Data protection (GDPR) in Estonia

Company in Estonia OÜ will help to form a package of necessary documents for your company’s website, in accordance with the requirements of personal data protection. The EU general data protection regulation applies to all EU countries. Any company in the EU that processes the personal data of citizens anywhere in the world is bound by these rules, and any company outside the EU that processes the personal data of EU citizens is also subject to the requirements of the EU Directive. Personal data protection is now synonymous with corporate responsibility.

Based on our extensive shared experience, we provide the services you need for data protection and consistency. Clients of many industries trust us not only for understanding the specifics of Estonian legislation in this field, but also for the accuracy of the work done.

The General Regulation on Data Protection in EU countries has introduced significant changes in the regulation of personal data, and all companies operating under Estonian jurisdiction now have to comply with it. In the initial phase of the Company in Estonia OÜ recommends an audit by helping the client to define the processing of their data, which is the first step, before you can move on to creating and executing an action plan for GDPR compliance.

GDPR compliance and protection of personal information

Already today you should think about proper work with personal data, as there is no business area left that is not related to personal data. GDPR applies to almost any business operating on the Internet and not only: online shops and services, portals, messengers and applications, and many other services.

GDPR (General Data Protection Regulation) is a European Union regulation containing strict rules for handling personal data, which are binding not only on EU countries, but also on countries that provide services or sell goods to EU residents.

Possible consequences of non-compliance with GDPR

The penalty for violation of GDPR requirements is a fine up to EUR 20 million or 4% of the company’s annual income (whichever is greater). Note that GDPR enforcement will be as strict as liability. Thus, IT-business needs to adapt its documents, policies and procedures to the new rules.

GDPR compliance assessment

In order to perform the work according to the characteristics of the Client, the organizational structure of the Client is examined with a view to identifying the units whose functional function involves the processing of personal data, as well as developing job-specific questionnaires and interviewing plans.

The methods of work are:

  • Analysis of documentation provided
  • Staff questionnaires and interviews
  • Analysis of websites and web services owned by the company

The following actions are taken during the survey:

  • Identification of Personal Data Flow Flows (Personal Data Flow)
  • Determination of the place of the principal institution in Europe
  • Defining the list of employees, processors and third parties involved in the processing of personal data
  • Definition of the list and amount of personal data to be processed
  • Analysis of contracts, agreements, consents, public offers and other documents concluded with third parties in the framework of the relations with which they are transferred or obtained from them personal data
  • Analysis of contracts, agreements, consents, public offers and other documents concluded with natural persons which are the legal grounds for processing personal data
  • Determination of the location of personal data
  • Highlighting the information systems in which personal data are processed
  • Determination of the existence of organizational and management documents defining the procedure for processing and protecting personal data
  • Description of the measures in place to ensure the security of personal data
  • Identification of cross-border transfers of personal data and establishment of a list of countries where cross-border transfers of personal data take place

On the basis of a survey of information systems and processing processes, compliance with GDPR requirements is determined.

On the basis of the results of the conformity assessment, recommendations are prepared on the alignment of personal data processing with GDPR requirements.

Reporting documents

  • GDPR compliance status with GDPR recommendations to align the organization’s personal data processing with GDPR requirements
  • GDPR alignment plan

When drafting organizational and management documents, the requirements of various EU regulations in the area of personal data are synthesized with a view to structuring

Development of GDPR documents

  • List of personal data processing processes
  • Privacy Notice for Personal Data Processing (Privacy Notice)
  • Policy for the protection of personal data
  • Consent to the processing of personal data (consent), if necessary
  • Agreements between the personal data operator (controller) and personal data processors (processor), if necessary (Data Processing Addendum)
  • Rules for responding to requests from individuals
  • Regulations on the Destruction of Personal Data
  • Regulation on the Portability of Personal Data in Machine-Readable Form
  • Rules for Responding to Information Security Incidents in Personal Data Processing
  • Regulation on Notification of Personal Data Leakages
  • Personal Data Processing and Security Manual

Confidentiality impact assessment (DPIAs)

On the basis of the results of organizational and technical measures and processes for processing personal data, the impact on confidentiality (DPIAs) is evaluated. The assessment is carried out to ensure a minimum level of risk for personal data subjects.

The confidentiality impact assessment can be performed several times, with security measures adjusted, if the optimum level of risk cannot be reached with the original safety measures.

Reporting documents

  • Confidentiality Impact Assessment Report (DPIAs)

Company in Estonia OÜ will help you set up processes for handling personal data in accordance with international law and GDPR to ensure efficient and secure data collection, identification, confidentiality, and, above all, avoid heavy fines for possible non-compliance with regulations.

Company in Estonia OÜ services include:

  • Legal audit (due diligence) of the client’s business activities to identify non-compliance with GDPR standards
  • Development of documents and internal rules to align the company’s activities with GDPR standards
  • Contractual provision of Data Protection Officer services

Data Protection officer services:

  1. Informing the client and his staff of GDPR standards and regulations
  2. Supervision of client activities in compliance with GDPR standards
  3. Provision of advice and advice necessary to meet GDPR standards
  4. Cooperation with government regulators
  5. Development of internal standards and rules (instructions) for the client and its employees as part of GPDR regulatory procedures
  6. Act as a contact point between the client and government regulators for data processing, as well as for consultation and clarification
  7. Processing of client databases containing information about their end clients according to GPRD requirements, risk prevention

Company in Estonia OÜ provides legal services and will be happy to assist with Data protection (GDPR) preparation for your Estonian company.