Law: Personal Data Protection Act 2018 ('PDPA') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')
Regulator: Data Protection Inspectorate ('DPI')
Summary: Estonia implemented the GDPR in 2018 through the PDPA, which is closely aligned with the GDPR and does not derogate at all in areas such as the appointment of a data protection officer, data breach notification, or data subject rights. However, the PDPA states that the consent of a data subject remains valid for ten years after death and 20 years if the data subject was a minor. To date, the DPI has issued warnings, with the potential for fines for non-compliance, relating to, for instance, video surveillance, the DPI's request for information, and the right to rectification. Furthermore, the DPI has issued guidance on automated decision-making, video surveillance, and the main responsibilities of data controllers.