Trinitii
What law(s) specifically govern personal data / information?
Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”)
Principal data protection legislation in Estonia.
Personal Data Protection Act
National legislation that regulates:
- the protection of natural persons upon processing of personal data to the extent in which it elaborates and supplements the provisions of GDPR
- the protection of natural persons upon processing of personal data by law enforcement authorities in the prevention, detection and proceedings of offences and execution of punishments.
What are the key data protection principles in this jurisdiction?
Key data protection principles are established by GDPR art 5. The Estonian legislation does not specify them.
Key data protection principles are the following:
Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Accuracy
Personal data shall be accurate and, where necessary, kept up to date
Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Accountability
The controller is responsible for processing of data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in compliance with the GDPR
What is the supervisory authority / regulator in charge of data protection?
Data Protection Inspectorate of the Republic of Estonia
Is there a requirement to register with a supervisory authority / regulator?
No, registration of a controller or processor is not required.
However, the GDPR provides for a few occasions where the controller or processor shall inform or consult the supervisory authority:
- GDPR art 37 establishes that when a data protection officer is appointed, the officer's contact details must be communicated to the supervisory authority;
- according to GDPR art 34-35, the controller shall consult the supervisory authority prior to processing where a data protection impact assessment shows that the processing would result in a high risk to the rights and freedoms of natural persons.
Is there a requirement to notify the supervisory authority / regulator?
Yes, according to GDPR art 33, in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Other notification obligations pursuant to the GDPR apply as well (e.g. in connection with a data protection impact assessment). There are also notification obligations pursuant to the Personal Data Protection Act, for example in the case of processing of personal data for scientific research.
Is it possible to register with / notify the supervisory authority / regulator online?
Yes, the personal data breach can be notified online via e-environment (available only in Estonian): https://www.aki.ee/meist/vota-uhendust/rikkumisteade
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to information
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. Pursuant to GDPR articles 13 and 14, data subjects have the right to be provided with information about the controller and certain details about processing their personal data.
Right of access
A data subject should have the right of access to personal data which have been collected concerning them, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing (GDPR article 15).
Right to rectification of errors
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them (GDPR article 16).
Right to deletion/right to be forgotten
The data subject shall have the right to obtain from the controller the erasure of personal data concerning them when one of the grounds listed in GDPR article 17(1) applies (GDPR article 17).
Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the situations listed in GDPR article 18(1) applies.
Right to data portability
The data subject shall have the right to receive a copy of their personal data from a controller in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller or have the data transmitted directly between controllers, if the grounds established in GDPR article 20 are fulfilled.
Right to object to processing
The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on either public interest (GDPR article 6(1), pt. e) or legitimate interest of the controller (GDPR article 6(1), pt. f), including profiling based on those provisions (GDPR article 21).
The data subject shall also have the right to object to processing related to direct marketing purposes (GDPR article 21(2) and (3)).
Right to withdraw consent
The data subject shall have the right to withdraw their consent at any time (GDPR article 7(3)).
Right to complain to the relevant data protection authority(ies)
Data subjects shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to them infringes the GDPR (GDPR article 77).
Right not to be subject to automated individual decision-making
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them (GDPR article 22).
Above is a summary of the key data subject rights. Please note that the GDPR establishes some further conditions and limitations to these rights.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes, according to GDPR art 37, the controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Yes, according to GDPR art 35 (1), where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
According to GDPR art 35 (3), a data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
- a systematic monitoring of a publicly accessible area on a large scale.
Does this jurisdiction have any specific data breach notification requirements?
Yes. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (GDPR article 33). The content of the notification is established in GDPR article 33(3).
What restrictions apply to the international transfer of personal data / information?
The international transfer of personal data/information is regulated by GDPR articles 44-50.
Transfers of personal data/information to the European Economic Area (“EEA”) countries (Norway, Iceland, Liechtenstein) are treated like transfers to countries with an adequate level of data protection, i.e. the transfer procedure is analogous to transfers within the European Union.
Transfers to countries that have received a decision from the European Commission on the adequacy of the level of data protection are analogous to transfers within the European Union (GDPR article 45(3)). A list of countries is available on the European Commission's website.
Transfers to the remaining countries not listed above are transfers to countries with an insufficient level of data protection and require additional safeguards, or may take place only in exceptional circumstances (GDPR articles 46-49). Very generally put, the safeguards are the following:
- Personal data can be transferred to countries with an insufficient level of data protection using the safeguards listed in GDPR article 46(2). The safeguards can be a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules, standard contractual clauses, legally binding documents between public sector bodies or codes of conduct, or an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country. These safeguards do not require specific authorisation from the competent supervisory authority.
- Personal data can be transferred to countries with an insufficient level of data protection using the safeguards listed in GDPR article 46(3). This requires prior special authorisation from the competent supervisory authority. The safeguards can be either contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation, or provisions inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. Before issuing an authorisation decision, the competent supervisory authority will seek the opinion of the European Data Protection Board in order to apply the consistency mechanism set out in the GDPR.
- In the absence of an adequacy decision pursuant to GDPR article 45(3), or of appropriate safeguards pursuant to GDPR article 46, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on the conditions established in GDPR article 49, such as the explicit consent of the data subject, the transfer being necessary for the performance of a contract between the data subject and the data controller at the data subject's request or in the interest of the data subject, or the transfer being necessary for the establishment, exercise or defence of legal claims.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, the GDPR has extra-territorial effect.
GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (GDPR article 3(1)).
GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union (GDPR article 3(2)).
What rules specifically deal with marketing?
In addition to the GDPR, electronic marketing is regulated by the Electronic Communications Act, Sections 103 and 103¹.
Do different rules apply to business-to-business and business-to-consumer marketing?
Yes, slightly different rules apply.
In general, the use of electronic contact details of a subscriber or user of communications services who is a natural person for direct marketing is allowed only with the person's prior consent. The consent must meet the conditions provided in the GDPR (Electronic Communications Act, Section 103¹(1)).
The use of electronic contact details of a subscriber or user of communications services who is a legal person for direct marketing is allowed if, upon use of the contact details, a clear and distinct opportunity is given to refuse such use free of charge and in an easy manner, and the person is allowed to exercise the right to refuse over an electronic communications network (Electronic Communications Act, Section 103¹(2)).
There is a notable exception where consent is not required even for direct marketing to a natural person: in case the processor obtains the electronic contact details of a buyer, who is a natural or legal person, in connection with selling a product or providing a service, such contact details may still be used for direct marketing of its similar products to the buyer if:
- the buyer is given, upon the initial collection of electronic contact details, a clear and distinct opportunity to refuse such use of its contact details free of charge and in an easy manner;
- the buyer is given, each time when its electronic contact details are used for direct marketing, a clear and distinct opportunity to refuse such use of its contact details free of charge and in an easy manner;
- the buyer is allowed to exercise its right to refuse over an electronic communications network.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
See above: the rules established in the Electronic Communications Act apply to electronic marketing.
What rules specifically deal with cookies?
Article 5(3) of Directive 2002/58 (the EU ePrivacy Directive) regulates cookies. However, Estonia has not yet transposed the cookie rules derived from the ePrivacy Directive into national legislation. As the ePrivacy Directive does not have direct effect, the GDPR applies to the processing of personal data through cookies.
The European Data Protection Board (EDPB) has issued guidance about using cookies, such as the Report of the work undertaken by the Cookie Banner Taskforce, and Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Liability for breaches of the GDPR is established in the Personal Data Protection Act, Sections 62-72. These cases are handled in misdemeanour proceedings by the Data Protection Inspectorate of the Republic of Estonia. The maximum fine is up to 20,000,000 euros or up to 4 per cent of total global annual turnover for the previous financial year, whichever amount is higher.
Non-compliance with marketing laws entails liability under the GDPR, handled by the Data Protection Inspectorate of the Republic of Estonia.
Criminal liability for offences related to personal data processing is established in the Penal Code, Sections 157-157¹. These cases are handled in criminal proceedings by the Data Protection Inspectorate of the Republic of Estonia. The consequence of these offences is usually a fine; the maximum fine is up to 32 000 euros. One of the offences listed in the Penal Code is punishable by a pecuniary punishment or up to one year's imprisonment: the illegal disclosure of special categories of personal data, or of data concerning the commission of an offence or falling victim to an offence, when committed for the purpose of personal gain or when significant damage is thereby caused to another person (Penal Code Section 157¹(2)).
However, as regards the legal requirements for criminal liability, recital 151 of the GDPR allows a different regime for Estonia and Denmark.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
Controllers and processors who are not established in the EEA are generally required to designate a representative in the EEA where their activities fall within the territorial scope of the EEA data protection regime under Article 3, specifically if they involve processing personal data of data subjects within the EEA in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the EEA (GDPR article 27).
The minimum age a data subject must reach in order to give valid consent to the processing of their own personal data is 13 in Estonia.
What upcoming data protection developments should multinational organisations be aware of?
Currently, new national legislation in the data protection field is not expected.
At the EU level, the new ePrivacy Regulation has still not been adopted, and it is not clear when this will happen. The European Commission has brought up a voluntary initiative called the Cookie Pledge, which aims to simplify the management by consumers of cookies and personalised advertising choices.
As of 2025, the GDPR is undergoing review and targeted reform at the EU level as part of the European Commission’s broader initiative to simplify EU legislation and reduce administrative burdens, particularly for SMEs and small mid-cap enterprises.