Ask our legal expert!
Gencs Valters
Ask our legal expert!
Gencs Valters
Claim your FREE copy
Doing Business Guide in the Baltics.

Data controller and Data processing and Legal requirements in Estonia

26 November 2012
Facebook Twitter Linkedin





Legal requirements


A processor of personal data is a natural or legal person, a branch of a foreign company or a state or local government agency who processes personal data or on whose assignment personal data is processed. Processor can authorise another person or agency to process personal data by and administrative act or contract.

The Public Information Act was approved by the Parliament and entered into force on 1st January 2001. Supervision and enforcement of the Act will be conducted by the DPI. The law includes significant provisions on electronic access. Government departments and other holders of public information will have a duty to post information on the web, and e-mail requests must be treated as official requests for information. During the period from October 2005 to September 2006, the DPI received 99 complaints, requests for explanation or memoranda based on the Public Information Act. This resulted in 8 misdemeanour proceedings. The majority of the complaints stemmed either from government websites violating provisions of the PIA or failure of the website owner to comply with requests for information.

In 2006, the Centre of Registers of the Ministry of Justice was merged with the Ministry of Justice's IT division becoming the Centre of Registers and Information Systems of the Ministry of Justice. The purpose of the agency is to develop and administer the registers and infosystems in the Ministry of Justice and to provide communication and IT services. The regulation enacts usable information systems and related security measures systems in the maintenance of state and local governments' databases. The security measures system consists of the regulation of specifying security requirements and the description of data's organizational, physical and infotechnological security measures. The regulation comprises the description of security classes and levels. Security classes are divided into four components: time criticality, severity of consequences of delay, integrity and confidentiality. A new information policy action plan, taking into account the objectives and priorities of the EU information strategy i2010, is currently under discussion in the Ministry of Economic Affairs and Communications.

Estonian children have excellent access to the Internet. According to a survey carried out in 2008, 93 percent of children in the 6-16 age group use the Internet. However, in contrast to other EU countries, only 22 percent of parents expressed concerns that their child might be the victim of online grooming. In March 2008, a 16-year-old boy committed a suicide presumably due to an online molester who gathered indecent photographs of the victim that he threatened to publish. Apparently 43 Estonian minors were molested by the same person, who is currently in prison for preliminary investigation. This incident brought the importance of online youth safety acutely into the spotlight. In 2009, the Ministry of Social Affairs summoned a children’s online safety working group, which it has been coordinating ever since. The same Ministry also represents Estonia in the EU Safer Internet Programme. Estonian Union for Child Welfare has also been actively involved in the process of promoting online safety. Since 15 March 2010, online grooming is punishable by a pecuniary punishment or up to three years’ imprisonment. According to the explanatory memorandum of the Penal Code the purpose of the amendment is to prevent the sexual abuse of minors.


How is the legal requirement typically addressed?


The Personal Data Protection Act provide rules for processing the data that applies firs of all to processor:

1) The conditions and procedure for processing of personal data;

2) The procedure for the exercise of state supervision upon processing of personal data;

3)  Liability for the violation of the requirements for processing of personal data.

In case of following points, data processing and person who controls the data are not processors are as follows:

1) Processing of personal data by natural persons for personal purposes;

2) Transmission of personal data through the Estonian territory without any other processing of such data in Estonia;



Legal requirements


Processing of personal data is any act performed with personal data, including the collection, recording, organisation, storage, alteration, disclosure, granting access to personal data, consultation and retrieval, use of personal data, communication, cross-usage, combination, closure, erasure or destruction of personal data or several of the aforementioned operations, regardless of the manner in which the operations are carried out or the means used.

When processing personal data, processor is required to apply and obey certain principles:

1)  principle of legality - personal data needs to be collected only in an honest and legal manner;

2)  principle of purposefulness - personal data must be collected only for the achievement of determined and lawful objectives, and cannot  be processed in a manner not conforming to the objectives of data processing;

3)  principle of minimalism - personal data must be collected only to the extent necessary for the achievement of determined purposes;

4)  principle of restricted use - personal data must be used for other purposes only with the consent of the data subject or with the permission of the competent authority;

5)  principle of high quality of data - personal data must be up-to-date, complete and necessary for the achievement of the purpose of data processing;

6)  principle of security - security measures must be applied in order to protect personal data from involuntary or unauthorised processing, disclosure or destruction;

7)  principle of individual participation - the data subject must be notified of data collected concerning him or her, the data subject must be granted access to the data concerning him or her and the data subject has the right to demand the correction of inaccurate or misleading data.


How is legal requirement typically addressed?


Processing of personal data is permitted only with the consent of the data subject unless otherwise provided by law. An administrative authority can  process personal data only for the  performance of public duties in order to perform obligations prescribed by law, an international agreement or directly applicable legislation of the Council of the European Union or the European Commission.

Certain processing requirements also need to be observed. Upon processing of personal data, a processor of personal data is required to:

1)  immediately delete or close personal data which is not necessary for achieving the purposes thereof, unless otherwise provided by law;

2)  guarantee that the personal data are accurate, and if necessary for achievement of the purposes, kept up to date;

3)  ensure that incomplete and inaccurate personal data are closed, and necessary measures are immediately taken for amendment or rectification thereof;

4)  ensure that inaccurate data are stored with a notation concerning their period of use together with accurate data;

5)  ensure that personal data which are contested on the basis of accuracy are closed until the accuracy of the data is verified or the accurate data are determined;

6)  upon rectification of personal data, inform the third persons who provided the personal data or to whom the personal data was forwarded if this is technically possible and does not result in disproportionate costs.


For questions, please, contact Valters Gencs, attorney at law at

folow us folow us folow us rss

The material contained here is not to be construed as legal advice or opinion.

© Gencs Valters Law Firm, 2016
Claim your FREE copy
Doing Business Guide in the Baltics.