Privireal - Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC in relation to medical research and the role of ethics committees"

Estonia - Data Protection

History of Data Protection in ESTONIA

Recent years have seen a startling growth of data protection legislation in Estonia. The first Personal Data Protection Act entered into force in July 1996 and was the first law to deal specifically with personal data. It was quickly followed by the Databases Act of 1997, which regulated the establishment and maintenance of databases and replaced the Soviet Socialist Republic State Registers Act of 1990.

On 1 January 1997, the Estonian Data Protection Inspectorate was established under the Personal Data Protection Act. The growth of legislation continued with the introduction of the Public Information Act and the Human Gene Research Act in 2001, both of which have repercussions for the use of personal data.

A new Personal Data Protection Act entered into force on 1 October 2003.

Summary of Data Protection in ESTONIA

Title of Data Protection Legislation: Personal Data Protection Act 2003

Name of supervisory authority: Estonian Data Protection Inspectorate

General powers of supervisory authority: The main task of the Data Protection Inspectorate is the independent supervision of the processing of personal data and the keeping of databases, as well as organising data protection activities. One of the most important functions of the Inspectorate is the continual monitoring and improvement of legislation (Section 36(1)(1) of the Act). The Inspectorate can also "provide recommended instructions for the implementation of this Act" (Section 36(1)(5)). Section 36(1)(3) states that the Inspectorate can impose punishments on those who breach the law. Section 36(2) lays down the actions the Inspectorate can take if there is a breach. It can: (1) suspend the processing of personal data; (2) demand the rectification of inaccurate personal data; (3) prohibit the processing of personal data; (4) demand the blocking or the termination of processing of personal data (including destruction or transfer to an archives); (5) promptly apply, if necessary, the organisational, physical and IT security measures to protect personal data pursuant to the procedure provided for in the Substitutive Enforcement and Penalty Payment Act (RT I 2001, 50, 283; 94, 580) in order to prevent damage to the rights and freedoms of persons; (6) demand relevant documents and other necessary information from persons and make copies of the documents.

Who has standing to notify the supervisory authority of breaches? Anybody, including ethics committees.

What are the penalties for data controllers if they breach the law? The penalty for breaching the law is a fine. See Personal Data Protection Act 2003, Chapter 9, s42.

Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Yes. Processing of the 'personal identification code' is permitted without the consent of the data subject if processing of the personal identification code is prescribed in an international agreement, an Act or a Regulation. See Section 16 of the 2003 Act.

Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably necessary to obtain consent where doing so is not impracticable or inappropriate.

Does the Data Protection Legislation cover the deceased? Yes - consent is valid for up to 30 years after the data subject's death. Close relatives can also give consent for the data of their deceased family member to be processed.

Who is able to indirectly identify the data subject? Anybody.