Data protection rules

Each person has the right to control the data about them: personal data cannot be used with permission unless there is other legal basis for it.

There are strict rules regarding processing of personal data:

• personal data cannot be processed without legal basis or consent of the individual;
• personal data can only be processed for a specified purpose;
• you can only collect and process personal data that is strictly necessary for the purpose;
• personal data can be retained only as long as the purpose exists;
• personal data must be kept secure and protected against unauthorised processing or access (including leaks and hacking);
• the data controller must show that it respects the above principles, i.e. is accountable.

The person, whos data is processed (the data subject), has extensive rights:

• the right to be informed about processing and the controller;
• the right to access to their personal data and get a copy of it;
• the right of rectifiction of incorrect data;
• the right to erasure (so called “the right to be forgotten”);
• the right to data portability to another service provider (from May 2018);
• the right to object to processing of data, including for direct marketing purposes;
• the right to object to automated processing when it creates legal consequences for the individual.

On 25 May 2018, the General Data Protection Regulation becomes in force in all EU Member States, including Estonia. This replaces the previous Member State level legal acts, such as the Personal Data Protection Act in Estonia.

In case of breach of data protection rules, it is possible to turn to independent data protection authorities, in Estonia this is the Data Protection Inspectorate. In case of violation of personal data by state and security/surveillance authorities, the Chancellor of Justice can also help. It is also possible to turn to the courts.