Data Privacy Comparative Guide

Published date: 27 May 2022
Subject Matter: Privacy, Technology, Data Protection, Privacy Protection, Security
Law Firm: Nordx Legal
Author: Mr Risto Hübner

1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

The applicable law in Estonia is the Personal Data Protection Act (PDPA). The PDPA applies in addition to the EU General Data Protection Regulation (GDPR) and contains certain supplementary provisions (eg, it specifies the age of consent for the processing of children's personal data for the provision of information society services). In addition, the PDPA regulates the protection of natural persons when personal data is processed by law enforcement authorities in relation to the prevention, detection and prosecution of offences and execution of punishments. The Estonian Constitution sets out a fundamental right to privacy (eg, everyone has the right to the inviolability of private and family life).

Privacy, data protection and cybersecurity-related rules are also found in several other legal acts, such as the Public Information Act and the Cybersecurity Act.

The EU Directive on Privacy and Electronic Communications (2002/58/EC) was transposed into Estonian law by the Electronic Communications Act (ECA), which regulates the use of electronic contact details for direct marketing, among other things.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Yes. As regards financial privacy, the Credit Institutions Act sets out certain rules on information that is subject to banking secrecy and imposes certain restrictions on the rights of data subjects (eg, in case of the processing of personal data for the purpose of preventing payment fraud and market abuse). The Money Laundering and Terrorist Financing Prevention Act also imposes certain limitations on the rights of data subjects (eg, in the context of cooperation and information exchange for anti-money laundering purposes between obliged persons). As regards direct marketing, the relevant rules are stipulated in the ECA.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108) is the only legally binding multilateral instrument that applies in Estonia in the area of protection of privacy and personal data.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The body responsible for enforcing the data privacy legislation in Estonia is the Data Protection Inspectorate (DPI). The DPI exercises state and administrative supervision over compliance with the requirements set out in:

  • the PDPA and legislation established on the basis thereof;
  • the GDPR; and
  • other acts that govern the processing of personal data.

In exercising such state supervision, the DPI may implement the measures provided for in Article 58 of the GDPR.

In addition, the DPI may make enquiries of electronic communications undertakings to obtain the data required to identify an end user from the identification tokens used in public electronic communications networks, except for data relating to the transmission of messages, if it is impossible to identify the end user in any other way.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

No answer submitted for this question.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

All persons that are controllers, joint controllers or processors of personal data are captured by the data privacy regime if they fall under the material and territorial scope of the EU General Data Protection Regulation (GDPR).

The material scope of the GDPR, as set out in Article 2(1), means that the GDPR applies to:

  • the processing of personal data wholly or partly by automated means; and
  • the processing other than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.

As regards territorial scope, please see question 2.3.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

According to Article 2(2) of the GDPR, the GDPR does not apply to the processing of personal data:

  • in the course of an activity which falls outside the scope of EU law;
  • by EU member states when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union;
  • by a natural person in the course of a purely personal or household activity; or
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security.

The GDPR also:

  • does not apply to the personal data of deceased persons; and
  • does not cover the processing of personal data which concerns legal persons, and in particular undertakings established as legal persons.

2.3 Does the data privacy regime have extra-territorial application?

The territorial scope of the GDPR is set forth in Article 3 of the GDPR.

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a data controller or data processor in the European Union, regardless of whether the processing takes place in the European Union.

In addition, the GDPR applies to the processing of personal data of data subjects who are in the European Union by a data controller or data processor which is not established in the European Union, where the processing activities relate to:

  • the offering of goods or services to such data subjects in the European Union, irrespective of whether payment by the data subject is required; or
  • the monitoring of those data subjects' behaviour, insofar as that behaviour takes place within the European Union.

Also, the GDPR applies to the processing of personal data by a data controller which is established not in the European Union, but rather in a place where member state law applies by virtue of public international law.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the EU General Data Protection Regulation (GDPR)).

(b) Data processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).

(c) Data controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law (Article 4(7) of the GDPR).

(d) Data subject

An identified or identifiable natural person (Article 4(1) of the GDPR).

(e) Personal data

Any information relating to an identified or identifiable natural person ('data subject'). An 'identifiable natural person' is someone who can be identified, directly or indirectly, in particular by reference to

  • an identifier such as
    • a name;
    • an identification number;
    • location data;
    • an online identifier; or
  • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).

(f) Sensitive personal data

Defined as 'special categories of personal data' in the GDPR, which means:

  • data that reveals
    • racial or ethnic origin;
    • political opinions;
    • religious or philosophical beliefs; or
    • trade union membership;
  • genetic data;
  • biometric data processed for the purpose of uniquely identifying a natural person;
  • data concerning health; and
  • data concerning a natural person's sex life or sexual orientation (Article 9(1) of the GDPR).

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

'Consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, through a statement or through a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) of the GDPR).

According to Article 8(1) of the GDPR, where the consent applies in relation to the offer of information society services directly to a child, the processing of the...
