Last updated: 13 May 2022

This Privacy Policy for Business Partners (“Privacy Policy”) stipulates how Milrem AS as the personal data controller processes the personal data of its business partners and their representatives in connection with the business relationship or any other contractual relationships concluded between the business partner and Milrem AS, as well as privacy rights available to data subjects.

This Privacy Policy applies to all our business partners (if they are natural persons) and business partners’ (legal persons’) representatives and contact persons acting as a management board member, employee or in any other capacity.

1. Controller of personal data

The controller of your personal data is Milrem AS (“Milrem”, “we”, “us” or “our”). Milrem is responsible for ensuring that your personal data is processed in accordance with this Privacy Policy and applicable personal data protection laws, in particular with the General Data Protecting Regulation (EU) 2016/679 (“GDPR”).

Contact details of the controller:

Milrem AS

Registry code: 12494266

Address: Betooni 1, Tallinn 13619, Estonia

Phone number: +372 662 0865


2. Collection of personal data

As your business partner, we collect your personal data in a variety of ways. In particular, we collect personal data provided directly by you when you place requests for information, purchase orders, act as a vendor or a vendor’s representative or otherwise communicate with us (for example, through our website or by directly contacting our representatives) prior to or after entering into a contractual relationship with you acting either in individual interests or on behalf of a legal person. We may also receive your personal data from legal persons with whom we have a contractual relationship. To the extent permitted by applicable law, we may also collect your personal data from third parties, such as government authorities and public databases.

Due to our contractual and statutory rights and obligations related to our business relationship and the values of Milrem, we may collect certain personal data, including:

  • general personal data, such as your name, personal identification code and date of birth, details and a copy of identity document, the language of communication;
  • contact details, such as your e-mail address, home address and phone number. In case of a business partner of legal person, we may also collect data on your position and contact details of the legal person you represent, as well as information on the authorisation (right of representation);
  • information related to our contractual relationship, such as data on inquiries and responses, feedback on our business activity, data on invoicing and transactions (including information on completed sales, fees payable and tax liabilities), details of the contract concluded between the business partner and us, personalised Milrem user account (including usage records, such as time, location, Microsoft OneDrive/SharePoint audit log);
  • data related to a breach of the contract, such as nature and time of the breach;
  • information collected on an ongoing basis in the course of our business relationship and in everyday communication, such as data necessary for the operation of our e-mail systems and other communication tools, IP address;
  • data about our marketing activities towards you, such as information about the undertaken marketing activities, corporate gifts, etc.;
  • data collected through video surveillance, if you visit our premises, but only to the extent needed to protect our legitimate interest to maintain security and establish, exercise or defend legal claims. Please note that this policy applies to the video surveillance which is installed in the common areas of our premises

We may also collect other personal data about you that you voluntarily provide to us in the course of our contractual relationship. You can provide us with other personal data if you wish, but this is not required for the purposes related to our contractual relationship.

3. Purpose and legal basis of data processing

We process your personal data for the following purposes on the basis of Article 6(1)(b) (for the performance of the contract or in order to take pre-contractual steps), Article 6(1)(c) (to comply with legal obligations applicable to us) and Article 6(1)(f) (our legitimate interests) of the GDPR, depending the circumstances under which you communicate with us. In some situations, we may also process your personal data based on your consent (Article 6(1)(a) of the GDPR).

  1. Processing requests for information, purchase orders and/or managing our contractual relationship

The primary purpose of collecting personal data is to enable us to process submitted requests for information and purchase orders with the objective to conclude a contract, perform our contractual obligations, invoicing the other party to the contract, manage and maintain a business relationship with our business partner. In these cases, the processing of personal data is based on our contract between you as a natural person and us, or our legitimate interest if the sales contract is concluded between us and the company you represent.

  1. Accounting purposes

We process personal data in order to comply with our obligations under applicable accounting and tax legislation. In these cases, the processing of personal data is based on legal regulations that oblige us to keep certain accounting data, such as accounting source documents.

  1. Data related to legal claims

If necessary, we may process personal data for the purposes of our legitimate interest in filing, processing or defending legal claims arising from the contractual relationship between us and our business partner.

  1. Marketing purposes

We may also process personal data for marketing purposes, in particular to provide you with information about our goods and services or to provide our business partners corporate gifts. In these cases, the legal basis for the processing of personal data is your consent or our legitimate interest to promote our business activities.

  1. Purposes of security

We also process personal data for the purposes of ensuring the safety of our assets and intellectual property rights, security of our systems, preventing fraud or malicious activities and enhancing the security of our employees. In these cases, the legal basis for the processing of personal data is our legitimate interest in ensuring an adequate level of data security and security in our systems and facilities.

4. Recipients of your personal data

We may disclose your personal data to other companies in Milrem Group (as identified and available at Your personal data may also be processed on our behalf by other companies in the Milrem Group, e.g., data may be processed in a central IT database. The processing is based on our legitimate interest in transferring personal data to other affiliated companies for administrative purposes, for example in connection with the use of central IT support and management.

We put our best efforts to keep your data safe and always require the high level of security and confidentiality from our employees and partners.

We may disclose your personal data to third parties:

  • if permitted or required by applicable law, e.g. at the request of a competent authority or due to legal proceedings;
  • if our trusted service providers (such as IT, accounting and/or legal service providers) provide services to us or on our behalf in accordance with our instructions. In these cases, we will control and remain responsible for the use of your personal data at all times;
  • in connection with our merger, takeover or sale of all or part of our business; and
  • if we, in good faith, believe that disclosure of relevant data is necessary to protect your rights, to protect your or others’ safety, to investigate fraud or other illegal activity.

More specifically, we may disclose your personal data to:

  • our employees who are responsible for cooperation with business partners, as well as employees in accounting, legal, IT maintenance, business analysis and business planning functions;
  • cloud service providers and other IT service providers used to manage our communications with business partners;
  • the Estonian Tax and Customs Board and other state authorities as such is required by law;
  • banks and other financial service providers;
  • our authorised processors and other persons involved in the performance of the contract;
  • persons who help us to exercise our rights under the agreement (providers of debt collection services, legal advisers, courts, etc.);
  • internal and external auditors; and
  • to parties involved in possible mergers, takeovers or the sale of all or part of our assets.

As a rule, we do not transfer personal data outside of the European Economic Area. If we do so, we take all measures to ensure that transfers outside the European Economic Area are adequately protected as required by applicable law. With respect to transfers to countries not providing an adequate level of data protection, Milrem bases the transfer on appropriate safeguards, such as standard data protection clauses adopted by the European Commission. If you wish to receive more information about data transfers and the safeguards that we apply to them, please contact us at the contact details provided above in section 1.

5. Retention of personal data

We process and retain your personal data as long as necessary to achieve the specific purposes described in this Privacy Policy, including to comply with legal requirements applicable to us.

Most of your personal data will be retained until the end of the contractual relationship between you and us. Certain personal data may be retained after the end of the contractual relationship, if required or permitted by applicable law. For example, we retain the accounting source documents (eg, copies of invoices) for 7 years from the end of the relevant financial year when a business transaction was recorded, as required by applicable law.

In some cases, personal data may be also retained for a longer period if storage of personal data is required in order to protect our or any third parties’ legitimate interests, e.g. in case of a legal dispute.

We will delete or anonymise your personal data when processing is no longer necessary for intended purposes.

6. Your rights

Subject to the restrictions and conditions set out in law, you have the following rights as a data subject:

  • to request access to your personal data. You may access, correct, update, change or remove your personal data at any time. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this Privacy Policy and may also be required by law. Thus, you may not remove such personal data;
  • to request rectification of your personal data;
  • to request erasure of your personal data. If personal data is erased under your request, we will only retain such copies of the information as are necessary for us to protect our or third parties’ legitimate interests, comply with governmental orders, resolve disputes, troubleshoot problems, or enforce any agreement you have entered into with us;
  • to data portability (insofar as it does not infringe our legitimate interests to protect our trade secrets or any other confidential information);

In some cases you may have a right to request restriction of processing of your personal data or to object to processing of your personal data.

If you think there is a problem with the way we are handling your personal data, you have a right to lodge a complaint to your national data protection authority in the EU/EEA, or seek judicial remedy. In Estonia, the competent supervisory authority is the Estonian Data Protection Inspectorate. You can find contact details of the Estonian Data Protection Inspectorate here: However, we encourage you to first contact us with any concerns that you may have, although you have no obligation to do so.

7. Security measures

We use reasonable security measures (including physical, electronic and administrative) to protect your personal data from loss, destruction, misuse and unauthorised access or disclosure. For example, we only grant access to your personal data to authorised employees and contractors who need it to perform their duties.

Please note that while we take reasonable steps to protect the security of your personal information, no system completely eliminates all potential security risks.

8. Updates

From time to time, we may update this Privacy Policy in order to adapt it to any updates that might arise. In such a case, the updated Privacy Policy will be available at our website This Privacy Policy was last updated as of the “Last updated” date shown above.

9. Our contacts

If you have any questions regarding this Privacy Policy or the personal data we process about you, please contact us at the contact details provided above in section 1.