Data Protection in Estonia
TOPIC: ACCESS
1. Legal requirement
Access to information is guaranteed by Article 44 of the Constitution of the Republic of Estonia, which provides that everyone has the right to freely receive information circulated for general use. All state and local government authorities and their officials are obliged to provide information on their work at the request of Estonian citizens, in accordance with the procedure prescribed by law. Two exceptions are provided: information whose disclosure is forbidden by law, and information intended exclusively for internal use, are not covered by this provision.
Estonian citizens have the right to access information about themselves held by state and local government authorities. This right may be restricted by law in order to protect the rights and freedoms of other persons or the confidentiality of a child's parentage, and in the interests of preventing a crime, apprehending a criminal or ascertaining the truth in a court case. Unless otherwise provided by law, these rights apply equally to everyone residing in Estonia: Estonian citizens, citizens of other states and stateless persons.
Article 45 of the Constitution guarantees freedom of expression. Everyone has the right to freely disseminate ideas, opinions, beliefs and other information by word, print, picture or any other means. This right may be restricted by law where necessary to protect public order, morals, or the rights and freedoms, health, honour or good name of others. Further restrictions may be imposed on state and local government officials for the purpose of protecting state or business secrets or information received in confidence, and of protecting the family life and privacy of other persons and the interests of justice.
A further means of access to information is provided by Article 24 of the Constitution: court hearings are public, and court judgments are pronounced publicly, unless the interests of a minor, a spouse or a victim require otherwise. A court may also close a session in other cases, for example to protect a state or business secret, public morals, or the family life or privacy of persons.
Article 26 guarantees the inviolability of family life and privacy. State and local government authorities and their officials may not interfere with any person's family life or privacy, except in the cases and pursuant to the procedure provided by law to protect health, public morals, public order or the rights and freedoms of other persons, to prevent a crime or to apprehend a criminal. Article 43 covers the secrecy of communications: everyone is entitled to confidentiality of messages sent or received by post, telegraph, telephone or other commonly used means.
The Personal Data Protection Act aims to protect the fundamental rights and freedoms of natural persons upon the processing of personal data, above all the right to inviolability of private life. Its principle of individual participation requires that the data subject be notified of the data collected concerning him or her, be granted access to that data, and be entitled to demand the correction of inaccurate or misleading data.
Communication of personal data, or granting access to it, to third persons for processing is permitted without the data subject's consent if the third person requests information obtained or created in the performance of public duties prescribed by an Act or by legislation issued on the basis thereof, provided that the requested data contains no sensitive personal data and access to it has not been restricted on any other grounds. The Act defines processing broadly as any act performed with personal data, which includes granting access to the data.
Where processing of personal data is not permitted, the data subject has the right to demand that disclosure of, or access to, the personal data be terminated. A processor is obliged to protect personal data by organisational, physical and information technology security measures. As regards the availability of data, these include measures against accidental or intentional destruction of the data and against entitled persons being denied access to it. Upon processing personal data, the processor is required to prevent access by unauthorised persons to the equipment used for processing, and to ensure that every user of a data processing system has access only to the personal data he or she is permitted to process and only to the processing operations for which he or she is authorised. The register of processors of sensitive personal data is accessible to the public through the website of the Data Protection Inspectorate.
The Public Information Act ensures that the public and every person has the opportunity to access information intended for public use. The Act provides the conditions, procedure and methods for access to public information, the grounds for refusing access, the categories of public information subject to access restrictions and the procedure for granting access to them, as well as the procedure for state supervision over the organisation of access to information. The Act does not apply to information classified as a state secret, nor to the granting of access to public records by archival agencies.
Holders of information are required to ensure access to the information in their possession, for every person, in the quickest and easiest manner possible. When granting access, the inviolability of the private life of persons must be ensured. Access to information is free of charge unless payment for the direct expenses of releasing the information is prescribed by law. Every person retains the right to contest a restriction on access to information if that restriction violates his or her rights or freedoms.
The Consumer Protection Act guarantees fundamental consumer rights, including the right to obtain necessary and truthful information on the goods and services offered, timely information on any risks relating to them, and information on the safety of goods and services and on aspects concerning the protection of health, property and economic interests.
2. How is the legal requirement typically addressed?
The definition of personal data is provided by the Personal Data Protection Act: personal data is any data concerning an identified natural person or a natural person who can be identified, regardless of the form or format in which such data exists. The Act distinguishes between personal data and sensitive personal data.
3. Categories / What type of data is protected from unauthorized access?
Personal data is protected by the Personal Data Protection Act. In addition, the Penal Code penalises the disclosure of confidential data: if a doctor, medical assistant, nurse, midwife, psychologist, advocate, notary or other person discloses confidential data relating to the descent, genetic data, artificial insemination, family or health of a person which became known to the offender in the course of professional activity, in violation of the legislation regulating that professional activity or of other legislation, the offence is punishable by a fine, by deprivation of the right to work in a particular position or to operate in a particular area of activity, by detention, or by up to one year's imprisonment.
TOPIC: BIOMETRIC DATA
Biometric data is sensitive personal data. Since 22 May 2007, the Republic of Estonia has issued biometric passports to Estonian citizens, storing the holder's biometric data on a chip. Pursuant to the Identity Documents Act, the biometric data of the holder of a document may be processed only in the cases and under the conditions provided by law. The Government has established a database of identity documents, which is intended for internal use only and has restricted access.
Biometric data is defined in the Identity Documents Act as the facial image, fingerprint images, signature or image of signature, and iris images. Such data may be obtained from a person and processed only for the specific purposes prescribed by the Act, and the biometric data of a document holder may be processed only in the cases and under the conditions provided by law.
By submitting an application for a document in which biometric data is used, the applicant consents to the capturing of his or her fingerprints and facial image and to the processing of that data.
Pursuant to the Identity Documents Act, an identity (ID) card is mandatory for every Estonian citizen aged 15 or over who resides permanently in Estonia, and for every alien residing permanently in Estonia on the basis of a valid residence permit or right of residence. The identity card is an internal document held by an Estonian citizen or an alien staying permanently in Estonia. The following personal data concerning the holder may be entered on it: name; date and place of birth; personal identification code; photo or facial image; sex; citizenship; fingerprint images; signature or image of signature; iris images; hair colour; and other personal data prescribed by an international agreement, a law, or other legislation of general application established on the basis thereof. The first Estonian ID card was issued on 28 January 2002. All ID cards enable electronic identification of the holder and the digital signing of documents. As of 6 September 2010 there were over 1.1 million active ID cards, against a population of 1.3 million. Since the card's launch in 2002, over 37 million electronic signatures have been given and more than 63 million electronic authentications performed using it.
Under the General Part of the Civil Code Act, digitally signed documents have the same probative value as documents bearing handwritten signatures. Use of the digital signature is mandatory for public sector institutions. Digital signatures are used throughout the Estonian court system for communication between parties, by the Tax Board when receiving tax documents from individuals and businesses, and for concluding loan agreements with online banks. A personal identification number (PIN) is used to activate the card. For resident aliens with valid documents, the ID card also carries residence and work permit data.
The ID card gives access to Internet-based services provided by the state as well as by private companies, including digital signing, encryption, electronic voting, online banking, electronic tickets for public transport, iPatient (the online patient information portal of the East Tallinn Central Hospital), online filing of tax returns with the Tax Board, and registration of company information with the Company Registration Portal.
The police are authorised to check a person's identity on the basis of the identity card for safety reasons, and businesses selling alcoholic beverages are authorised to request an identity card from customers who appear to be minors. Since May 2007 a Mobile-ID service has allowed customers to identify themselves using their mobile phone: the user enters into a contract for the Mobile-ID service, exchanges the old SIM card for a new one and "gets the usual PIN and PUK keys plus additional codes needed for Internet-based personal identification and issuance of digital signatures."
There is no specific legislation, and no reliable data, on the use of RFID tags. The general data protection framework applies to the processing of personal data by means of RFID technology.
In 2007 the Supreme Court ruled on a request that a court judgment not be disclosed because of the personal data it contained. The accused argued that the victims might be recognised and associated with him. The court held that the accused, as a person whose personal data are processed, may in principle submit such a claim, but found that the judgment contained no sensitive personal data about the accused, and that the sensitive data on the victims, who were minors, would in any case have been anonymised under the Code of Criminal Procedure. The Supreme Court confirmed the principle, recognised in criminal procedure, that disclosure of the defendant's identity in the judgment does not violate his rights.
The Supreme Court analysed the meaning of "private life" in 2009. Under the Penal Code, disclosure of information obtained in the course of professional activities and relating to the health, private life or commercial activities of another person, by a person required by law to maintain the confidentiality of such information, is punishable by a pecuniary punishment. In the case at hand, the accused, a police inspector, had given a third person information about the victims' place of residence, registered vehicles and violations of law, and argued that this information was neither private nor sensitive personal data. The Supreme Court held that "private life" covers the whole sphere of a person's life and therefore includes information on an individual's place of residence, registered vehicles and violations of law.
TOPIC: CONSENT
General rule: processing of personal data requires the consent of the data subject, except in the cases provided by law.
Applying for a document in which biometric data is used constitutes consent to the capturing of the applicant's fingerprints and facial image and to the processing of that data. Under the principle of restricted use, personal data may be used for other purposes only with the consent of the data subject or with the permission of the competent authority.
An authorised processor may delegate the processing of personal data to another person, but only with the written consent of the chief processor. Personal data may be processed and disclosed in the media for journalistic purposes without the consent of the data subject if there is a predominant public interest in doing so and it accords with the principles of journalism ethics; such disclosure may not cause excessive damage to the rights of the data subject.
Consent is the declaration of intention by which a data subject permits the processing of his or her personal data. It is valid only if based on the free will of the data subject, and it must clearly determine the data for whose processing permission is given, the purpose of the processing, the persons to whom communication of the data is permitted, the conditions for communicating the data to third persons, and the rights of the data subject regarding further processing. Silence or inactivity is not deemed a declaration of intention. Consent may be partial and conditional, and must be in a format that can be reproduced in writing. Before obtaining consent, the processor must notify the data subject of its name, address and other contact details. Before sensitive personal data is processed, it must be explained to the data subject that the data concerned is sensitive personal data, and the data subject's consent must be obtained in a format that can be reproduced in writing.
A data subject has the right at any time to prohibit the processing of data concerning him or her for consumer habit research or direct marketing, and the communication of the data to third persons who intend to use it for those purposes. Consent remains valid during the lifetime of the data subject and for thirty years after his or her death, but may be withdrawn by the data subject at any time.
After the death of a data subject, personal data relating to him or her may be processed only with the written consent of the successor, spouse, descendant or ascendant, brother or sister of the data subject, unless no consent is required for that processing or thirty years have passed since the death. No consent is required if the personal data to be processed consists only of the data subject's name, sex, dates of birth and death, and the fact of death.
There are several exceptions under which consent is not required. Data concerning a data subject may be processed without consent for the needs of scientific research or official statistics only in coded form, and personal data already collected may be processed for those purposes regardless of the purpose for which it was initially collected.
Personal data may also be processed without the data subject's consent on the basis of law, for the performance of a task prescribed by an international agreement, and in individual cases for the protection of the life, health or freedom of the data subject where obtaining consent is impossible. Performance of a contract is a further exception, unless the data processed is sensitive personal data.
Communication of personal data, or granting access to it, to third persons for processing is permitted without the data subject's consent if the recipient processes the data in order to perform a task prescribed by law, and in individual cases for the protection of the life, health or freedom of the data subject where obtaining consent is impossible. Surveillance equipment that transmits or records personal data may be used for the protection of persons or property only if this does not excessively damage the justified interests of the data subject and the collected data is used exclusively for the purpose for which it was collected.
The processor of personal data determines the purposes, categories, procedure and manner of processing, and whether communication of the data to third persons is permitted.
Personal data is any data concerning an identified natural person or a natural person who can be identified, regardless of the form or format in which it exists (numerical, graphical, alphabetical, video, audio, etc.), as long as the information can be used to identify the person.
Sensitive personal data comprises:
1) Data revealing political opinions or religious or philosophical beliefs, except data relating to being a member of a legal person in private law registered pursuant to the procedure provided by law;
2) Data revealing ethnic or racial origin;
3) Data on the state of health or disability;
4) Data on genetic information;
5) Biometric data (above all fingerprints, palm prints, eye iris images and genetic data);
6) Information on sex life;
7) Information on trade union membership;
8) Information concerning the commission of an offence or falling victim to an offence, before a public court hearing, the making of a decision in the matter of the offence or the termination of the court proceedings in the matter.
TOPIC: DATA CONTROLLER
A processor of personal data is a natural or legal person, a branch of a foreign company, or a state or local government agency that processes personal data or on whose assignment personal data is processed. A processor may authorise another person or agency to process personal data by an administrative act or a contract.
The Public Information Act was adopted by Parliament and entered into force on 1 January 2001. Supervision and enforcement of the Act are the responsibility of the Data Protection Inspectorate (DPI). The Act contains significant provisions on electronic access: government departments and other holders of public information must post information on the web, and e-mail requests must be treated as official requests for information. From October 2005 to September 2006 the DPI received 99 complaints, requests for explanation or memoranda based on the Public Information Act, resulting in 8 misdemeanour proceedings. Most complaints concerned either government websites violating provisions of the Act or failure of the website owner to comply with requests for information.
In 2006 the Centre of Registers of the Ministry of Justice was merged with the Ministry's IT division to form the Centre of Registers and Information Systems of the Ministry of Justice. Its purpose is to develop and administer the registers and information systems of the Ministry of Justice and to provide communication and IT services. A Government regulation establishes the system of security measures to be applied to the information systems used in maintaining state and local government databases. The system consists of the procedure for specifying security requirements and of descriptions of the organisational, physical and information technology security measures for data, including descriptions of security classes and security levels. A security class is composed of four components: time criticality, severity of the consequences of delay, integrity and confidentiality. A new information policy action plan, taking into account the objectives and priorities of the EU information strategy i2010, is under discussion in the Ministry of Economic Affairs and Communications.
Estonian children have excellent access to the Internet: according to a 2008 survey, 93 percent of children aged 6-16 use it. In contrast to other EU countries, however, only 22 percent of parents expressed concern that their child might become a victim of online grooming. In March 2008 a 16-year-old boy committed suicide, presumably because of an online molester who had gathered indecent photographs of him and threatened to publish them; apparently 43 Estonian minors were molested by the same person, who is currently in custody pending investigation. The incident brought online youth safety acutely into the spotlight. In 2009 the Ministry of Social Affairs convened a children's online safety working group, which it has coordinated ever since; the same Ministry represents Estonia in the EU Safer Internet Programme. The Estonian Union for Child Welfare has also been active in promoting online safety. Since 15 March 2010 online grooming has been punishable by a pecuniary punishment or up to three years' imprisonment; according to the explanatory memorandum to the Penal Code amendment, its purpose is to prevent the sexual abuse of minors.
How is the legal requirement typically addressed?
The Personal Data Protection Act lays down rules for the processing of personal data that apply first of all to processors. The Act provides for:
1) The conditions and procedure for processing of personal data;
2) The procedure for the exercise of state supervision upon processing of personal data;
3) Liability for the violation of the requirements for processing of personal data.
The Act does not apply to:
1) Processing of personal data by natural persons for personal purposes;
2) Transmission of personal data through the Estonian territory without any other processing of such data in Estonia.
TOPIC: DATA PROCESSING
Processing of personal data is any act performed with personal data, including the collection, recording, organisation, storage, alteration, disclosure, granting access to personal data, consultation and retrieval, use of personal data, communication, cross-usage, combination, closure, erasure or destruction of personal data or several of the aforementioned operations, regardless of the manner in which the operations are carried out or the means used.
When processing personal data, the processor is required to observe the following principles:
1) principle of legality - personal data may be collected only in an honest and lawful manner;
2) principle of purposefulness - personal data must be collected only for the achievement of determined and lawful objectives, and cannot be processed in a manner not conforming to the objectives of data processing;
3) principle of minimalism - personal data must be collected only to the extent necessary for the achievement of determined purposes;
4) principle of restricted use - personal data must be used for other purposes only with the consent of the data subject or with the permission of the competent authority;
5) principle of high quality of data - personal data must be up to date, complete and necessary for the achievement of the purpose of data processing;
6) principle of security - security measures must be applied in order to protect personal data from involuntary or unauthorised processing, disclosure or destruction;
7) principle of individual participation - the data subject must be notified of data collected concerning him or her, the data subject must be granted access to the data concerning him or her and the data subject has the right to demand the correction of inaccurate or misleading data.
How is the legal requirement typically addressed?
Personal data may be processed only with the consent of the data subject unless otherwise provided by law. An administrative authority may process personal data only in the performance of public duties, in order to perform obligations prescribed by law, an international agreement or directly applicable legislation of the Council of the European Union or the European Commission.
Certain processing requirements must also be observed. Upon processing personal data, a processor is required to:
1) immediately delete or close personal data which is not necessary for achieving the purposes thereof, unless otherwise provided by law;
2) guarantee that the personal data are accurate, and if necessary for achievement of the purposes, kept up to date;
3) ensure that incomplete and inaccurate personal data are closed, and necessary measures are immediately taken for amendment or rectification thereof;
4) ensure that inaccurate data are stored together with the accurate data, with a notation concerning their period of use;
5) ensure that personal data which are contested on the basis of accuracy are closed until the accuracy of the data is verified or the accurate data are determined;
6) upon rectification of personal data, inform the third persons who provided the data or to whom it was forwarded, if this is technically possible and does not result in disproportionate costs.
TOPIC: DATA SECURITY BREACH
A person responsible for the protection of personal data who discovers a violation in the course of processing is obliged to inform the processor of personal data, and the processor must immediately take measures to terminate the violation. If the processor does not act to end the violation, the person responsible for data protection must inform the Data Protection Inspectorate of the violation discovered.
Officials of the Data Protection Inspectorate must maintain, for an unspecified term, the confidentiality of restricted data and personal data that become known to them in the course of their official duties. In the event of a violation of personal data processing requirements, they must explain the nature of the violation to the processor of the personal data or its representative and demand that the violation be terminated, and may issue a precept or initiate misdemeanour proceedings.
Chapter 7 of the Personal Data Protection Act lays down liability. Violation of the obligation to register the processing of sensitive personal data, of the requirements regarding security measures to protect personal data, or of other requirements for the processing of personal data is punishable by a fine of up to 300 fine units. Failure to comply with a precept issued for the elimination of such a violation of the security or other processing requirements is also punishable by a fine of up to 300 fine units.
In 2004 the DPI was involved in two cases that reached the Supreme Court, both concerning access to public information. The first, between the DPI and the Estonian Tax and Customs Board, concerned the Board's register of documents and a restriction on access to it. The Supreme Court upheld the decisions of the administrative court and the circuit court, according to which the Board's complaint did not fall within the competence of the administrative court; the DPI's decision that the restriction was unlawful was thus not upheld by the courts. In November 2004 the restriction on access was given a legal basis by an amendment to the Taxation Act.
The second case involved the DPI and a private individual, who complained about the DPI's decision on his challenge. The DPI had held that the individual, a member of a city council, had no right to request information on the wages and salaries of employees of institutions administered by the city, because those employees are not officials. The Supreme Court found that the individual had sought the information in his capacity as a member of the city council, so that his request was not even a request for information within the meaning of the Public Information Act. It set aside the decisions of the administrative court and the circuit court and closed the proceedings, holding that the employees of institutions administered by the city are not officials and that their salaries and wages are therefore not public. The DPI's decision stood.
Most cyber offences committed in Estonia are computer-related fraud, the manufacture of works involving child pornography, or making child pornography available. Computer-related fraud accounted for 0.444 percent of all criminal offences against property in 2003, 0.464 percent in 2007 and 1.299 percent in 2008, a clear increase. In 2008, 52 cases of manufacturing works involving child pornography or making child pornography available were registered. In approving the development trends of criminal policy until 2018, Parliament stated that the fight against cybercrime must focus on preventing the sexual abuse of minors, major computer-related fraud and the spreading of computer viruses, and that cooperation with the private sector in crime prevention is needed to raise the awareness of potential victims. To this end, a sufficient number of IT specialists in law enforcement authorities must be assured.
The Cyber Security Strategy Committee, led by the Ministry of Defence, focuses on preventing and combating cyber threats at state level. Estonia hosts the Cooperative Cyber Defence Centre of Excellence (CCD COE), formally established on 14 May 2008 to enhance NATO's cyber defence capability. In spring 2010 the Ministry of the Interior submitted Estonia's official proposal to host the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice.
No additional comments
No templates available
TOPIC: DATA SUBJECTS' RIGHTS
§ 8. Data subject.
A data subject is a person whose personal data are processed. A data subject has the right to obtain information and personal data concerning him or her. When a data subject requests information, the processor is obliged to provide information regarding the personal data, the purposes of processing of the personal data, the categories and source of the data, the third persons or categories of third persons to whom transmission of the data is permitted, the third persons to whom the personal data have been transmitted, the name of the processor of personal data or its representative, and the address or other contact details of the processor of personal data.
A data subject has the right to obtain personal data relating to him or her from the processor of personal data. Where possible, personal data is issued in the manner requested by the data subject. The processor of personal data is required to provide a data subject with information and the requested personal data or state the reasons for refusal to provide data or information within five working days after the date of receipt of the corresponding request. After the death of a data subject, his or her successor shall have the rights concerning the personal data of the data subject.
A data subject has the right to demand the termination of processing of personal data and the correction, closure and deletion of personal data. A data subject has the right to demand the correction of inaccurate personal data concerning him or her from the processor of his or her personal data. If the processing of personal data is not permitted by law, the data subject has the right to demand the termination of processing, the termination of disclosure of or access to the data, and the deletion or closure of the collected data.
Moreover, a data subject has the right to sue the Data Protection Inspectorate in court if he or she finds that his or her rights were violated in the processing of personal data. A data subject may demand compensation for damage if his or her rights were violated upon the processing of personal data. This can be done on the basis of and pursuant to the procedure provided by law.
In 2008, the Supreme Court deliberated over whether a request about one’s state of health can be considered as "processing" of personal data. An imprisoned person requested to see a doctor but, as a response to the prison guard’s question about the nature of his complaint, refused to disclose the exact ailment. The complainant found that, pursuant to the PDPA, the information about one’s state of health is confidential, and that the prison guard’s request was therefore not legitimate. The Supreme Court upheld the previous decisions made by the administrative and circuit court. It agreed that as the prison guard only made a reasoned request on the nature of the complainant’s complaint, no personal data was processed, and therefore the PDPA does not apply. The Supreme Court also agreed that in order to decide whether the need for a doctor is inevitable, the prison guard is entitled to know what the grounds of the imprisoned person’s request for a doctor are.
Another case that involved the DPI found its way to the Supreme Court in 2010. A former political party leader filed a request with a newspaper in 2008 to take down an online article published in 2004. As the publisher (the newspaper) declined, the plaintiff turned to the DPI. The latter compelled the newspaper to take down the online version of the article. The newspaper, in turn, found that the article and personal data it included had been published under the then newly elected party leader's consent, and that the PDPA allows the processing and disclosure of personal data for journalistic purposes even without the data subject's consent, provided that there is a predominant public interest and it is in accordance with the principles of journalism ethics. As the Supreme Court did not find any grounds to hear the matter, the decision of the circuit court entered into force. The circuit court ruled that the public interest towards a former party leader remains also after the data subject has finished his or her political activity. The court found that the need to preserve already published news for educational and historical purposes gives rise to a predominant public interest that outweighs the interests of the data subject.
No additional comments
No templates available
TOPIC: DATA TRANSFER
Transmission of personal data through Estonian territory without any other processing of such data in Estonia is excluded from the scope of the Personal Data Protection Act. Processing of personal data that is meant to be communicated or transferred to third persons is permitted only if the third person has a justified interest in processing the data, or if the person communicating the personal data has established the third person's justified interest and verified the accuracy of the data to be transferred or communicated.
Transmission of personal data from Estonia is permitted only to a country which has a sufficient level of data protection. Transmission of personal data is permitted to Member States of the European Union and States party to the Agreement on the European Economic Area. It is also permitted to countries whose level of data protection has been evaluated as sufficient by the European Commission.
Personal data may be transmitted to a foreign country which does not meet these conditions only with the permission of the Data Protection Inspectorate, and only if the chief processor guarantees the protection of the rights and the inviolability of the private life of the data subject in that country, or if a sufficient level of data protection is guaranteed in that country for the specific case of data transmission. Personal data may be transmitted to a foreign country which does not meet these conditions without the permission of the Data Protection Inspectorate if the data subject has granted permission.
Estonia is a member of the Council of Europe and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. In November 2001, Estonia ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) (Convention No. 108). Also in November, Estonia signed and ratified the CoE Convention on Cybercrime.
Since 1 December 2009, when the Treaty of Lisbon entered into force, the Charter of Fundamental Rights has been binding upon the Republic of Estonia.
No additional comments
No templates available
The Estonian Law of Obligations Act provides for the possibility of entering into a contract through a means of communication and regulates contracts entered into through a computer network. The provisions on contracts entered into through a computer network do not apply if the contract is entered into by electronic mail or any other similar personal means of communication.
Any method which enables a consumer and a supplier who are not in the same place at the same time as one another to organise the exchange of information necessary for negotiations and entry into a contract, in particular the use of telephone, radio, computer, facsimile or television or the delivery of addressed or unaddressed printed matter, including a catalogue or a standard letter, to a consumer, or press advertising with an order form, is deemed to be use of a means of distance communication.
A contract for the delivery of goods or the provision of services entered into between a consumer and the person supplying the object or service for the purposes of his or her economic or professional activities (supplier) is deemed to be a distance contract if: 1) the contract is entered into under a marketing or service-provision scheme used by the supplier for the entry into such contracts, and 2) the contract is entered into after the supplier has made an offer or has made a proposal to the consumer to make an offer, and 3) the supplier and the consumer are not present simultaneously at the same place upon entry into the contract, and 4) the offer and the declaration of intent of the consumer to undertake contractual obligations (order) are made by a means of communication.
A contract for the provision of investment services and services permissible for management companies and for the conclusion of transactions permissible for credit institutions, an insurance contract and the provision of a service on the basis of a payment order is deemed to be a distance contract for the provision of financial services.
An offer may be communicated to the consumer by facsimile, telephone answering machine or electronic mail only with the prior consent of the consumer. Other means of communication which allow individual communication may be used for communicating an order only if the consumer has not expressly forbidden the use thereof. The supplier shall confirm receipt of an order immediately in electronic form.
The order and the confirmation of receipt of the order are deemed to have been received when the person to whom the order or confirmation is addressed has had the opportunity to examine it. The terms of the contract, including the standard terms, shall be presented to the customer in a manner which enables them to be saved and reproduced.
If a distance contract also conforms to the provisions concerning package travel contracts or contracts relating to the purchase of the right to use buildings on a timeshare basis, the provisions of the Law of Obligations Act apply together with the specifications provided for such types of contract. These provisions do not preclude or restrict the application of other provisions provided by law for the protection of consumers.
Within a reasonable period of time before a contract is entered into, the consumer shall be provided with the following information: 1) the name and address of the supplier; 2) the main characteristics of the goods or services; 3) the estimated time of entry into force of the contract; 4) the price of the goods or services, including taxes and other components of the price and the size thereof; 5) the size of the postal charges, transport costs and taxes which are not included in the price and the costs of using postal services or means of communication if such costs exceed the basic rate; 6) the procedure for payment for the goods or services and the circumstances relating to delivery of the goods or provision of the services and to performance of the contract; 7) the consumer's right of withdrawal; 8) the term of validity of the offer and the offered price; 9) the minimum term of the contract if the contract is performed continuously or recurrently during a specific term; 10) whether the supplier has the right to deliver goods or provide services other than those ordered or to refuse to deliver the goods or provide the services; 11) if the object is acquired or the service is used on credit, the right of the consumer to withdraw from the credit contract pursuant.
The information shall, taking into account the means of communication used, be provided in good faith, in a clear and comprehensible manner, in compliance with good morals and taking into account the need to protect persons with restricted active legal capacity and in a manner indicating the commercial purpose of the offer. In the case of communication by telephone, the name of the supplier and the commercial purpose of the telephone call shall be made clearly known to the consumer at the beginning of the conversation.
Information on contractual obligations, to be communicated to the consumer during the pre-contractual phase, shall be in conformity with the obligations which would result from the law presumed to be applicable to the distance contract if the latter were concluded.
Where financial services are offered by voice telephony communications, subject to the explicit consent of the consumer only the following information may be given: 1) the name of the caller and his or her link with the supplier; 2) a description of the main characteristics of the financial service; 3) the price to be paid by the consumer to the supplier for the financial service, including all taxes paid via the supplier or, when an exact price cannot be indicated, the basis for the calculation of the price enabling the consumer to verify it; 4) reference to possible taxes and costs that are not included in the price and not paid via the supplier; 5) the existence or absence of the consumer’s right of withdrawal, and the term and the conditions for withdrawal.
Unless the parties have agreed otherwise, the supplier shall execute an order of the consumer not later than within thirty days as of communication of the order. If a supplier is unable to execute an order, the supplier shall give corresponding notice to the consumer and shall refund all amounts paid by the consumer immediately but not later than within thirty days. In lieu of the goods or services ordered, the supplier may provide the consumer with goods or services of at least equivalent quality and price if this possibility was agreed on by the parties beforehand. In the case of withdrawal by the consumer, the costs relating to the return of the goods shall be borne by the supplier.
However, the protection of e-mail can be derived from the concept of private and family life protected and established by the Constitution. Article 43, which establishes the secrecy of communication, protects messages sent by post, telegram, telephone and other generally used means; e-mail therefore falls within this category.
Pursuant to the Trading Act, "e-trade" means the offer for sale, or sale, of goods or services on the Internet without the parties being simultaneously present. As the processing of personal data is permitted only with the data subject's consent, unless otherwise provided by law, commercial e-mails to natural persons can be sent only to e-mail addresses given by the addressees. Pursuant to the Law of Obligations Act, an offer may be communicated to the consumer by facsimile, telephone answering machine or electronic mail only with the consumer's prior consent. Furthermore, commercial e-mails can be sent only with the addressee’s prior consent ("opt-in"), whereby the addressee has to have the possibility to prohibit such use of his or her contact data in the future. Violation of this obligation is punishable by a fine in misdemeanour proceedings amounting to approximately 1,150 EUR. For the same act, if it is committed by a legal person, the fine may go up to approximately 31,956 EUR.
No additional comments on this topic.
No templates available
TOPIC: FAIR PROCESSING
According to the Personal Data Protection Act the processing of personal data is any act performed with personal data, including the collection, recording, organisation, storage, alteration, disclosure, granting access to personal data, consultation and retrieval, use of personal data, communication, cross-usage, combination, closure, erasure or destruction of personal data or several of the aforementioned operations, regardless of the manner in which the operations are carried out or the means used. A processor of personal data is a natural or legal person, a branch of a foreign company or a state or local government agency who processes personal data or on whose assignment personal data is processed.
Upon processing, the processor of personal data must observe several principles of processing. These include the principle of legality, under which data must be collected only in an honest and legal manner, and the principle of purposefulness, under which data must be collected only for the achievement of determined and lawful objectives; together these reflect fair processing.
Upon processing of personal data, a processor of personal data is required to adhere to the following principles: 1) principle of legality - personal data shall be collected only in an honest and legal manner; 2) principle of purposefulness - personal data shall be collected only for the achievement of determined and lawful objectives, and they shall not be processed in a manner not conforming to the objectives of data processing; 3) principle of minimalism - personal data shall be collected only to the extent necessary for the achievement of determined purposes; 4) principle of restricted use - personal data shall be used for other purposes only with the consent of the data subject or with the permission of the competent authority; 5) principle of high quality of data - personal data shall be up-to-date, complete and necessary for the achievement of the purpose of data processing; 6) principle of security - security measures shall be applied in order to protect personal data from involuntary or unauthorised processing, disclosure or destruction; 7) principle of individual participation - the data subject shall be notified of data collected concerning him or her, the data subject shall be granted access to the data concerning him or her and the data subject has the right to demand the correction of inaccurate or misleading data.
A processor of personal data shall determine:
1) The purposes of processing of personal data;
2) The categories of personal data to be processed;
3) The procedure for and manner of processing personal data;
4) Permission for communication of personal data to third persons.