| Document register | Andmekaitse Inspektsioon |
| Reference | 2.2-9/25/3925-2 |
| Registered | 15.12.2025 |
| Synchronised | 16.12.2025 |
| Type | Outgoing letter |
| Function | 2.2 Authorisation and notification procedures |
| Series | 2.2-9 Requests for clarification |
| File | 2.2-9/2025 |
| Access restriction | Public |
| Addressee | Estonian B2B SaaS |
| Method of receipt/dispatch | Estonian B2B SaaS |
| Responsible person | Liina Kroonberg (Andmekaitse Inspektsioon, Cooperation area, Training and Prevention Team) |
FOR THE PROTECTION OF PRIVACY AND THE TRANSPARENCY OF THE STATE
Tatari tn 39 / 10134 Tallinn / 627 4135 / [email protected] / www.aki.ee
Registry code 70004235
Oleh Konko
Estonian B2B SaaS
Your letter: 30.11.2025 Our letter: 15.12.2025 No 2.2-9/25/3925-2
Answer to request
The Estonian Data Protection Inspectorate (DPI) has received your request:
We operate a small B2B SaaS infrastructure tool under the 1seal project, via Mudria OÜ (Estonia). Our service processes only business email addresses and basic contact details of institutional clients (no consumer data, no special categories, no profiling). I would like to kindly ask for clarification on the minimal GDPR expectations for such a micro-enterprise: How should records of processing activities under Article 30 be handled for a very small controller in this situation? In a B2B-only context (business contacts of client organisations), when would a DPO appointment become necessary, if at all? Are there any recommended retention periods or best practices for business contact information used only for service provision and invoicing? Use case: offline-verifiable transaction receipts for institutional clients – only business contact details, no private individuals.
In response to your inquiry, I would like to give some brief explanations and to indicate where to seek help in this matter if needed.
If a company employs at least one person and/or serves at least one natural person as a client, the processing of their personal data cannot be considered occasional within the meaning of the GDPR. Thus, the rules arising from the GDPR regarding the processing of personal data must be considered. A concise internal policy document, tailored to the company's specific characteristics, is highly recommended. For instance, when an employee leaves, clear rules should govern the handling of their email address (which contains the employee's name). The policy should specify whether the account is deactivated, redirected, or retained temporarily to ensure business continuity, while at the same time safeguarding personal data in compliance with the GDPR.¹
A data protection officer (DPO) is mandatory only where the core activities involve large-scale monitoring of individuals or the processing of special categories of data. In a B2B-only context limited to business contacts, no DPO is usually required. Read more about DPOs here.
The GDPR prescribes no fixed retention periods. Data should be retained only as long as necessary for contractual and statutory obligations (e.g., accounting/tax, typically 5–7 years), with periodic review and deletion of outdated records. The general rule is that there must be a specific reason for retaining personal data. Once the purpose has been achieved and there is no legal justification for retaining the personal data, it must be deleted.
¹ Records of processing activities, GDPR Article 30.
This processing, limited to institutional business contacts, entails a light compliance burden focused on transparency, security, and proportional retention. Although your clients are mainly enterprises, it must be kept in mind that the processing of personal data cannot be entirely avoided. For example, the processing of employee data is also personal data processing, which means that the GDPR must be followed.
If you need to review your company's specific processes and activities, it is advisable to seek assistance from service providers such as legal professionals (lawyers etc.).
Information regarding the processing of personal data is available on the website of the Estonian Data Protection Inspectorate (DPI), particularly within the Frequently Asked Questions (KKK) section. For companies, there are different leaflets (compliance with the GDPR, privacy conditions depending on context, consent as a legal basis, and impact assessment). The leaflets do not replace legal consultation but provide a clearer framework for companies to evaluate their practices. The leaflets emphasise that the GDPR is not just a bureaucratic burden but a way to strengthen trust and responsible data management.
It should be noted that most of these materials are in Estonian, and pursuant to the Language Act, official proceedings with the DPI are conducted in Estonian.
Respectfully
Liina Kroonberg
lawyer
authorized by Director General