1 GENERAL
1.1 Eesti Rahva Muuseum (in English: Estonian National Museum) (hereinafter “ERM” or “we”) is a museum of Estonian and Finno-Ugric cultures.
1.2 This privacy notice (hereinafter “Notice”) provides an overview of how we process, including collect, use, store and disclose your personal data as a residency applicant and resident during the application for and participation in the international residency programme.
1.3 We process your personal data as described in this Notice and in accordance with applicable legislation, including the European Union’s General Data Protection Regulation (2016/679) and other data protection legislation.
2 CONTROLLER
2.1 For the personal data processing purposes described in this Notice, the controller who determines the purposes and means of processing your personal data is: Eesti Rahva Muuseum, registry code 70005536, address Muuseumi tee 2, Tartu 60532, Estonia.
2.2 In case of personal data protection related inquiries, please contact us by writing to andmekaitse@erm.ee.
3 CATEGORIES AND SOURCES OF PERSONAL DATA
3.1.1 Basic data: full name, e-mail address, country of residence (hereinafter “Basic Data”);
3.1.2 Application data: data submitted when applying for the residency programme, including Basic Data, CV, portfolio, role description, motivation statement (hereinafter “Application Data”);
3.1.3 Contractual data: the written contract document, including data contained therein, Basic Data, contract date, residency period, business name and registry code (if the contract is concluded with a legal person), data related to contract amendments, data related to contract termination (hereinafter “Contractual Data”);
3.1.4 Accounting data: Basic Data, bank account details, data related to grants and reimbursement of expenses, including payment amount and frequency (hereinafter “Accounting Data”);
3.1.5 Security data: data obtained as a result of camera use, including images visible on camera recordings, log data of cards or chips enabling access to buildings and premises, including card and/or chip number (hereinafter “Security Data”).
3.2 We may obtain your personal data: (i) directly from you when you disclose it to us during the application process or during the residency; (ii) from publicly available sources; and (iii) through technical means.
3.3 The processing of the above personal data is necessary to carry out the application process; to enter into and perform the contract, including to administer the residency programme and to comply with obligations arising from legislation, which is why if you do not provide the personal data required for these purposes, we may not be able to carry out the application process, enter into the contract or fulfil other purposes set out in this Notice.
4 PURPOSES AND LEGAL BASES FOR PROCESSING PERSONAL DATA
4.1 We process your personal data lawfully, fairly and transparently, including only when we have a legal basis to do so. The legal basis for processing your personal data depends on the objective and context in which we collect personal data. We may process your specific categories of personal data for the following purposes and on the following legal bases:
| Processing purpose | Legal basis | Categories of personal data |
| Application for the residency programme | ||
| Identification of residency applicant | GDPR Art 6(1)(f): our legitimate interest to select residents to ensure the implementation of the residency programme | Basic Data |
| Conducting the residency application process, including collecting data through submitted applications | GDPR Art 6(1)(f): our legitimate interest to select residents to ensure the implementation of the residency programme | Basic Data Application Data |
| Assessment of residency applicant’s strengths and weaknesses | GDPR Art 6(1)(f): our legitimate interest to assess the strengths and weaknesses of the residency applicant to determine whether the applicant is suitable for the residency programme | Basic Data Application Data |
| Making the resident selection decision | GDPR Art 6(1)(f): our legitimate interest to make informed selection decisions | Basic Data Application Data |
| Notifying the residency applicant of the results of the application process | GDPR Art 6(1)(f): our legitimate interest to notify residency applicants of the results of the application process | Basic Data Application Data |
| Handling pre-contractual negotiations and communications | GDPR Art 6(1)(b): taking steps prior to entering into a contract (for natural persons) GDPR Art 6(1)(f): our legitimate interest to handle pre-contractual negotiations (for legal persons) | Basic Data Contractual Data |
| Administration of the residency programme | ||
| Preparation and conclusion of the contract | GDPR Art 6(1)(b): taking steps prior to entering into a contract (for natural persons) GDPR Art 6(1)(f): our legitimate interest to handle pre-contractual negotiations (for legal persons) | Basic Data Contractual Data |
| Performance of the contract and management of the contractual relationship | GDPR Art 6(1)(b): performance of a contract (for natural persons) GDPR Art 6(1)(f): our legitimate interest to perform the contract (for legal persons) | Basic Data Contractual Data Accounting Data |
| Amendment and termination of the contract | GDPR Art 6(1)(b): performance of a contract (for natural persons) GDPR Art 6(1)(f): our legitimate interest to amend or terminate the contract (for legal persons) | Basic Data Contractual Data |
| Accounting | ||
| Calculation and payment of grants | GDPR Art 6(1)(b): performance of a contract (for natural persons) GDPR Art 6(1)(f): our legitimate interest to perform the contract (for legal persons) GDPR Art 6(1)(c): compliance with a legal obligation | Basic Data Contractual Data Accounting Data |
| Calculation and payment of compensation and benefits, including expense reimbursements | GDPR Art 6(1)(b): performance of a contract (for natural persons) GDPR Art 6(1)(f): our legitimate interest to perform the contract (for legal persons) | Basic Data Contractual Data Accounting Data |
| Security measures | ||
| Use of cameras for the protection of persons and property and for the detection of offences | GDPR Art 6(1)(f): our legitimate interest to ensure the protection of property, including to prevent, detect and manage detected offences against property, to ensure the protection of persons and to establish, exercise and/or defend legal claims | Security Data |
| Use of access control system (chip and card) for the protection of persons and property and for the detection of offences | GDPR Art 6(1)(f): our legitimate interest to ensure the protection of property, including to prevent, detect and manage detected offences against property, to ensure the protection of persons and to establish, exercise and/or defend legal claims | Security Data |
| General | ||
| Data backup, including storage of information containing personal data in backup systems | GDPR Art 6(1)(f): our legitimate interest to store documents and materials in backup systems to ensure the continuity of data processing operations | All data categories |
| Establishing, exercising and/or defending legal claims | GDPR Art 6(1)(f): our legitimate interest to establish, exercise or defend legal claims where necessary | All data categories |
5 RECIPIENTS OF PERSONAL DATA AND DATA TRANSFERS
5.1 We may disclose your personal data to recipients in the following categories:
5.1.1 Public sector authorities, supervisory and law enforcement authorities, e.g. the Tax and Customs Board and the Police and Border Guard Board, to comply with a statutory obligation, a court order, to establish, exercise or defend our rights, to prevent, deter or report unlawful acts and in other cases. The legal basis is performance of our legal obligations or our legitimate interest to report offences and other incidents, to exercise and enforce our rights;
5.1.2 Service providers, IT-service providers, application platform service providers, to carry out the application process and the residency programme and to ensure the functioning of day-to-day operations. The legal basis is our legitimate interest to carry out the application process and the residency programme and to ensure our proper economic activity;
5.1.3 Professional advisors, e.g. legal advisors, to ensure our lawful activities and, where necessary, to establish, exercise or defend legal rights. The legal basis is our legitimate interest to ensure our lawful activities and, where necessary, to establish, exercise or defend legal claims;
5.1.4 Our legal successors and their representatives, if necessary for the transfer, merger or acquisition of ERM. The legal basis is our legitimate interest to ensure a successful transfer, merger or other reorganisation.
5.2 Some of the recipients we engage in data processing, including processors, may be located outside the European Economic Area, therefore when disclosing personal data to them, we may transfer your personal data outside this territory. In such cases, we ensure that appropriate safeguards are in place to protect your personal data (e.g. standard contractual clauses approved by the European Commission or an adequacy decision). You have the right to obtain additional information about the safeguards in place by contacting us using the contact details provided in Section 2 of this Notice.
6 PERSONAL DATA RETENTION PERIOD
6.1 We retain your personal data for as long as is reasonably necessary to achieve the purposes set out in Section 4 of this Notice or as required by applicable legislation. When determining the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential harm from unauthorised use or disclosure of the personal data, the purposes of processing and whether we can achieve those purposes by other means, and the obligations arising from applicable legislation.
6.2 For example, the retention period for Accounting Data is 7 years as of the end of the financial year when a business transaction was recorded in the accounting journals. For more detailed information on the retention periods for personal data, please contact us using the contact details provided in Section 2 of this Notice.
6.3 Following the retention period or if we no longer need the respective personal data for the purposes of processing, we delete the respective personal data within a reasonable time, unless the retention of personal data is required to perform duties or fulfil requirements arising from the legislation or to protect against ongoing or threatened disputes.
7 YOUR RIGHTS AS A DATA SUBJECT
7.1 You have the right to contact us at andmekaitse@erm.ee to exercise the following rights with respect to our processing of your personal data:
7.1.1 Right to access to personal data, including to receive a copy thereof and to receive information about the processing of your personal data;
7.1.2 Right to rectification of personal data if we are processing inaccurate or incomplete personal data about you;
7.1.3 Right to erasure of personal data, e.g. if it is no longer necessary for the purpose for which we collected it, you withdraw your consent to processing and we have no other legal basis for processing the personal data, or the personal data has been processed unlawfully;
7.1.4 Right to request restriction of processing of personal data, e.g. if you dispute the accuracy of the personal data, the processing of personal data is unlawful, or we no longer need the personal data for the purposes of processing but you need the personal data for the establishment, exercise or defence of legal claims;
7.1.5 Right to data portability to you or to another controller, where technically feasible, and where we process the data by automated means and the legal basis for processing is your consent or the performance of a contract;
7.1.6 Right to object, e.g. where processing is based on our legitimate interest;
7.1.7 Right to withdraw consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing of personal data prior to the withdrawal;
7.1.8 Right to lodge a complaint with a supervisory authority, e.g., to the Estonian Data Protection Inspectorate (in Estonian: Andmekaitse Inspektsioon) (www.aki.ee, info@aki.ee).
8 CHANGES TO THE NOTICE
8.1 We may amend or modify this Notice from time to time to accurately reflect the processing of your personal data. In such cases, we will make the most recent version of the Notice available to you.
Version: February 2026