Guide to the Implementation of GDPR at the National Level: Estonia

Guide to the Implementation of GDPR at the National Level: Estonia

In Estonia, the Data Protection Authority (DPA) has the power to enquire about data required for the identification of an end-user related to the identification tokens used on public electronic communications' networks. However, this does not extend to data relating to the transmission of messages if the identification of an end-user is impossible in any other manner [1].

As of now, the DPA has yet to issue guidance on the application of the General Data Protection Regulation (GDPR) or national implementation law in Estonia. It's important to note that fines in misdemeanour proceedings cannot be imposed on public authorities, and penalties in administrative proceedings cannot be imposed on state authorities in Estonia [2].

When it comes to data relating to deceased individuals, certain sensitive information about deceased individuals, especially related to security or classified activities, remains protected for a fixed period post-mortem. Access to personal data of deceased persons is controlled by national legislation and agencies like the Digital and Population Data Services Agency [3][4].

The DPA's decisions may be challenged by filing an appeal directly with the DPA within 30 days of becoming aware of the decision, or alternatively, the decision may be appealed to an administrative court [5].

In Estonia, personal data may be processed without the consent of the data subject for academic, artistic, and literary expression, provided it does not cause excessive damage to the rights of the data subject. Similarly, personal data may be processed and disclosed in the media for journalistic purposes without the consent of the data subject, if it is in the public interest and in accordance with the principles of journalism ethics [6].

The Andmekaitse Inspektsioon, located at Tatari 39, Tallinn 10134, Estonia, serves as the Estonian Data Protection Authority, with a website available at aki.ee [7]. There are no not-for-profit bodies that are specifically mandated to bring claims on behalf of individuals in Estonia [8].

In terms of specific rules regarding the DPA's power to obtain information from controllers or processors that are subject to obligations of professional secrecy, no specific rules have been adopted in Estonia. However, there are certain sector-specific rules that may restrict such powers [9].

There are no specific provisions governing the processing of a national identification number in Estonia. The Employment Contracts Act and the Occupational Health and Safety Act provide certain specific requirements relating to the processing of health data of employees, subject to certain stricter rules [10].

It's worth noting that the DPA has yet to take material enforcement action for breaches of the GDPR in Estonia [11]. Mihkel Miidla and Kaupo Lepasepp lead the Sorainen Data Protection practice and projects in Estonia [12].

Lastly, breaches such as the unlawful disclosure of personal data by a person subject to a confidentiality obligation, the unlawful disclosure of, or the enabling of illegal access to, sensitive personal data, or data concerning the commission of or falling victim to an offence before a public court hearing, making a decision in the matter of the offence, termination of the court proceedings in the matter, or the illegal use of another person's identity are subject to potential criminal penalties in Estonia [13].

For comprehensive and authoritative details, it is advisable to consult Estonian national data protection laws (such as the Personal Data Protection Act) or directly inquire with Estonian authorities managing personal data.

1. White & Case offers a variety of international legal services, which include guidance on regulatory compliance and intellectual property law, with a global team of lawyers who practice in numerous areas, including data protection.
2. On White & Case's website, whitecase.com, one can find news, publications, and insights on various legal matters, including developments related to health-and-wellness and science.
3. In partnership with Sorainen, Mihkel Miidla and Kaupo Lepasepp provide legal services in Estonia, specifically focusing on data protection practice and projects.
4. In Estonia, events such as breaches in confidentiality obligations can lead to potential criminal penalties, such as unlawful disclosure of personal data or illegal access to sensitive data.
5. The Andmekaitse Inspektsioon, located at Tatari 39, Tallinn 10134, Estonia, acts as the country's Data Protection Authority, responsible for enforcing compliance with national data protection laws like the Personal Data Protection Act.
6. Under certain circumstances, personal data may be processed without the consent of the data subject in Estonia, such as for academic, artistic, or literary expression, or for journalistic purposes, provided it is in the public interest and adheres to journalism ethics.
7. While data protection authorities can inquire about data required for the identification of an end-user in Estonia, they cannot compel access to data relating to the transmission of messages if the identification of an end-user is impossible in any other manner.
8. In Estonia, the Digital and Population Data Services Agency manages access to personal data of deceased individuals, following national legislation.
9. When it comes to the DPA's power to obtain information from controllers or processors subject to professional secrecy obligations in Estonia, no specific rules have been adopted, but there may be sector-specific restrictions that apply.

Read also: