1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

The applicable law in Estonia is the Personal Data Protection Act (PDPA). The PDPA applies in addition to the EU General Data Protection Regulation (GDPR) and contains certain supplementary provisions (eg, it specifies the age of consent for the processing of children's personal data for the provision of information society services). In addition, the PDPA regulates the protection of natural persons when personal data is processed by law enforcement authorities in relation to the prevention, detection and prosecution of offences and execution of punishments. The Estonian Constitution sets out a fundamental right to privacy (eg, everyone has the right to the inviolability of private and family life).

Privacy, data protection and cybersecurity-related rules are also found in several other legal acts, such as the Public Information Act and the Cybersecurity Act.

The EU Directive on Privacy and Electronic Communications (2002/58/EC) was transposed into Estonian law by the Electronic Communications Act (ECA), which regulates the use of electronic contact details for direct marketing, among other things.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Yes. As regards financial privacy, the Credit Institutions Act sets out certain rules on information that is subject to banking secrecy and imposes certain restrictions on the rights of data subjects (eg, in case of the processing of personal data for the purpose of preventing payment fraud and market abuse). The Money Laundering and Terrorist Financing Prevention Act also imposes certain limitations on the rights of data subjects (eg, in the context of cooperation and information exchange for anti-money laundering purposes between obliged persons). As regards direct marketing, the relevant rules are stipulated in the ECA.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108) is the only legally binding multilateral instrument that applies in Estonia in the area of protection of privacy and personal data.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The body responsible for enforcing the data privacy legislation in Estonia is the Data Protection Inspectorate (DPI). The DPI exercises state and administrative supervision over compliance with the requirements set out in:

  • the PDPA and legislation established on the basis thereof;
  • the GDPR; and
  • other acts that govern the processing of personal data.

In exercising such state supervision, the DPI may implement the measures provided for in Article 58 of the GDPR.

In addition, the DPI may make enquiries of electronic communications undertakings to obtain the data required to identify an end user from the identification tokens used in public electronic communications networks, except for data relating to the transmission of messages, if it is impossible to identify the end user in any other way.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

No answer submitted for this question.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

All persons that are controllers, joint controllers or processors of personal data are captured by the data privacy regime if they fall under the material and territorial scope of the EU General Data Protection Regulation (GDPR).

The material scope of the GDPR, as set out in Article 2(1), means that the GDPR applies to:

  • the processing of personal data wholly or partly by automated means; and
  • the processing other than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.

As regards territorial scope, please see question 2.3.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

According to Article 2(2) of the GDPR, the GDPR does not apply to the processing of personal data:

  • in the course of an activity which falls outside the scope of EU law;
  • by EU member states when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union;
  • by a natural person in the course of a purely personal or household activity; or
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security.

The GDPR also:

  • does not apply to the personal data of deceased persons; and
  • does not cover the processing of personal data which concerns legal persons, and in particular undertakings established as legal persons.

2.3 Does the data privacy regime have extra-territorial application?

The territorial scope of the GDPR is set forth in Article 3 of the GDPR.

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a data controller or data processor in the European Union, regardless of whether the processing takes place in the European Union.

In addition, the GDPR applies to the processing of personal data of data subjects who are in the European Union by a data controller or data processor which is not established in the European Union, where the processing activities relate to:

  • the offering of goods or services to such data subjects in the European Union, irrespective of whether payment by the data subject is required; or
  • the monitoring of data subjects' behaviour, insofar as that behaviour takes place within the European Union.

Also, the GDPR applies to the processing of personal data by a data controller which is established not in the European Union, but rather in a place where member state law applies by virtue of public international law.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the EU General Data Protection Regulation (GDPR)).

(b) Data processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).

(c) Data controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law (Article 4(7) of the GDPR).

(d) Data subject

An identified or identifiable natural person (Article 4(1) of the GDPR).

(e) Personal data

Any information relating to an identified or identifiable natural person (‘data subject’). An ‘identifiable natural person’ is someone who can be identified, directly or indirectly, in particular by reference to

  • an identifier such as:
    • a name;
    • an identification number;
    • location data;
    • an online identifier; or
  • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).

(f) Sensitive personal data

Defined as ‘special categories of personal data’ in the GDPR, which means:

  • data that reveals:
    • racial or ethnic origin;
    • political opinions;
    • religious or philosophical beliefs; or
    • trade union membership;
  • genetic data;
  • biometric data;
  • data concerning health; and
  • data concerning a natural person's sex life or sexual orientation (Article 9(1) of the GDPR).

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, through a statement or through a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) of the GDPR).

According to Article 8(1) of the GDPR, where the consent applies in relation to the offer of information society services directly to a child, the processing of the personal data of a child is lawful where the child is at least 16 years old. If the child is below the age of 16, such processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. EU member states may provide by law for a lower age for these purposes, provided that is not below 13 years. The minimum age for such consent under the Personal Data Protection Act is 13.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

The registration of data controllers and processors is not mandatory in Estonia.

4.2 What is the process for registration?

N/A.

4.3 Is registered information publicly accessible?

N/A.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

The legal bases for processing are stated in Article 6(1) of the EU General Data Protection Regulation (GDPR). The processing is lawful only if and to the extent that at least one of the following applies:

  • The data subject has consented to the processing of his or her personal data for one or more specific purposes;
  • The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  • The processing is necessary to comply with a legal obligation to which the data controller is subject;
  • The processing is necessary to protect the vital interests of the data subject or of another natural person;
  • The processing is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
  • The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data – in particular, where the data subject is a child.

As regards special categories of personal data, the processing of such data is prohibited unless a specific legal ground set out in Article 9(2) of the GDPR applies – for example, where the data subject has given his or her explicit consent.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

According to Article 5 of the GDPR, the key principles for data processing are as follows:

  • Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  • Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed.
  • Accuracy: Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
  • Storage limitation: Personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.
  • Integrity and confidentiality: Personal data shall be processed in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  • Accountability: The data controller shall be responsible for, and be able to demonstrate compliance with, the abovementioned principles.

These principles must be applied regardless of the type of data being processed.

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

The requirements set forth in the GDPR vary depending on the nature of the data processing. For example, prior to relying on legitimate interests as a legal ground, data controllers should carry out a legitimate interest assessment. This means that when processing personal data under Article 6(1)(f) of the GDPR, it is important to define the legitimate interest and assess whether it overrides the fundamental rights and freedoms of the data subject.

According to Article 35 of the GDPR, where a type of processing – in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing – is likely to result in a high risk to the rights and freedoms of natural persons, the data controller should, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data – in particular, the origin, nature, particularity and severity of that risk. Where a data protection impact assessment indicates that the processing operations would involve a high risk which the data controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, the supervisory authority should be consulted prior to the processing.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

According to Article 4(10) of the EU General Data Protection Regulation (GDPR), a ‘third party’ is a natural or legal person, public authority, agency or body other than the data subject, data controller, data processor and persons who, under the direct authority of the data controller or processor, are authorised to process personal data.

Personal data can be transferred to third parties if there is a legal ground for this. Legal grounds are set forth in Article 6 of the GDPR.

Where relevant, according to Articles 13 and 14 of the GDPR, information on the recipients or categories of recipients of the personal data must be provided to the data subjects. Moreover, information about the recipients must be added to the data controller's records of processing activities according to Article 30 of the GDPR.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

When transferring personal data outside the European Economic Area – that is, to third countries – an appropriate data transfer mechanism must be applied. The GDPR offers a variety of mechanisms to transfer data to third countries, such as:

  • adequacy decisions;
  • standard contractual clauses;
  • binding corporate rules;
  • certification mechanisms;
  • codes of conduct; and
  • so-called ‘derogations’.

According to Article 45(1) of the GDPR, a transfer of personal data to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection. Such a transfer does not require any specific authorisation. The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the United Kingdom (under the GDPR and the EU Law Enforcement Directive) and Uruguay as providing adequate protection.

According to Article 46(1) of the GDPR, in the absence of an adequacy decision, a data controller or processor may transfer personal data to a third country or an international organisation only if:

  • the data controller or processor has provided appropriate safeguards; and
  • enforceable data subject rights and effective legal remedies for data subjects are available.

Such safeguards include standard contractual clauses adopted by the European Commission and binding corporate rules.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

Article 28(1) of the GDPR provides that where processing is to be carried out on behalf of a data controller, the controller shall use only data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. Therefore, as part of the accountability process, the controller should in practice carry out an assessment of the data processor to gain assurance that the transfer of personal data meets the requirements of the GDPR.

When transferring personal data to third countries that are not subject to an adequacy decision (Article 45 of the GDPR), the data exporter (either a data controller or processor) must, among other things, assess whether the laws of that third country ensure a level of protection of personal data which is essentially equivalent to that available in the European Union. If the laws of the third country do not ensure such level of protection, the data exporter may need to consider implementing one or several supplementary measures, such as encryption, to secure the transfer.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

The rights of data subjects are set forth in the EU General Data Protection Regulation (GDPR) as follows:

  • the right to receive information with respect to the processing of personal data when the data is collected from the data subject, as well as when the data has not been obtained from the data subject (Articles 13 and 14);
  • the right of access (Article 15), which allows data subjects to submit access requests and obtain information from the data controller about whether their personal data is being processed;
  • the right to rectification (Article 16), which allows data subjects to ask the data controller to update any inaccurate or incomplete data it has on them;
  • the right to erasure (Article 17), which allows data subjects, under the circumstances set forth in the GDPR, to ask that their personal data be deleted;
  • the right to restriction of processing (Article 18), which allows data subjects to request that the data controller limit the way it uses their personal data;
  • the right to data portability (Article 20), which allows data subjects, under the conditions set forth in the GDPR, to receive personal data concerning them which they have provided to a controller, and to transmit that data to another controller;
  • the right to object (Article 21), which allows data subjects, under the conditions set forth in the GDPR, to object at any time to the processing of their personal data which is based on, for example, a legitimate interest; and
  • the right not to be subject to a decision based solely on automated processing, including profiling (Article 22).

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

Data subjects can exercise their rights by submitting their request to the data controller. According to Article 12 of the GDPR, the data controller must inform the data subject of the action taken in response to a request under Articles 15 to 22 without undue delay, and in any event within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The data controller must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where requests from a data subject are manifestly unfounded or excessive – in particular, because of their repetitive character – the data controller may either:

  • charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
  • refuse to act on the request.

7.3 What remedies are available to data subjects in case of breach of their rights?

According to Article 77(1) of the GDPR, a data subject has the right to lodge a complaint with a supervisory authority – in particular, in the member state of his or her habitual residence or place of work, or the place of the alleged infringement – if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

Furthermore, according to Article 79 of the GDPR, each data subject has the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR. Proceedings against a data controller or processor are brought before the courts of the member state in which the data controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the member state in which the data subject has his or her habitual residence, unless the data controller or processor is a public authority of a member state acting in the exercise of its public powers.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

According to Article 37(1) of the EU General Data Protection Regulation (GDPR), data controllers and data processors must appoint a data protection officer (DPO) in the following cases:

  • The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • The core activities of the data controller or processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • The core activities of the data controller or processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.

If a data controller or processor fails to appoint a DPO, then according to Article 83(4)(a) of the GDPR and Section 62 of the Personal Data Protection Act, the supervisory authority may impose a fine of up to €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

8.2 What qualifications or other criteria must the data protection officer meet?

The general requirements for DPOs are set forth in Article 37(5) of the GDPR, which provides that a DPO shall be appointed based on:

  • his or her professional qualities and expert knowledge of data protection law and practices; and
  • his or her ability to fulfil the tasks referred to in Article 39 of the GDPR (please also see question 8.3).

8.3 What are the key responsibilities of the data protection officer?

Article 39(1) of the GDPR sets out the minimum responsibilities/tasks of the DPO as follows:

  • to inform and advise the data controller or processor and employees who carry out data processing of their obligations pursuant to the GDPR and to other EU or member state data protection provisions;
  • to monitor compliance with the GDPR, with other EU or member state data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including:
    • the assignment of responsibilities;
    • awareness raising and training of staff involved in processing operations; and
    • related audits;
  • to advise, where requested, on data protection impact assessments and monitor performance pursuant to Article 35 of the GDPR;
  • to cooperate with the supervisory authority; and
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and to consult, as appropriate, on any other matter.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

Yes, Article 37(6) of the GDPR allows the DPO to function on the basis of a service contract.

A DPO should be able to perform his or her duties independently. As per Article 38(6) of the GDPR, the data controller or processor must ensure that any such tasks and duties do not result in a conflict of interest. Although the DPO may fulfil other tasks and duties, he or she should not be involved in determining the purposes and the means of processing of personal data. Therefore, in practice, positions such as chief executive officer, chief information security officer and head of HR would likely be considered as conflicting positions, as these individuals may well participate in determining the purposes and means of data processing.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

Both data controllers and processors must maintain records of processing activities (ROPA) unless they fall under the exemption for organisations with fewer than 250 employees according to Article 30(5) of the GDPR. Even if the organisation falls under this exemption, it is still recommended, for the sake of accountability, to maintain ROPA. ROPA must be in writing, including in electronic form. Both data controllers and processors must provide ROPA to the supervisory authority upon request.

The mandatory elements of the data controller's ROPA are provided in Article 30(1) of the GDPR; and the mandatory elements of the data processor's ROPA are provided in Article 30(2) of the GDPR.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

N/A.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

One of the principles of personal data processing according to the EU General Data Protection Regulation (GDPR) is ‘integrity and confidentiality’. This means that the data controller must ensure that the data is processed in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

According to Article 32(1) of the GDPR, data controllers and processors must implement appropriate technical and organisational measures to ensure a level of security that is appropriate to the risk. When implementing these measures, factors such as the following must be taken into account:

  • the state of the art;
  • the costs of implementation;
  • the nature, scope, context and purposes of processing; and
  • the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Such measures may include:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

When engaging data processors, the data controller must, according to Article 28(1) of the GDPR, use only processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. This assessment should be carried out prior to engaging the processor. As a mandatory element of the data processing agreement, the data processor must assist the data controller in ensuring compliance with the obligations pursuant to Article 32 of the GDPR.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

According to Article 33(1) of the GDPR, a data controller must notify the supervisory authority of a data breach without undue delay (no later than 72 hours) after becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. It is therefore for the data controller to assess, in light of the circumstances and facts of the data breach, whether the breach is unlikely to result in such a risk.

If the data controller concludes that the data breach must be notified to the supervisory authority, then according to Article 33(3) of the GDPR, this notification shall at least:

  • describe the nature of the breach – including, where possible:
    • the categories and approximate number of data subjects concerned; and
    • the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the breach; and
  • describe the measures taken or proposed to be taken by the data controller to address the breach – including, where appropriate, measures to mitigate its possible adverse effects.

The data controller must document all personal data breaches (whether or not they have been notified to the supervisory authority).

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

According to Article 34 of the GDPR, a personal data breach must be notified to the data subjects without undue delay only if it is likely to result in a high risk to the rights and freedoms of natural persons. The notification should:

  • describe in clear and plain language the nature of the personal data breach;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the breach; and
  • describe the measures taken or proposed to be taken by the data controller to address the breach – including, where appropriate, measures to mitigate its possible adverse effects.

The data subjects need not be notified of the breach if any of the following conditions is met:

  • The data controller has implemented appropriate technical and organisational protection measures which were applied to the personal data affected by the personal data breach – in particular, those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  • The data controller has taken subsequent measures which ensure that a high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
  • Notification of the data subjects would involve disproportionate effort. In such a case, the data controller should issue a public communication or similar measure through which the data subjects can be informed in an equally effective manner.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

N/A.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

The Employment Contracts Act imposes a general obligation on employers to respect the privacy of employees and to verify the performance of their duties in a manner that does not violate their fundamental rights. In addition, it imposes a general obligation on employers to ensure that the personal data of employees is processed in accordance with the law. Employers must also take into account the data retention periods set forth in various legal acts. The Employment Contracts Act obliges employers to preserve written employment contracts for the term of validity of the employment contract and for 10 years after its expiry.

Several other specific legal acts set out data retention periods. For example, the Occupational Health and Safety Act requires employers to:

  • retain medical records for 10 years after termination of the employment relationship; and
  • retain information concerning investigations of occupational accidents and occupational diseases for 55 years.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

The surveillance of employees is allowed as long as:

  • it has a legitimate purpose and an appropriate legal ground (Article 6 of the EU General Data Protection Regulation (GDPR));
  • the principles of data protection are complied with; and
  • the processing of the surveillance data is justified and documented according to the data protection rules. This will depend on what type of surveillance is conducted, on a case-by-case basis.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

The processing of employees' personal data is often overlooked by data controllers. When it comes to ensuring compliance with the GDPR, employers often focus only on the processing of the personal data of customers and other external data subjects, and neglect the data of employees, job candidates and former employees. As the GDPR does not distinguish between categories of data subjects, employers must ensure that all GDPR requirements are also met with regard to employees' personal data (eg, maintaining records of processing activities and publishing privacy notices covering employees and recruitment).

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

The use of cookies or similar technologies is primarily governed by the e-Privacy Directive (2002/58/EC). According to Article 95 and Recital 173 of the EU General Data Protection Regulation (GDPR), the e-Privacy Directive is a lex specialis to the GDPR. This means that although the GDPR provides the general rules on the processing of personal data, the e-Privacy Directive specifies certain aspects of the use of cookies. In particular, the e-Privacy Directive provides that cookies can be used only on the basis of consent, unless one of its exceptions applies.

Estonia has not yet transposed the ‘cookie-related provisions' of the e-Privacy Directive (including Article 5(3)) into national law. As a result, in Estonia, the directive should be applied directly to situations where cookies or similar technologies are used.

Article 5(3) of the e-Privacy Directive provides that information may be stored in, or accessed from, the terminal equipment of a subscriber or user (eg, by means of cookies or similar technologies) only with the prior consent of the subscriber or user, who must first have been provided with clear and comprehensive information, in particular about the purposes of the processing. The consent must meet the requirements for consent stipulated in the GDPR, meaning that it must be freely given, specific, informed and unambiguous. Cookies or similar technologies can be used without consent only if:

  • they are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • they are strictly necessary in order to provide an ‘information society service' explicitly requested by the subscriber or user.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

All general requirements of the GDPR apply to cloud computing services where the cloud computing involves the processing of personal data. In particular, a cloud provider that processes personal data on behalf of its customer acts as a data processor, so the requirements of Article 28 of the GDPR (including a written data processing agreement) apply; and where the data is stored or accessed outside the European Economic Area, the rules on international transfers in Chapter V of the GDPR must be complied with.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

N/A.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

According to Article 77 of the EU General Data Protection Regulation (GDPR), every data subject has the right to lodge a complaint (against a data controller or a data processor) with a supervisory authority – in particular, in the EU member state of his or her habitual residence or place of work or the place of the alleged infringement – if he or she considers that the processing of personal data relating to him or her infringes the GDPR.

In practice, data subjects typically lodge complaints in their country of residence. However, if the data controller or processor against which the complaint is lodged is located in another member state, as a general rule, the supervisory authority of the main establishment or a single establishment of the data controller or processor will be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60 of the GDPR.

12.2 What issues do such disputes typically involve? How are they typically resolved?

Typically, the Data Protection Inspectorate (DPI) issues precepts to data controllers (both natural and legal persons) ordering them to comply. Precepts typically include a warning that a non-compliance levy will be imposed if the data controller fails to comply with the precept. Most of the DPI's precepts concern the data controller's failure to establish a legal basis for the processing. Cases in which the controller of personal data is a natural person often relate to the unlawful publication of personal data on social media.

12.3 Have there been any recent cases of note?

On 15 November 2021, one of the largest fuel station chains in Estonia received a precept and later a non-compliance levy of €25,000 for the use of audiovisual recordings at service stations. According to the precept, the DPI received information that cameras were being used in the service stations to monitor and evaluate employees. In addition to video recording, audio recording also took place. The DPI concluded that the use of audiovisual surveillance is not inherently permissible in businesses that provide goods and services, and that its use could be justified only by very exceptional circumstances, which did not exist in this case. The DPI acknowledged that although the use of audio recordings in addition to video surveillance may be helpful in a public place such as a service station, there are less intrusive ways to ensure security and resolve conflicts (eg, explanations from staff or a review of closed-circuit television footage).

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The Data Protection Inspectorate (DPI) is giving the issue of closed-circuit television cameras significant attention (see question 12.3), publishing guidelines and hosting seminars on this topic. It has also become considerably more active in issuing precepts to data controllers and ordering their compliance, mostly due to the lack of a legal basis for the processing. The precepts also include a warning that a non-compliance levy will be imposed if the controller fails to comply with the precept. The DPI is expected to become even more active in exercising administrative supervision.

At the end of 2020, the Ministry of Justice submitted for approval a proposal for an administrative fine law that would allow for a more effective response to breaches of financial, competition and data protection laws. The infringements for which administrative fines may be imposed in the future, together with the possible levels of fines, will be set out in specific laws. The draft law is currently before the Estonian Parliament, although its status is uncertain.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

As data protection regulation and practice are constantly evolving across the European Union, it is important to:

  • follow the news and enforcement decisions issued in the various member states;
  • maintain cooperation; and
  • follow the guidelines of the European Data Protection Board.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.