Privacy Policy

Last updated: 2026-05-19 15:55

Summary

This Privacy Policy explains how Figure Baltic Advisory processes personal data in connection with its websites, Compensation Survey Portal and services. Figure processes personal data mainly to provide and manage services, conduct compensation surveys and related analyses, ensure security, communicate with clients, Partners and users, comply with legal obligations, and carry out marketing where permitted.

 

1. Controller and contact details

The personal data controllers are Figure Baltic Advisory OÜ, registry code 11466977, Figure Baltic Advisory SIA, registry code 40203423228, and Figure Baltic Advisory UAB, registry code 306671468 (hereinafter collectively "Figure"). Figure can be contacted by e-mail at info@figure.ee, by phone at +372 627 7077, or by post at Sepapaja 6, Tallinn 11415, Estonia.

Depending on the country, website, Portal, service or contractual relationship, the relevant controller is Figure Baltic Advisory OÜ, Figure Baltic Advisory SIA or Figure Baltic Advisory UAB. The relevant controller is generally the Figure entity that provides the service, operates the relevant local website or has entered into the contractual relationship with the client or Partner. If the relevant controller is not clear from the context, Figure will provide further information upon request.

Data protection contact: info@figure.ee.

 

2. Personal data processed by Figure

Figure may process the following categories of personal data, depending on the service, website, Portal activity or relationship involved:

  • contact and identification data, such as first name, surname, e-mail address, phone number, employer, job title and, where required for a specific service, authentication or legal requirement, personal identification code or other identifier;
  • client, Partner and professional data, such as organisation name, role, authorisations, service history, purchased or used services, contractual details and communication history;
  • Compensation Survey Portal account and access data, such as username, access rights, authentication method, login status and security logs;
  • authentication data, where Portal users may be authenticated through ID-card, Mobile-ID, Smart-ID or, where applicable, username and password authentication. When username and password authentication is used, Figure stores the username and a securely hashed password or equivalent authentication credential;
  • survey and compensation-related data, including pseudonymised compensation data, job-related variables, benefits, compensation policies and other information required for compensation surveys and related analyses;
  • training and event data, including participation, absences, payment information, feedback and satisfaction data;
  • assessment and test data, including strengths, development areas, competences, test results and interview summaries, in relation to assessment services offered in Latvia and Lithuania; consulting assignment data, including information necessary to provide and document consulting services;
  • technical, usage and security data, such as IP address, device and browser information, session identifiers, actions and queries in Figure web environments, access logs and information about logging in and out;
  • cookie and similar technology data, including cookie consent choices, language preferences, website usage information and campaign measurement data;
  • marketing and communication data, such as communication preferences, subscriptions, event registrations, opt-outs and engagement with Figure communications.

Figure does not intentionally collect or process special categories of personal data, such as health data, political opinions, religious or philosophical beliefs, trade union membership or biometric data used for identification. If Figure receives special category data that is not necessary for the relevant service, Figure will delete such data as soon as reasonably possible and will not use it for further processing.

2.1 Compensation Survey Portal data

In the Figure Compensation Survey Portal, Figure processes personal data relating to Partner representatives and, where applicable, Sub-Users authorised by the Partner, as well as pseudonymised compensation-related data submitted by Partners. Such data may include user account data, authentication and login information, access rights, security logs, submitted survey data, compensation-related variables and other information required for conducting Figure Compensation Surveys, preparing deliverables and carrying out statistical research and analysis related to labour market, compensation, benefits, HR practices and workforce trends.

2.2 Data received from Partners and clients

Where Figure receives personal data or pseudonymised data from a Partner or client rather than directly from the data subject, Figure processes such data as an independent controller for the purposes described in this Privacy Policy, including conducting surveys, preparing deliverables, quality control, statistical research and analysis, and service development.

Such data may be received from the data subject’s employer, client organisation, Partner organisation, their authorised representatives, or another organisation participating in Figure’s services.

Where Figure receives data from a Partner or client rather than directly from the data subject, the Partner or client is responsible for ensuring that it has a valid legal basis for disclosing the data to Figure and that relevant data subjects have received appropriate information about such disclosure, including information about Figure as an independent controller and the purposes of further processing by Figure. Figure provides this Privacy Policy to explain its own further processing activities as an independent controller, including the information required under Articles 13 and 14 of the GDPR, where applicable.

2.3 Pseudonymised, anonymised and aggregated data

Pseudonymised data may still qualify as personal data under the GDPR where it can be attributed to an individual by using additional information. Figure applies safeguards such as access restrictions, aggregation, statistical thresholds, confidentiality obligations and, where appropriate, anonymisation to reduce the risk of re-identification.

Anonymised and aggregated data that cannot be used to identify an individual is not personal data under the GDPR and may be used by Figure for statistical, benchmarking, research and service development purposes without a fixed retention period.

 

3. Purposes and legal bases of processing

Figure processes personal data only where it has a defined purpose and an applicable legal basis under the GDPR. The main processing activities are summarised below.

Processing activity Purpose Main legal basis
Websites, web environments and necessary cookies Operating websites and online services, ensuring security, remembering privacy preferences and enabling requested functionality. Legitimate interest for website operation and security; performance of a contract where necessary to provide an online service requested by the user; legal obligation where necessary to record privacy choices or meet compliance requirements.
Functional, performance and marketing cookies Providing optional website functions, measuring website performance and, where applicable, measuring or personalising marketing activities. Consent, unless an exemption applies under applicable law.
Compensation Survey Portal access and authentication Creating and managing user access, verifying identity, managing authorisations, maintaining audit logs and ensuring Portal security. Performance of a contract where applicable; legitimate interest in access management, Portal security, audit logging and protecting confidential data; legal obligation where applicable.
Compensation surveys and deliverables Collecting, validating and analysing compensation and benefits data, preparing market statistics, deliverables and related analyses. Performance of a contract where applicable and/or legitimate interest.
Statistical research and service development Developing and improving compensation surveys, HR insights, market reports and related services. Legitimate interest, with safeguards such as minimisation, access restrictions, pseudonymisation, aggregation and anonymisation where appropriate.
Training, events and consulting assignments Providing requested services, managing participation, preparing outputs, collecting feedback and communicating with participants or clients. Performance of a contract where applicable, legitimate interest, consent or legal obligation, depending on the service setup.
Assessment services in Latvia and Lithuania Providing assessment-related services, administering assessments, preparing assessment outputs and communicating with participants or clients. Consent where assessment participation is voluntary or assessment data is processed on that basis; performance of a contract where applicable; legitimate interest only where necessary for service administration, quality assurance, security or client-requested assessment delivery and where the balancing test supports it.
Client and Partner relationship management Managing contracts, orders, invoices, support requests, communications and service delivery. Performance of a contract where applicable, legitimate interest and legal obligation, depending on context.
B2B marketing and communications Informing clients and prospective clients about Figure services, surveys, events, publications and HR-related insights. Consent or legitimate interest in a B2B context, where permitted by applicable law.
Legal compliance and dispute management Complying with legal obligations, responding to lawful requests, enforcing agreements and resolving disputes. Legal obligation and/or legitimate interest.

 

Where the contractual relationship is with a client, Partner or employer rather than directly with the data subject, Figure relies on the applicable legal basis for the relevant processing activity, such as legitimate interest, legal obligation or consent, as appropriate.

Where processing is based on consent, the data subject may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Where consent relates to cookies or similar technologies, consent can be managed or withdrawn through the cookie settings available on the Figure website.

Where processing is based on legitimate interests, Figure carries out a legitimate interest balancing test and assesses whether its interests are overridden by the rights and freedoms of data subjects. Figure applies appropriate safeguards, such as data minimisation, access restrictions, pseudonymisation, aggregation, confidentiality obligations and opt-out mechanisms.

In relation to the Compensation Survey Portal, Figure and the Partner act as independent controllers. Figure is not considered a processor in relation to the Portal activities and services, as Figure determines the purposes and means of the processing required for conducting compensation surveys, preparing deliverables and carrying out statistical research and analysis. The Partner is separately responsible for the lawfulness of the disclosure of data to Figure and for informing relevant data subjects.

 

4. Recipients, service providers and international transfers

Figure does not sell personal data or make personal data publicly available. Figure may disclose personal data only where necessary for the purposes described in this Privacy Policy, where required by law, or where the data subject, client or Partner has authorised such disclosure.

Recipients of personal data may include:

  • Figure group entities;
  • IT, hosting, software, authentication, security and analytics service providers;
  • professional advisers, auditors, legal advisers and accounting service providers;
  • clients or employers where necessary for the requested service, such as training participation, assessment results in relation to assessment services offered in Latvia and Lithuania, consulting deliverables or survey-related administration;
  • cooperation partners involved in survey, benchmarking or statistical projects;
  • public authorities, courts, supervisory authorities or other recipients where disclosure is required by law or necessary to protect legal rights.

Service providers and cooperation partners are required to protect personal data and process it only in accordance with applicable data protection requirements and contractual obligations.

4.1 Mercer

Where the Partner has contractually agreed in the Portal or otherwise, Figure may share anonymised and aggregated survey data with Mercer LLC and its affiliates or other cooperation partners for compensation benchmarking, statistical analysis and related survey projects. Figure does not share directly identifiable employee data with Mercer for these purposes.

Partner-level business information and aggregated market data may still be confidential information under contractual terms, even where it does not constitute personal data.

4.2 International transfers

Cooperation partners and service providers of Figure may be located in the European Union, the European Economic Area or, where necessary for service delivery, in third countries. International transfers of personal data outside the EEA are carried out only in accordance with Chapter V of the GDPR.

Where personal data is transferred outside the EEA, Figure relies on a valid transfer mechanism, such as an adequacy decision of the European Commission or Standard Contractual Clauses approved by the European Commission. Where required, Figure assesses transfer risks and applies supplementary technical and organisational measures, such as encryption, pseudonymisation, access restrictions and confidentiality obligations. Figure prioritises service providers and platforms located within the EU/EEA whenever possible.

 

5. Retention of personal data

Figure processes and retains personal data in accordance with the storage limitation principle under Article 5(1)(e) of the GDPR. Unless stated otherwise, personal data is retained for a standard period of 5 years to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes or enforce agreements.

Personal data, including compensation data, survey and feedback responses, talent assessments, interview summaries, account information and security logs, is generally retained for 5 years from the conclusion of the relevant activity or the last interaction with Figure, unless a longer or shorter period is required by law, specified in the Cookie Policy or another service-specific notice, agreed with the relevant client or Partner, or justified by the specific processing context.

Marketing data is retained for 5 years or until the data subject withdraws consent, objects to direct marketing or opts out, whichever occurs first.

At the end of the retention period, personal data is deleted or anonymised using appropriate technical and organisational measures designed to prevent reconstruction or re-identification. Retention may exceed 5 years only where necessary to comply with legal obligations, resolve disputes or enforce agreements. Anonymised and aggregated data that no longer constitutes personal data may be retained without a fixed retention period.

 

6. Cookies and similar technologies

Figure uses cookies, local storage, session storage and similar technologies on its websites and web environments. These technologies may involve the processing of online identifiers and technical information, such as IP address, device and browser information, session identifiers, language preferences, login status, cookie consent choices and website usage information.

Necessary cookies and similar technologies are used to provide the requested online service, ensure security, enable login functionality and remember privacy preferences. Functional, performance and marketing cookies and similar technologies that are not strictly necessary are used only with the user’s consent, unless an exemption applies under applicable law. Where marketing cookies are accepted, they may be used to measure marketing activities, create advertising profiles and show more relevant advertisements based on the user’s preferences and website usage. Users can accept, reject or change non-essential cookie preferences at any time through the cookie settings available on the Figure website.

Detailed and current information about the cookies and similar technologies used on Figure websites, including their purposes, providers, categories, storage periods and consent management options, is available in the Figure Cookie Policy: https://figure.ee/cookie-policy.

 

7. Security and confidentiality

Figure applies appropriate technical and organisational measures to protect personal data against accidental or unauthorised processing, disclosure, alteration, loss or destruction. These measures may include encryption, pseudonymisation, password hashing, secure connections, authentication controls, access restrictions, logging, confidentiality obligations and other security measures appropriate to the risk.

Access to personal data is limited to Figure employees, representatives and service providers who need access for their duties or for providing services to Figure and who are bound by confidentiality and data protection obligations. Figure considers data protection requirements when selecting IT, hosting, software and other service providers.

 

8. Rights of data subjects

Data subjects have the right to request access to their personal data, rectification of inaccurate data, erasure of data, restriction of processing, data portability, objection to processing based on legitimate interests or direct marketing, and withdrawal of consent.

Data subjects also have the right not to be subject to a decision based solely on automated processing, including profiling, where such decision produces legal effects concerning them or similarly significantly affects them. Figure does not make such decisions.

Data subjects can exercise their rights by contacting Figure at info@figure.ee. The request should include the full name of the data subject, a description of the right being exercised and any additional information that may help Figure identify the relevant data, service or account.

Figure will respond to requests without undue delay and, in any case, within one month of receipt, as required by GDPR Article 12(3). If a request is complex or involves multiple requests, Figure may extend the response period by an additional two months and will inform the data subject of the extension and reasons for it within the initial one-month period.

To protect personal data, Figure may request additional information to verify the identity of the requester before processing the request. Requests are processed free of charge, but Figure may charge a reasonable fee or refuse to act on repetitive, excessive or manifestly unfounded requests as permitted by GDPR Article 12(5).

 

9. Personal data breaches

In the event of a personal data breach, Figure will assess the nature and impact of the breach and take appropriate measures to mitigate potential harm. Where required under Articles 33 and 34 of the GDPR, Figure will notify the relevant supervisory authority and affected data subjects within the applicable time limits. Figure documents personal data breaches in accordance with GDPR requirements.

 

10. Inquiries and right to lodge a complaint

Questions, requests or objections relating to personal data processing may be sent to Figure at info@figure.ee.

Data subjects also have the right to contact the relevant supervisory authority to lodge a complaint or seek assistance regarding their personal data and its processing.

Estonia

  • Supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
  • Address: Tatari 39, 10134 Tallinn, Estonia
  • Phone: +372 627 4135
  • Email: info@aki.ee
  • Website: www.aki.ee

Latvia

  • Supervisory authority: Data State Inspectorate (Datu valsts inspekcija)
  • Address: Elijas 17, Riga, LV-1050, Latvia
  • Phone: +371 67223131
  • Email: pasts@dvi.gov.lv
  • Website: www.dvi.gov.lv

Lithuania

  • Supervisory authority: State Data Protection Inspectorate (ValstybinÄ— duomenų apsaugos inspekcija)
  • Address: L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
  • Phone: +370 5 271 2804 / +370 5 279 1445
  • Email: ada@ada.lt
  • Website: https://vdai.lrv.lt/

Figure Baltic Advisory

Figure Baltic Advisory office
Figure Baltic Advisory location on the map
Figure Baltic Advisory Lithuania

+370 691 91863
info@figure.lt

Paupio g. 58-33 LT-11341 Vilnius Lithuania

Figure Baltic Advisory UAB Reg: 306671468 PVM: LT100016713915 IBAN: LT687300010184622521 Swedbank S.W.I.F.T.: HABALT22
Figure Baltic Advisory office
Figure Baltic Advisory location on the map
Figure Baltic Advisory Estonia

+372 627 7077
info@figure.ee

Sepapaja 6 11415 Tallinn Estonia

Figure Baltic Advisory OÜ Reg: 11466977 KM EE101209496 IBAN: EE722200221039865464 Swedbank S.W.I.F.T.: HABAEE2X
Figure Baltic Advisory office
Figure Baltic Advisory location on the map
Figure Baltic Advisory Latvia

+371 29 357 973
info@figure.lv

Krišjāņa Valdemāra iela 33-13 LV-1010 Riga Latvia

Figure Baltic Advisory SIA Reg: 40203423228 VAT: LV40203423228 IBAN: LV52HABA0551053500983 Swedbank S.W.I.F.T.: HABALV22
Privacy policy
Cookie policy