Estonia’s New Amendment to Data Privacy Law, GDPR
Estonia’s Personal Data Protection Act 2018, or the PDPA for short, is a data protection law that was recently amended in 2018 and enacted the following year. The PDPA was passed to implement the provisions of the General Data Protection Regulation (GDPR) in Estonian law, as Estonia is a member state of the European Union. As such, the PDPA establishes the legal framework that must be followed when collecting or processing personal data within Estonia, and it gives Estonia’s Data Protection Inspectorate, or the DPI for short, the authority to impose punishments against individuals and organizations who fail to comply with the provisions set forth in the law.
What are the variations between the EU’s GDPR law and Estonia’s PDPA?
When compared with the provisions of the EU’s GDPR law, the provisions of the PDPA remain largely unchanged. However, there are some differences between the two laws in the regulations concerning data retention. Under the PDPA, “data and documents submitted to a registrar in a format that can be reproduced in writing for an entry to be made shall be preserved by the registrar for ten years after making the respective entry.” Separately, “personal data collected for the purpose of carrying out the check are retained for a period of ten years following the completion of the check, expiry of the contract or document serving as the basis for the performance of the task specified in subsection (2) of this section or termination of the checked employment or service relationship. After the expiry of this term, the data are deleted.”
The PDPA also sets forth certain conditions for the collection and processing of personal data that is obtained from public spaces within Estonia. As stated in the law, “Unless otherwise provided by law, upon making in public places audio or visual recordings intended for future disclosure, the consent of data subjects shall be substituted for an obligation to notify data subjects in a manner which allows persons to understand the fact of the recording of the audio or visual images and give persons an opportunity to object to the recording of their person if they so wish. The notification obligation does not apply in the case of public events, recording of which for the purposes of the disclosure may be reasonably presumed.”
What are the rights of data subjects under the PDPA?
The rights of data subjects under the PDPA are identical to those that are provided to citizens who reside within other EU member states. These rights include:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to object or opt-out.
- The right to not be subject to automated decision-making.
The DPI has the regulatory power to enforce the provisions established in the PDPA. To this end, the DPI has the authority to demand certain restrictions concerning the collection and processing of personal data, such as mandating that a particular data controller or processor erase or rectify personal data they have improperly collected or processed. Moreover, the DPI has the authority to demand that a particular individual or organization operating within Estonia terminate its data processing operations altogether. The DPI also has the authority to impose fines “of up to €20 million or up to 4% of the total global annual turnover for a business’s previous financial year, whichever amount is higher.”
Through the passing of the PDPA and the implementation of the EU’s GDPR law, Estonia set a new standard for data protection within the country. As Estonia’s first PDPA was passed in 1996, the country is similar to many other countries throughout the continent of Europe that have an extensive legal history of providing data protection. Through the precedent of such legislation, as well as the provisions of the EU’s GDPR law, Estonian citizens can have the peace of mind that they will be able to pursue multiple legal avenues should their personal data be misused without their consent, or if any of their rights under the law are otherwise violated.