Your data is safe and handled due course

Advokaadibüroo Lepmets & Nõges OÜ values and considers the protection of personal data important. This Privacy Policy explains how Advokaadibüroo Lepmets & Nõges OÜ (hereinafter also the Firm or we) collects and processes the personal data of data subjects (hereinafter also data).

Data subjects are you - our client or a visitor to the website www.lepmetsnoges.eu (hereinafter the website). You are also a data subject if the processing of your data is necessary for us to provide legal services to our client, and also if we have obtained the data from a third party. In summary, a data subject is any natural person whose data we process.

Data means any information relating to an identified or identifiable natural person.

Processing of data means any operation performed on personal data, including storage, use, transfer and disclosure.

In this Privacy Policy, we provide a clear overview of what data we process, for what purposes and on what legal basis we process it, and what your rights are in relation to your data.

When processing personal data and drafting this policy, we rely on the General Data Protection Regulation (EU) 2016/679 (also known as the GDPR) and other legal acts in force in the Republic of Estonia, including the Personal Data Protection Act. Any data protection related terms are used primarily in the meaning of the GDPR.

Who is the controller?

The controller is the person who determines the purposes and means of the processing of personal data, i.e. who decides why and how data is processed.

The controller is Advokaadibüroo Lepmets & Nõges OÜ, registry code 17246544.

We are located at Meistri 12, Tallinn, Estonia. You may contact us at this address by post. Digitally, you can send all inquiries, complaints and claims related to data processing to our e-mail address office@leno.ee

How do we obtain data?

We collect personal data in several different situations:

• First and foremost, we collect data in situations where you provide it to us yourself. This happens either in the course of us providing services or before that, when pre-contractual negotiations take place, or when you inform us of the circumstances for which you need the service. We collect data via e-mail, the contact form on the website and by phone, but we may also record it in the course of direct communication.
• We may also receive data from a third party without having directly requested it from them. This generally occurs in the course of providing legal services or when carrying out preparatory work for providing such services.
• We may also collect data independently and on our own initiative. In the latter case, we may obtain it, for example, from public registers, social platforms and other online environments, state or local government authorities, payment institutions and other sources. The collection of such data is generally related to the provision of legal services or the performance of preparatory work for the provision of such services.
• We also collect data automatically when you use our website. In such cases, the data may include, for example, the IP address, your visit history and the URL links opened on the website. Please also read more about this in the cookies section.

NB! If you provide us with personal data relating to a third party, you are responsible for the accuracy of such personal data. You are also responsible for ensuring that the provision of such data is relevant and that there is a legal basis for the disclosure of the data. If a third party contacts us with an inquiry in order to obtain information about the processing of their personal data, we may disclose that you were the person who provided us with such personal data, except of course where lawyer confidentiality obligations prohibit us from doing so.

What data do we process?

Since personal data, by its nature, is any information that makes it possible to identify a person by comparison with other data, it is not possible to provide a fixed and final list of data. This applies especially in the course of providing legal services, where the data may be very diverse. Nevertheless, below we set out the data that we generally process in typical situations:

1. Primary data: first and last name, personal identification code, gender, phone number, e-mail address, residential address and other contact details.
2. Secondary data: data about your work or business activities and financial standing; family and private life related data; your correspondence with third parties; data about transactions you have made, your assets, rights and obligations; photos or videos in which you appear or your voice recordings;
3. Data for fulfilling due diligence measures: data from an identity document, data regarding payment behaviour, a photo or copy of the document, data regarding links to money laundering or terrorist financing, data about asset structures and the origin of assets.
4. Data relating to the provision of legal services: client agreement, the content of legal services, powers of attorney, correspondence between you and the Firm, data on breach of contract, details of payment transactions.
5. Website data: data generated automatically from visiting the website. See also the chapter on cookies.
6. Special categories of personal data: under Article 9(1) of the GDPR, this is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data used for the unique identification of a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

For what purposes and on what legal basis do we process data?

The legal bases for processing data arise from Article 6(1) of the GDPR. We process data on the following bases:

1. If you have given consent (Article 6(1)(a));
2. If it is necessary for entering into and performing a contract (Article 6(1)(b));
3. If it is necessary for compliance with our legal obligation (Article 6(1)(c))
4. If we have a legitimate interest (Article 6(1)(f) of the GDPR), in particular to improve the quality of our services and customer service, to market the Firm, and to protect our financial interests as well as our clients and employees;
5. If it is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) of the GDPR), in particular where we or our employee acts in the performance of a public task, for example as a bankruptcy trustee.

If we process your data on the basis of consent, you have the right to withdraw your consent at any time. This does not affect the lawfulness of processing carried out prior to withdrawal. With regard to processing based on legitimate interest, you have the right to object.

When collecting data on any legal basis, we follow the data minimisation principle. This means that from each data category we collect only such data whose collection is relevant and only to the relevant extent. For example, if we provide legal services in an employment dispute, your family and private life data is generally not relevant and we do not request, collect or process it.

We process special categories of personal data only if we have a basis for this under Article 9(2) of the GDPR. In particular, the basis is Article 9(2)(f) of the GDPR, which allows processing where it is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. In addition, § 41(1) point 4¹ of the Bar Association Act grants a sworn advocate the competence to process personal data of a person other than the client, including special categories of personal data, obtained under a contract or the law, without the consent of such persons, where this is necessary for the provision of legal services.

Below we provide a summary table of the purposes of processing and legal bases. Explanations of the processed data can be found in the previous chapter.

The above summary table is not exhaustive, and for certain purposes we may also use data on another legal basis, in particular for compliance with a legal obligation or for the performance of a contract. If we process data for a purpose other than the one for which it was originally collected, we assess the justification for such processing. In assessing justification, we take into account the similarity of the new purpose, the nature of the data, the way and context in which the data was collected, the possible consequences for the data subject's rights, and the need to implement additional safeguards.

With whom do we share data and where do we store data?

In the course of providing services, we may need to transfer your data to third parties. This primarily occurs when resolving a legal dispute in court or in pre-trial proceedings.

We also use various third-party service providers in our day-to-day work, to whom it may be necessary to transfer data for our operations. Such service providers include, for example, IT, accounting, translation, audit or archiving service providers. These service providers are our processors.

All processors process your personal data on behalf of the Firm. We transfer to them only the data necessary for the provision of the service and never more. Such service providers may use the data only within the scope of providing the service. We ensure that all service providers follow our instructions and data processing agreements. The standard of care required of the service provider when processing your data must not be lower than ours. They must also implement appropriate technical measures to ensure a level of data protection comparable to that of the Firm.

In addition to the above, we may also have an obligation to transfer personal data arising from the law. In such cases, we may transfer data to public authorities, in particular to various supervisory bodies, such as the court, the Police and Border Guard Board, the Financial Intelligence Unit, the Financial Supervision Authority, the Data Protection Inspectorate, etc.

We store and process your data within the European Union. We do not transfer your data outside the European Union unless this is necessary for the provision of legal services and unless there is a legal basis for doing so. If it is necessary, we will implement additional safeguards. We do not transfer data to countries whose level of data protection does not meet the requirements of the European Commission. If it is nevertheless necessary for the provision of legal services, we transfer only the minimum necessary data and implement strict safeguards, in particular transferring data in encrypted form.

What are my rights as a data subject?

You have the following rights in relation to your data:

• Right of access. You have the right to obtain information as to whether your personal data is being processed. You have the right to access your data and to obtain copies of it. You have the right to know the purpose of processing and the period for which the data is stored. You have the right to know the persons with whom the data has been shared.
• Right to rectification. If personal data is inaccurate or incomplete, you have the right to request that it be corrected or completed.
• Right to erasure. In certain cases, you have the right to request the erasure of your personal data, in particular where the data is no longer necessary for the purposes for which it was processed, or where the processing was based on consent that has been withdrawn.
• Right to restriction of processing. You have the right to request the temporary restriction of the processing of personal data, for example where you have contested the accuracy of the data.
• Right to object. You have the right to object to the processing of your personal data where processing is based on legitimate interest.
• Right to data portability. Where processing is based on consent or on a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format. You also have the right to request that the data be transmitted to another service provider where technically feasible.
• Right to lodge a complaint. Please see the next section regarding this right.

Right to contact the controller, the supervisory authority or the court

If you wish to exercise your rights as a data subject listed in the previous section, please send us a notice to the e-mail address office@leno.ee.

If you consider that your rights have been infringed, you also have the right to contact the Data Protection Inspectorate. The contact details of the Data Protection Inspectorate can be found on the website www.aki.ee.

In addition, you always have the right to go to court. Questions related to the Privacy Policy are resolved under the laws of the Republic of Estonia. In the event of a dispute, you may bring the matter before Harju County Court.

Please note that in the course of providing legal services we generally obtain data which, due to statutory obligations or the lawyer's professional ethics, we are not allowed to disclose, change or delete. Such obligations may limit our ability to satisfy your requests.

Retention of personal data

We retain your personal data only for as long as is necessary to achieve the purposes for which it is processed. Therefore, the retention period depends on the specific data. When determining the retention period, we take into account the type and content of the data. We also take into account whether we have an ongoing legal dispute with you or a third party and whether the use of certain data is justified for the protection of our interests and rights. Once limitation periods for claims have expired, the purpose of retention generally ends.

We also always retain data at least until the time we are required to do so by law or by other guidance adopted and issued on the basis of law. We retain primary accounting documents for 7 years from the end of the relevant financial year.

To find out the retention period for your specific data, please contact us at the e-mail address office@leno.ee. Please note that where there is no statutory obligation to retain data and we have determined the retention period independently, we have the right to retain the data until the end of the period, but we have no obligation to do so, i.e. we may delete the data earlier.

Cookies

Cookies are small text files that the website stores on your device (computer, tablet or smartphone) when you visit the website. Please read more about cookies and their use in our cookie notice.

The legal basis for the use of cookies is legitimate interest (where the purpose of use is to ensure the functionality and security of the website) and your consent (where the purpose of use is to retain your choices or compile statistics).

Information about the specific cookies used by the website is displayed in the cookie settings window.

Amendments to the Privacy Policy

We have the right to amend this Privacy Policy unilaterally. We will notify you of all amendments by publishing an updated Privacy Policy on the website or, where necessary, via other means of communication.

This Privacy Policy is effective as of 26 January 2026.

COOKIE NOTICE

This cookie notice forms part of the Privacy Policy of Advokaadibüroo Lepmets & Nõges OÜ. The purpose of the notice is to provide information about what cookies are and for what purposes and how we use them.

1. What are cookies?

Cookies are small text files that the website stores on your device (computer, tablet or smartphone) when you visit the website. These files help the website remember you and your preferences and make using the website smoother (for example, it retains the language, font size, screen preferences, etc.).

Cookies may be session cookies, which are deleted automatically after you close your browser, and persistent cookies, which remain on your device for some time to remember your preferences or to analyse website use over a longer period. Cookies also allow us to monitor website traffic and user interactions with the website, analyse visitor behaviour and improve the user experience.

2. Necessary cookies

Necessary cookies are required for the core functions of the website to work. They enable, for example, secure navigation and access to different subpages. Such cookies remember choices made during a single session and active use. The purpose is for the website to function smoothly. These cookies do not collect personal data, but without them the website may not function properly.

3. Analytical cookies

Analytical cookies help us understand how you use the website during your session. With their help, we generally collect anonymous data, such as which pages you viewed and how long you stayed on a page. This information helps us improve the website and make browsing the website and finding information more user-friendly.

Analytical cookies are activated only after you have given consent to the use of such cookies. You can withdraw this consent at any time.

4. Marketing cookies

Marketing cookies help make the provision of our services more personalised and allow us to assess the effectiveness of external advertising campaigns. Marketing cookies track how a particular visitor uses different websites in order to assess that person's behaviour on our website. These cookies also collect data, for example, about which website you came from to reach our website.

Marketing cookies are activated only after you have given consent to the use of such cookies. You can withdraw this consent at any time.

5. How to change cookie settings

On each new visit, pop-up opens on our website, where you can make choices regarding the use of cookies. You cannot make choices regarding necessary cookies. For analytical and marketing cookies, you must provide clear consent before we can use them.

Information about each specific cookie used by the website is displayed in the pop-up. This includes information about the purpose of the cookie, the time it was created and whether it is a session or persistent cookie.

You can change your cookie settings on our website at any time. You can also delete cookies already stored in your browser settings. In addition, you can configure your browser to refuse all cookies. To do this, please consult the instructions for your browser or mobile device. Please note that in some cases, refusing certain cookies may limit the functionality of websites or even block access to the website. Additional information on how to control the use of cookies through your browser settings can be found at https://www.aboutcookies.org/ or http://www.google.com/privacy_ads.html.

If you have questions or problems with the use of cookies on our website, please contact us at the e-mail address office@leno.ee.