The rights to privacy and data protection are under increasing threat in the information age. They are threatened both by the growing databases of the state and by data collected by companies, which make it possible to create detailed profiles of the behaviours and attitudes of individuals and to exploit them for economic or political purposes. Surveillance activities (including mass surveillance) and data retention are just some of the challenges that Estonia also faces.
The Estonian Human Rights Centre has drawn the public’s attention to issues of data protection in Estonia. We have also included privacy issues in the report Human Rights in Estonia. We are open to cooperation in this area; we can also help to provide training on different aspects of data protection.
Data protection rules
Each person has the right to control the data about them: personal data cannot be used without permission unless there is another legal basis for it.
There are strict rules regarding the processing of personal data:
- personal data cannot be processed without legal basis or consent of the individual;
- personal data can only be processed for a specified purpose;
- you can only collect and process personal data that is strictly necessary for the purpose;
- personal data can be retained only as long as the purpose exists;
- personal data must be kept secure and protected against unauthorised processing or access (including leaks and hacking);
- the data controller must show that it respects the above principles, i.e. is accountable.
The person whose data is processed (the data subject) has extensive rights:
- the right to be informed about processing and the controller;
- the right to access their personal data and get a copy of it;
- the right to rectification of incorrect data;
- the right to erasure (the so-called “right to be forgotten”);
- the right to data portability to another service provider (from May 2018);
- the right to object to processing of data, including for direct marketing purposes;
- the right to object to automated processing when it creates legal consequences for the individual.
On 25 May 2018, the General Data Protection Regulation comes into force in all EU Member States, including Estonia. It replaces the previous Member State-level legal acts, such as the Personal Data Protection Act in Estonia.
In case of a breach of data protection rules, it is possible to turn to independent data protection authorities; in Estonia this is the Data Protection Inspectorate. In case of violation of personal data by state and security/surveillance authorities, the Chancellor of Justice can also help. It is also possible to turn to the courts.