February 2024

1. Governing Texts

1.1. Key acts, regulations, directives, bills

• Data protection in Estonia is primarily governed by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') which has been implemented into Estonian law by virtue of the Personal Data Protection Act 2018 ('PDPA') which entered into force on January 15, 2019.

1.2. Guidelines

Estonia's data protection authority, the Data Protection Inspectorate ('DPI'), has issued the following guidance:

• Guidelines to legitimate interest (only available in Estonian here);
• Guidelines for using cameras (only available in Estonian here);
• Guidelines to processing of personal data in work relationships (only available in Estonian here);
• General instructions of the personal data processor relationships (only available in Estonian here)
• Personal data in the social care and health sector (only available in Estonian here)
• Guide to the publication of payment irregularities (only available in Estonian here)
• Guidelines on data protection officers (only available in Estonian here) ('the DPO Guidelines');
• Reminder for social networking users (only available in Estonian here);
• Processing of personal data by housing associations (only available in Estonian here);
• Notification of a child in need and data protection (only available in Estonian here); and
• Disclosure of personal data in the media: intervention criteria of the Data Protection Inspectorate (only available in Estonian here).

1.3. Case law

Despite the very widespread tendency among lawyers to refer to the decisions of the Supreme Court of Estonia ('the Supreme Court'), the Estonian legal system is based on codified law. Therefore, in each dispute, parties must primarily rely on the GDPR and/or the PDPA rather than on legal precedent per se.

2. Scope of Application

2.1. Personal scope

There are no variations of the GDPR, except for the validity of the consent after the death of the data subject. See section on legal bases in other instances below.

2.2. Territorial scope

There are no variations of the GDPR.

2.3. Material scope

There are no variations of the GDPR.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The DPI is the regulatory authority for data protection.

3.2. Main powers, duties and responsibilities

The independent supervisory authority in Estonia is the DPI (within the meaning of Article 51(1) of the GDPR and Article 41 of the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680) ('the Law Enforcement Directive')).

The DPI is competent to (§56(2) of the PDPA):

• improve the awareness and understanding of the public, controllers, and processors in relation to the risks associated with the processing of personal data, as well as standards and safeguards in force for processing and the rights related to the processing of personal data – the DPI may give recommended instructions for the performance of this function;

• provide information to data subjects upon request about the exercise of the rights arising from the PDPA and, where appropriate, cooperate for this purpose with the supervisory authorities of other EU Member States;
• if necessary, initiate misdemeanor proceedings and impose penalties, in cases where no other administrative measures achieve compliance with the requirements provided by law or the GDPR;
• cooperate with international data protection supervision organizations, other data protection supervision authorities, and other competent foreign authorities and persons;
• monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular, the development of information and communications technologies;
• give advice on the personal data processing operations referred to in §39 of the PDPA;

• participate in the European Data Protection Board ('EDPB');
• apply administrative coercion on the bases, to the extent of, and pursuant to, the procedure prescribed by law;
• present opinions on own initiative or upon request in the issues related to the protection of personal data to the Estonian Parliament, the Government of Estonia, the Chancellor of Justice, other agencies, and the public; and

• perform other duties arising under the law.

In addition, the DPI has the right to (§56(3) of the PDPA):


• warn data controllers and processors that intended processing operations are likely to infringe the PDPA;

• demand rectification of personal data;

• demand erasure of personal data;

• demand restrictions on data processing;

• demand termination of data processing, including destruction or forwarding to an archive;

• where necessary, immediately apply, in order to prevent damage to the rights and freedoms of persons, organizational, physical, or information technology security measures to protect personal data pursuant to the procedure provided for in the Substitutive Enforcement and Penalty Payment Act, unless the personal data is processed by a state agency;

• implement temporary or permanent restrictions on the processing of personal data, including prohibitions on the processing of personal data; and

• initiate supervision proceedings on the basis of a complaint or on its own initiative.

4. Key Definitions

Data controller: There are no variations of the GDPR.

Data processor: There are no variations of the GDPR.

Personal data: There are no variations of the GDPR.

Sensitive data: There are no variations of the GDPR.

Health data: There are no variations of the GDPR.

Biometric data: There are no variations of the GDPR.

Pseudonymization: There are no variations of the GDPR.

5. Legal Bases

5.1. Consent

There are no variations of the GDPR.

5.2. Contract with the data subject

There are no variations of the GDPR.

5.3. Legal obligations

There are no variations of the GDPR.

5.4. Interests of the data subject

There are no variations of the GDPR.

5.5. Public interest

There are no variations of the GDPR.

5.6. Legitimate interests of the data controller

There are no variations of the GDPR.

5.7. Legal bases in other instances

The PDPA provides the following rules which the GDPR does not regulate:

Processing of personal data after the death of a data subject (§9 of the PDPA)

The consent of a data subject shall remain valid during the lifetime of the data subject and for ten years after the death of the data subject unless the data subject had decided otherwise before their death. If the data subject died as a minor, their consent shall be valid for 20 years after their death. After the death of the data subject, processing of their personal data is permitted only with the consent of the successors of the data subject, except in cases where:

• ten years have passed since the death of the data subject;

• 20 years have passed since the death of a data subject who was a minor;
or
• personal data is processed under any other applicable legal basis(es).

In the case of several successors, processing of the data subject's personal data is permitted with the consent of any of them. The consent specified in §9(1) of the PDPA is not required if the processed personal data only contain the data subject's name, sex, date of birth and death, the fact of death, and the time and place of burial.

Processing of personal data in connection with violation of obligation (§10 of the PDPA)

The transmission of personal data related to a violation of any obligation to third parties and processing of the transmitted data by any third party is permitted for the purpose of assessing the creditworthiness of the data subject, or for any other similar purpose(s) and is only permitted in cases where the controller or processor has verified the accuracy of the data transmitted and the legal basis for the transmission of personal data, and has registered the data transmission. The collection and transmission of data to third parties for the purposes specified in §10(1) of the PDPA is not permitted if:

• special categories of personal data are processed for the purposes of Article 9(1) of the GDPR;

• the data concerns the commission of an offense or a victim in an offense before a public court hearing, the making of a decision in an offense, or the termination of court proceedings;

• it would excessively damage the rights or freedoms of the data subject;

• fewer than 30 days have passed from the violation of a contract; or

• more than five years have passed since the end of the violation of an obligation.

Processing of personal data in public places (§11 of the PDPA)

Unless otherwise provided by law, upon making in public places audio or visual recordings intended for future disclosure, the consent of data subjects will be substituted for an obligation to notify data subjects in a manner that allows persons to understand the fact of the recording of the audio or visual images and give persons an opportunity to object to the recording of their person if they so wish. The notification obligation does not apply in the case of public events, the recording of which for the purposes of the disclosure may be reasonably presumed.

6. Principles

There are no variations of the GDPR.

7. Controller and Processor Obligations

7.1. Data processing notification

There are no national notification requirements.

7.2. Data transfers

There are no variations of the GDPR.

7.3. Data processing records

There are no variations of the GDPR.

7.4. Data protection impact assessment

The DPI has issued a list of activities which require a Data Protection Impact Assessment ('DPIA') ('Blacklist'):

• Estonia DPIA Blacklist ('Estonia Blacklist').

Furthermore, the EDPB has published the following Opinion for Estonia:

• Opinion 6/2018 on the draft list of the competent supervisory authority of Estonia regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR).

More specifically, the Estonia Blacklist highlights that the following types of processing operations, among others, require a DPIA:

• profiling;
• special categories of data or data about criminal convictions on a large scale;
• systematic monitoring of a publicly accessible area on a large scale;
• biometric data for the purposes of uniquely identifying a natural person on a large scale;
• genetic data on a large scale;
• large-scale processing when it might pose a risk of identity theft or fraud;
• large-scale processing when it might pose a risk of property loss;
• large-scale processing when it involves real-time location tracking;
• large-scale processing when it might pose a risk of disclosure of personal economic standing;
• large-scale processing when it might pose a risk of discrimination with legal consequences; and
• large scale processing when it might pose a risk of loss of statutory confidentiality of information.

The Estonia Blacklist notes that the following factors should be considered when determining whether the processing is carried out on a large scale:

• the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
• the volume of data and/or the range of different data items being processed;
• the duration, or permanence, of the data processing activity; and
• the geographical extent of the processing activity.

The DPI has not issued a list of activities which do not require a DPIA (Whitelist).

Notably, the DPI has issued a model DPIA document (only available in Estonian here).

National activities subject to prior consultation/authorization

There are no variations of the GDPR.

A controller or processor that intends to process personal data which are entered into a newly created filing system, must first consult the DPI in the following cases (Article 39(1) of the PDPA):

• a DPIA carried out indicates that the processing of personal data would result in a high risk in the absence of measures taken; and
• the nature of the processing of personal data involves a high risk to the rights and freedoms of data subjects.

National activities not subject to prior consultation/authorization

There are no variations of the GDPR.

7.5. Data protection officer appointment

There are no variations of the GDPR.

The DPI has compiled a list of recommended competencies which are considered a prerequisite for the effective fulfillment of the role of a data protection specialist. Accordingly, a data protection specialist should have knowledge of, among other things (the DPO Guidelines):

• information security principles and relevant technologies and developments;
• the values and goals of the organization;
• internal and business processes of the organization;
• relevant legislation, including EU and national data protection law and sector-specific law, as well as case law, opinions, and guidelines;
• principles and methods of data analytics and profiling, including pseudonymization and anonymization; and
• frameworks and methods for conducting DPIAs and risk management.

Furthermore, the DPI also recommends that a data protection specialist should be able to, among other things (the DPO Guidelines):

• prepare a DPIA, identify risks, and draw up action plans to mitigate such risks;
• manage and coordinate the organization's data protection processes, including developing strategy and instructions and implementing data protection principles; and
• identify and document data processing operations and violations, including data breaches for which the supervisory authority and/or data subject must be notified.

7.6. Data breach notification

Variation/exemptions on breach notification obligation

There are no variations of the GDPR.

Sectoral obligations

There are no sector-specific laws.

7.7. Data retention

• §7(11) of the Assistant Police Officer Act:

Personal data are retained for ten years as of the time the person applies for an assistant police officer or their status of assistant police officer ends. After the expiry of the period of retention, the data are deleted.

• §1061(2) of the Civil Service Act:

The archived personal data shall be stored as follows:

1. data necessary for the calculation of the length of service of the public and special services and the maintenance of the electronic service record for 75 years;
2. the current account number, address, details of activities and restrictions of the ancillary activities and compliance with the restriction on competition, data on compliance with the time of health checks and the state of health, development and appraisal interviews carried out and interviews relating to attestation, existence of permits relating to the state of health, necessary for performance of service or work duties, and data on the spouses, minor children and other dependents of persons who are in service and employed in an agency, for up to one year unless there is another legal basis for further processing; and
3. personnel and payroll data not specified in Clauses 1 and 2 of §1061(2) of the Civil Service Act five years unless otherwise provided by law.

• §40(3) of the Public Information Act:

A restriction on access to information classified as internal which contains private personal data applies for 75 years as of the receipt or documentation thereof or for 30 years as of the death of the person or, if it is impossible to establish death, for 110 years as of the birth of the person.

• §81(4) of the Estonian Defense League Act:

The special categories of personal data in the database of the Estonian Defense League ('the Defense League) shall be deleted after one year has passed and the data concerning the membership of the Defense League no later than after 50 years have passed as of the termination of the membership of the Defense League or refusal to accept for a member of the Defense League.

• §47 (1) of the Money Laundering Act:

For the purpose of identification of persons and verification of submitted information, the obliged entity must retain the originals or copies of the documents specified in §§20(21), 21, 22, and 46 of the Money Laundering Act, the information registered in accordance with §46 and the documents serving as the basis for the establishment of a business relationship for no less than five years after the termination of the business relationship.

• §32(7) of the Establishment of Cause of Death Act:

Registry data shall be preserved for an unspecified term.

• §8(41) of the Labor Market Services and Benefits Act:

Data entered in the register shall be preserved from the entry thereof in the register until ten years after the end of the proceedings provided for in this Act and initiated with regard to a person or after the death of a person. Upon expiry of the retention period, the data entered in the register shall be pseudonymized once a year at the end of the calendar year during which the retention period expires.



Pseudonymized data entered in the register shall be preserved for a term of 65 years after the expiry of which such data are rendered anonymous once a year at the end of the calendar year (§8(42) of the Labor Market Services and Benefits Act).

• §22(5) of the Work Ability Allowance Act:

Information entered in the database is preserved as follows:

• information concerning the assessment of work ability from the entry thereof in the database until ten years after the death of a person;
• information concerning payment of work ability allowance and payment of social tax in special cases from the entry thereof in the database until ten years after the end of the proceedings provided for in this Act and initiated with regard to a person or after the death of a person; and
• data entered in the database shall be pseudonymized once a year at the end of the calendar year during which the retention period expired.

Pseudonymized data entered in the database shall be preserved for a term of 65 years after the expiry of which such data are rendered anonymous once a year at the end of the calendar year during which the retention period expired (§22(6) of the Work Ability Allowance Act).

• §77(8) and §(81) of the Act on Granting International Protection to Aliens:

The data entered in the register shall be retained for a maximum of 50 years and the retention periods shall be specified by data categories in the statutes of the register.



Biometric data processed for the purpose of identification of a person or verification of a person's identity shall be deleted from the register immediately after the comparative study is performed.

• §54²(3) of the Financial Supervision Authority Act:

Personal data processed in supervision proceedings specified in §54²(2) shall be retained for the term provided by an Act or legislation issued pursuant to an Act or for as long it is necessary for the achievement of the purposes thereof.

• §37(13) of the Gambling Act:

Database entries regarding a person shall be retained for up to five years after the person's last visit to the gaming location for games of chance. The data shall be deleted after the lapse of said time period.

• §62(5) of the Investment Funds Act:

The data and documents submitted to a registrar in a format that can be reproduced in writing for an entry to be made shall be preserved by the registrar for ten years after making the respective entry.

• §102(4) of the Radiation Act:

The data specified in §102(3) must be preserved in the national dose register of exposed workers during the entire time the exposed worker is engaged in radiation works. Thereafter the data shall be preserved until the time the person attains or would have attained 75 years of age but not for a shorter period than 30 years after the person no longer engages in radiation works.

• §49²(2³) of the Competition Act:

The supporting documents of data from the register and data from the register shall be preserved for ten years from the grant of individual aid or the grant of last aid under an aid scheme. Data is deleted after this term has passed.

• §46⁹(12²) of the Aviation Act:

Personal data collected for the purpose of carrying out the check are retained for a period of ten years following the completion of the check, expiry of the contract or document serving as the basis for the performance of the task specified in §46⁹(2) or termination of the checked employment or service relationship. After the expiry of this term, the data are deleted.

• §63^4. of the Payment Institutions and E-money Institutions Act:

A payment service provider shall be entitled to store personal data until the expiry of the limitation period for claims arising from the payment service contract or law unless otherwise provided by law.

• §64(2¹) of the General Part of the Economic Activities Code Act:

The person entering information in the register preserves the documents which contain personal data and serve as a basis for entering information in the register for up to ten years after expiry of the period of validity of the licence and thereafter deletes these.

• §5(5) of the Employment Contracts Act:

The employer shall preserve the written employment contract during the term of validity of the employment contract and for ten years after the expiry of the employment contract.

• §4² of the Health Services Organization Act:

§4² (4): From the data collected pursuant to §4(3), the data certifying the provision of in-patient and out-patient health services shall be preserved for 30 years after the approval of data concerning the service provided to a patient.

§4² (5): Differently from the term specified in §4(4), the following data certifying the provision of health services shall be preserved as follows:

1. data on a pupil's health record for five years after graduation or leaving school, also the data on an ambulance card and referral and reply to referral for five years after the approval of data;
2. data on death notice and notice of cause of death for ten years after the approval of data;
3. tissue samples containing health data that have been taken for intravital pathomorphological testing shall be preserved depending on the need for the provision of health services but not longer than for 30 years after the approval of data;
4. autopsy report data for 30 years after approval of data; and
5. data on blood chart, transfusion report, and report of reaction following the transfusion for 30 years after a person's death.

• §24(11) of the Occupational Health and Safety Act:

Information concerning investigations of occupational accidents and occupational diseases shall be retained for 55 years.

• §42¹ of the Electricity Market Act

§42¹(6): The data transmitted to the data exchange platform are preserved for twelve years and are then deleted.

• §77¹ of the  European Parliament Election Act

§77¹(3): The list of voters is preserved permanently in the National Archives.

• §21¹ of the Security Authorities Act

§21¹(6): A security authority retains information collected under this or another Act for as long as necessary for the performance of its functions provided in this Act or until the need for further processing cannot be excluded.

• §106 of the Waste Act

§106(3): A collector of metal waste shall preserve a document specified in subsection 1 of this section for five years and ensure protection of the personal data.

• §54¹ of the Estonian Defense Forces Organization Act

§54¹(4): Personal data collected in the manner specified in subsections 1 and 2 of this section shall be retained for as long as is necessary for the performance of the task/function specified in clause 6 of subsection 1 of § 36 of this Act and shall be deleted immediately upon termination of the need for processing.

• §181 of the Insurance Activities Act

§181(5): An insurance broker shall be entitled to store personal data until the expiry of the limitation period for claims arising from the contract entered into with the client or law unless otherwise provided by law.

• §70² of the Municipal Council Election Act

§70²(3): The list of voters is preserved permanently in the National Archives.

• §34 of the Law Enforcement Act

§34(2): A recording made with monitoring equipment is preserved for at least one month after the date of recording but for no longer than one year, unless otherwise provided by law.

• §126¹² of the Code of Criminal Procedure

§126¹²(2): Surveillance files shall be stored as follows:

 1) surveillance files kept on criminal offenses under preparation, files on searching persons, and confiscation files – until the redundancy of information contained therein, but for not longer than 50 years;

 2) files on criminal offenses – until the deletion of data concerning punishment from the punishment register or the expiry of the limitation period for the criminal offense.

• §36¹ and 36² of the Rescue Act

§36¹(4): Data collected about a person for a background check are retained for five years after the end of the background check or in the event of a legal dispute arising after release from the status of a volunteer until the settlement thereof.

§36²(4): The information obtained as a result of fingerprinting an assistant explosive ordnance disposal technician and analyzing their DNA sample is deleted from the national registers after three years from the release of the assistant explosive ordnance disposal technician from the status of a volunteer.

• §77¹ of the Riigikogu Election Act

§77¹(3): The list of voters is preserved permanently in the National Archives.

• §47 of the Money Laundering and Terrorist Financing Prevention Act

§47(1): For the purpose of identification of persons and verification of submitted information, the obliged entity must retain the originals or copies of the documents specified in subsection 2¹ of § 20 and §§ 21, 22, and 46 of this Act, the information registered in accordance with § 46 and the documents serving as the basis for the establishment of a business relationship for no less than five years after the termination of the business relationship.

• §64¹ of the Referendum Act

§64¹(3): The list of voters is preserved permanently in the National Archives.

• §35³ of the Weapons Act

§35³(1): Information entered in the register of service and civilian weapons is retained as follows:

2) personal data of persons – for 30 years after the expiry of a right granted to a person on the basis of this Act.

7.8. Children's data

According to §8(1) of the PDPA, if Article 6(1)(a) of the GDPR applies in connection with the provision of the information society services directly to a child, the processing of the child's personal data is only permitted in cases where the child is at least 13 years old.

7.9. Special categories of personal data

There are no variations of the GDPR.

7.10. Controller and processor contracts

There are no variations of the GDPR.

8. Data Subject Rights

8.1. Right to be informed

There are no variations of the GDPR.

8.2. Right to access

There are no variations of the GDPR.

8.3. Right to rectification

There are no variations of the GDPR.

8.4. Right to erasure

There are no variations of the GDPR.

8.5. Right to object/opt-out

There are no variations of the GDPR.

8.6. Right to data portability

There are no variations of the GDPR.

8.7. Right not to be subject to automated decision-making

There are no variations of the GDPR.

8.8. Other rights

There are no variations of the GDPR.

9. Penalties

The legal system of Estonia does not allow for administrative fines as set out in the GDPR. The requirements of Article 83(9) of the GDPR have yet to be implemented.

In addition to the sanctions provided for in the GDPR, the PDPA establishes sanctions in the following cases:

Failure to comply with orders of the DPI (§69 of the PDPA)

• Failure to comply with an order provided for in Article 58(2) of the GDPR is punishable by a fine of up to €20 million (approx. $21.7 million); and
• The same act, if committed by a legal entity, is punishable by a fine of up to €20 million (approx. $21.7 million) or up to 4% of its total global annual turnover for the previous financial year, whichever amount is the higher.

Violation of granting access to the DPI (§70 of the PDPA)

• Failure to comply with an order issued based on the investigative powers provided for in Article 58(1) of the GPDR, if the DPI is thereby refused access to personal data, other information, or premises, is punishable by a fine of up to €20 million (approx. $21.7 million); and
• The same act, if committed by a legal person, is punishable by a fine of up to €20 million (approx. $21.7 million) or up to 4% of its total global annual turnover for the previous financial year, whichever amount is the higher.

Illegal processing of personal data outside the performance of employment or service duties (§71 of the PDPA)



The illegal collection, viewing, reading, or use of personal data, enabling access thereto or making inquiries or extracts thereof by any natural person who has access to personal data based on their employment or service duties, if this does not involve the necessary elements of an offense provided for in §§157 and 157 prim of the Penal Code, is punishable by a fine of up to 200 fine units under §71 of the PDPA.

Violation of other personal data processing requirements (§72 of the PDPA)



Violation of personal data protection requirements, if this does not involve the necessary elements of an offense provided for in §§62 to 71 of the PDPA and §§157 and 157 prim of the Penal Code, is punishable by a fine of up to 200 fine units under §72 of the PDPA.

Illegal disclosure of personal data (§157 of the Penal Code)

Disclosure of information obtained in the course of professional activities by a person who is required by law not to disclose such information, if this does not contain the necessary elements of an offence provided for in §1571 of the Penal Code, is punishable by a fine of up to 300 fine units. In addition, the same act, if committed by a legal person, is punishable by a fine of up to €32,000 (approx. $34,740).

Illegal disclosure of specific categories of personal data, data concerning the commission of an offense or falling victim to the offense (§157(1) of the Penal Code)

Illegal disclosure of or enabling of illegal access to specific categories of personal data and data concerning the commission of an offense or falling victim to an offense before a public court hearing or making of a decision in the matter of the offense or termination of the court proceeding in the matter is punishable by a fine of up to 300 fine units. Moreover, the same act, if committed for the purpose of personal gain or if significant damage was caused thereby to another person, is punishable by a pecuniary punishment or up to one year's imprisonment.

Lastly, an act provided for in §1571(1) of the Penal Code, if committed by a legal person, is punishable by a fine of up to €32,000 (approx. $34,740), while an act provided for in §1571(2), if committed by a legal person, is punishable by a pecuniary punishment.

In 2023, the Penal Code was amended in such a way that it should now be easier to punish a legal entity that processes personal data.

§14 of the Penal Code Liability of legal person:

In the cases provided by law, a legal person is liable for an act committed in the interests of the legal person or in breach of its legal obligations by:

• its body, a member, senior official, or competent representative; or
• any person on the instructions of a body or person specified in clause 1 of this subsection, or due to insufficient work organization or supervision of the legal person.

Where a legal person is legally obliged to act, it is liable for failure to act on the grounds provided in subsection 1 of this section, irrespective of whether the body or person specified in subsection 1 is also legally obliged to act alongside the legal person.

Prosecution of a legal person does not preclude prosecution of a natural person who committed the offense, where the law also provides for the liability of the natural person.

The provisions of this section do not apply to the state, intergovernmental organizations, local authorities, or legal persons in public law.

9.1 Enforcement decisions

There are not any notable enforcement decisions.