specific matter.

g) Data retained in the Controller’s database for future recruitment processes, based on Article 6(1)(a) GDPR, is stored for no longer than 12 months from the date consent is given, or until consent is withdrawn — whichever occurs first.

h) Application documents, particularly résumés, submitted outside a response to a specific job advertisement or during periods when no active recruitment processes are underway, are not processed and are deleted without undue delay.

9.2. Client data

a) Personal data processed for the purpose of taking steps prior to entering into a contract or performing a contract, based on Article 6(1)(b) GDPR, is retained for the period required by law, particularly with regard to accounting and tax obligations — generally 7 years under Estonian law, unless a longer period applies.

b) Data processed for ongoing communication related to contract conclusion, performance, or settlement, based on Article 6(1)(f) GDPR, is retained for the duration of the cooperation, unless further processing is necessary to achieve another lawful purpose.

c) Data processed for reporting, accounting, and taxation purposes, based on Article 6(1)(c) GDPR, is retained for the period required under Estonian law — generally 7 years.

d) Data processed to establish, exercise, or defend legal claims arising from contract performance, based on Article 6(1)(f) GDPR, is retained until the expiry of claims — generally 3 years, unless the law provides for a longer period.

9.3. Other categories of data

a) Data of potential clients and contractors is retained for the period necessary to fulfill the purpose of contact or cooperation, but not longer than 3 years from the date of last communication, unless further retention is needed to defend legal claims.

b) Data of suppliers, service providers, and business partners is retained for the duration of the cooperation and thereafter in accordance with limitation periods for claims and accounting/tax obligations.

c) Data of individuals contacting the Controller is retained for the period necessary to respond and close the matter, and subsequently — if justified — until the expiry of claims, not longer than 3 years.

d) Data of representatives of public authorities and institutions is retained for the period necessary to fulfill a legal obligation or conclude an administrative matter, and thereafter for the statutory archiving period, not exceeding 10 years.

9.4. Technical data and form security
Technical data processed as part of the protection of contact forms (Cloudflare Turnstile), including IP address and technical information, is processed automatically and on a short-term basis solely for risk assessment, abuse prevention, and ensuring the security of services.

This data is not retained by the Controller and is not used for marketing or profiling purposes. Retention depends on the settings and security procedures of the service provider and may include short-term technical logs stored only for the time necessary to ensure system security or to analyze potential incidents.

If no security incidents occur, such technical data is not stored long-term.

9.5. Final provisions
Once the above retention periods expire, personal data is permanently deleted, anonymized, or archived in a manner that prevents identification of the individual, in accordance with § 17(4) of the Estonian Personal Data Protection Act.

The Controller regularly reviews stored data and the necessity of its further processing, ensuring that personal data is not retained longer than required for the purposes for which it was collected.

10. Voluntary Provision of Personal Data

10.1. As a rule, the provision of personal data is voluntary. In certain cases, however, the provision of specific data is necessary in order to perform particular actions, provide services, conduct a recruitment process, or enter into or perform a contract with the Controller. Failure to provide the required data may result in the inability to carry out certain activities or achieve a specific purpose.

10.2. In particular:

  • participation in a recruitment process requires the provision of contact details and the submission of application documents;
  • submitting inquiries via a contact form or by email requires the provision of data enabling the identification of the sender;
  • entering into, performing, or settling a contract requires the provision of data necessary to fulfil contractual, tax, or accounting obligations;
  • the use of certain website functionalities may require the processing of basic technical data necessary for the security and proper operation of the systems.

10.3. The Controller always informs individuals which data is required for the specific purpose and which data is optional. The scope of processed data is limited to what is necessary, in accordance with the data minimization principle set out in Article 5(1)(c) GDPR.

10.4. In cases where data is processed on the basis of consent, providing consent is entirely voluntary. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal, in accordance with Article 7(3) GDPR.

10.5. The Controller takes measures to ensure the transparency of personal data processing and to provide individuals with genuine control over the scope, purpose, and duration of the processing of the information they provide.

11. Data storage locations and security measures

11.1. Personal data processed by the Controller is stored exclusively in electronic form, on devices and systems remaining under the Controller’s sole control, as well as in the systems of external service providers used by the Controller in the course of its business activities, in particular hosting services, email services and tools for electronic document signing.
As a rule, such data is stored within the territory of the European Economic Area (EEA); where personal data is processed outside the EEA, this takes place exclusively in accordance with Chapter V of the GDPR, in particular on the basis of standard contractual clauses (Article 46 GDPR).

11.2. The physical and virtual locations for the processing and storage of personal data include in particular:

  • an encrypted laptop belonging to the Controller, protected by a password, full disk encryption and multi-factor authentication;
  • an encrypted external storage medium used for periodic backups, stored in a secure location and separated from the primary system;
  • the infrastructure of the hosting and email service provider Zone Media OÜ (zone.ee), with its registered office at Lõõtsa 5, 11415 Tallinn, Estonia, whose servers are located within the territory of the European Union and whose security measures meet the requirements of Article 32 GDPR and the relevant provisions of the Estonian Isikuandmete kaitse seadus;
  • the systems of external service providers used for the signing and storage of electronically signed documents, in particular contracts and documents related to the Controller’s business activities, which operate primarily within the EEA or – where personal data is processed outside the EEA – on the basis of mechanisms compliant with Article 46 GDPR, in particular standard contractual clauses;
  • the systems of communication tools used for conducting online meetings, whereby the Controller does not record or store audio or video recordings of meetings conducted using such tools.

11.3. The Controller applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data, in accordance with Article 32 GDPR and the provisions of the Estonian Isikuandmete kaitse seadus. These measures include in particular:

  • encryption of data transmission (SSL/TLS);
  • encryption of devices and data storage media;
  • restriction of access to personal data exclusively to the Controller;
  • use of strong and unique passwords and multi-factor authentication;
  • regular updates of operating systems, software and security measures;
  • performance and secure storage of backup copies;
  • use of firewalls and security software;
  • automatic locking of devices and physical protection of hardware against unauthorised access;
  • refraining from using private or unsecured devices for data processing;
  • cooperation exclusively with service providers ensuring compliance with the GDPR;
  • maintaining documentation related to the entrustment of personal data processing and recording incidents;
  • application of procedures for responding to personal data breaches in accordance with Articles 33–34 GDPR;
  • regular reviews of applied safeguards and access rights in accordance with the principles of privacy by design and privacy by default (Article 25 GDPR).

12. Your Rights Related to the Processing of Personal Data

Individuals whose personal data is processed by the Controller are entitled to the rights set out in Regulation (EU) 2016/679 (GDPR) and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus). The Controller ensures full respect for all rights of data subjects and facilitates their exercise in accordance with applicable law.

In particular, you have the right to obtain clear and transparent information regarding the processing of your data, and the rights of access, rectification, restriction of processing, erasure, portability, objection, and withdrawal of consent — to the extent and under the conditions laid down in the GDPR.

12.1. Right of access to data and copies
You have the right to obtain confirmation as to whether the Controller processes your personal data and, if so, the right to access that data and receive a copy, in accordance with Article 15 GDPR. If the request is submitted electronically, the information will be provided in a commonly used electronic format.

12.2. Right to rectification
You have the right to request the immediate rectification of inaccurate personal data or the completion of incomplete data, in accordance with Article 16 GDPR. The Controller will make corrections after verifying the legitimacy of the request.

12.3. Right to restrict processing

a) when you contest the accuracy of the data — for a period enabling the Controller to verify it;
b) when the processing is unlawful and you oppose the deletion of the data;
c) when the Controller no longer needs the data for its purposes, but you need it to establish, exercise, or defend legal claims;
d) when you have objected to the processing — pending verification of whether the Controller’s legitimate grounds override your interests.

12.4. Right to erasure
You have the right to request the deletion of personal data in the cases set out in Article 17 GDPR, particularly when the data is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when the processing was unlawful.
This right does not apply if further processing is necessary for the Controller to comply with legal obligations or to establish, exercise, or defend legal claims, in accordance with Article 17(3) GDPR.

12.5. Right to data portability
You have the right to receive the personal data you have provided to the Controller in a structured, commonly used, machine-readable format and to transmit it to another controller, where the processing is based on consent or a contract and is carried out by automated means, in accordance with Article 20 GDPR.

12.6. Right to object
You have the right to object at any time to the processing of your personal data where it is based on the Controller’s legitimate interest (Article 6(1)(f) GDPR).
Following an objection, the Controller will cease processing the data unless it demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless processing is necessary to establish, exercise, or defend legal claims.
This right does not apply where data is processed to fulfill legal obligations imposed on the Controller.

12.7. Right to withdraw consent
Where processing is based on consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal, in accordance with Article 7(3) GDPR.

12.8. Right to lodge a complaint with a supervisory authority
If you believe that the processing of your personal data violates the GDPR or the Estonian Personal Data Protection Act, you have the right to lodge a complaint with the competent supervisory authority, in particular:
Andmekaitse Inspektsioon (AKI) – the Estonian Data Protection Inspectorate.

If you reside or work in another EU Member State, you may also lodge a complaint with the supervisory authority competent for that Member State, in accordance with Article 77 GDPR.

12.9. Right not to be subject to automated decision-making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, in accordance with Article 22 GDPR.
The Controller does not engage in automated decision-making or profiling. All decisions concerning candidates, clients, and business partners are made by authorized personnel.

12.10. Exercise of data subject rights and contact with the Controller
For the purpose of exercising the rights set out in this Privacy Policy, the data subject may contact the Controller in particular by electronic means:

email address: office@hansacareers.ee

The Controller conducts its activities fully digitally and recommends electronic communication as the primary and most secure form of contact in matters relating to the processing of personal data. Electronic communication enables faster handling of requests and reduces the risk of unauthorised access to personal data.

Written correspondence may be sent to the registered office address of the Controller:
Handke Holding OÜ
Harju maakond, Kesklinna linnaosa
Sakala tn 7-2
10141 Tallinn
Estonia

At the same time, the Controller does not recommend sending documents containing personal data by post, in particular application documents, copies of identity documents or sensitive information. The transmission of such data by traditional mail may involve the risk of unauthorised disclosure during postal handling and remains outside the full control of the Controller.

The Controller shall respond to requests relating to the exercise of data subject rights without undue delay and, in any event, no later than within one month of receipt of the request, in accordance with Article 12(3) of the GDPR. In particularly complex cases, this period may be extended by a further two months, of which the data subject shall be informed.

13. Personal Data Breaches

In the event of a personal data breach — understood as the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data — the Controller promptly undertakes actions aimed at mitigating the effects of the incident and preventing its recurrence.

The Controller assesses each incident individually, evaluating the nature and scope of the breach as well as the potential risks to the rights and freedoms of the affected individuals. Appropriate technical and organizational measures are then implemented to eliminate the cause of the breach and reduce its impact. All incidents related to data security are documented in accordance with the accountability principle set out in Article 5(2) of Regulation (EU) 2016/679 (GDPR) and § 25(3) of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).

If a personal data breach is likely to result in a risk to the rights or freedoms of natural persons, the Controller reports the breach to the competent supervisory authority — Andmekaitse Inspektsioon (AKI), Tatari 39, 10134 Tallinn, Estonia — no later than 72 hours after becoming aware of it, in accordance with Article 33 GDPR and § 25 of the Estonian Personal Data Protection Act, unless the breach is unlikely to result in such a risk.

Where a personal data breach is likely to result in a high risk to the rights or freedoms of natural persons, the Controller will, without undue delay, inform the affected individuals about the nature of the breach, its potential consequences, and the measures taken or proposed to mitigate its adverse effects, in accordance with Article 34 GDPR.

The Controller maintains an internal procedure for responding to personal data breaches, covering incident identification, risk assessment, remedial actions, and notification obligations. The effectiveness of this procedure is regularly reviewed to ensure compliance with the GDPR and Estonian law and to maintain a high level of security in the processing of personal data.

14. Automated Decision-Making and Profiling

The Controller does not engage in automated decision-making processes, including profiling, that would produce legal effects concerning an individual or similarly significantly affect them, within the meaning of Article 22 of Regulation (EU) 2016/679 (GDPR) and § 23 of the Estonian Personal Data Protection Act.

All decisions relating to candidates, clients, and business partners are made by a human being, based on an individual assessment of the information, documents, or correspondence provided. No decisions are made solely by automated means.

The Controller does not employ profiling that involves the automated assessment of personal characteristics, qualifications, behavior, preferences, or professional situation for the purpose of making decisions that would produce legal effects or significantly affect the individual.

As part of routine administrative processes, the Controller may use technical tools for auxiliary purposes (e.g., email filtering, organizing submissions, or classifying incomplete forms). However, these tools do not make independent decisions about individuals and do not replace human judgment.

15. Supervisory Authority

If you have concerns regarding the manner in which your personal data is processed, or if you believe that your rights under Regulation (EU) 2016/679 (GDPR) have been violated, you have the right to lodge a complaint with a competent supervisory authority, regardless of your place of residence, place of work, or the place where the alleged infringement occurred, in accordance with Article 77 GDPR and § 21 of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).

For the activities carried out by the Controller, the competent supervisory authority in the Republic of Estonia is:

Andmekaitse Inspektsioon (AKI), Tatari 39, 10134 Tallinn, Estonia — tel.: +372 627 4135; email: info@aki.ee; website: https://www.aki.ee.

If you reside or work in another European Union Member State, you may also lodge a complaint with the supervisory authority competent for your place of residence or employment, in accordance with Article 77 GDPR.

An up-to-date list of data protection authorities in EU Member States is available on the website of the European Data Protection Board (EDPB): https://edpb.europa.eu.

The Controller nevertheless encourages you to contact it directly beforehand regarding any matters related to data processing, preferably via email at: office@hansacareers.ee.

If necessary, you may also contact the Controller in writing by sending correspondence to the company’s registered address. Please note that traditional postal communication may be less secure for personal data, which is why electronic contact remains the preferred method.

The Controller will make every effort to address each matter transparently, diligently, and in full compliance with the GDPR, without undue delay.

16. Jurisdiction and Applicable Law

This Privacy Policy is governed by the laws of the Republic of Estonia and is interpreted in accordance with Regulation (EU) 2016/679 (GDPR) and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).

To the extent permitted by applicable law, any disputes or claims related to the processing of personal data, the use of the Controller’s website, or the services provided by the Controller shall fall under the jurisdiction of the courts of the Republic of Estonia, competent for the Controller’s registered office.

The provisions of this section do not affect or limit the rights of individuals arising from mandatory provisions of European Union law, in particular consumer protection rules and the rights of data subjects in the EU or the European Economic Area, including those linked to their habitual residence or place of work.

17. Updates to the Privacy Policy

The Controller may periodically update this Privacy Policy in order to ensure its compliance with applicable laws and regulations — in particular Regulation (EU) 2016/679 (GDPR) and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus) — as well as in connection with changes to the scope of its business activities, applied technologies, or personal data processing procedures.

The version of the Privacy Policy published on the Controller’s website, marked with the date of its most recent update, shall always apply. Each new version replaces all previous versions of the document as of the date of its publication.

The Controller recommends that data subjects regularly review the Privacy Policy in order to stay informed about the current rules governing the processing of personal data and the rights available to them.

In the event of introducing changes that are significant from the perspective of data subjects — in particular changes affecting the purposes or legal bases of processing, or modifications to the categories of data recipients — the Controller will inform data subjects in a clear and transparent manner. Such information may be provided through a prominent notice published on the Controller’s website or, where feasible and where the Controller holds a current email address of the data subject, by email.

18. Marketing activities and contact with the Controller

The Controller’s website does not use cookies or other tracking technologies and does not carry out automated collection of personal data for marketing or analytical purposes. Use of the website does not involve profiling or automated processing of users’ personal data in any form.

Marketing activities carried out by the Controller are limited exclusively to the promotion of its own recruitment services, in particular through the publication of information and job offers on social media platforms and by posting recruitment advertisements online. The Controller does not use website users’ data or their behavior to create marketing profiles.

As part of direct marketing activities, the Controller may contact representatives of companies in B2B relationships — for example by using their first name, surname, job title or business email address — solely for the purpose of presenting its recruitment service offerings. The legal basis for such processing is the Controller’s legitimate interest consisting in conducting business activities and promoting its own services.

Any person to whom the Controller directs marketing communications has the right to object at any time to the processing of their personal data for this purpose. An objection may be submitted by sending an email to: office@hansacareers.ee. Upon receipt of such an objection, the data will no longer be used for direct marketing purposes.

The Controller also enables users to initiate contact independently — either via the contact form or by email. Data provided in this manner, including first name, last name, email address or the content of the message, are used exclusively for the purpose of responding, conducting correspondence or handling the inquiry, on the basis of the Controller’s legitimate interest.

Personal data processed in connection with marketing and contact activities are not transferred outside the European Economic Area (EEA), and the processing itself is carried out in accordance with the principles of data minimisation, transparency and purpose limitation set out in Article 5(1) GDPR.

19. Cookies and Similar Technologies

The Controller’s website does not use cookies or any other tracking technologies typically employed for marketing, advertising, or analytics purposes. The Controller does not collect statistics on user behavior, does not use analytics tools, and does not store information about how users navigate the website. Use of the website does not involve profiling or monitoring of users.

The only external technology used on the website is Cloudflare Turnstile, implemented solely to protect the contact forms against spam, automated submissions, and abuse. This solution does not use marketing cookies, does not track users, and is not used to analyze user behavior.

As part of the operation of Cloudflare Turnstile, only basic technical data — such as the user’s IP address or browser signals — may be processed. Such processing occurs exclusively for the purpose of ensuring the security of the service and the integrity of the forms, based on the Controller’s legitimate interest.

Because the website does not use cookies requiring user consent, there is no need to display a cookie banner or obtain any form of consent to use the website, in accordance with the ePrivacy Directive and the Estonian Electronic Communications Act (Elektroonilise side seadus).

If, in the future, the Controller implements cookies or similar technologies that require user consent — for example to improve functionality or enable anonymous statistics — users will be informed clearly and in advance, in a manner compliant with applicable law. In such a case, consent will be obtained in accordance with ePrivacy rules, the GDPR, and Estonian telecommunications law.

Users will be able to manage their cookie preferences at any time through their browser settings or through a cookie management panel, should one be implemented in the future.

20. Server Logs

Using the website involves sending requests to the server on which it is hosted. Each network request is automatically recorded in so-called server logs and may include the following technical data:

  • the user’s device IP address;
  • the date and time of the request;
  • information about the browser and operating system used;
  • the address of the visited subpage;
  • any technical error messages.

This data is technical in nature and is not used to identify users directly or to create user profiles. It is not processed for marketing or analytics purposes.

Server logs are processed in particular for the purpose of:

  • ensuring the security and stability of the website;
  • diagnosing technical system or network errors;
  • detecting abuse, intrusion attempts, and security incidents.

The legal basis for processing the technical data contained in server logs is Article 6(1)(f) GDPR — the Controller’s legitimate interest in ensuring the security of IT systems, in accordance with Article 32 GDPR and § 24 of the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).

Server logs are retained for no longer than 90 days, unless further retention is necessary due to a security incident, abuse, or the need to defend against legal claims. After this period, the data is automatically deleted or anonymized.