Data protection (GDPR) in Estonia

Service will help to form a package of necessary documents for your company’s website, in accordance with the requirements of personal data protection. The EU General Data Protection Regulation applies to all EU countries. Any company in the EU that processes the personal data of citizens anywhere in the world is bound by these rules, and any company outside the EU that processes the personal data of EU citizens is also subject to the requirements of the EU Directive. Personal data protection is now synonymous with corporate responsibility.

Based on our extensive shared experience, we provide the services you need for data protection and consistency. Clients from many industries trust us not only for our understanding of the specifics of Estonian legislation in this field, but also for the accuracy of the work done.

The General Data Protection Regulation has introduced significant changes in the regulation of personal data in EU countries, and all companies operating under Estonian jurisdiction now have to comply with it. In the initial phase, Service recommends an audit that helps the client to define how their data is processed. This is the first step before moving on to creating and executing an action plan for GDPR compliance.

GDPR compliance and protection of personal information

You should already be thinking about handling personal data properly, as there is no business area left that is not related to personal data. GDPR applies to almost any business, on the Internet and beyond: online shops and services, portals, messengers and applications, and many other services.

GDPR (General Data Protection Regulation) is a European Union regulation containing strict rules for handling personal data, which are binding not only on EU countries, but also on countries that provide services or sell goods to EU residents.

Possible consequences of non-compliance with GDPR

The penalty for violation of GDPR requirements is a fine of up to EUR 20 million or 4% of the company’s annual income (whichever is greater). Note that enforcement of the GDPR will be as strict as the liability it imposes. Thus, IT businesses need to adapt their documents, policies and procedures to the new rules.

GDPR compliance assessment

In order to tailor the work to the characteristics of the Client, the organizational structure of the Client is examined with a view to identifying the units whose function involves the processing of personal data, and job-specific questionnaires and interview plans are developed.

The methods of work are:

  • Analysis of documentation provided
  • Staff questionnaires and interviews
  • Analysis of websites and web services owned by the company

The following actions are taken during the survey:

  • Identification of personal data flows (Personal Data Flow)
  • Determination of the place of the principal institution in Europe
  • Defining the list of employees, processors and third parties involved in the processing of personal data
  • Definition of the list and amount of personal data to be processed
  • Analysis of contracts, agreements, consents, public offers and other documents concluded with third parties, under which personal data are transferred to them or obtained from them
  • Analysis of contracts, agreements, consents, public offers and other documents concluded with natural persons which are the legal grounds for processing personal data
  • Determination of the location of personal data
  • Highlighting the information systems in which personal data are processed
  • Determination of the existence of organizational and management documents defining the procedure for processing and protecting personal data
  • Description of the measures in place to ensure the security of personal data
  • Identification of cross-border transfers of personal data and establishment of a list of countries where cross-border transfers of personal data take place

On the basis of a survey of information systems and processing processes, compliance with GDPR requirements is determined.

On the basis of the results of the conformity assessment, recommendations are prepared on the alignment of personal data processing with GDPR requirements.

Reporting documents

  • GDPR compliance status, with recommendations to align the organization’s personal data processing with GDPR requirements
  • GDPR alignment plan

When drafting organizational and management documents, the requirements of various EU regulations in the area of personal data are synthesized with a view to structuring

Development of GDPR documents

  • List of personal data processing processes
  • Privacy Notice for Personal Data Processing (Privacy Notice)
  • Policy for the protection of personal data
  • Consent to the processing of personal data (consent), if necessary
  • Agreements between the personal data operator (controller) and personal data processors (processor), if necessary (Data Processing Addendum)
  • Rules for responding to requests from individuals
  • Regulations on the Destruction of Personal Data
  • Regulation on the Portability of Personal Data in Machine-Readable Form
  • Rules for Responding to Information Security Incidents in Personal Data Processing
  • Regulation on Notification of Personal Data Leakages
  • Personal Data Processing and Security Manual

Confidentiality impact assessment (DPIAs)

On the basis of the results of organizational and technical measures and processes for processing personal data, the impact on confidentiality (DPIAs) is evaluated. The assessment is carried out to ensure a minimum level of risk for personal data subjects.

The confidentiality impact assessment can be performed several times, with security measures adjusted, if the optimum level of risk cannot be reached with the original safety measures.

Reporting documents

  • Confidentiality Impact Assessment Report (DPIAs)

Service will help you set up processes for handling personal data in accordance with international law and GDPR to ensure efficient and secure data collection, identification, confidentiality, and, above all, avoid heavy fines for possible non-compliance with regulations.

Service’s services include:

  • Legal audit (due diligence) of the client’s business activities to identify non-compliance with GDPR standards
  • Development of documents and internal rules to align the company’s activities with GDPR standards
  • Contractual provision of Data Protection Officer services

Data Protection Officer services:

  1. Informing the client and its staff of GDPR standards and regulations
  2. Supervision of client activities in compliance with GDPR standards
  3. Provision of the advice necessary to meet GDPR standards
  4. Cooperation with government regulators
  5. Development of internal standards and rules (instructions) for the client and its employees as part of GDPR regulatory procedures
  6. Acting as a contact point between the client and government regulators for data processing, as well as for consultation and clarification
  7. Processing of client databases containing information about their end clients according to GDPR requirements, risk prevention

Data Protection Reform in Estonia

On April 14, 2016, Parliament approved the General Data Protection Regulation (GDPR), replacing the current Data Protection Directive. The new regulation is directly applicable, which means that together with the national implementing acts it will also replace the existing Estonian Personal Data Protection Act. The regulation entered into force on 24 May 2016 and will be applied after a two-year transition period starting on 25 May 2018. The regulation applies to enterprises and other legal entities that process personal data. Processing of personal data means, for example, the collection, documentation, storage, etc. of personal data in accordance with the General Regulation. For example, a company that has a customer database or customer loyalty program, or that stores employee résumés or customer email addresses, home addresses, photos, CCTV recordings, phone numbers and other similar data, can be considered to be processing personal data.

As the Data Protection Regulation introduces many changes, the updated Personal Data Protection Act will also enter into force in Estonia. Using the draft Law on the Protection of Personal Data, the explanatory note and the General Data Protection Regulation, the law firm Service summarized the main points that an entrepreneur should know about the processing of personal data.

What is personal data?

Personal data is all data relating to an identified or identifiable natural person that expresses the physical, mental, physiological, economic, cultural or social characteristics, relationships and affiliation of that person. Therefore, all data that can be attributed to an individual, even indirectly, should be treated as personal data. According to the law, personal data is divided into so-called “ordinary” and special categories of personal data. Examples of ordinary personal data include name, place of residence, a photograph of a person, a surveillance camera recording by which a person can be identified, etc.

Special categories of personal data are data revealing racial or ethnic origin, political views, religious or philosophical beliefs, genetic data, biometric data, health data or data concerning the sexual life or sexual orientation of an individual. The processing of such personal data is prohibited, except in exceptional cases. Exceptional cases under the new Personal Data Protection Act and General Regulation are, for example, when processing is necessary for reasons of significant public interest or when processing is necessary to prevent a threat to public order or national security. The definition of public interest cannot be found in the current legislation. The public interest is a very abstract concept, but one definition may be that the public interest is aimed at creating or preserving a public good.

Does the new data protection regulation affect you and your company?

Companies that should review their personal data policy:

  • Real estate companies (e.g., real estate agencies)
  • Financial and insurance companies (e.g., banks, creditors, insurance companies)
  • Mail and online retailers (e.g., Internet shops)
  • Administrative and support companies (e.g., travel agencies, debt collection)
  • Providers of health and social services (including general health care, family health centers, nursing, dental care)
  • Information and communication companies (e.g., web portals, magazine publishers, telecommunications)
  • Professional, scientific and technical companies (e.g., advertising agents, market researchers, interviewers)
  • Accommodation facilities (for example, hotels, motels, guest houses)

When is the processing of personal data legal and permitted?

The processing of personal data is legal if at least one of the conditions laid down in Article 6 of the Regulation is fulfilled:

  1. Consent of a person to the processing of his personal data for one or more specific purposes – for example, the website operator must ask the customer for confirmation whether the customer allows the use of his personal data for a specific purpose (for example, for the purpose of fulfilling an order, etc.).
  2. The processing of personal data is necessary for the performance of a contract concluded with the participation of a person – this includes the conclusion of any contract. For example, a customer orders goods to a parcel machine via an online store. Remember not to ask for excessive customer data when concluding the contract. For example, when ordering goods to the above-mentioned parcel machine, the customer need not disclose his home address.
  3. Processing of personal data is necessary to fulfill a legal obligation – here we mean such obligations of the data processor, which arise from the law. For example, casinos are required under the Gambling Act to request personal information from those who are members of the casino.
  4. The processing is necessary to protect the vital interests of the data subject or other natural person, or to perform a task performed in the public interest or in the exercise of official powers vested in the controller. According to the General Regulation, the processing of certain categories of personal data may serve both important public interests and vital interests of the data subject, for example, when processing is necessary for humanitarian purposes, including monitoring epidemics and their spread, or in humanitarian emergencies, in particular natural and man-made disasters.

What are the rights of the data subject, i.e. the person whose data are being processed?

  • Right to information and personal data concerning him

The aim is to ensure that an individual can know whether his or her personal data is being processed and, in order to verify the legality of such processing, has the right of access to the data collected about him or her. The data subject first has the right to obtain confirmation from the controller whether personal data pertaining to him or her are processed. If personal data is processed, the processor of personal data is obliged to provide the data subject with the information that the processor is obliged to disclose. Every data subject has the right to know and be informed of the purposes for which personal data are processed, the period in which they are processed, and the recipients of the data, including in third countries. In order to guarantee this right, it is sufficient for the data subject to have a full summary of the data in an understandable form, that is, data in a form that allows him or her to know about the data and to verify that it is correct and processed in accordance with the Personal Data Protection Act. The data processor may refuse to provide information, restrict its provision or provide it at a later stage if this may hinder the prevention, detection, prosecution or enforcement of sanctions, or prejudice the rights and freedoms of another person, and if the disclosure of information could have a negative impact on national security.

  • Right to request termination of processing of personal data, correction, blocking, deletion of personal data

The data subject has the right to correction and deletion of personal data, in particular in the case of data based on facts. In particular, the data subject has the right to request the deletion of personal data if the processing of personal data is not permitted by law or violates the principles of processing personal data.

  • “The right to be forgotten”

An update introduced by the General Data Protection Regulation, which means that a natural person has the right to require the data processor to delete his personal data without delay. Such a right applies, for example, if the controller no longer needs personal data for the purpose for which they were collected or processed – for example, if the company keeps a resume for future purposes, the person may request the deletion of the resume at any time. In addition, other cases provided for in Article 17 of the General Regulation apply, including when a person withdraws his consent to the processing of data or when personal data has been processed illegally.

  • Right to data portability

The most significant change expected by the entire private sector is personal data portability. A person may take his or her digital data from Company A and hand it over to Company B. This means that a person has the right to request and obtain from the data controller all personal data concerning him or her that he or she has provided to the data processor. Transmission must mean all data that a person transmits directly either to himself or to the controller in the course of a person’s activity. Examples are filling in web forms (creating an Internet shop, social media account) or sending an email, as well as data transmitted to the communication operator using a smart device (such as the location of the caller, the destination of the call), but also purchases recorded using a loyalty card in the store or data (such as heart rate, number of steps) that a person’s activity monitor transfers, for example, to a nutritionist. Data transmission should only apply to data processing based either on the consent of the person or on a contract concluded between the person and the data processor. Therefore, if data processing is done only on the basis of law, the right to data portability does not apply. According to the law, people’s personal data are processed, for example, by state and local authorities.

To ensure the right to data portability, the controller must transmit personal data in a form that is:

  1. structured;
  2. in a widely used format;
  3. machine-readable.

In order for the controller to comply with these formalities, the Regulation imposes an additional condition that only personal data processed by automated means by the controller should be transmitted. Therefore, personal data on paper is not transferable.

A person may also require that one data processor transmit data directly to another data processor, where this is technically feasible. This means that if a person wants to change, for example, an e-mail, bank or voice provider, he has the right to require that the current service provider transfer the personal data associated with that person directly to the new service provider, if technically possible.

At the same time, the transfer of data to a new service provider does not mean that the person should terminate their relationship with the current service provider. It also does not automatically mean that the current service provider should delete all personal data related to the person (even if the relationship with the customers is over).

  • Right of objection and automated individual decision-making

A person may ask not to be subjected to a decision based on automated processing, including profiling. Such a right arises when profiling has legal effects on him or her or has a significant impact on him or her. This is the case, for example, when a loan is applied for online and the loan application is rejected without human intervention.

What are your duties as a data processor?

  • The Controller must apply the principles of personal data processing to data processing. The principles governing the processing of personal data are those commonly stated in the Regulation, such as the principles of legality, fairness, transparency and data minimization.
  • The data processor must process personal data securely. The economic operator is obliged to implement appropriate technical and organizational measures to ensure a level of security corresponding to the threat. An example of such measures is the encryption of personal data. To protect personal data, security measures must be in place to protect it from unintentional or unauthorized processing, disclosure or destruction.
  • The Controller is obliged to provide the person with information on the conditions for processing his personal data and on his rights. The Controller must inform the person about the processing of personal data in a concise, clear, understandable and easily accessible manner, using clear and understandable language. Information shall be provided in writing or by other means, including, where appropriate, by electronic means.
  • Processing operations must be recorded. Enterprises or organizations with more than 250 employees should maintain a register of processing operations and make it available to the data protection supervisor upon request. In exceptional cases, small companies or organizations are also required to do so if the processing poses a risk to human rights and freedoms, the processing is not occasional, or special categories of personal data or data on criminal convictions and offences are processed. It may seem that smaller companies have avoided registering processing operations here, but processing is not occasional if operations are planned in advance, execution is organized and methodical, and data processing is clearly part of the business model of the data processor. This includes, for example, loyalty programs for service companies. In addition, all employers are processors of personal data (for example, data on employees, volunteers, interns, guests) and, according to the Inspection, do not process data only occasionally. Thus, the processing of personal data concerning the organization’s own personnel cannot be excluded from the register.
  • Protection of children’s personal data. According to the General Regulation, children’s personal data, in particular, deserve special protection as children may not be sufficiently aware of the risks, consequences and safeguards involved and of their rights with regard to the processing of personal data. According to the new Personal Data Protection Act, which will enter into force in Estonia, the processing of personal data of a child in the provision of information society services is legal only if the child is at least 14 years old.
  • Obligation to appoint a data protection officer. The General Regulation requires that certain processors of personal data appoint a data protection specialist. These include:
      • Public sector institutions or bodies – ministries, departments, inspectorates, general education schools, city and county authorities;
      • Data processors whose main activity is regular and systematic monitoring of data subjects on a large scale – for example, hospitals, a company providing security services at a shopping mall, credit institutions, insurance intermediaries, telecommunication companies, hotels, recruitment and employment companies, hiring of prostitutes;
      • Data processors whose primary activity is the large-scale processing of special data or the large-scale processing of personal data related to criminal convictions and offenses, such as hospitals, family health centers, health researchers.


One of the biggest changes compared to the previous data protection regulations is the increase in fines. The maximum fine for non-compliance with the requirements set out in the General Regulation is 20 million euros or 4% of the company’s global turnover, whichever is higher. However, if you follow the above points and bring your company in line with the data processing requirements, you need not worry about large fines.

Protection of personal data in Estonia

Personal data protection is a topic that is becoming more and more relevant every day.

Since the implementation of the General Data Protection Regulation (GDPR) (EU) 2016/679, personal data processors have been subject to new and strict obligations and high penalties for non-compliance. The aim of the regulation is to ensure the legality of the processing of personal data and to ensure a high level of protection of the privacy of individuals. In today’s world, it is no longer possible to work without processing personal data, and most companies have to process personal data in order to provide their services or sell their products.

The aim of Service is to help the company to work according to GDPR requirements, thereby reducing potential risks. To this end, we offer the following services:

  • preparing a legal overview of the situation, i.e. an audit, preparing an action plan on the results of the audit to ensure compliance with the GDPR;
  • performing the operations prescribed in the GDPR and consulting the client;
  • conducting a Data Protection Impact Assessment;
  • compiling the registers required by the GDPR (Personal Data Processing Register, Violation Register);
  • preparation of legal documents: terms of data protection (privacy policy), internal rules related to the protection of personal data, documents required for the online company, e.g. terms of use of cookies, etc., preparation of a contract between the controller and the processor (agreement on processing of personal data);
  • representation in disputes concerning personal data;
  • training on the protection of personal data;
  • assistance in communicating with supervisory authorities (ASAs).

We also offer the service of a data protection specialist, which includes consulting the company on all issues related to the processing of personal data.

Service provides legal services and will be happy to assist with Data protection (GDPR) preparation for your Estonian company.


