Estonia - Data Protection Overview
March 2022

1. Governing Texts

Data protection in Estonia is primarily governed by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which has been implemented into Estonian law by virtue of the Personal Data Protection Act 2018 ('PDPA'), which entered into force on 15 January 2019.

1.1. Key acts, regulations, directives, bills

  • The PDPA

1.2. Guidelines

Estonia's data protection authority, the Data Protection Inspectorate ('DPI'), has issued the following guidance:

  • Guidelines on data protection officers (only available in Estonian here) ('the DPO Guidelines');
  • Guidelines on data controllers (only available in Estonian here);
  • Transfer of Personal Data to a Foreign Country;
  • Guidelines on data security (only available in Estonian here);
  • Reminder for social networking user (only available in Estonian here);
  • Frequently asked questions (only available in Estonian here);
  • Processing of personal data by housing associations (only available in Estonian here); and
  • Notification of a child in need and data protection (only available in Estonian here).

1.3. Case law

Despite the very widespread tendency among lawyers to refer to the decisions of the Supreme Court of Estonia ('the Supreme Court'), the Estonian legal system is based on codified law. Therefore, in each dispute, parties must primarily rely on the GDPR and/or the PDPA rather than on legal precedent per se.

  • Tallinn Administrative Court, case no. 3-19-579 (only available in Estonian here): The PDPA does not allow the DPI to refuse to carry out supervision on the sole basis of the argument that a person would be able to file civil claims directly against persons allegedly violating their rights in order to protect those rights.
  • Harju County Court, case no. 2-18-12412 (only available in Estonian here): The interpretation of the GDPR must be based, among other things, on the principles set out in the preamble to the Regulation. Recital 4 of the GDPR states, inter alia, that the right to the protection of personal data is not absolute but must be weighed against the role of the processor in society and balanced with other fundamental rights following the principle of proportionality. According to Recital 46, the processing must be considered lawful if necessary to protect the data subject's vital interests. It is clear from Recital 53 that the Member States are entitled to maintain or impose additional requirements on health data processing.
  • Tallinn Administrative Court, case no. 3-2-375 (only available in Estonian here): The DPI based its considerations only on the practice established before the entry into force of the GDPR and did not take into account the rights arising from the GDPR for the applicants, going as far as to find, without further justification, that the earlier interpretation is in line with the GDPR. The Court disagreed with this approach, as the legal situation regarding the legal remedies available to the data subject has changed since the entry into force of the GDPR. The GDPR ensures more extensive protection of the data subject's personal data than before.

2. Scope of Application

2.1. Personal scope

There are no variations of the GDPR, except for the validity of consent after the death of the data subject. See the section on legal bases in other instances below.

2.2. Territorial scope

There are no variations of the GDPR.

2.3. Material scope

There are no variations of the GDPR.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The DPI is the regulatory authority for data protection.

3.2. Main powers, duties and responsibilities

The independent supervisory authority in Estonia is the DPI (within the meaning of Article 51(1) of the GDPR and Article 41 of the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680) ('the Law Enforcement Directive')).

The DPI is competent to (Section 56(2) of the PDPA):

  • improve the awareness and understanding of the public, controllers, and processors in relation to the risks associated with the processing of personal data, as well as standards and safeguards in force for processing and the rights related to the processing of personal data – the DPI may give recommended instructions for the performance of this function;
  • provide information to data subjects upon request about the exercise of the rights arising from the PDPA and, where appropriate, cooperate for this purpose with the supervisory authorities of other EU Member States;
  • if necessary, initiate misdemeanour proceedings and impose penalties, in cases where no other administrative measures achieve compliance with the requirements provided by law or the GDPR;
  • cooperate with international data protection supervision organisations, other data protection supervision authorities, and other competent foreign authorities and persons;
  • monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communications technologies;
  • give advice on the personal data processing operations referred to in Section 39 of the PDPA;
  • participate in the European Data Protection Board ('EDPB');
  • apply administrative coercion on the bases, to the extent of, and pursuant to, the procedure prescribed by law;
  • present opinions on its own initiative or upon request on issues related to the protection of personal data to the Estonian Parliament, the Government of Estonia, the Chancellor of Justice, other agencies, and the public; and
  • perform other duties arising under the law.

In addition, the DPI has the right to (Section 56(3) of the PDPA):
  • warn data controllers and processors that intended processing operations are likely to infringe the PDPA;
  • demand rectification of personal data;
  • demand erasure of personal data;
  • demand restrictions on data processing;
  • demand termination of data processing, including destruction or forwarding to an archive;
  • where necessary, immediately apply, in order to prevent damage to the rights and freedoms of persons, organisational, physical, or information technology security measures to protect personal data pursuant to the procedure provided for in the Substitutive Enforcement and Penalty Payment Act, unless the personal data is processed by a state agency;
  • implement temporary or permanent restrictions on processing of personal data, including prohibitions on the processing of personal data; and
  • initiate supervision proceedings on the basis of a complaint or on its own initiative.

4. Key Definitions

Data controller: There are no variations of the GDPR.

Data processor: There are no variations of the GDPR.

Personal data: There are no variations of the GDPR.

Sensitive data: There are no variations of the GDPR.

Health data: There are no variations of the GDPR.

Biometric data: There are no variations of the GDPR.

Pseudonymisation: There are no variations of the GDPR.

5. Legal Bases

5.1. Consent

There are no variations of the GDPR.

5.2. Contract with the data subject

There are no variations of the GDPR.

5.3. Legal obligations

There are no variations of the GDPR.

5.4. Interests of the data subject

There are no variations of the GDPR.

5.5. Public interest

There are no variations of the GDPR.

5.6. Legitimate interests of the data controller

There are no variations of the GDPR.

5.7. Legal bases in other instances

The PDPA provides the following rules which the GDPR does not regulate:

Processing of personal data after the death of a data subject (Section 9 of the PDPA)

The consent of a data subject shall remain valid during the lifetime of the data subject and for ten years after the death of the data subject unless the data subject had decided otherwise before their death. If the data subject died as a minor, their consent shall be valid for 20 years after their death. After the death of the data subject, processing of their personal data is permitted only with the consent of the successors of the data subject, except in cases where:

  • ten years have passed since the death of the data subject;
  • 20 years have passed since the death of a data subject who was a minor; or
  • personal data is processed under any other applicable legal basis/bases.

In the case of several successors, processing of the data subject's personal data is permitted with the consent of any of them. The consent specified in Section 9(1) of the PDPA is not required if the processed personal data only contain the data subject's name, sex, date of birth and death, the fact of death, and the time and place of burial.

Processing of personal data in connection with violation of obligation (Section 10 of the PDPA)

The transmission of personal data related to a violation of any obligation to third parties and processing of the transmitted data by any third party is permitted for the purpose of assessing the creditworthiness of the data subject, or for any other similar purpose/purposes and is only permitted in cases where the controller or processor has verified the accuracy of the data transmitted and the legal basis for transmission of personal data, and has registered the data transmission. The collection and transmission of data to third parties for the purposes specified in subsection 1 of Section 10 of the PDPA is not permitted if:

  • special categories of personal data within the meaning of Article 9(1) of the GDPR are processed;
  • the data concerns the commission of an offence or a victim of an offence before a public court hearing, the making of a decision in an offence, or the termination of court proceedings;
  • it would excessively damage the rights or freedoms of the data subject;
  • fewer than 30 days have passed from the violation of a contract; or
  • more than five years have passed from the end of the violation of an obligation.

Processing of personal data in public places (Section 11 of the PDPA)

Unless otherwise provided by law, when audio or visual recordings intended for future disclosure are made in public places, the consent of data subjects is substituted by an obligation to notify data subjects in a manner which allows persons to understand the fact of the recording of the audio or visual images and gives them an opportunity to object to the recording of their person if they so wish. The notification obligation does not apply in the case of public events, the recording of which for the purposes of disclosure may be reasonably presumed.

6. Principles

There are no variations of the GDPR.

7. Controller and Processor Obligations

7.1. Data processing notification

There are no national notification requirements.

7.2. Data transfers

There are no variations of the GDPR.

7.3. Data processing records

There are no variations of the GDPR.

7.4. Data protection impact assessment

The DPI has issued a list of activities which require a Data Protection Impact Assessment ('DPIA') ('Blacklist'):

Furthermore, the EDPB has published the following Opinion for Estonia:

More specifically, the Estonia Blacklist highlights that the following types of processing operations, among others, require a DPIA:

  • profiling;
  • special categories of data or data about criminal convictions on a large scale;
  • systematic monitoring of a publicly accessible area on a large scale;
  • biometric data for the purposes of uniquely identifying a natural person on a large scale;
  • genetic data on a large scale;
  • large-scale processing when it might pose a risk of identity theft or fraud;
  • large-scale processing when it might pose a risk of property loss;
  • large-scale processing when it involves real-time location tracking;
  • large-scale processing when it might pose a risk of disclosure of personal economical standing;
  • large-scale processing when it might pose a risk of discrimination with legal consequences; and
  • large-scale processing when it might pose a risk of loss of statutory confidentiality of information.

The Estonia Blacklist notes that the following factors should be considered when determining whether the processing is carried out on a large scale:

  • the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
  • the volume of data and/or the range of different data items being processed;
  • the duration, or permanence, of the data processing activity; and
  • the geographical extent of the processing activity.

The DPI has not issued a list of activities which do not require a DPIA ('Whitelist').

Notably, the DPI has issued a model DPIA document (only available in Estonian here).

National activities subject to prior consultation/authorisation

There are no variations of the GDPR.

A controller or processor that intends to process personal data which are entered into a newly created filing system must first consult the DPI in the following cases (Section 39(1) of the PDPA):

  • a DPIA carried out indicates that the processing of personal data would result in a high risk in the absence of measures taken; and
  • the nature of processing of personal data involves a high risk to the rights and freedoms of data subjects.

National activities not subject to prior consultation/authorisation

There are no variations of the GDPR.

7.5. Data protection officer appointment

There are no variations of the GDPR.

The DPI has compiled a list of recommended competencies which are considered a prerequisite for the effective fulfilment of the role of a data protection specialist. Accordingly, a data protection specialist should have knowledge of, among other things (the DPO Guidelines):

  • information security principles and relevant technologies and developments;
  • the values and goals of the organisation;
  • internal and business processes of the organisation;
  • relevant legislation, including EU and national data protection law and sector-specific law, as well as case law, opinions, and guidelines;
  • principles and methods of data processing, including pseudonymisation and anonymisation; and
  • frameworks and methods for conducting DPIAs and risk management.

Furthermore, the DPI also recommends that a data protection specialist should be able to, among other things (the DPO Guidelines):

  • prepare a DPIA, identify risks, and draw up action plans to mitigate such risks;
  • manage and coordinate the organisation's data protection processes, including developing strategy and instructions and implementing data protection principles; and
  • identify and document data processing operations and violations, including data breaches for which the supervisory authority and/or data subject must be notified.

Notably, organisations must notify the appointment of a DPO by submitting the person's details to the Company Registration Portal or via email at [email protected] (the Statement; the Guidance on Notification; the Notice). To this end, the DPI has issued guidance on notification for organisations (only available in Estonian here) ('the Guidance on Notification').

7.6. Data breach notification

Variation/exemptions on breach notification obligation

There are no variations of the GDPR.

Sectoral obligations

There are no sector-specific laws.

7.7. Data retention

Personal data processed in supervision proceedings specified in Section 542(2) shall be retained for the term provided by an Act or legislation issued pursuant to an Act or for as long it is necessary for the achievement of the purposes thereof.

Database entries regarding a person shall be retained for up to five years after the person's last visit to the gaming location for games of chance. The data shall be deleted after the lapse of said time period.

The data and documents submitted to a registrar in a format that can be reproduced in writing for an entry to be made shall be preserved by the registrar for ten years after making the respective entry.

The data specified in Section 102(3) must be preserved in the national dose register of exposed workers during the entire time the exposed worker is engaged in radiation works. Thereafter the data shall be preserved until the time the person attains or would have attained 75 years of age but not for a shorter period than 30 years after the person no longer engages in radiation works.

The supporting documents of data from the register and data from the register shall be preserved for ten years from grant of individual aid or grant of last aid under an aid scheme. Data is deleted after this term has passed.

Personal data collected for the purpose of carrying out the check are retained for a period of ten years following the completion of the check, expiry of the contract or document serving as the basis for the performance of the task specified in Section 469(2) or termination of the checked employment or service relationship. After the expiry of this term, the data are deleted.

A payment service provider shall be entitled to store personal data until the expiry of the limitation period for claims arising from the payment service contract or law unless otherwise provided by law.

The person entering information in the register preserves the documents which contain personal data and serve as a basis for entering information in the register for up to ten years after expiry of the period of validity of the licence and thereafter deletes these.

The employer shall preserve the written employment contract during the term of validity of the employment contract and for ten years after the expiry of the employment contract.

Subsection (4): From the data collected pursuant to Section 4(3), the data certifying the provision of in-patient and out-patient health services shall be preserved for 30 years after the approval of data concerning the service provided to a patient.

Subsection (5): Differently from the term specified in Section 4(4), the following data certifying the provision of health services shall be preserved as follows:

  1. data on a pupil's health record for five years after graduation or leaving school, also the data on an ambulance card and referral and reply to referral for five years after the approval of data;
  2. data on death notice and notice of cause of death for ten years after the approval of data;
  3. tissue samples containing health data that have been taken for intravital pathomorphological testing shall be preserved depending on the need for the provision of health services but not longer than for 30 years after the approval of data;
  4. autopsy report data for 30 years after approval of data; and
  5. data on blood chart, transfusion report, and report of reaction following the transfusion for 30 years after a person's death.

Information concerning investigations of occupational accidents and occupational diseases shall be retained for 55 years.

7.8. Children's data

According to Section 8(1) of the PDPA, if Article 6(1)(a) of the GDPR applies in connection with provision of the information society services directly to a child, the processing of the child's personal data is only permitted in cases where the child is at least 13 years old.

7.9. Special categories of personal data

There are no variations of the GDPR.

7.10. Controller and processor contracts

There are no variations of the GDPR.

8. Data Subject Rights

8.1. Right to be informed

There are no variations of the GDPR.

8.2. Right to access

There are no variations of the GDPR.

8.3. Right to rectification

There are no variations of the GDPR.

8.4. Right to erasure

There are no variations of the GDPR.

8.5. Right to object/opt-out

There are no variations of the GDPR.

8.6. Right to data portability

There are no variations of the GDPR.

8.7. Right not to be subject to automated decision-making

There are no variations of the GDPR.

8.8. Other rights

There are no variations of the GDPR.

9. Penalties

The legal system of Estonia does not allow for administrative fines as set out in the GDPR. The requirements of Article 83(9) of the GDPR have yet to be implemented.

In addition to the sanctions provided for in the GDPR, the PDPA establishes sanctions in the following cases:

Failure to comply with orders of the DPI (Section 69 of the PDPA)

  • Failure to comply with an order provided for in Article 58(2) of the GDPR is punishable by a fine of up to €20 million; and
  • The same act, if committed by a legal entity, is punishable by a fine of up to €20 million or up to 4% of its total global annual turnover for the previous financial year, whichever amount is the higher.

Violation of granting access to the DPI (Section 70 of the PDPA)

  • Failure to comply with an order issued based on the investigative powers provided for in Article 58(1) of the GDPR, if the DPI is thereby refused access to personal data, other information, or premises, is punishable by a fine of up to €20 million; and
  • The same act, if committed by a legal person, is punishable by a fine of up to €20 million or up to 4% of its total global annual turnover for the previous financial year, whichever amount is the higher.

Illegal processing of personal data outside performance of employment or service duties (Section 71 of the PDPA)

The illegal collection, viewing, reading, or use of personal data, enabling access thereto, or making inquiries or extracts thereof by any natural person who has access to personal data based on their employment or service duties, if this does not involve the necessary elements of an offence provided for in Sections 157 and 157¹ of the Penal Code, is punishable by a fine of up to 200 fine units under Section 71 of the PDPA.

Violation of other personal data processing requirements (Section 72 of the PDPA)

Violation of personal data protection requirements, if this does not involve the necessary elements of an offence provided for in Sections 62 to 71 of the PDPA and Sections 157 and 157¹ of the Penal Code, is punishable by a fine of up to 200 fine units under Section 72 of the PDPA.

9.1 Enforcement decisions

There are no notable enforcement decisions.