Digital Rights

The right to privacy and protection of personal data is increasingly under threat in the information age. Both the country’s expanding databases and the data collected by Internet companies make it possible to create detailed profiles based on peoples attitudes and behaviour and exploit them. The surveillance activities of security agencies (including stalking) and the storage of communication data are just some of the challenges Estonia faces.

The Estonian Human Rights Centre has directed attention to the problems related to the protection of personal data in Estonia and covered privacy issues in the “Human Rights in Estonia” report. The Human Rights Centre also deals with data protection consulting and strategic advocacy including strategic litigation.



Individual consulting and strategic litigation on topics related to privacy and data protection.

Read more

Digital Rights

Read more

Data protection rules

Each person has the right to control the data about them: personal data cannot be used with permission unless there is other legal basis for it.

There are strict rules regarding processing of personal data:

  • personal data cannot be processed without legal basis or consent of the individual;
  • personal data can only be processed for a specified purpose;
  • you can only collect and process personal data that is strictly necessary for the purpose;
  • personal data can be retained only as long as the purpose exists;
  • personal data must be kept secure and protected against unauthorised processing or access (including leaks and hacking);
  • the data controller must show that it respects the above principles, i.e. is accountable.

The person, whos data is processed (the data subject), has extensive rights:

  • the right to be informed about processing and the controller;
  • the right to access to their personal data and get a copy of it;
  • the right of rectifiction of incorrect data;
  • the right to erasure (so called “the right to be forgotten”);
  • the right to data portability to another service provider (from May 2018);
  • the right to object to processing of data, including for direct marketing purposes;
  • the right to object to automated processing when it creates legal consequences for the individual.

On 25 May 2018, the General Data Protection Regulation becomes in force in all EU Member States, including Estonia. This replaces the previous Member State level legal acts, such as the Personal Data Protection Act in Estonia.

In case of breach of data protection rules, it is possible to turn to independent data protection authorities, in Estonia this is the Data Protection Inspectorate. In case of violation of personal data by state and security/surveillance authorities, the Chancellor of Justice can also help. It is also possible to turn to the courts.