Estonian Refugee Council (ERC) respects your privacy and is committed to protecting your personal data. In the course of our humanitarian, advocacy, and fundraising work, we may collect and process personal information in compliance with the EU General Data Protection Regulation (GDPR) and applicable Estonian law.

This Privacy Policy explains how and why we collect, use, store, and safeguard your personal data. Our full data protection policy is accessible as PDF.

1. When Do We Process Your Data?

We process your personal data when you:

• Make a donation (one-time, recurring, major, or legacy)
• Request a donation tax return (requiring your personal identification code)
• Register as a volunteer or participate in our programmes
• Subscribe to newsletters or campaign updates
• Apply for a job or internship
• Contact us via forms, phone, or email
• Visit our websites or social media channels
• Participate in surveys, events, or advocacy campaigns

We may also process limited personal data during humanitarian programmes, monitoring, or reporting activities.

2. What Data Do We Collect?

The personal data we collect depends on how you engage with us, and may include:

Identification and Contact Details

• Name, phone number, address, email
• Language preference
• Personal identification code (if required for tax reporting in Estonia)

Donation and Payment Information

• Donation history, payment method, amounts, and frequency
• Bank or card data (processed securely by authorized providers)
• Preferences related to communication and tax return reporting

Engagement and Application Data

• Newsletter or campaign participation
• Volunteer registration, job applications, CVs
• Correspondence history (inquiries, feedback, support)

Technical and Website Data

• Browser type, IP address, device info, cookies
• Website usage patterns (e.g. navigation, preferences)

Sensitive Data
In limited humanitarian contexts, we may collect data that relates to vulnerability (e.g. gender, displacement status) when required to provide assistance. These are handled with strict confidentiality and technical safeguards.

3. How Do We Use Your Data?

We process personal data to:

• Accept and manage donations
• Fulfill legal obligations (e.g. reporting donations for tax returns in Estonia)
• Send updates, newsletters, and appeals (based on consent or legal grounds)
• Manage participation in volunteering, campaigns, and employment processes
• Respond to your inquiries or feedback
• Analyze donor or user engagement (e.g. frequency, interests)
• Improve our services and online platforms
• Collect aggregate statistics to measure our outreach and impact

We may also use data to target or personalize communications based on your preferences or engagement history, without using automated decision-making.

4. Legal Grounds for Processing

We rely on the following legal bases:

• Consent – for communications, newsletters, or events
• Contract – for processing donations, volunteer commitments, or service provision
• Legal obligation – e.g. accounting, tax reporting, employment law
• Legitimate interest – to promote our mission, develop donor relationships, and improve services

You can withdraw consent or object to certain types of processing at any time.

5. Data Sharing and International Transfers

We do not sell your data.
We may share your data with:

• Service providers (e.g. email platforms, payment processors) under strict data protection agreements
• Tax authorities, only when you request tax return reporting
• Humanitarian partners, only when required by a specific programme or grant, and with protective safeguards

If your data is transferred outside the EU/EEA, we ensure GDPR-compliant safeguards, such as EU Standard Contractual Clauses.

6. Cookies and Web Tracking

We use cookies on our website to ensure proper functionality, improve user experience, and analyze site usage. Cookies do not personally identify you.

You can adjust your browser settings to manage or block cookies. For more details, see our Cookie Policy.

7. Data Retention

We retain your personal data only as long as necessary for the original purpose or to comply with legal obligations. Our general retention periods are:

• Donation, financial, and tax-related data: 7 years, in line with accounting and tax law
• Newsletter and communication data: until you unsubscribe
• Inquiries and contact forms: up to 2 years
• Volunteer and job application records: as needed for evaluation and future engagement

Retention periods are reviewed regularly and based on legal, contractual, and operational needs.

8. Your Rights

Under the GDPR, you have the right to:

• Access – obtain a copy of your data
• Rectify – correct inaccurate or incomplete data
• Erase – request deletion where justified
• Restrict – request processing limits under certain conditions
• Object – to processing based on legitimate interests, including direct marketing
• Data Portability – request transfer of your data to another provider

Withdraw Consent – at any time, without affecting past processing

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse.

All external processors and staff handling your data are trained and bound by confidentiality and data protection obligations.

10. Policy Updates

We may update this Privacy Policy to reflect legal or operational changes. The most recent version is always available on our website.

Last updated: July 2025

11. Contact Us

If you have any questions, requests, or complaints about your personal data, please contact us at dpo@pagulasabi.ee and we will respond to you latest within 15 business days.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate if you believe your rights under data protection law have been violate