Terms of data protection


1. The East-Tallinn Central Hospital (hereinafter Hospital) processes your personal data in the following instances.

1.1. The Hospital provides you with healthcare and social services

We process your personal data, including contact data, health and genetic data, as well as data concerning race or ethnic origin, sexual life, and sexual orientation, if this data is needed in order to provide and properly document healthcare.  Your data may be processed to ensure the quality of treatment (including during the course of clinical audits) and to verify compliance with legislation governing the provision of healthcare and the processing of personal data. The retention periods of data certifying provision of a healthcare service are set forth by the law. In the case of documents certifying provision of outpatient and inpatient healthcare services, it is 30 years from confirmation of the data. .. In order to provide social services we generally process your data with your consent, except as permitted by law.

1.2. You are applying for a job at the Hospital

When recruiting personnel we use the CV you submitted and data found in other documents. When applying, the documents shall be retained for a period of one year following the end of the recruitment process.

1.3. You submit an inquiry, proposal or complaint to the Hospital

We will register your written communication in the Hospital's document management system and use previously collected information about you to respond. The correspondence will be retained for a period of five years.

1.4.  You are present on Hospital grounds or rooms in the field of view of a CCTV camera

Automatic video surveillance is conducted in marked areas via CCTV cameras installed on Hospital grounds and in Hospital rooms for the following purposes:

establishment of the facts in the event of security incidents or a suspicion thereof;

resolution of complaints if the circumstances of the complaint are identifiable via a recording.

The recordings of CCTV cameras and the real-time video feed are only accessible to authorised employees... Video recordings are retained for a period of 30 days.

In some departments there are CCTV cameras in appropriately marked rooms for monitoring treatment or diagnostic processes or ensuring patient safety. The video feed of these cameras can only be accessed by the healthcare professionals involved in the treatment process of the patient and the video footage is not recorded without the patient’s consent.

1.5. You use the Hospital’s patient portal or the self-service solution

If you use the patient portal iPatsient ( or the self-service solution ( to register for appointments and review your health data, the information system will log your activities and your IP address. The logs are used to detect information system software errors and to resolve other usability issues, and have a retention period of 30 days.

1.6. You are calling the Hospital’s information and registration telephone No. 666-1900

If you are calling the Hospital’s information and registration telephone, then the telephone number you are calling from and the phone call itself will be recorded. Call recordings shall be used to improve service quality and, where necessary, to resolve complaints, and have a maximum retention period of one year.

1.7. You are participating in training, conferences, seminars and other events organised by the Hospital

The Hospital registers the names, personal identification codes and contact data of event participants, in order to send information about the event, issue training completion certificates, compile statistics, and to submit invoices in the case of paid events. The data regarding event participants is retained for a period of five (5) years.

1.8.  Your loved one has received healthcare at the Hospital and has designated you as their contact person

The Hospital asks for the contact person’s name, telephone number and e-mail address. The Hospital contacts the Contact Person in the event that contact cannot be established with the patient, but contacting them is critically important.  If the patient changes or asks the Hospital to change their contact information, the previous information shall be deleted from the information system. Otherwise the Hospital shall retain the contact information for as long as it retains patient data.

1.9 Your personal data are used in research or for providing national statistics

The Hospital may also process your health data without your consent for research or providing national statistics. In the event of research for which asking your consent is not possible considering the nature of the research and the research is conducted in the public interest, the Hospital shall apply for an approval from the Human Research Ethics Committee for processing your health data.

1.10. You have consented to data processing not covered by clauses 1.1 to 1.9

You may be asked to consent to participation in a research study, video recording of the treatment process, or other processing of personal data not described above. If you grant permission, your personal data will be processed to the extent and the purpose for which you granted permission. The term for the retention of your data will be communicated to you when consent is requested.

2. The basis for the processing of personal data is:

2.1. The General Data Protection Regulation, laws and legislation enacted thereunder: including the Personal Data Protection Act, Health Care Services Organisation Act, Law of Obligation Act, Social Welfare Act, Health Insurance Act, Public Health Act, Communicable Diseases Prevention and Control Act, Establishment of Cause of Death Act, Population Register Act, Termination of Pregnancy and Sterilisation Act, the Procurement, Handling and Transplantation of Cells, Tissues and Organs Act, the Medicines Act, the Medicinal Products Act, the Insurance Activities Act, the Public Information Act, and other laws;

2.2. contract for the provision of healthcare services;

2.3. Your consent, for example, to participate in a drug trial or other research, video recording of the treatment process for the purposes of education or analysis at a later date.

3. If you are a patient at the Hospital, the Hospital will forward your data to the following recipients:

3.1. The Estonian Health Insurance Fund, in the event that the provision of the healthcare service is funded by the health insurance fund;

3.2. National registers, for example, the health information system, communicable disease register, tuberculosis register;

3.3. Local governments, for example, in the event that you require social services following hospitalisation;

3.4. Other institutions, who have the right to receive data pursuant to legislation, for example, other healthcare institutions, the police, prosecutor's office, court;

3.5. The patient’s designated person, i.e. the patient’s representative, insurance undertaking, lawyer, etc.

3.6 The Hospital’s cooperation partners – natural and legal persons whom the Hospital has authorised to perform data processing operations on its behalf. Cooperation partners are obliged to follow all of the data protection requirements.

4. You have the following rights in connection with the processing of personal data in the Hospital

4.1. The right to review your data

4.1.1. Reviewing your personal health data is possible via the health information system and the Hospital’s patient portal (

4.1.2. If you would like data that is not available in the environments specified in clause 4.1.1 or you do not have access to these environments, you must submit a request in order to obtain the personal information. The Hospital will respond to the request within 30 days and will release the data in the manner specified in the request, if the recipient of the data can be reliably identified. If the requested information is available to you in digital form or if you repeatedly request the information, the Hospital has the right to charge a reasonable fee to cover administrative costs or to refuse to release the information.

4.2. The right to have our personal data corrected, in the case that the data is incorrect or incomplete. To do so, you will need to submit an application (e-mail address: info [at] (info[at]itk[dot]ee)), which notes the document you are trying to correct, the correction you are requesting, as well as the content of the correction requested. Once the need for correction has been sufficiently substantiated, the Hospital will correct the data at the first available opportunity.

4.3. The right to withdraw consent at any time, if your data is being processed with your consent. Withdrawal of consent shall not apply to processing that took place prior to the withdrawal.

4.4. require the restriction of processing of your personal data in the events stipulated in the GDPR, for example for a period that allows the hospital to verify the correctness of the personal data;

4.5. object to the processing of your personal data in the events stipulated in the GDPR.

4.6. The right to have your personal data deleted in the cases provided for in the General Data Protection Regulation, such as when you withdraw your consent, unless the Hospital has the legal obligation to retain personal data.

4.7. The right to consult the Hospital’s data protection specialist on any matter relating to the processing of your personal data and the exercising of your rights arising from the General Data Protection Regulation.  If you are not satisfied with the response from the Hospital’s data protection specialist, you always have the right to lodge a complaint with the Estonian Data Protection Inspectorate (tel.: +372 627-4135, e-mail: info [at] (info[at]aki[dot]ee)) or to go to court.

5. The party responsible for processing personal data is AS Ida-Tallinna Keskhaigla, Ravi tn 18, Tallinn 10138, info [at] (info[at]itk[dot]ee).

6. Contact information for the Hospital’s data protection specialist: Andres Õige, tel 5421 0162, e-mailandmekaitse [at] (andmekaitse[at]itk[dot]ee)

APPROVED with the 15 April 2024 Decision of the Management Board of AS Ida-Tallinna Keskhaigla.