Data Protection, Consent and Biometric Data in Estonia: requirements and categories

23 November 2012

ACCESS

Legal requirement

Access to information is guaranteed by the Constitution of the Republic of Estonia. Article 44 which provides that everyone have the right to freely receive information that is circulated for general use. Moreover, all state and local government authorities are obliged to provide information on their work at the request of Estonian citizens. However, it should be in accordance with the procedure defined by law and there are some exceptions provided, namely, information which is forbidden to disclose and information for internal use only are not subject under this provision.

Estonian citizens have the right to gather and request information about themselves from state and local government authorities. This right may be restricted by law in order to protect the rights and liberties of other persons, and the secrecy of children's ancestry, as well as to prevent a crime, or in the interests of apprehending a criminal or to clarify the truth for a court case. These right equally aplly to all people residing in Estonia: Estonian citizens, citizens of other states and stateless persons, unless law provides otherwise.

Article 45 of the Constitution states guarantees the freedom of speech. It provides right to everyone to freely circulate ideas, opinions, persuasions and other information which is held by any means like word, print, picture, etc. The right migt be restricted by law if necessary to protect public order or morals, rights and liberties, health, honor and reputation of others. Otehr restrictions may be imposed for state and local government officials for purpose of protecting state or business secrets or confidential information, as well as of protecting the family life and privacy of other persons and interest of justice.

Another mean of access to information is covered by Constitution of Estonia under Article 24 . It provides that court hearings are public and court judgments are also made public, unless the interests of juvenile, a matrimonial partner or victime require otherwise. Other restrictions that can be imposed to public court hearings when the session can be closed are, for example, for protection of state or business secrets, public morals or the family life or privacy of persons.

Article 26 guarantees right to inviolability of family life and privacy. State and local government authorities and their officials may not interfere with any person's family life or privacy, for the protection of health or public morals, public order, the rights and liberties of other persons, the prevention of a crime or the apprehension of a criminal. Article 43 covers provisions regarding secrecy of communication. It entitles everyone to secrecy of messages transmitted by post, telegram, telephone or other generally used means.

Personal Data Protection Act is aimed to protect the fundamental rights and freedoms of natural persons upon processing of personal data, above all the right to inviolability of private life. The principle of individual participation of processing personal data states that data subject have to be notified of data collected concerning him or her and to data subject the access has been granted to data concerning him or her. It gives right to the subject to demand correction of inaccurate or misleading data as well.

Communication of personal data or granting access to personal data to third persons for the purposes of processing is permitted without the consent of the data subject if the third person requests information obtained or created in the process of performance of public duties provided by an Act or legislation. In addition, condition that data requested does not contain any sensitive personal data and access to it has not been restricted for any other reasons should be fulfilled. Data Protection Act defines processing the data as any act performed with personal data, which includes granting access to data as well.

In case processing of personal data is not permitted, data subject has a right to demand termination of the disclosure or enabling access to the personal data. A processor is obliged to protect personal by taking organisational, physical and information technology measures. It includes the measures against accidental or intentional destruction and prevention of access to the data by entitled persons, in the part of the availability of data. Upon processing of personal data, the processor of personal data is required to prevent access of unauthorised persons to equipment used for processing personal data and ensure that every user of a data processing system only has access to personal data permitted to be processed by him or her, and to the data processing to which the person is authorised. The register is accessible to the public through the website of the Data Protection Inspectorate.

Public Information Act ensures that the public and every person has the opportunity to access information intended for public use. Act provides for the conditions of, procedure for and methods of access to public information and the bases for refusal to grant access as well as restricted public information and the procedure for granting access. Procedure of the exercise of state supervision over organisation of access to information also is provided. Provisions of Public Information Act does not apply to to information which is classified as a state secret and upon granting access to public records by archival agencies.

Holders of information are required to ensure access to the information in their possession. Access to information is ensured for every person in the quickest and easiest manner possible. When granting access to information, the inviolability of the private life of persons have to be ensured. Access to information is free of charge unless payment for the direct expenses relating to the release of the information is prescribed by law. However, every person keeps the right to contest a restriction on access to information if such restriction violates the rights or freedoms of the person.

Consumer Protection Act guarantees fundamental consumer rights. Therefore consumers have the right to obtain necessary and truthful information on the goods and services offered, and timely information on any risks relating goods or services. Consumers have the right to obtain information on the safety of goods and services offered as well as on aspects concerning protection of health, property and economic interests.

How is legal requirement typically addressed?

Definition of personal data is provided by Data Protection Act. Personal data is any data concerning an identified natural person or a natural person to be identified, regardless of the form or format in which such data exists. The Act distinguishes between personal data and sensitive personal data.

Categories / What type of data is protected from unauthorized access?

Personal data is protected by Data Protection Act. However, Criminal Code provides provisions regarding disclosure of confidential data. It states that in case disclosure by a doctor, medical assistant, nurse, midwife, psychologist, advocate, notary or other person of confidential data relating to the descent, genetic data, artificial insemination, family or health of a person which become known to the offender due to his or her professional activity violates legislation regulating the professional activity or other legislation, is punishable by a fine or deprivation of the right of employment in a particular position or operation in a particular area of activity or by detention or up to one year imprisonment.

BIOMETRIC DATA

Biometric data is sensitive personal data.Since 22 May 2007, the Republic of Estonia has been issuing biometric passports for Estonian citizens, putting the holder's biometric data onto a chip. Pursuant to the Identity Documents Act, the biometric data of the holder of a document may be processed only in the cases and under the conditions provided by law. The Government has established a database for identity documents that was established for internal use only and has a limited access.

Biometric data is covered under Identity Documents Act. Biometric data is the facial image, fingerprint images, signature or image of signature, and iris images. For specific purpose under this Act biometric data may be obtained from a person and such data may be processed. Biometric data of the holder may be processed only in cases and conditions provided by law.

Pursuant to the Identity Documents Act, identity (ID) cards are mandatory for all Estonian citizens over the age of 15 and resident aliens. In Estonia, an identity card is an internal document held by an Estonian citizen or an alien staying permanently in Estonia. The following personal data may be entered on it concerning its holder: name; date and place of birth, personal identification code; photo or facial image; sex; citizenship; fingerprint images; signature or image of signature; iris images; hair colour; other personal data as prescribed by an international agreement, a law or other legislation of general application established on the basis thereof. The first Estonian ID Card was issued on 28 January 2002. All ID cards enable the electronic identification of individuals and the digital signing of documents. As of 6 September 2010, there are over 1.1 million active ID cards, whereas the population of Estonia is 1.3 million. Over 37 million electronic signatures have been provided and more than 63 million electronic authentications have been made using the ID card since its launch in 2002.

Under the General Part of the Civil Code Act , digitally signed documents have the same probative value as documents with written signatures. The use of the digital signature is mandatory for public sector institutions. Digital signatures are used throughout the Estonian court system for communications between parties and by the Estonian Tax Board when receiving tax documents from individuals or businesses, and in order to conclude loan agreements with online banks. A personal identification number (PIN) is used to activate the card. For resident aliens with valid documents, the ID card also contains residence and work permit data. Any Estonian citizen over 14 years of age residing permanently in Estonia shall hold an identity card. In the same way, any alien residing permanently in Estonia on the basis of a valid residence permit or right of residence shall hold an identity card.

The ID-card can be used to get access to Internet-based services provided by the state as well as by private companies. Some of the services this card provides are: digital signatures, encryption, electronic voting, online banking, electronic tickets for public transportation, iPatient (an online patient information portal of the Esat Tallinn Central Hospital), online filing of tax forms with the Tax Board, registration of company-related information with the Company Registration Portal, etc.

The police are authorized to check the identity of a person on the basis of his identity card for safety reasons. Also, businesses selling alcoholic beverages are authorised to request an identity card from the individuals they sell them to who look like minors. Since May 2007 a "Mobile-ID service" gives customers the ability to identify themselves by using their mobile phone. The user enters into a contract to use the Mobile-ID services, swaps out his old SIM card for a new one and "gets the usual PIN and PUK keys plus additional codes needed for Internet-based personal identification and issuance of digital signatures."

There is neither a specific legislation nor reliable data or information regarding the use of RFID tags. However, it is the general data protection framework that is applicable to the processing of personal data through RFID technology.

In 2007, the Supreme Court issued a ruling regarding the right to have the court judgment not disclosed due to the personal data it included. The accused stated that the victims might be recognized and associated with him. The court ruled that the accused, as a person whose personal data are processed, may in general submit such a claim. However, the court found that no sensitive personal data about the accused was included in the court's decisicon. The sensitive data on the victims would have been anonymised in any case under the Code of Criminal Procedure (victims were underaged). The Supreme Court confirmed the principle recognised in criminal procedure that the disclosure of the defendant's identity in the court's decision is not a violation of his rights.

The definition of "private life" was analysed by the Supreme Court in 2009. Pursuant to the Penal Code the disclosure of information obtained in the course of professional activities and relating to the health, private life or commercial activities of another person by an individual who is required by law to maintain the confidentiality of such information, is punishable by a pecuniary punishment. In this case, the accused, as a police inspector, gave information about the victims' place of residence, registered vehicles and violations of law to a third person. The police inspector claimed that the forenamed data was neither private nor sensitive personal data. The Supreme Court held that "private life" includes the whole sphere of personal life, meaning that it also includes information on an individual’s place of residence, registered vehicles and violations of law.

CONSENT

Legal requirement

General rule: consent for processing personal data is required, unless in case of exceptions provided by law.

By submitting an application for a document where the biometric data is used, applicant gives consent for the capturing of the fingerprints of the applicant and for the taking of facial image and processing such data. Principle of restricted use provides that personal data shall be used for other purposes only with the consent of the data subject or with the permission of the competent authority.

Authorised processor may delegate the task of processing personal data to another person. However it can be done only with written consent of the chief processor. Personal data may be processed and disclosed in the media for journalistic purposes without the consent of the data subject, if there is predominant public interest therefore and this is in accordance with the principles of journalism ethics. Disclosure of information cannot cause excessive damage to the rights of a data subject.

The declaration of intention of a data subject whereby the person permits the processing of his or her personal data - the consent is valid only if it is based on the free will of the data subject. The consent clearly determines the data for the processing of which permission is given, the purpose of the processing of the data and the persons to whom communication of the data is permitted, the conditions for communicating the data to third persons and the rights of the data subject concerning further processing of his or her personal data. Silence or inactivity shall not be deemed a declaration of intention. Consent may be partial and conditional. Consent must be in format which can be reproduced in writing. Before obtaining a data subject's consent for the processing of personal data, the processor of personal data has an obligation to notify the data subject of the name, address and other contact details of the processor of the personal data. For processing sensitive personal data, the person must be explained that the data to be processed is sensitive personal data and the data subject's consent shall be obtained in a format which can be reproduced in writing.

A data subject has the right to prohibit, at all times, the processing of data concerning him or her for the purposes of research of consumer habits or direct marketing, and communication of data to third persons who intend to use such data for the research of consumer habits or direct marketing. The consent of data subject remains valid during the lifetime of data subject and for thirty years after the death. However, consent may be withdrawn by the data subject at any time.

After the death of a data subject, processing of personal data relating to the data subject is permitted only with the written consent of the successor, spouse, descendant or ascendant, brother or sister of the data subject, except if consent is not required for processing of the personal data or if thirty years have passed from the death of the data subject. The consent is not required if the personal data to be processed only contains the data subject's name, sex, date of birth and death and the fact of death.

There are several exceptions when the consent is not required for processing the data. Data concerning a data subject may be processed without the consent of the data subject for the needs of scientific research or official statistics only in coded form. Collected personal data may be processed for the purposes of scientific research or official statistics regardless of the purpose for which the personal data was initially collected.

Processing of personal data without consent of data subject may be permitted on basis of law, for performance of task prescribed by international agreement, in individual cases for the protection of the life, health or freedom of the data subject if obtaining consent of the data subject is impossible. Exception of the consent is also performance of contract unless the processed data is sensitive personal data.

Communication of personal data or granting access to personal data to third persons for the purposes of processing is permitted without the consent of the data subject if the third person to whom such data is communicated processes the personal data for the purposes of performing a task prescribed by law, in individual cases for the protection of the life, health or freedom of the data subject if it is impossible to obtain the consent of the data subject. Surveillance equipment transmitting or recording personal data may be used for the protection of persons or property only if this does not excessively damage the justified interests of the data subject and the collected data is used exclusively for the purpose for it is collected.

Processor of personal data is determining the purposes, categories, procedure and manner of processing personal data, as well as permission for communication of data to third persons.