Estonia

Summary

Law: Personal Data Protection Act 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Data Protection Inspectorate (DPI)

Summary: Estonia implemented the GDPR in 2018 through the Personal Data Protection Act 2018 (PDPA), which is closely aligned with the GDPR and does not derogate at all in areas such as the appointment of a data protection officer, data breach notification, or data subject rights. However, the PDPA states that the consent of a data subject remains valid for ten years after the data subject's death, and for 20 years if the data subject is a minor.

To date, the Data Protection Inspectorate (DPI), as the supervisory authority designated under the PDPA, has issued warnings, with the potential for fines for non-compliance, relating to, for instance, video surveillance, the DPI's request for information, and the right to rectification. Furthermore, the DPI has issued guidance on automated decision-making, video surveillance, the main responsibilities of data controllers, and the processing of employees' email inboxes.