DLA Piper Intelligence

Data Protection
Laws of the World

Law

Estonia

As a member of the European Union, Estonia has implemented the EU Data Protection Directive 95/46/EC through the Personal Data Protection Act, in force since 1 January 2008 (the 'Act').

Certain topics relating to the protection of personal data and privacy are regulated under the Electronic Communications Act and the Information Society Services Act, which implement Directive 2002/58/EC on Privacy and Electronic Communications (as amended by Directive 2009/136/EC).

Data retention requirements are established under the Electronic Communications Act, based on Directive 2006/24/EC. Even though the CJEU declared that Directive invalid (Digital Rights Ireland, 2014), no corresponding changes have been made to the Electronic Communications Act.

The Estonian Data Protection Inspectorate has published several guidelines on its website; however, these guidelines are not legally binding.

Last modified 24 Jan 2017
Definitions

Definition of personal data

Personal data are any data concerning an identified or identifiable natural person, regardless of the form or format in which such data exist.

Definition of sensitive personal data

The following are sensitive personal data:

  • data revealing political opinions or religious or philosophical beliefs, except data relating to being a member of a legal person in private law registered pursuant to the procedure provided by law
  • data revealing ethnic or racial origin
  • data on the state of health or disability
  • data on genetic information
  • biometric data (above all fingerprints, palm prints, eye iris images and genetic data)
  • information on sex life
  • information on trade union membership
  • information concerning the commission of an offence, or falling victim to an offence, before a public court hearing is held, a decision is made in the matter of the offence, or the court proceeding in the matter is terminated.
Last modified 24 Jan 2017
Authority

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

19 Väike Ameerika St.,
10129 Tallinn
Estonia
Telephone (+372) 627 4135
Email info@aki.ee
www.aki.ee

Last modified 24 Jan 2017
Registration

There is no general requirement to register data processing activities in Estonia. Registration is required only if the processor of personal data processes sensitive personal data. As an alternative to the registration obligation, the processor may appoint a Data Protection Officer (DPO).

Last modified 24 Jan 2017
Data Protection Officers

The Act does not require the appointment of a data protection officer. A Data Protection Officer may be appointed as an alternative to registering the processing of sensitive personal data (see the previous section). Upon appointment of a person responsible for the protection of personal data, the Data Protection Inspectorate must be informed immediately of the person's name and contact details; the Inspectorate must likewise be informed immediately when that person's authority is terminated.

Last modified 24 Jan 2017
Collection & Processing

Data controllers may generally collect and process personal data when any of the following conditions are met:

  • the data subject has given his or her unambiguous consent to the processing. Consent must be given in a format that can be reproduced in writing (unless adherence to such formality is not possible due to the specific manner of data processing). If the consent is given together with another declaration of intention, the consent must be clearly distinguishable from it
  • on the basis of law
  • for performance of a task prescribed by an international agreement or directly applicable legislation of the Council of the European Union or the European Commission
  • in individual cases for the protection of the life, health or freedom of the data subject or other person if obtaining the consent of the data subject is impossible
  • for performance of a contract entered into with the data subject or for ensuring the performance of such contract (unless the data to be processed are sensitive personal data).
Last modified 24 Jan 2017
Transfer

Cross-border transfers of personal data from Estonia are allowed without further formality only to countries with an adequate level of data protection (ie EU/EEA member states and countries whose level of personal data protection has been evaluated as adequate by the European Commission). If personal data are transferred to a country whose level of personal data protection has not been evaluated as adequate by the European Commission, prior authorisation for the transfer has to be obtained from the Estonian Data Protection Inspectorate (the 'EDPI').

Cross-border transfers to countries without an adequate level of data protection are allowed without the authorisation of the EDPI only:

  • with the consent of the data subject (please note that in the context of employment relationships, such consent is likely not to be considered valid)
  • in individual cases for the protection of the life, health or freedom of the data subject or another person, if obtaining the consent of the data subject is impossible
  • if a third person requests information obtained or created in the course of performing public duties provided by an act or legislation issued on the basis thereof, the data requested do not contain any sensitive personal data, and access to the data has not been restricted for any other reason.

Unless one of the aforementioned exceptions applies, the processor of personal data must obtain the prior authorisation of the EDPI even if the company is using the EU Standard Contractual Clauses or relying on Binding Corporate Rules (BCRs).

Last modified 24 Jan 2017
Security

Pursuant to the Act, the processor of personal data must implement appropriate organisational, physical and information technology security measures to protect personal data in respect of:

  • integrity: against accidental or intentional unauthorised alteration of the data
  • availability: against accidental or intentional destruction of the data and against entitled persons being prevented from accessing it
  • confidentiality: against unauthorised processing.

Among other things, the processor of personal data is required to keep an account of the equipment and software under its control that is used for processing personal data, recording the following:

  • the name, type, location and name of the producer of the equipment
  • the name, version and name of the producer of the software, and the contact details of the producer.
Last modified 24 Jan 2017
Breach Notification

There is no general obligation to notify data breaches.

Where the processor of personal data processes sensitive personal data and has appointed a person responsible for the protection of personal data (a Data Protection Officer), that person must inform the processor of any violation or breach discovered. If the processor does not take measures to end the violation, the person responsible for the protection of personal data is obliged to inform the Data Protection Inspectorate of the violation discovered.

Mandatory breach notification

Only communications undertakings are required to notify the Data Protection Inspectorate if a data breach occurs. Notification must be made as soon as possible, and not later than 24 hours after discovering the breach. If all the required information is not yet available, the initial information must still be provided within 24 hours and the additional information not later than three days after the initial notification.

Last modified 24 Jan 2017
Enforcement

The Estonian Data Protection Inspectorate is responsible for enforcing the regulation of personal data processing. It may initiate supervision proceedings on the basis of a complaint or on its own initiative.

The processor of personal data may bear liability in misdemeanour proceedings where a fine of up to EUR 32,000 may be imposed.

As part of administrative supervision the Estonian Data Protection Inspectorate has the right to:

  • suspend the processing of personal data
  • demand the rectification of inaccurate personal data
  • prohibit the processing of personal data
  • demand the closure or termination of processing of personal data, including destruction or forwarding to an archive
  • where necessary, immediately apply, in order to prevent the damage to the rights and freedoms of persons, organisational, physical or information technology security measures for the protection of personal data pursuant to the procedure provided for in the Substitutive Enforcement and Penalty Payment Act, unless the personal data are processed by a state agency.

Officials of the Data Protection Inspectorate have the right to issue precepts to processors of personal data and to adopt decisions for the purpose of ensuring compliance with the Act. Upon failure to comply with a precept, the Data Protection Inspectorate may impose a penalty payment in administrative proceedings. The upper limit for a penalty payment is EUR 9,600, and the penalty payment may be imposed repeatedly until the non-compliance is remedied.

Last modified 24 Jan 2017
Electronic Marketing

Electronic marketing is regulated by the Electronic Communications Act. As a general rule, the addressee must have consented to, or be able to refuse, electronic marketing. The requirements for this consent depend on whether the addressee is a natural or a legal person, and on whether there is an existing client relationship between the parties. Real-time, non-automated phone calls and regular mail are not considered electronic marketing under Estonian law.

In addition, the customer's consent must be obtained separately from the other terms of the contract between the parties, ie it cannot be obtained in the standard terms presented to the customer (eg 'By accepting these terms you agree to receive our commercial communication at the email address provided to us'). In practice, a checkbox separate from the acceptance of the standard terms is often used to obtain this consent.

Opt-in is required if the addressee is a natural person, except in the case of an existing client relationship, where opt-out is permissible. The message itself must always include information that clearly identifies the person on whose behalf the marketing is sent, clearly distinguishable direct marketing content, and clear instructions on how to refuse further direct marketing (eg an unsubscribe link).

Reliance on an opt-out (for natural persons) in the framework of existing client relationships is subject to the following additional requirements:

  • the same entity has obtained the contact details in the course of a sale
  • the direct marketing is in respect of similar goods or services
  • the recipient was given a possibility to opt out at the collection of his/her personal data
  • the message must include information to clearly determine the person on whose behalf the marketing is sent
  • the message must include clearly distinguishable direct marketing information and the recipient is given a simple means in each subsequent email to opt out/unsubscribe.

If the addressee is a legal person, an opt-out system applies. There is no need to obtain prior consent for direct marketing, but:

  • the message must include information to clearly determine the person on whose behalf the marketing is sent
  • the message must include clearly distinguishable direct marketing information
  • the recipient is given a simple means in each subsequent email to opt out/unsubscribe.
Last modified 24 Jan 2017
Online Privacy

Traffic data and location data

Traffic data retention requirements apply only to communications undertakings. Providers of telephone or mobile telephone services and telephone network and mobile telephone network services, as well as providers of Internet access, electronic mail and Internet telephony services are required to preserve for a period of one year network traffic data, location data and associated data thereof which is necessary to identify the subscriber or user in relation to the communications services provided.

Cookies

Because Estonia applies an opt-out system, prior consent to cookies is not required. The law does not refer specifically to browser settings or other applications to be used in order to exercise the right to refuse. We note that a draft law has been initiated under which an opt-in system for cookies would apply to providers of information society services. The amendment was initially planned to enter into force on 1 June 2015, but there is currently no clear indication of a possible date of entry into force.

Last modified 24 Jan 2017
Contacts
Kaupo Lepasepp
Partner
T +372 6 400 900
Mihkel Miidla
Senior Associate, Head of Technology & Data Protection
T +372 6 400 959
Last modified 24 Jan 2017