
Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

The Personal Data Protection Act provides that a personal data processor must implement appropriate organisational, physical and technological security measures for the protection of personal data against:

  • accidental or intentional unauthorised alteration (ie, protection of data integrity);
  • accidental or intentional destruction or prevention of access by entitled persons (ie, protection of data availability); and
  • unauthorised processing (ie, protection of data confidentiality).

Unlike in other jurisdictions, Estonian law requires a data controller and data processor to keep account of the equipment and software under its control that is used for processing personal data, and record:

  • the name, type, location and name of the producer of the equipment; and
  • the name, version and name of the producer of the software, as well as its contact details.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

There is no general obligation to notify data breaches to individuals. However, telecommunications companies must inform their subscribers at the earliest opportunity in the event of a personal data breach that could adversely affect the personal data or privacy of subscribers or users.

Are data owners/processors required to notify the regulator in the event of a breach?

There is no general obligation to notify data breaches.

Telecommunications companies must notify the Data Protection Inspectorate at the earliest opportunity if a data breach occurs. The notification should occur as soon as possible and not later than 24 hours after discovering the breach. If the required information is not completely available, initial findings must be provided within 24 hours and additional information not later than three days after that.

Also, where a data processor is processing sensitive personal data and has appointed a data protection officer, the officer must inform the data processor of a violation or breach that he or she discovers. If the data processor does not act to terminate the violation, the party responsible for the protection of personal data must inform the Data Protection Inspectorate of the discovered violation.
