
Estonia
Data Protection
Introduction
Estonia became a Member State of the European Union on 1 May 2004. Under Article 288 of the Treaty on the Functioning of the European Union, regulations are binding and directly applicable in all Member States.
On 14 April 2016, the European Parliament and Council of the European Union adopted the General Data Protection Regulation (GDPR), officially known as Regulation (EU) 2016/679 ([2016] OJ L119/1), which governs the processing of personal data of individuals within the EU. The GDPR entered into force on 24 May 2016 and has been applicable since 25 May 2018. Since then, data protection in Estonia has been primarily governed by the GDPR.
1. What national laws regulate the collection, use and disclosure of personal data?
In light of the GDPR, the Estonian Parliament adopted the Personal Data Protection Act (PDPA) and the Personal Data Protection Act Implementation Act (PDPAIA). The PDPA provides derogations and additional requirements to the GDPR, applying only when the GDPR does not directly govern a matter or explicitly allows Member States to introduce their own provisions. For instance, the PDPA regulates processing of personal data by law enforcement authorities for the prevention, detection, investigation and prosecution of criminal offences, as well as the imposition of punishments. Additionally, the PDPA:
- provides special grounds for processing of personal data, such as journalistic purposes, academic, artistic and literary expression, for scientific and historical research and official statistics, archiving in public interest, and assessment of creditworthiness; and
- regulates other cases of processing personal data, such as processing children’s personal data for the provision of information society services, after the death of the data subject, in connection with violation of obligation, and in public places.
The PDPAIA contains provisions that amend other national laws to ensure their alignment with the GDPR.
In addition, from a data protection perspective, it is important to note that personal data is also protected at the constitutional level. For instance, the Estonian Constitution protects the inviolability of private and family life, requires the confidentiality of messages, ensures freedom of self-realisation, and gives the right to access information that public authorities have about the citizen. Together, these provisions provide the basis for the protection of personal data in Estonia.
2. To whom do the laws apply?
The GDPR applies to any natural or legal person, public authority, agency, or other body that processes personal data wholly or partly by automated means, as well as to the processing of personal data that is not automated, provided that such data forms part of a filing system or is intended to form part of a filing system.
The GDPR does not apply to the processing of personal data if:
- the activity falls outside the scope of Union law;
- a Member State is carrying out activities related to policies on border checks, asylum and immigration;
- the processing is carried out by a natural person for purely personal or household purposes;
- the processing is carried out by competent authorities for law enforcement purposes.
The PDPA, on the other hand, also applies to law enforcement authorities when they process personal data for the prevention and detection of offences, proceedings relating to offences and the execution of punishments. Both the PDPA and the GDPR apply to constitutional institutions in so far as this does not concern the performance of their constitutional duties and is not regulated in the specific acts that concern them.
3. What is the territorial scope of the law?
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. The GDPR also applies if the controller or processor is not established in the Union, but data subjects are, and the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour so far as their behaviour takes place within the Union.
The PDPA applies when Estonia is the relevant jurisdiction according to international laws.
4. What acts and operations relating to personal data are regulated?
The term ‘processing’ is defined in the GDPR as any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
5. What personal data does the law regulate?
The term ‘personal data’ is defined as any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Read together with the definition of processing above, this means that basically every act or operation involving such data is considered to be processing of personal data.
6. Are any types of personal data subject to a higher level of protection under the law?
The GDPR states that processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. These categories are considered particularly sensitive and are referred to as special categories of personal data, which require additional protections and are subject to stricter processing conditions under the GDPR.
To further clarify, the GDPR defines genetic data, biometric data, and data concerning health as follows:
- ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person, which gives unique information about the physiology or the health of that natural person and which results, in particular, from an analysis of a biological sample from the natural person in question;
- ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data;
- ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveals information about their health status.
Therefore, personal data related to, for example, criminal allegations, proceedings or convictions, as well as financial data, are not considered to be special categories of personal data.
7. What requirements must be fulfilled in order to process personal data?
Under the GDPR, the processing of personal data (other than special categories of data) shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of their personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Moreover, the PDPA provides the additional legal grounds mentioned above (see question 1), such as journalistic purposes, research and statistics, and the assessment of creditworthiness.
Consent, as the most common legal basis for personal data processing, is defined in the GDPR as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
The conditions for consent are outlined in the GDPR, which states that if the data subject’s consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
In addition, personal data must be processed in compliance with the data processing principles stated in the GDPR. This means that personal data shall be processed, for example, in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
8. What obligations apply when processing personal data?
In light of the personal data processing principles stated in the GDPR, the main obligations of data controllers in relation to data subjects are:
- Obligation to inform data subjects. The controller must inform data subjects of their data processing practices.
- Obligation to facilitate the exercise of data subject rights. The controller must enable and support data subjects in exercising their rights, such as the right to information, access, and erasure of their data, etc.
- Obligation to respond to objections and requests for restriction. The controller is required to respond to data subjects’ objections to the processing of their data or requests to restrict processing.
- Obligation to notify data subjects of a security breach. If a security breach occurs that is likely to result in a high risk to the rights and freedoms of individuals, the controller must notify the affected data subjects.
- Obligation to provide information on rights and how to exercise them. The controller must provide clear information regarding the rights of data subjects and the procedures for exercising those rights.
Other obligations of data controllers are mainly related to their operational activities. Such obligations are, for example:
- obligation to maintain a record of processing activities;
- obligation to conduct a Privacy by Design and by Default analysis;
- obligation to conduct a Data Protection Impact Assessment; and
- obligation to notify the competent supervisory authority in case of a personal data breach.
If a data processor is processing data on behalf of a controller, such processing shall be governed by a contract or other legal act. Therefore, the data processor’s obligations are stipulated in that contract or other legal act, although the GDPR specifies what such a contract or other legal act must stipulate. Based on this, the obligations of data processors are, for example:
- to process the personal data only on documented instructions from the controller;
- to implement appropriate technical and organisational measures to secure personal data; and
- to delete or return all the personal data to the controller after the end of the provision of services relating to processing, unless otherwise required by Union or Member State law.
9. What rights does the data subject have in relation to personal data?
Under the GDPR, data subjects have the following rights:
- Right to access. The data subjects have the right to obtain confirmation as to whether personal data pertaining to them is being processed. If data is processed, they also have the right to know the purpose of the processing, the categories of personal data concerned and other relevant details, and access to the personal data.
- Right to rectification. The data subjects have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them.
- Right to erasure. The data subjects have the right to obtain from the controller the erasure of personal data concerning them.
- Right to restriction of processing. The data subjects have the right to obtain from the controller restriction of processing in specific circumstances.
- Right to data portability. The data subjects have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format.
- Right to object. The data subjects have the right to object to the processing of personal data concerning them in specified circumstances, including processing for profiling and marketing purposes.
- Right not to be subject to automated decision-making, including profiling. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
10. What rules regulate the sending of commercial or direct marketing communications?
In Estonia, the sending of commercial or direct marketing communications is regulated under the Electronic Communications Act (ECA). According to the ECA, the use of electronic contact details of a subscriber or user of communications services, who is a natural person, for direct marketing purposes is allowed only with the person’s prior consent.
The use of electronic contact details of a subscriber or user of communications services, who is a legal person, for direct marketing is allowed if:
- a clear and distinct opportunity is provided to refuse such use of contact details, free of charge and in an easy manner; and
- the person is allowed to exercise their right to refuse via an electronic communications network.
If a person obtains the electronic contact details of a buyer, who is a natural or legal person, in connection with selling a product or providing a service, those contact details may still be used, regardless of that person’s consent, for direct marketing of similar products or services to the buyer if:
- the buyer is given, upon the initial collection of electronic contact details, a clear and distinct opportunity to refuse such use of their contact details, free of charge and in an easy manner;
- the buyer is given, each time their electronic contact details are used for direct marketing, a clear and distinct opportunity to refuse such use of their contact details, free of charge and in an easy manner; and
- the buyer is allowed to exercise their right to refuse via an electronic communications network.
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
A transfer of personal data to a third country or an international organisation is regulated under the GDPR. According to the GDPR, a transfer of personal data to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory, or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection. Such a transfer does not require any specific authorisation.
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Depending on the safeguards implemented, authorisation from a supervisory authority may or may not be needed.
In the absence of an adequacy decision or appropriate safeguards, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only under specific conditions.
So far, the European Commission has recognised, for example, Japan, New Zealand, Switzerland and the United Kingdom under the GDPR and the Data Protection Law Enforcement Directive (LED), and the United States (commercial organisations participating in the EU–US Data Privacy Framework) as providing adequate protection under the GDPR.
12. What are the investigatory and enforcement powers of the regulator?
In the meaning of the GDPR, the independent supervisory authority of Estonia is the Estonian Data Protection Inspectorate (DPI). In addition to tasks provided in the GDPR, the PDPA specifies that the DPI is competent to, for example:
- Improve the awareness and understanding of the public, controllers and processors of the risks in the processing of personal data, the standards and safeguards in force for processing and the rights related to processing of personal data. The Estonian Data Protection Inspectorate may give recommended instructions for the performance of this function.
- Provide information to data subjects upon request about the exercise of the rights arising from the PDPA and, where appropriate, co-operate for this purpose with the supervisory authorities of other Member States of the European Union.
- If necessary, initiate misdemeanour proceedings and impose a punishment, where no other administrative measures allow compliance to be achieved with the requirements provided by law or by Regulation (EU) 2016/679 of the European Parliament and the Council.
Furthermore, in addition to the powers conferred by the GDPR, the DPI has the right, for example, to:
- warn controllers and processors that intended processing operations are likely to infringe the PDPA;
- demand rectification or erasure of personal data;
- demand restrictions or termination of processing of personal data;
- implement temporary or permanent restrictions on processing of personal data; and
- initiate supervision proceedings on the basis of a complaint or on its own initiative.
13. What are the sanctions and remedies for non-compliance with data protection laws?
In Estonia, the sanctions and remedies for non-compliance with data protection laws differ from those outlined in the GDPR, particularly concerning administrative fines. The Estonian legal system does not recognise the concept of administrative fines as defined in the GDPR. Instead, administrative authorities, including the Estonian DPI, have the authority to impose penalty payments for non-compliance with a compliance notice issued by an administrative authority, and fines in the case of misdemeanours.
Specifically, the DPI has the following enforcement powers:
- To impose penalty payments, if the addressee fails to perform the obligation imposed by a precept within the term indicated in the warning.
- To impose fines in cases where a misdemeanour has been committed.
- To impose both a penalty payment and a fine for a misdemeanour simultaneously, if necessary to ensure compliance with data protection obligations.
The imposition of (administrative) fines under the GDPR shall be effective, proportionate, and dissuasive. Depending on the specifics of the infringement, the fines may reach up to EUR 20,000,000 in the case of a natural person, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In Estonia, the largest fine imposed under the GDPR has been EUR 200,000. However, in most cases, the average amount of fines, as well as penalty payments, is around EUR 1,000.
In cases of an infringement of the GDPR, data subjects have a right to:
- lodge a complaint with a supervisory authority;
- seek judicial remedies against supervisory authority decisions;
- seek judicial remedies against controllers or processors;
- mandate not-for-profit organisations; and
- claim compensation (the right to compensation and liability).