Tallinna Vesi logo

Data protection policy

Data protection policy


This policy also applies to Watercom OÜ, a subsidiary of Aktsiaselts Tallinna Vesi.

Tallinna Vesi AS (hereafter referred to as ‘TVESI’) is committed to providing a high-quality public water supply and sewerage service that is available 24 hours a day, 365 days a year. In order to provide the best possible service to our customers and to ensure the proper fulfilment of all contractual obligations, we collect and store data relating to customers, contractors and partners in accordance with the principles set out below.

Watercom OÜ (hereafter referred to as 'WCOM'), whose main area of activity is the construction of water and sewer pipes (incl. for private individuals) and the provision of other services (e.g. pipe maintenance). TVESI and WCOM are hereafter referred to as the ‘company’, both separately and collectively.

The company reserves the right to amend this policy unilaterally as necessary. In such a case, the new data protection policy will take precedence over this one from the moment it is published.


1. Definitions

A customer means any natural or legal person who uses, has used, or has expressed an interest in using the services provided by the company, or is otherwise connected with them. This also includes any person whose personal data is obtained by the company in connection with the provision of these services.

Personal data means information directly or indirectly related to a natural person who is a customer or their natural person representative. The categories of personal data processed by the company are set out in this policy.

Processing means any operation performed on personal data (incl. collection, recording, storage, alteration, granting access, retrieval, transmission, etc.) as defined in the General Data Protection Regulation (GDPR).

The General Data Protection Regulation (GDPR) is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).


2. Types of personal data


The customer’s personal data may be collected from the customer, through their use of the services, and from external sources, such as public and private registers and other third parties.

The types of personal data mainly, but not exclusively, collected and processed by the company are as follows:

• identification details, e.g. first name and surname, identification code (national personal identification number), date of birth, details of an identity document (e.g. passport or ID card details);

• contact details (e.g. address, telephone number, e-mail address);

• financial information (e.g. details of payments, bank account information);

• information regarding reliability and due diligence (e.g. information on payment history, outstanding debts, losses incurred);

• details of ownership (e.g. the address of the place of consumption, or where the service is provided);

• data on consumption (e.g. data on meters required to measure the service and the volume of the service);

• information on habits, preferences (e.g. language of communication) and satisfaction;

• location data (e.g. IP address), log data;

• audio recordings (e.g. of telephone calls to the customer information and emergency lines) made for the legitimate interest of ensuring better customer service and improving service quality;

• CCTV data (video recordings) collected for the legitimate interest of protecting property and ensuring the safety of individuals;

• on-board camera recordings (video recordings) used for the legitimate interest of protecting property and effectively investigating incidents;

• communication data (data received via telephone, e-mail, letter or other means of contact, such as applications, enquiries and complaints);

• data relating to visits to the company’s website or data collected via other company channels (e.g. social media);

• data collected and/or created in the course of fulfilling a legal obligation, e.g. data resulting from enquiries made by investigative authorities, notaries, courts and bailiffs.


3. Principles governing the processing of personal data


• The company protects the personal data entrusted to it against any unauthorised use. The company processes personal data in accordance with the General Data Protection Regulation (GDPR) and applicable national legislation.

• Data is collected to the extent necessary to perform the concluded contracts and to provide the best possible service to customers.

• The company does not process any special categories of personal data (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.).


Personal data is processed:

• to conclude and perform a contract or other agreement with customers (e.g. to connect to and use the public water supply and sewerage system, or to receive any other service);

• to resolve customer enquiries, requests and complaints relating to services, and to process claims and information requests;

• to conduct financial transactions, maintain accounting records, manage customer debts and fulfil other financial obligations;

• to protect the interests of customers and/or the company and to ensure the quality of the services provided by the company, including to restrict and investigate the use of the services, any unlawful use thereof, or disruptions to their operation;

• to conduct and manage business operations, for the company to fulfil its legal obligations, including the necessary investments to provide services to customers;

• to send service-related offers and newsletters to customers, and conduct customer satisfaction surveys to improve the user experience of customers;

• to manage electronic communication channels (website, social media accounts) to ensure they operate smoothly and to improve their quality;

• to ensure the safety of individuals and protect the company’s assets, as well as investigating incidents.

• If the customer provides the company with information about a third party, they undertake to inform that third party that the company has received their personal data, specify the scope of that data and provide the company with written consent from the third party for the processing of their personal data, in a form that allows the identity of the consenting person to be verified.

• The company does not profile its customers or process personal data automatically.

• The company treats any personal data disclosed to it as strictly confidential, protecting it from unauthorised access by third parties through effective IT security measures.

• To ensure that personal data remains up to date and accurate, the company may verify and complete that data through internal and external sources for the purpose of performing a contract or complying with a legal obligation.

• The company will not disclose personal data to third parties, unless such disclosure is required by law, or where consent has been given by the data subject, or to processors engaged by the company.

• Personal data is mainly processed within the Republic of Estonia, with no processing taking place outside the European Economic Area.

• The company may send its customers promotional offers regarding its services or customer satisfaction surveys with a view to improving service quality. Customers have the right to opt out of receiving these offers or surveys at any time by contacting the company using the details provided in this data protection policy.


4. Duration of personal data processing and storage


Personal data will not be processed for longer than is necessary or until the customer withdraws their consent. The storage period may be determined by contracts or agreements with customers, TVESI's legitimate interests, or applicable legislation (e.g. accounting regulations, legislation relating to statutes of limitations, or other relevant legislation).


5. Rights of customers who are natural persons


Customers who are natural persons have the following rights in relation to the processing of their personal data.

• Right to obtain information. Customers have the right to obtain information about the processing of their personal data by the Company.

• The right of access to data, which includes confirmation from the company that we are processing the customer’s personal data, the right to a list of the personal data being processed, the purposes and legal basis for processing, and the right to a copy of the data.

• Right to rectification of inaccurate data. The customer may request that the company rectify any inaccurate or incomplete personal data.

• Right to erasure of data. In certain circumstances, customers have the right to request the erasure of their personal data, including when processing is based solely on consent and that consent is withdrawn, or when the personal data stored by the company is no longer necessary for the purposes for which it was collected.

• Right to request the restriction of data processing. This right arises, inter alia, where the company's processing of personal data is unlawful, or where the customer has contested its accuracy.

• Right to data portability. This right applies to personal data provided by the customer which is processed on the basis of consent or for the performance of a contract, in writing or in a commonly used electronic format, and where it is technically possible to transfer the data to another service provider.

• Right to withdraw one’s consent.

• Right to lodge a complaint with the supervisory authority, which in the Republic of Estonia is the Estonian Data Protection Inspectorate (https://www.aki.ee/, e-mail address info@aki.ee), if the customer considers that their rights have been infringed in accordance with the General Data Protection Regulation (GDPR).

The rights relating to personal data only apply if there are no specific restrictions on them (depending on the circumstances and any additional conditions arising from the General Data Protection Regulation).

The company will respond to the customer's enquiry within 30 days at the latest.


6. Joint processing of personal data


• TVESI and WCOM are joint controllers within the meaning of Article 26(1) of the General Data Protection Regulation (GDPR).

• Where two or more controllers jointly determine the purposes and means of processing, as well as their respective responsibilities, they will be considered joint controllers.

• TVESI and WCOM have signed a contract that sets out their obligations and rights as joint controllers.

• TVESI and WCOM use an integrated customer data information system (customer relationship management software) to process and manage customers’ personal data (identification and contact details, as well as details of ownership) in an integrated way, in order to provide high-quality services.

• TVESI and WCOM are responsible for ensuring the lawfulness and security of the processing of personal data.


7. Authorised processing of personal data


• If necessary to achieve the purpose of the processing, the company, acting as both a controller and a joint controller, will engage a processor to process personal data.

• An agreement for authorised processing of personal data is concluded with the processor, setting out the requirements for the processing of personal data by the processor.

• As joint controllers, TVESI and WCOM may act as processors for one another where this has been agreed in a contract or is necessary for the processing of personal data.

• The company that has appointed a processor for the processing of personal data is responsible for the actions of such processors, and the processors will fully comply with the company’s personal data processing principles.


8. Contact details


• The company’s contact point for personal data processing, where customers can submit enquiries, exercise their rights and file complaints relating to the processing of their personal data, is located at Ädala 10, Tallinn. The company can be contacted by phone on 626 2200 or by e-mail at tvesi@tvesi.ee.

• Customers can also contact the company via TVESI (tvesi@tvesi.ee) or WCOM (watercom@watercom.eu).

• The contact details of the Data Protection Officer are available on the website https://www.tallinnavesi.ee/en/contact-us.


9. Security measures


The company takes appropriate technical and organisational measures to ensure that personal data is processed securely, in a manner that prevents the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.


10. Visiting the website – cookies


The company uses cookies on its website. Cookies are small files that are stored on a computer or other device used to visit a website during the visit. The purpose of using cookies is to distinguish the user from other visitors to the website and improve their experience of the website based on the information collected.

Cookies are used to store information about the user’s IP address, browser type and version, the time and duration of their visit to the company’s website, their preferences and interests, etc.

Cookies may be used to identify a specific user of a website.

The company uses first-party cookies, which are divided more specifically into technical, analytical and authentication cookies.

The company that issues first-party cookies is the controller of personal data and manages the visited website.

• Technical cookies enable users to navigate the website and use its features.

• Analytical cookies collect information about how the website is used.

These cookies do not collect information that would allow a website user to be directly identified.

• Authentication cookies and functional cookies enable user identification when logging into the self-service portal, including the secure management of the session, and allow the website to remember the user’s preferences (e.g. name, language or region).


If a user wishes to restrict the acceptance and storage of cookies on their device, or to delete cookies that have already been stored, they can do so via their web browser settings.

The company uses Google Analytics, a web analytics service provided by Google Inc., to gather information about how its website is used.

Third-party Google Analytics cookies collect information which includes: IP address, number of website visitors, visitors’ location, pages visited, and the length of time a visitor spends on the site. Based on this data, we produce general overviews of website traffic and usage.

Google's privacy policy is available at https://policies.google.com/privacy.

The company uses social media platforms such as Facebook, Instagram, YouTube, and LinkedIn, in accordance with the privacy policies of those service providers.

Authorized processors of the customer's personal data


  1. Prominion OÜ (Mustamäe tee 16, Tallinn, e-mail address info@prominion.eu)
  2. Unifiedpost AS (Veerenni tn 40a, Tallinn, e-mail address teenindus@unifiedpost.com)
  3. Cumultec OÜ (Mõisa tn 4, Tallinn, e-mail address juri.dusko@cumultec.com)
  4. AS EMOR (Maakri tn 21, Tallinn, e-mail address karin.niinas@emor.ee)

If you have any questions, please contact our data protection specialist:

Shareholders’ Data Protection Policy


In connection with the convening and conduct of the general meeting of shareholders of AS Tallinna Vesi (hereinafter referred to as the 'company') (including the adoption of written resolutions by shareholders without convening an extraordinary general meeting) and in connection with the preparation of reports, the personal data of shareholders is processed. The controller of personal data is the company.

The purpose of processing personal data is to enable the company’s shareholders to participate in the general meeting and exercise their rights in accordance with the articles of association of the company and the Commercial Code. The legal basis for the processing of personal data is the fulfilment of obligations arising from the articles of association of the company, the Commercial Code, and the regulations of the stock exchange on which the company is listed.


The personal data processed includes:


  • data necessary for identification purposes, such as the name and surname of the shareholder (incl. a shareholder who is a legal person) or their representative, personal identification code, details of the identification document and details of the document certifying the representative’s right of representation (proxy, etc.);
  • contact details of the shareholder or their representative, particularly e-mail address and other contact details (postal address, telephone number);
  • details relating to the shares, such as the number of shares, size of holding, and number and bank of securities and current accounts;
  • information on voting and attendance at meetings, including details of how voting rights were exercised;
  • other data related to reporting.

The processing of personal data includes, in particular:

  • notice of and registration for the general meeting;
  • verifying the right to attend and vote at the general meeting, and adding the details to the list of participants;
  • participation in voting and checking of electronic and paper ballot papers;
  • processing requests for information submitted by shareholders to the Management Board of the company, questions relating to items on the general meeting agenda, requests to include additional items on the general meeting agenda and draft resolutions relating to items on the general meeting agenda;
  • preparing the minutes of the general meeting and its annexes and sending them to the notary and the Business Register;
  • preparation of reports related to the share register.

The company collects the personal data necessary for shareholders to attend the general meeting and for preparing reports directly from shareholders, the Estonian Central Register of Securities and the Business Register.

The company will only share shareholders’ personal data with third parties to the extent required and provided that there is a legal basis for doing so. If necessary, shareholders’ personal data will be provided to a notary, the Commercial Register, or the Estonian Central Register of Securities. These entities will process the shareholders’ personal data as independent controllers.

The company may involve other persons (authorised processors of personal data) in processing the data, for example to carry out voting procedures.

These individuals will only process the personal data of shareholders for purposes related to the relevant data processing and to the extent necessary for this purpose, acting as authorised processors on behalf of the company.

Under the General Data Protection Regulation, shareholders have the following rights as data subjects:

  • the right of access to data;
  • the right to request the rectification of data;
  • the right to request the erasure of data;
  • the right to restrict the data processing;
  • the right to object to the processing of data;
  • the right to request data portability;
  • the right to lodge a complaint with the Data Protection Inspectorate or bring legal action if shareholders believe that the company has infringed their right to protection of personal data.

Shareholders can exercise their rights in accordance with the conditions set out in the General Data Protection Regulation and other applicable legislation. Shareholders can contact the company by e-mail at tvesi@tvesi.ee.

The company retains shareholders’ personal data to fulfil its legal obligations as follows: minutes of general meetings and their annexes, as well as all materials related to the conduct of general meetings, are retained for at least the duration of the company’s operations, and data related to the preparation of reports are retained for seven years.