Data Protection in Estonia

December 12, 2016, 5:00 AM UTC

Trends and Climate

Data protection law in Estonia is mainly based on European Union data protection legislation, which keeps Estonian data protection law largely aligned with the broader international trend in the field. The current and near-future prospect of data protection legislation on the national level is rather static and will not bring any significant changes, as the industry is awaiting the upcoming EU General Data Protection Regulation (GDPR), which will apply from May 25, 2018. While the GDPR also allows for certain distinctions under national law, it is currently unclear which domestic specifics will be adopted. Another EU-level act that will impact national legislation is the NIS Directive (the Directive on security of network and information systems), which also introduces new measures, e.g. concerning incident notification, and whose transposition period will also end in 2018. Currently the measures set forth by the NIS Directive are yet to be transposed into domestic legislation (draft acts are not available yet).

Legislation

There are three main acts of legislation which govern the collection, storage and use of personal data in Estonia. The first and perhaps the most relevant one is the Personal Data Protection Act that has been in force since Jan. 1, 2008 and which implements the EU Data Protection Directive 95/46/EC.

The other two relevant acts are the Electronic Communications Act and the Information Society Services Act, which also regulate certain aspects of personal data protection and are used as a national measure to transpose Directive 2002/58 on Privacy and Electronic Communications (as amended by Directive 2009/136/EC). The Electronic Communications Act also establishes data retention requirements as set forth by Directive 2006/24/EC. Although the Court of Justice of the European Union (CJEU) declared this directive invalid in its 2014 Digital Rights Ireland Ltd. (C-293/12) decision, no corresponding amendments have been made to the Electronic Communications Act on a national level.


In addition to acts of legislation, the data protection supervisory authority, the Estonian Data Protection Inspectorate, has published several guidelines on its website concerning the application of personal data protection laws. Unlike laws, however, such guidelines are not binding; they are auxiliary material for data controllers and processors, intended to help them follow the legal requirements in practice.

Scope and Jurisdiction

The scope of persons covered by Estonian personal data protection legislation encompasses “processors of personal data.” More precisely, under the Personal Data Protection Act, a “processor of personal data” is a natural or legal person, a branch of a foreign company or a state or local government agency who processes personal data or on whose assignment personal data is processed. A significant aspect of the term “processor of personal data” is that under the Personal Data Protection Act it is an umbrella term covering both data controllers and data processors.

The scope of the Estonian Personal Data Protection Act does not, however, extend as far as to cover processing of personal data by natural persons for personal purposes or mere transmission of personal data through the Estonian territory, provided that no other processing of such data in Estonia occurs.

The scope of data covered by the Estonian Personal Data Protection Act extends to any data concerning an identified or identifiable natural person, regardless of the form or format in which such data exists. In the Personal Data Protection Act, all data of this kind is grouped under the term “personal data.” Additionally, the act also introduces the term “sensitive personal data,” which covers data revealing delicate details about a person. The list of data regarded as sensitive personal data is similar to the list presented in Directive 95/46/EC; additionally, however, Estonian legislation considers biometric and genetic data to be sensitive personal data.

With regard to registration of activities, there is no general requirement to register data processing in Estonia; registration is only required if the data controller processes sensitive personal data. The law also provides an alternative to registration: the appointment of a Data Protection Officer along with notifying the Estonian Data Protection Inspectorate. To be specific, the appointment of a Data Protection Officer is not a general obligation but an alternative to registration, and such an appointment, along with the personal details of the Officer as well as the fact of termination of their authority, must be immediately communicated to the Data Protection Inspectorate. Accordingly, as there is no general obligation to register all data processing activities in Estonia, there is also no publicly available comprehensive material on all the companies which process personal data. However, the information concerning companies that have registered sensitive data processing or have appointed a Data Protection Officer is publicly available.


Enforcement

In Estonia, the authority to enforce data protection legislation lies with the Data Protection Inspectorate (Andmekaitse Inspektsioon). The Inspectorate has the right to initiate supervisory proceedings over a data processor, whether on the basis of a complaint or at its own initiative. Having initiated supervisory proceedings, the Inspectorate has several procedural powers, e.g. to suspend or prohibit the processing of personal data, require additional security measures, impose sanctions etc.

Collection and Management of Personal Data

Collecting, storing and other types of processing of personal data are allowed on the occurrence of certain grounds set forth in the Personal Data Protection Act. The legal basis to collect and process personal data can arise from different situations. Firstly, where the data subject has given their unambiguous consent to data processing. Such consent, unless impossible due to the specific manner of data processing, must be given in a format which can be reproduced in writing (e.g. as an e-mail, a log entry in an information system etc.). If such consent is given together with another declaration of intention, the consent of the person must be clearly distinguishable.

Additionally, the legal basis to collect, store and process personal data can arise directly from law, e.g. from a specific legal act or on the basis of the performance of a task prescribed by an international agreement or directly applicable legislation of the Council of the EU or the European Commission. Collecting, storing and processing of personal data is also allowed in individual cases for the protection of the life, health or freedom of the data subject or another person if obtaining the consent of the data subject is impossible, and for performance of a contract entered into with the data subject or for ensuring the performance of such a contract (unless the data to be processed are sensitive personal data).

There are no generally applicable time limitations or restrictions on the period for which an organisation may or must retain personal data. However, under the general principles, personal data may only be processed for as long as required for the purposes of the processing. Certain data may have to be kept for a predetermined period based on a specific legal act. For example, accounting source documents must be preserved for seven years from the end of the corresponding financial year, and written employment contracts must be preserved for 10 years after the expiry of the employment contract.

Under Estonian law, individuals have the right to access personal information concerning themselves that is held by an organisation, unless accessing the personal data may damage the rights and freedoms of other persons, endanger the protection of the confidentiality of the filiation of a child, hinder the prevention of a criminal offence or the apprehension of a criminal offender, or complicate the ascertainment of the truth in a criminal proceeding. Individuals can also request deletion of their data, provided that such data is processed on the basis of consent. If, on the other hand, the personal data is processed on the basis of law, the individual has no such right; they may, however, still demand the correction of inaccurate personal data.

Processing of personal data under Estonian law generally requires consent, with a few exceptions. This covers the situations where personal data is processed on the basis of law, for performance of a task prescribed by an international agreement or directly applicable legislation of the Council of the European Union or the European Commission. Consent is also not required in individual cases for the protection of the life, health or freedom of the data subject or other person if obtaining the consent of the data subject is impossible or for performance of a contract entered into with the data subject or for ensuring the performance of such contract (unless the data to be processed are sensitive personal data).


Where personal data is processed on the basis of consent, it should be kept in mind that the consent of the data subject is valid only if it is based on the data subject’s free will. The consent must clearly determine the scope and boundaries for which the permission is given, the purpose of the processing of the data and the persons to whom communication of the data is permitted. Additionally, the consent must set forth the conditions for communicating the data to third persons and the rights of the data subject concerning further processing of his or her personal data. Silence or inactivity is not deemed to be consent. Consent may also be partial and conditional. Prior to obtaining a data subject’s consent for the processing of personal data, the processor is obliged to notify the data subject of the name and contact details of the processor.

In the alternative scenario, where data processing is based on law instead of the subject’s consent, the data subject has the right to know: the personal data concerning them that is being processed; the purposes of processing; the categories and source of the personal data; the third persons or categories of third persons to whom transfer of the personal data is permitted; the third persons to whom the personal data of the data subject have been transferred; the name of the processor of the personal data or its representative; and the address and other contact details of the processor of the personal data.

An important distinction applies to consent collected by a company from its employees. Such consent will, as a rule, be presumed to be void due to the nature of the subordination relationship between employers and their employees.

Data Security and Breach Notification

There are a number of security obligations that processors of personal data must comply with. For example, a specific and rather strict requirement under Estonian law is that the data controller and processor must keep an inventory of the equipment and software under their control that is used for processing personal data. As a more general rule, the Personal Data Protection Act sets forth that the processor of personal data must implement appropriate organisational, physical and information technology security measures to protect personal data against accidental or intentional unauthorised processing.

However, in the event of a breach, there is no general obligation to notify individuals of data breaches. Only communications undertakings are required to inform their subscribers at the earliest opportunity if the personal data breach may adversely affect the personal data or privacy of a subscriber or of a user whose data have been submitted to the communications undertaking by the subscriber. Neither is there a general obligation to notify the authorities of data breaches. Similarly, only communications undertakings are required to notify the Data Protection Inspectorate at the earliest opportunity if a data breach occurs.

The notification must be made as soon as possible, but no later than 24 hours after discovery of the breach. If all required information is not yet available, initial information regarding the breach must still be provided within 24 hours, and additional information no later than three days after the initial notice was given. Additionally, where the data processor processes sensitive personal data and has appointed a Data Protection Officer, that person has to inform the processor of personal data of a discovered violation or breach. If the processor of personal data does not take measures to end the violation, the person responsible for the protection of personal data is obliged to inform the Data Protection Inspectorate of the discovered violation.


The upcoming EU legislation (the GDPR, the NIS Directive and, expectedly, the revised ePrivacy Directive) will bring changes to the situations described above. For example, Articles 33-34 of the GDPR set forth the rules for notifying the competent authority and the data subject about a security incident. The regulation stipulates that controllers shall notify the competent authority of a personal data breach within 72 hours and, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject about the breach without undue delay.

Additionally, Article 16 of the NIS Directive obliges digital service providers to notify the competent authority or the CSIRT (computer security incident response team) without undue delay of any incident having a substantial impact on the provision of a service. It is also expected that additional measures will arise from the ePrivacy Directive currently under revision.

Direct Marketing and Internet Use

Direct marketing based on electronic contact details (e.g. e-mail, mobile numbers etc.) is regulated by the Electronic Communications Act. As a general rule, the subscriber must be able to consent to electronic marketing. The requirements for this consent differ based on whether the person concerned is a legal entity or a natural person, and whether there is an existing client relationship between the parties. Additionally, customer consent must be obtained separately from the other terms of the contract between the parties, i.e. it cannot be obtained through the standard terms presented to the customer. In practice, for example, a checkbox separate from the acceptance of the standard terms is often used to obtain this kind of consent.

Opt-in is required if the addressee is a natural person, except in the case of an existing client relationship, where opt-out is permitted. The message itself must always include information that clearly identifies the person on whose behalf the marketing material is sent, clearly distinguishable direct marketing content and clear instructions on how to refuse further direct marketing (e.g. an unsubscribe link). Refusal must be possible in an easy manner, using channels of electronic communication.

Reliance on opt-out for natural persons in the framework of an existing client relationship is subject to additional requirements, e.g. the direct marketing must concern similar goods or services and the recipient must have been given the possibility to opt out when his or her personal data was collected.

Real-time non-automated phone calls and regular mail in Estonia are subject to the opt-out condition.

Cookies

Due to the opt-out system, consent to cookies is not needed. The law does not refer specifically to browser settings or other applications to be used in order to exercise the right to refuse. We note that a draft law has been initiated under which an opt-in system for cookies would apply to providers of information society services. The amendment was initially planned to enter into force on 1 June 2015, but currently there is no information regarding a possible entry-into-force date.

Cross-Border Data Transfers

Cross-border transfer of personal data from Estonia is only allowed to countries with an adequate level of data protection (i.e. EU/EEA member states and countries whose level of personal data protection has been evaluated as adequate by the European Commission). If personal data is transferred to a country whose level of personal data protection has not been evaluated as adequate by the European Commission, prior authorisation for such transfer has to be obtained from the Estonian Data Protection Inspectorate.

However, under certain exceptions, cross-border transfer to countries without an adequate level of data protection is also allowed without the authorisation of the Estonian Data Protection Inspectorate. There are three such alternatives: (1) the data subject has given the respective consent; (2) in individual cases, for the protection of the life, health or freedom of the data subject or another person if obtaining the consent of the data subject is impossible; or (3) the third person requests information obtained or created in the course of performing public duties provided by an act or legislation issued on the basis thereof, the data requested do not contain any sensitive personal data and access to it has not been restricted for any other reason.


Unless any of the aforementioned exceptions are applicable, the data processor must obtain the prior authorisation of the Data Protection Inspectorate even if the company is using the EU Standard Contract Clauses or relying on approved Binding Corporate Rules.

Third Parties

The Personal Data Protection Act establishes certain criteria for transferring personal data to third parties. In the case of consent-based processing, the controller must inform the data subject about the conditions for communicating the data to third parties and the rights of the data subject concerning further processing of his or her personal data.

There are, however, certain limited situations where the transfer of personal data to a third party is permissible without the consent of the data subject. Transfer of personal data, or granting access to personal data, to third persons for the purposes of processing is permitted without the consent of the data subject if: (1) the third person processes the personal data for the purposes of performing a task prescribed by law, an international agreement or directly applicable legislation of the Council of the European Union or the European Commission; (2) in individual cases, the transfer is necessary for the protection of the life, health or freedom of the data subject or another person and obtaining the consent of the data subject is impossible; or (3) the third person requests information obtained or created in the course of performing public duties provided by an Act or legislation issued on the basis thereof, the data requested do not contain any sensitive personal data and access to it has not been restricted for any other reason.

Collection and communication of data to third persons for assessing the creditworthiness of persons or for other such purposes is also permissible without the consent of the data subject if certain preconditions are met.

Penalties and Compensation

Non-compliance with data protection provisions arising from law has consequences under Estonian law. Violation of applicable data processing requirements is punishable by a fine of up to 1,200 euros ($1,286) for natural persons and up to 32,000 euros ($34,295) for legal persons.

Officials of the Data Protection Inspectorate have the right to issue precepts to processors of personal data and adopt decisions for the purpose of ensuring compliance with the Act. Upon failure to comply with a precept, the Data Protection Inspectorate may impose a penalty payment in administrative proceedings. The upper limit for a penalty payment is 9,600 euros ($10,290), and this penalty payment may be imposed repeatedly until the non-compliance is remedied.

There is no predetermined compensation for individuals prescribed in the applicable legal acts. However, individuals are not precluded from bringing a civil claim for both pecuniary and moral damages against the data controller or processor.

Cybersecurity Legislation, Regulation and Enforcement

There is no single legal act devised to regulate cybercrime or cybersecurity in Estonia. Different legal acts regulate the matter from specific angles, which makes the regulation scattered.

Estonia follows the example and policy of the EU in the field of cybersecurity. No specific international standards have been adopted, meaning that the activities which have been criminalised are similar to the developed practice in other countries. For example, the criminalised activities include: illegal alteration, deletion, damaging or blocking of data in computer systems; unlawful removal or alteration, for commercial purposes, of the means of identification of terminal equipment used in an electronic communications network; and illegally obtaining access to computer systems by eliminating or circumventing means of protection.

The authority responsible for enforcing cybersecurity rules depends on the particular matter at hand. For example, compliance with the obligations of communications undertakings is supervised by the Technical Regulatory Authority, matters related to the violation of personal data protection regulation are supervised by the Data Protection Inspectorate, and the application of the system of security measures for information systems in the public sector is supervised by the Estonian Information System Authority. The Police and Border Guard Board and the Prosecutor’s Office are responsible for investigation and prosecution in criminal matters.

Estonia is a signatory to the Budapest Convention on Cybercrime.

Cybersecurity Best Practice and Reporting

Insuring a company against cybersecurity breaches is not very common in Estonia, and the availability of corresponding products is limited. There are no general requirements for keeping records of cybercrime threats, attacks and breaches, and there is no general obligation to report cybercrime threats, attacks and breaches to the relevant authorities. Only communications undertakings must report threats, attacks and breaches concerning personal data to the Data Protection Inspectorate or, depending on the circumstances, also to the Estonian Information System Authority.

Criminal Sanctions and Penalties

The penalty for a cybercrime depends on the particular crime and its gravity. For natural persons the sanction is usually a pecuniary punishment or imprisonment of up to three or five years; for legal persons the sanction is a pecuniary punishment. In the case of a legal person, the court may impose a pecuniary punishment of 4,000 euros ($4,285) to 16 million euros ($17.1 million).

In the case of failure to comply with cybersecurity regulations, the sanction depends on the particular violation and is usually a fine. The maximum fine for legal persons for the violation of personal data protection requirements is 32,000 euros ($34,290). Violations of the obligations under the Electronic Communications Act are punishable by fines of up to 3,200 euros ($3,430).
