Hello,
We operate a small B2B SaaS infrastructure tool under the 1seal project, via Mudria OÜ (Estonia).
Our service processes only business email addresses and basic contact details of institutional clients (no consumer data, no special categories, no profiling).
I would like to kindly ask for clarification on the minimal GDPR expectations for such a micro-enterprise:
- How should records of processing activities under Article 30 be handled for a very small controller in this situation?
- In a B2B-only context (business contacts of client organisations), when would a DPO appointment become necessary, if at all?
- Are there any recommended retention periods or best practices for business contact information used only for service provision and invoicing?
Use case: offline-verifiable transaction receipts for institutional clients – only business contact details, no private individuals.
This is a request for non-binding compliance guidance, not a complaint.
Thank you in advance for any pointers or links to existing materials.
Best regards,
Oleh Konko