
Estonia

Summary

Law: Personal Data Protection Act 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Data Protection Inspectorate (DPI)

Summary: Estonia implemented the GDPR in 2018 through the Personal Data Protection Act 2018 (PDPA), which is closely aligned with the GDPR and does not derogate at all in areas such as the appointment of a data protection officer, data breach notification, or data subject rights. However, the PDPA states that the consent of a data subject remains valid for ten years after the data subject's death, and for 20 years if the data subject is a minor.

To date, the Data Protection Inspectorate (DPI), as the supervisory authority designated under the PDPA, has issued warnings with the potential for fines for non-compliance which relate to, for instance, video surveillance, the DPI's request for information, and the right to rectification. Furthermore, the DPI has issued guidance on automated decision-making, video surveillance, the main responsibilities of data controllers, and the processing of employees' email inboxes.

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview of the rules and guidelines for DPO contact registration across Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, and Greece.