Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Data controllers may generally collect and process personal data when any of the following legal bases for processing personal data exist:

  • The data subject has given unambiguous consent for processing. Consent must be given in a form which can be reproduced in writing (unless this is impossible due to the method of data processing). If the consent is given together with another declaration of intention, the consent of the data subject must be clearly distinguishable;
  • Processing occurs on the basis of law;
  • Processing is required for performance of a task prescribed by an international agreement or directly applicable legislation of the Council of the European Union or the European Commission;
  • Processing occurs in an individual case concerning the protection of the life, health or freedom of the data subject (or a third party, if obtaining the consent of the data subject is impossible); and
  • Processing is required to ensure the performance of a contract entered into with the data subject (unless sensitive personal data is to be processed).

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

No generally applicable timelines for retaining records exist. Personal data may be processed only as long as required for the purposes of the processing. Certain data may need to be kept for a predetermined period, based on a specific legal act. For example, accounting source documents must be kept for seven years from the end of the corresponding financial year and written employment contracts must be preserved for 10 years after expiry. 

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, unless accessing the personal data may:

  • damage the rights and freedoms of other persons;
  • endanger the confidentiality of filiation of a child;
  • hinder the prevention of a criminal offence or apprehension of a criminal offender; or
  • complicate ascertaining the truth in a criminal proceeding.

Do individuals have a right to request deletion of their data?

Yes, unless personal data is processed on the basis of law (ie, not on the basis of consent). Nevertheless, the data subject may demand the correction of his or her inaccurate personal data.

Consent obligations
Is consent required before processing personal data?

Yes, unless the data is processed on the basis of law. 

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes, but only if the personal data is processed:

  • on the basis of law;
  • for the performance of a task prescribed by an international agreement or directly applicable legislation of the Council of the European Union or the European Commission;
  • in individual cases, for the protection of the life, health or freedom of the data subject (or a third party, if obtaining the consent of the data subject is impossible); or
  • for ensuring the performance of a contract entered into with the data subject (unless sensitive personal data is to be processed).

What information must be provided to individuals when personal data is collected?

If the data processing is based on consent, the validity of the consent depends on the free will of the data subject. A declaration of consent must clearly determine:

  • the data for which permission for processing is being given;
  • the purpose of the data processing and the parties to which communication of the data is permitted;
  • the conditions for communicating the data to third parties; and
  • the rights of the data subject concerning further processing of his or her personal data.

Silence or inactivity is not deemed to be consent. Consent may be partial and conditional. Before obtaining a data subject's consent for the processing of personal data, the data processor must notify the data subject of its name (or that of its representative), as well as its address and other contact details.

If data is processed on the basis of law (ie, not consent), the data subject has the right to know the following information:

  • the personal data concerning the data subject;
  • the purposes of processing the personal data;
  • the categories and source of the personal data;
  • third parties or categories thereof to whom transfer of the personal data is permitted;
  • third parties to which the personal data of the data subject has been transferred;
  • the name of the personal data processor or its representative; and
  • the address and other contact details of the processor of the personal data.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Cross-border transfers of personal data out of Estonia are permitted only to countries with an adequate level of data protection (ie, EU or European Economic Area (EEA) member states and countries whose level of personal data protection has been evaluated as adequate by the European Commission). Prior authorisation must be obtained from the Estonian Data Protection Inspectorate for the transfer of personal data to a country whose level of personal data protection has not been judged as adequate by the European Commission.

Transfers to countries without an adequate level of data protection are permitted without the authorisation of the Estonian Data Protection Inspectorate only:

  • with the consent of the data subject;
  • in individual cases, for the protection of the life, health or freedom of the data subject (or a third party, if obtaining the consent of the data subject is impossible); or
  • if the data recipient requests information:
    • obtained or created in the performance of public duties provided by an act or related legislation;
    • containing no sensitive personal data; and
    • to which access has not been restricted for any other reason.

Unless any of the above exceptions apply, the data processor must obtain prior authorisation from the Data Protection Inspectorate, even if the company is using the EU standard contractual clauses or relying on binding corporate rules.

Are there restrictions on the geographic transfer of data?

Transfers of personal data out of Estonia are allowed only to countries with an adequate level of data protection (ie, EU or EEA member states and countries whose level of personal data protection has been evaluated as adequate by the European Commission). Prior authorisation must be obtained from the Estonian Data Protection Inspectorate for the transfer of personal data to a country whose level of personal data protection has not been evaluated as adequate by the European Commission (unless an exception applies).

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

The Personal Data Protection Act establishes certain criteria for transferring personal data to third parties.

For consent-based processing, the data controller must inform the data subject of the conditions for communicating the personal data to third parties and his or her rights concerning its further processing.

However, the transfer of personal data or granting access to personal data to third parties for the purposes of processing is permitted without the consent of the data subject:

  • if the recipient of the data processes it for the purposes of performing a task prescribed by domestic law, international agreement or directly applicable legislation of the Council of the European Union or the European Commission;
  • in individual cases, for the protection of the life, health or freedom of the data subject (or another party, if obtaining the consent of the data subject is impossible); or
  • if the recipient requests information:
    • obtained or created in the process of performance of public duties provided by law;
    • containing no sensitive personal data; and
    • to which access has not been restricted for any other reason.

Communication of data to third parties in order to assess the data subject’s creditworthiness or other such purposes is also permissible without consent if certain preconditions are met.