
Jurisdiction snapshot

Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?

Estonia has generally kept up with the international curve regarding data protection legislation. The Estonian data protection laws are based on EU data protection regulations, with some distinctions.

Are any changes to existing data protection legislation proposed or expected in the near future?

No significant changes are expected to data protection legislation at a national level. However, from 2018 the EU General Data Protection Regulation (2016/679) will apply and amendments to national laws are expected as a result.

Legal framework

Legislation
What legislation governs the collection, storage and use of personal data?

As a member of the European Union, Estonia has implemented the EU Data Protection Directive (95/46/EC) through the Personal Data Protection Act, which came into force on January 1 2008. Certain topics related to personal data protection are regulated under the Electronic Communications Act and the Information Society Services Act, which implement the EU Privacy and Electronic Communications Directive (2002/58/EC) (as amended by EU Directive 2009/136/EC).

Data retention requirements are established by the Electronic Communications Act, based on the EU Data Retention Directive (2006/24/EC). Although this directive was declared invalid by the European Court of Justice, no relevant changes have been made in the Electronic Communications Act as a result.

The Estonian Data Protection Inspectorate has also published several guidelines on its website concerning the application of personal data protection laws. However, such guidelines are non-binding.

Scope and jurisdiction
Who falls within the scope of the legislation?

Processors of personal data fall within the scope of the Personal Data Protection Act. A ‘processor of personal data’ is a natural or legal person, a branch of a foreign company or a state or local government agency that processes personal data or on whose assignment personal data is processed. The definition includes both data controllers and data processors.

The Personal Data Protection Act does not cover:

  • the processing of personal data by natural persons for personal purposes; or
  • the transmission of personal data through Estonia without processing. 

What kind of data falls within the scope of the legislation?

The legislation covers ‘personal data’ – that is, data concerning an identified or identifiable natural person, regardless of the form or format in which it exists. Further, specific rules have been adopted for the processing of ‘sensitive personal data’, defined as the following:

  • data revealing political opinions or religious or philosophical beliefs (excluding data relating to being a member of a legally-registered organisation in private law);
  • data revealing ethnic or racial origin;
  • data relating to a data subject’s state of health or disability;
  • data relating to genetic information;
  • biometric data (above all fingerprints, palm prints, iris images and genetic data);
  • information relating to a data subject’s sex life;
  • information on trade union membership; and
  • information concerning the commission of an offence or falling victim to an offence, before a public court hearing or a decision regarding the offence or the termination of the court proceeding.

Are data owners required to register with the relevant authority before processing data?

Estonia has no general requirement to register data processing activities. Registration is required only if the data controller processes sensitive personal data. As an alternative to registration, the data controller may appoint a data protection officer and notify the Estonian Data Protection Inspectorate thereof.

Is information regarding registered data owners publicly available?

Information on which companies have registered sensitive data processing activities or appointed a data protection officer is publicly available. Since there is no general registration obligation for processors of personal data, no information is available regarding companies which process non-sensitive personal data. 

Is there a requirement to appoint a data protection officer?

There is no general requirement to appoint a data protection officer. A data protection officer may be appointed as an alternative to the registration of sensitive data processing. The Data Protection Inspectorate must be immediately informed of the appointment or termination of a data protection officer, including the officer's name and contact details.

Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?

The Estonian Data Protection Inspectorate is responsible for enforcing data protection legislation. The Data Protection Inspectorate may initiate supervisory proceedings on the basis of a complaint or on its own initiative.

As part of its administrative supervision, the Data Protection Inspectorate can:

  • suspend the processing of personal data;
  • demand the rectification of inaccurate personal data;
  • prohibit the processing of personal data;
  • demand the termination of personal data processing, including destruction or archiving; and
  • where necessary to prevent damage to the rights and freedoms of persons, immediately apply organisational, physical or technological security measures for the protection of personal data pursuant to the Substitutive Enforcement and Penalty Payment Act, unless the personal data is processed by a state agency.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Data controllers may generally collect and process personal data when any of the following legal bases for processing personal data exist:

  • The data subject has given unambiguous consent for processing. Consent must be given in a form which can be reproduced in writing (unless this is impossible due to the method of data processing). If the consent is given together with another declaration of intention, the consent of the data subject must be clearly distinguishable;
  • Processing occurs on the basis of law;
  • Processing is required for performance of a task prescribed by an international agreement or directly applicable legislation of the Council of the European Union or the European Commission;
  • Processing occurs in an individual case concerning the protection of the life, health or freedom of the data subject (or a third party, if obtaining the consent of the data subject is impossible); and
  • Processing is required to ensure the performance of a contract entered into with the data subject (unless sensitive personal data is to be processed).

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

No generally applicable timelines for retaining records exist. Personal data may be processed only as long as required for the purposes of the processing. Certain data may need to be kept for a predetermined period, based on a specific legal act. For example, accounting source documents must be kept for seven years from the end of the corresponding financial year and written employment contracts must be preserved for 10 years after expiry. 

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, unless accessing the personal data may:

  • damage the rights and freedoms of other persons;
  • endanger the confidentiality of filiation of a child;
  • hinder the prevention of a criminal offence or apprehension of a criminal offender; or
  • complicate ascertaining the truth in a criminal proceeding.

Do individuals have a right to request deletion of their data?

Yes, unless personal data is processed on the basis of law (ie, not on the basis of consent). Nevertheless, the data subject may demand the correction of his or her inaccurate personal data.

Consent obligations
Is consent required before processing personal data?

Yes, unless the data is processed on the basis of law. 

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes, but only if the personal data is processed:

  • on the basis of law;
  • for the performance of a task prescribed by an international agreement or directly applicable legislation of the Council of the European Union or the European Commission;
  • in individual cases, for the protection of the life, health or freedom of the data subject (or a third party, if obtaining the consent of the data subject is impossible); or
  • for ensuring the performance of a contract entered into with the data subject (unless sensitive personal data is to be processed).

What information must be provided to individuals when personal data is collected?

If the data processing is based on consent, the validity of the consent depends on the free will of the data subject. A declaration of consent must clearly determine:

  • the data for which permission for processing is being given;
  • the purpose of the data processing and the parties to which communication of the data is permitted;
  • the conditions for communicating the data to third parties; and
  • the rights of the data subject concerning further processing of his or her personal data.

Silence or inactivity is not deemed to be consent. Consent may be partial and conditional. Before obtaining a data subject's consent for the processing of personal data, the data processor must notify the data subject of its name (or that of its representative), as well as its address and other contact details.

If data is processed on the basis of law (ie, not consent), the data subject has the right to know the following information:

  • the personal data concerning the data subject;
  • the purposes of processing the personal data;
  • the categories and source of the personal data;
  • third parties or categories thereof to whom transfer of the personal data is permitted;
  • third parties to which the personal data of the data subject has been transferred;
  • the name of the personal data processor or its representative; and
  • the address and other contact details of the processor of the personal data.


Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

The Personal Data Protection Act provides that a personal data processor must implement appropriate organisational, physical and technological security measures for the protection of personal data against:

  • accidental or intentional unauthorised alteration (ie, protection of data integrity);
  • accidental or intentional destruction or prevention of access by entitled persons (ie, protection of data availability); and
  • unauthorised processing (ie, protection of data confidentiality).

Unlike many other jurisdictions, Estonian law requires a data controller and data processor to keep a record of the equipment and software under their control that is used for processing personal data, recording:

  • the name, type, location and name of the producer of the equipment; and
  • the name, version and name of the producer of the software, as well as its contact details.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

There is no general obligation to notify data breaches to individuals. However, telecommunications companies must inform their subscribers at the earliest opportunity in the event of a personal data breach that could adversely affect the personal data or privacy of subscribers or users.

Are data owners/processors required to notify the regulator in the event of a breach?

There is no general obligation to notify data breaches.

Telecommunications companies must notify the Data Protection Inspectorate at the earliest opportunity if a data breach occurs. The notification should occur as soon as possible and not later than 24 hours after discovering the breach. If the required information is not completely available, initial findings must be provided within 24 hours and additional information not later than three days after that.

Also, where a data processor is processing sensitive personal data and has appointed a data protection officer, the officer must inform the data processor of any violation or breach discovered. If the data processor does not act to terminate the violation, the data protection officer must inform the Data Protection Inspectorate of the discovered violation.

Electronic marketing and internet use

Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?

Yes. Electronic marketing is regulated by the Electronic Communications Act. As a general rule, the data subject must be able to consent to electronic marketing. The requirements for this consent depend on whether the recipient is a natural or a legal person and whether a client relationship exists between the parties. Real-time non-automated phone calls and regular mail are not considered electronic marketing.

In addition, customer consent must be obtained separately from other terms of a contract (ie, it cannot be obtained in the standard terms presented to the customer). A checkbox separate from the acceptance of the standard terms is often used to obtain this consent in practice.

Opt-in is required if the recipient is a natural person, except in the case of an existing client relationship, where opt-out is permitted. The message itself must always include:

  • information clearly identifying the party on whose behalf the marketing is sent;
  • clearly distinguishable direct marketing information; and
  • clear instructions on how to unsubscribe from further direct marketing (eg, an unsubscribe link).

Reliance on an opt-out (for natural persons) in the framework of existing client relationships is subject to the following additional requirements:

  • The entity sending the communications must have obtained the contact details in the course of a sale;
  • The direct marketing must be in respect of similar goods or services;
  • The recipient must have been given the chance to opt out of the collection of his or her personal data;
  • The message must include information clearly identifying the party on whose behalf the marketing is sent; and
  • The message must include clearly distinguishable direct marketing information and provide the recipient with a simple means to opt out or unsubscribe in each subsequent email.

If the recipient is a legal person, an opt-out system applies. There is no need to obtain prior consent for direct marketing. However:

  • the message must include information clearly determining the person on whose behalf the marketing is sent;
  • the message must include clearly distinguishable direct marketing information; and
  • the recipient must be given a simple means to opt out or unsubscribe in each subsequent email.

Cookies
Are there rules governing the use of cookies?

Due to the opt-out system, consent to cookies is not required. The law does not refer specifically to browser settings or other applications that need to be adopted in order to exercise the right to refuse. A law is being drafted under which an opt-in system for cookies would apply to providers of information society services. The draft law was initially meant to enter into force on June 1 2015, but no information regarding the possible enforcement date is available at present. 

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Cross-border transfers of personal data out of Estonia are permitted only to countries with an adequate level of data protection (ie, EU or European Economic Area (EEA) member states and countries whose level of personal data protection has been evaluated as adequate by the European Commission). Prior authorisation must be obtained from the Estonian Data Protection Inspectorate for the transfer of personal data to a country whose level of personal data protection has not been judged as adequate by the European Commission.

Transfers to countries without an adequate level of data protection are permitted without the authorisation of the Estonian Data Protection Inspectorate only:

  • with the consent of the data subject;
  • in individual cases, for the protection of the life, health or freedom of the data subject (or a third party, if obtaining the consent of the data subject is impossible); or
  • if the data recipient requests information:
    • obtained or created in the performance of public duties provided by an act or related legislation;
    • containing no sensitive personal data; and
    • to which access has not been restricted for any other reason.

Unless any of the above exceptions apply, the data processor must obtain prior authorisation from the Data Protection Inspectorate, even if the company is using the EU standard contractual clauses or relying on binding corporate rules.

Are there restrictions on the geographic transfer of data?

Transfers of personal data out of Estonia are allowed only to countries with an adequate level of data protection (ie, EU or EEA member states and countries whose level of personal data protection has been evaluated as adequate by the European Commission). Prior authorisation must be obtained from the Estonian Data Protection Inspectorate for the transfer of personal data to a country whose level of personal data protection has not been evaluated as adequate by the European Commission (unless an exception applies).

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

The Personal Data Protection Act establishes certain criteria for transferring personal data to third parties.

For consent-based processing, the data controller must inform the data subject of the conditions for communicating the personal data to third parties and his or her rights concerning its further processing.

However, the transfer of personal data or granting access to personal data to third parties for the purposes of processing is permitted without the consent of the data subject:

  • if the recipient of the data processes it for the purposes of performing a task prescribed by domestic law, international agreement or directly applicable legislation of the Council of the European Union or the European Commission;
  • in individual cases, for the protection of the life, health or freedom of the data subject (or another party, if obtaining the consent of the data subject is impossible); or
  • if the recipient requests information:
    • obtained or created in the process of performance of public duties provided by law;
    • containing no sensitive personal data; and
    • to which access has not been restricted for any other reason.

Communication of data to third parties in order to assess the data subject’s creditworthiness or other such purposes is also permissible without consent if certain preconditions are met.

Penalties and compensation

Penalties
What are the potential penalties for non-compliance with data protection provisions?

Violation of applicable data processing requirements is punishable by a fine of up to €1,200 for natural persons and up to €32,000 for legal persons.

Officials of the Data Protection Inspectorate can issue precepts to processors of personal data and adopt decisions for the purposes of ensuring compliance with the Personal Data Protection Act. On failure to comply with a precept, the Data Protection Inspectorate may impose a penalty payment in administrative proceedings. The upper limit for a penalty payment is €9,600, which may be imposed repeatedly until compliance is achieved.

Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

No predetermined compensation is prescribed in the applicable laws. Individuals may present a civil claim for damages against the data controller or processor. 

Cybersecurity

Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

No single law regulates cybercrime or cybersecurity in Estonia. Different laws regulate the issue for different purposes, rendering the regulation inconsistent. However, the government recently announced a public tender for legal analysis of the present regulatory situation. It is thus possible that the law on cybercrime and cybersecurity will be reformed in the coming years. 

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

Estonia follows the examples and policies of the European Union in the field of cybersecurity. No specific international standards have been adopted. 

Which cyber activities are criminalised in your jurisdiction?

Among others, the following activities have been criminalised:

  • the illegal alteration, deletion, damaging or blocking of data in computer systems;
  • the unlawful removal or alteration of the means of identification of terminal equipment used in an electronic communication network, for commercial purposes;
  • illegal interference with the functioning of computer systems by way of uploading, transmitting, deleting, damaging, altering or blocking data;
  • causing proprietary damage through:
    • unlawful entry, alteration, deletion, damaging or blocking of computer programs or data; or
    • other unlawful interference with a data processing operation for the purpose of proprietary benefit;
  • the supply, production, possession, distribution or otherwise making available of:
    • a device or computer program which is created or modified for the commission of the criminal offences specified in the Penal Code; or
    • the means of protection which allow access to a computer system with the intention of committing or enabling a third person to commit the crimes specified in the Penal Code;
  • illegally obtaining access to computer systems by elimination or avoidance of means of protection;
  • the knowing use of terminal equipment with unlawfully removed or altered means of identification in an electronic communication network;
  • offences against intellectual property, including:
    • infringement of copyright in a computer system;
    • trade in pirated goods;
    • copyright infringement;
    • illegal receipt of information society services and media services; or
    • removal of technical protective measures and information.

Which authorities are responsible for enforcing cybersecurity rules?

The authority responsible for enforcing cybersecurity rules depends on the matter at hand – for example:

  • the Technical Regulatory Authority supervises telecommunications companies;
  • the Data Protection Inspectorate deals with violations of personal data protection regulations; and
  • the Estonian Information System Authority supervises the application of security measures for information systems in the public sector.

The Police and Border Guard Board and the Prosecutor’s Office are responsible for the investigation and prosecution in criminal matters.

Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Insurance for cybersecurity breaches is uncommon in Estonia and the corresponding insurance products are of limited availability.

Are companies required to keep records of cybercrime threats, attacks and breaches?

Estonia has no general requirements for keeping records of cybercrime threats, attacks and breaches. 

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

There is no general obligation to report cybercrime threats, attacks or breaches. However, telecommunications companies must report threats, attacks and breaches involving personal data to the Data Protection Inspectorate.

Are companies required to report cybercrime threats, attacks and breaches publicly?

No.

Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?

The penalty depends on the nature and gravity of the crime. For natural persons the penalty is usually a fine or three to five years’ imprisonment. For companies the penalty is a fine of between €4,000 and €16 million. 

What penalties may be imposed for failure to comply with cybersecurity regulations?

The penalty depends on the violation. Failure to comply with cybersecurity regulations is usually punishable with a fine. The maximum fine for the violation of personal data protection requirements by a company is €32,000. Violation of the obligations of the Electronic Communications Act is punishable by a fine of up to €3,200.