The Privacy, Data Protection and Cybersecurity Law Review: Estonia


A globally unique feature about Estonia is that in Estonia about 99 per cent of public services are accessible online. Owing to such high level of digitalisation of the state, Estonia is widely known as one of the world's most advanced digital societies or the world's first digital state, and therefore often called 'e-Estonia'.2

Almost all Estonian residents hold a government granted electronic ID (eID), which enables digital signing that is legally equivalent to a handwritten signature, digital authentication and file encryption. As an example, there are currently more than 5,000 public and private services in Estonia where individuals can digitally identify themselves by using the eID. Furthermore, while the entire population of Estonia is only about 1.3 million, about 20 million digital transactions are made each month with the ID card, it being only one of the three main carriers of the eID (the other two being mobile-ID and Smart-ID) in Estonia.3

Owing to high level of digitalisation, critical services and personal data being accessible online, the Estonian government has, over the years, put significant focus and investment in cybersecurity related initiatives. In fact, many of the Estonian cybersecurity initiatives were caused by a major cyberattack against Estonia back in 2007 when Estonia became a target of the largest coordinated and politically motivated cyberattack against a single country.4

The Estonian focus on cybersecurity is also demonstrated by the fact that it was decided to locate both the NATO Cooperative Cyber Defence Centre of Excellence and the EU IT Agency in the capital of Estonia, Tallinn. Furthermore, Estonia was elected as a non-permanent member of the United Nations Security Council in 2020–21 and one of its main objectives is ensuring cybersecurity. In this respect, the Estonian Ministry of Foreign Affairs has stated that:

We wish to start a cybersecurity discussion among the members of the Security Council with the aim of raising their awareness of cybersecurity norms and how to apply existing international law in cyberspace.5

Hence, Estonia, as a frontrunner in digitalisation, is not only actively focusing on cybersecurity at the national level, but has also become one of the leaders in cybersecurity discussions globally.

However, as opposed to the highly advanced e-government and significant focus on cybersecurity in the public sector, the focus on cybersecurity is significantly lower in the Estonian private sector. Similarly, practice is showing that even two years after the General Data Protection Regulation6 (GDPR) became applicable, general awareness about data protection remains low in Estonia.

Regarding the regulatory approach, privacy, data protection and cybersecurity-related rules applicable in Estonia are found in several legal acts. The most important of these are:

  1. the Constitution of the Republic of Estonia;7
  2. the Personal Data Protection Act (PDPA);8
  3. the GDPR;
  4. the Public Information Act (PIA):9
  5. the Electronic Communications Act (ECA);10 and
  6. the Cybersecurity Act (CA).11

    The following sections of this chapter will describe in more detail the relevant legislative framework, as well as some of the most important and recent developments in the Estonian privacy, data protection and cybersecurity landscape.


    Public interest concerning privacy and data protection in Estonia significantly increased before and around May 2018 when the GDPR became applicable. The GDPR created lots of media attention on data protection and also triggered some panic among Estonian entrepreneurs owing to the potential of high penalties for GDPR infringements. However, even though the GDPR was widely discussed among the Estonian public, a special Eurobarometer survey on data protection published in June 2019 revealed that only 58 per cent of Estonians had heard of the GDPR.12 According to this result, Estonia was among the five EU Member States with the lowest level of awareness concerning the GDPR. Furthermore, the same survey revealed that only 28 per cent of Estonian respondents knew what the GDPR is about.13

    As at the time of writing, the level of awareness about the GDPR remains low in Estonia. For example, privacy lawyers in Estonia are well aware that many companies in Estonia have not started any data protection compliance activities, and only minimum steps have been taken towards GDPR compliance. This is often the case even with companies that are processing special categories of personal data (e.g., biometric data or health data) and whose data processing poses a high risk to individuals. Not complying with the rules on data protection is often also seen as a low risk by Estonian entrepreneurs.

    In addition to the general lack of awareness about applicable legal requirements, a reason for data protection being a low priority to many Estonian entrepreneurs is also the lack of GDPR enforcement – as of July 2020, no fines have been imposed for GDPR violations in Estonia. Lack of enforcement in Estonia can at least partly be explained by lack of resources in the Data Protection Inspectorate (DPI),14 the Estonian regulatory authority for data protection. For example, the Director General of the DPI stated in the DPI's 2019 annual report that:

    The Estonian data protection authority is practically the only such institution among the members of the European Data Protection Board that did not receive (and has still not received) additional resources to cope with the new tasks.15

    As regards enforcement, it is also important to note that Estonian legal system currently does not allow for administrative fines as set out in the GDPR. This is also stated in Recital 151 of the GDPR, which provides that:

    The rules on administrative fines may be applied in such a manner that in … Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in [Estonia] has an equivalent effect to administrative fines imposed by supervisory authorities.

    In particular, under the current system in Estonia, financial penalties can be imposed for offences that, according to Estonian Penal Code, are divided into misdemeanours and criminal offences. Liability for GDPR infringements is stipulated in the PDPA, which entered into force in Estonia on 15 January 2019. The PDPA regulates the protection of natural persons upon processing of personal data to the extent in which it elaborates and supplements the provisions contained in the GDPR. According to the PDPA, GDPR infringements are punishable in Estonia by a fine as misdemeanours.

    However, although the PDPA also sets forth fines for GDPR violations in amounts that are equivalent to those set forth in the GDPR, the Penal Code in Estonia provides that the maximum fine for a legal person who commits a misdemeanour is €400,000. It is therefore disputable if, under the current system in Estonia, it is even possible to apply the maximum fines as set forth in the GDPR (i.e., up to €20 million, or in the case of an undertaking, up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher). Furthermore, the current system in Estonia makes it difficult to impose fines for GDPR infringements. This is due to various procedural requirements (e.g., a short limitation period) with respect to misdemeanour proceedings.

    Owing to such legal obstacles, the Estonian legislator is currently considering various changes to Estonian national laws. In particular, on 6 May 2020, the Estonian Ministry of Justice announced16 that administrative fines will be introduced in the Estonian legal system, and a relevant concept about new administrative fine law was published.17 This new administrative fine proposal concerns infringements in the areas of data protection, finance and competition and is expected to become law in the first quarter of 2021.

    If adopted as a law, the concept will make it possible to apply fines in Estonia as set forth in EU law in administrative proceedings. Among the various changes that are expected with the new administrative fine system, it should be easier in the future to hold legal entities liable for data protection infringements. For example, in order to hold a legal entity liable under the current system, it is necessary to establish the guilt of a specific natural person. This will no longer be the case under the new system, which plans to introduce the principle of organisational fault.18


    i Privacy and data protection legislation and standards

    As stated above, Estonia has several different laws that make up the regulatory framework for privacy and data protection. This section will now discuss in more detail what each of these laws are about.

    The Constitution of the Republic of Estonia covers various aspects of the right to privacy. For instance, Section 26 of the Estonian Constitution provides that:

    Everyone is entitled to inviolability of his or her private and family life. Government agencies, local authorities, and their officials may not interfere with any person's private or family life, except in the cases and pursuant to a procedure provided by law to protect public health, public morality, public order or the rights and freedoms of others, to prevent a criminal offence, or to apprehend the offender.

    Similarly, Section 33 of the Estonian Constitution sets forth that the home is inviolable.

    Some other aspects of privacy can also be found in Section 42 (i.e., prohibition to gather or store information about the beliefs of a citizen of Estonia), Section 43 (i.e., the right to confidentiality of messages) and Section 44 (i.e., free access to information disseminated for public use). For example, Section 44 includes the right of a citizen to access information about himself or herself held by government agencies and local authorities and in government and local authority archives. Unless otherwise provided by law, the same right is applicable with respect to citizens of foreign states and stateless persons in Estonia.

    As regards personal data protection, the applicable law in Estonia is the PDPA. As stated above, the PDPA applies in Estonia in addition to the GDPR and contains certain supplementary provisions. In addition, the PDPA regulates the protection of natural persons upon processing of personal data by law enforcement authorities in the prevention, detection and proceedings of offences and execution of punishments.

    The adoption of the PDPA in Estonia was significantly delayed because the Estonian parliament was not able to reach an agreement on certain provisions in the first version of the draft PDPA. In particular, the law was hotly debated in Estonia in relation to processing of personal data for journalistic purposes, which was one of the specific grounds for personal data processing introduced by the PDPA. This provision provides that personal data may be processed and disclosed in the media for journalistic purposes without the consent of the data subject (and in particular disclosed in the media) if there is public interest and is, therefore, in accordance with the principles of journalism ethics. Such disclosure of personal data must not cause excessive damage to the rights of any data subjects.

    Among other specific provisions that were introduced by the PDPA are the processing of personal data after the death of a data subject; processing of personal data in connection with violation of obligation; and processing of personal data in public places. In particular, the legislator in Estonia decided that the consent of a data subject shall remain valid during the lifetime of the data subject and for 10 years after the death of the data subject, unless the data subject decided otherwise. If the data subject died as a minor, his or her consent shall be valid for the term of 20 years after the death of the data subject.

    As regards the processing of personal data in connection with violation of obligation, a special rule was introduced that provides that transmission of personal data related to violation of any obligation to third parties and processing of the transmitted data by any third party is permitted for the purpose of assessment of the creditworthiness of the data subject or for any other similar purposes, and only if the controller or processor has verified the accuracy of the data transmitted and the legal basis for transmission of personal data and registered the data transmission.

    As regards the processing of personal data in public places, the PDPA provides that, unless otherwise provided by law, upon the creation in public places of audio or visual recordings intended for future disclosure, the consent of data subjects shall be substituted by an obligation to notify the data subjects in a manner that allows the persons to understand the fact of the recording of the audio or visual images and gives the persons an opportunity to prevent the recording of their person if they so wish. The notification obligation does not apply in to public events, recording of which for the purposes of disclosure may be reasonably presumed.

    Finally, the Estonian legislator also decided to lower the age limit for the offering of information society services to a child. According to the GDPR, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. Accordingly, the Estonian legislator chose to lower the age limit to 13 years.

    As stated above, the PDPA also stipulates the liability for GDPR infringements. In addition, the Estonian Penal Code19 provides for a few special grounds where criminal punishments can be imposed with respect to mishandling of personal data. For example, Section 157 of the Penal Code makes punishable disclosure of personal data obtained in professional activities by a person who is required by law not to disclose such information. Also, Section 157(1) of the Penal Code provides for imprisonment if there has been disclosure of special categories of personal data for personal gain or if significant damage was caused to another person. Furthermore, Section 157(2) of the Penal Code provides that the illegal use of another person's identity is punishable by up to three years' imprisonment.

    Also important in Estonia is the PIA, which ensures that every person has the opportunity to access information intended for public use, but at the same time includes restrictions regarding access to information containing personal data.

    Some specific but important regulation on data protection is also found in the ECA, which inter alia transposes into Estonian law the requirements arising from the e-Privacy Directive.20 For instance, the ECA sets forth a general obligation for communications undertakings to maintain the confidentiality of all information that becomes known in the process of provision of communications services and that concerns subscribers as well as other persons who have not entered into a contract for the provision of communications services but who use communications services with the consent of a subscriber.

    The ECA also includes a specific obligation of communications undertakings to notify to the DPI at the earliest opportunity cases of personal data breach that have taken place in connection with the provision of communications services. Other specific rules that are related to personal data under the ECA include, for example, the use of electronic contact details for direct marketing, processing of location data of subscribers and roaming service users.

    ii General obligations for data handlers

    As the GDPR is fully applicable in Estonia, general obligations for data handlers are those that are also set forth in the GDPR (e.g., the obligation to process personal data according to the data protection principles set forth in Article 5 of the GDPR, the obligation to have valid legal ground for data processing as set forth in Article 6 of the GDPR).

    Certain general obligations are also set forth by specific national laws that supplement the provisions of the GDPR (see above). In addition, there are some general provisions about privacy and data protection in the Estonian Employment Contracts Act (EECA).21 In particular, the EECA provides for a general obligation of employers to respect an employee's privacy and verify the performance of his or her duties in a manner that does not violate the employee's fundamental rights. In addition, the EECA provides for a general obligation of employers to ensure the processing of personal data of an employee in accordance with legislation.

    iii Data subject rights

    Data subject rights are applicable in Estonia as set forth in the GDPR. These include the following:

  7. the right to receive information with respect to the processing of personal data when the data is collected from the data subject (Article 13);
  8. the right to receive information with respect to the processing of personal data when the data is collected from third parties (Article 14);
  9. the right of access (Article 15);
  10. the right to rectification (Article 16);
  11. the right to erasure (Article 17);
  12. the right to restriction of processing (Article 18);
  13. the right to data portability (Article 20);
  14. the right to object (Article 21); and
  15. the right not to be subject to a decision based solely on automated processing, including profiling (Article 22).

iv Specific regulatory areas

Most requirements regarding personal data processing in Estonia arise from the GDPR. For example, there is no specific regulation on workplace privacy in Estonia. Instead, and as stated above, there are only some general obligations regarding the processing of personal data in the context of employment.

As regards the processing of personal data regarding children, Estonia chose to deviate from the age requirement set forth in the GDPR, by providing that if the child is below the age of 13 years (as opposed to the age limit of 16 years under the GDPR), processing of personal data is permitted only in the case and to the extent to which consent has been given by the legal representative of the child.

As regards financial privacy, the Credit Institutions Act (CIA)22 provides for some special rules on information subject to banking secrecy. In particular, it is stipulated in the CIA that customer data is subject to banking secrecy and is kept confidential. However, there are also some exceptions, such as the right of a credit institution to disclose information subject to banking secrecy to the Estonian Information System Authority upon conduct of state supervision provided in the Cybersecurity Act.

As regards government access to data, special rules are applicable under the ECA. Specifically, the ECA provides for the requirement of communications undertakings to retain various communications metadata (including, but not limited to location data) for the period of one year from the date of the communication and provide access to such data to government authorities. However, such rules in Estonia are highly problematic because the use of communications metadata is not limited to fighting serious crime, but can also be used for solving minor crimes and misdemeanours. Relevant data under the ECA can be used by any government authority with an investigative function, including the Data Protection Inspectorate, the Tax and Customs Board, the Environmental Inspectorate and the Financial Supervision Authority. All such authorities must be provided with access to such data pursuant to the Code of Misdemeanour Procedure.

Such regulation in Estonia is problematic as it conflicts with the judgment of the Court of Justice of the European Union (CJEU) in Tele2 Sverige AB and Watson23 from 21 December 2016, where the CJEU ruled that the e-Privacy Directive24 (i.e., the directive that is implemented in Estonia with the ECA) must be interpreted as prohibiting national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.

The ECA also provides for specific rules on direct marketing. According to the general rule under the ECA, the use of electronic contact details of a subscriber or user of communications services, who is a natural person, for direct marketing is allowed only with the person's prior consent. Electronic contact details are defined as details that enable the conveyance of information to a person over electronic communications networks, such as fax, email, SMS or MMS messages.

v Technological innovation

As one of the world's most advanced digital societies, Estonia is constantly innovating with the use of new technologies. Since Estonia is highly digitalised, such innovation usually also concerns the processing of personal data. One of the most recent of such innovations is a consent service that is currently being developed by the state.25

The idea behind the consent service is that since the state has lots of data about individuals (e.g., medical history) in various databases, it is possible to open up such data for the development of new services provided that individual gives his or her consent. This approach is unique as it is currently not known that such service has been implemented anywhere else in the world – where individual could give his or her digital consent to a third party (e.g., a private company) so that the third party could gain access to the personal data of the individual held in state databases.

Estonia is currently performing a legal analysis of the consent service and the prototype of the consent service is already being developed by the state.

International data transfer and data localisation

As the GDPR is fully applicable in Estonia, international data transfers must follow the requirements of the GDPR. This means that transfers of personal data to countries outside the European Economic Area (EEA) are restricted. Hence, in order to perform a restricted transfer of personal data from Estonia to outside of the EEA, special steps need to be taken. For example, personal data can be transferred outside of the EEA if it is established that the restricted transfer is covered by an adequacy decision. If no adequacy decision is made about the country where the data is transferred, then other appropriate safeguards (e.g., binding corporate rules or standard contractual clauses) must be used.

As regards data localisation, Estonia strongly opposes it and is one of the major proponents in the EU about free movement of data. Estonia also considered free movement of data as one of the most important priorities for Estonia during the Estonian Presidency of the EU from 1 July to 31 December 2017.26

Company policies and practices

As the GDPR is fully applicable in Estonia, companies need to follow the data protection requirements set forth in the GDPR. These obligations include, inter alia, transparency, including the obligation of controllers to have a privacy policy describing their processing of a personal data. However, owing to significant lack of awareness about the GDPR in Estonia, it is still common in Estonia that companies have no privacy policy available. Furthermore, even if a company has created a privacy policy, it is still common that there is no privacy policy about the processing of employee data. Hence, a vast majority of Estonian companies are not reaching the requirements of transparency.

Another frequent issue in Estonia is that companies usually have not performed a legitimate interest assessment when they rely on legitimate interests as a legal ground for data processing. Similarly, many Estonian companies that are under the obligation to perform a data protection impact assessment or the obligation to designate a data protection officer are still failing to comply with such obligations.

Discovery and disclosure

Under the ECA, a communications undertaking must grant a surveillance agency or security authority access to the communications network for the conduct of surveillance activities or for the restriction of the right to confidentiality of messages. Similarly, as stated above, the ECA in Estonia requires that communications metadata be forwarded to various government authorities with an investigative function.

Public and private enforcement

i Enforcement agencies

The enforcement agency in Estonia with respect to data protection is the DPI. The DPI exercises state and administrative supervision over compliance with the requirements provided for in the PDPA, legislation established on the basis thereof and the GDPR and the requirements established in other acts for processing of personal data.

ii Recent enforcement cases

No fines have been imposed in Estonia for GDPR infringements. As stated above, Estonia currently also does not have administrative fines as set forth in the GDPR.

iii Private litigation

In Estonia, it is possible for individuals to claim for compensation in respect of material and no material damage if their rights as data subjects are breached. However, as of July 2020, there is no information available of any finally resolved court cases where data subjects have claimed damage for infringement of their rights under the GDPR.

Considerations for foreign organisations

As a member of the EU, Estonia follows the relevant EU directives and regulations, including the GDPR, which is directly applicable to all Estonian businesses. Hence, any foreign organisation interested in doing business in Estonia or with Estonian counterparts can expect the business and legal environment to follow EU rules.

However, as also stated above, Estonian local authorities have so far not enforced the GDPR. Hence, as opposed to many other countries with active GDPR enforcement and significant number of fines (e.g., Spain, Romania and Hungary), foreign organisations can expect a very different environment in Estonia.

Cybersecurity and data breaches

As regards cybersecurity, the applicable law in Estonia is the CA, which entered into force on 23 May 2018. The CA provides for the requirements for the maintenance of network and information systems essential for the functioning of society and state and local authorities' network and information systems, liability and supervision as well as the basis for the prevention and resolution of cyber-incidents. The CA is the Estonian national law transposing the Directive on security of network and information systems (the NIS Directive).27

The Estonian authority that leads the development of national IT systems and ensures national cybersecurity, including the sustainable operation of a secure e-state, is the Information System Authority (ISA). As part of the ISA, there is also the ISA's Cybersecurity Incident Response Department, or the CERT-EE, which is the Estonian national cyber unit that continually monitors Estonian cyberspace and resolves cyber-incidents.

The CA requires operators of essential services and digital service providers to notify the ISA no later than 24 hours after becoming aware of a cyber-incident:

  1. that has a significant impact on the security of the system or the continuity of the service; and
  2. where a significant impact on the security of the system or the continuity of the service is not obvious but can be reasonably presumed.

According to the 2020 yearbook of the ISA,28 the CERT-EE received a total of 24,369 notifications of cyber-incidents in Estonia in 2019, while the number of such incidents in 2018 was 17,440 and in 2017 only 10,649 incidents were recorded. For 2019, this means an average of 67 notifications per day and three notifications per hour.29

As regards personal data breaches, during 2019 a total of only 115 notifications of a breach were reported to the DPI.30 One of the most discussed breaches concerned a local bike-sharing initiative at an Estonian local municipality. In this case, the Tartu City government notified the DPI of a breach in which a database with the information of about 20,000 users of the bike-sharing system was publicly accessible on the internet. The database revealed information about the users, including their names, email addresses, phone numbers, user IDs. Furthermore, it was possible to access data about the routes taken by the users, as well as the time of using the bikes. The DPI decided that since the security vulnerability was quickly eliminated, it would only issue a written reprimand in this matter.31

Another personal data breach that was also widely discussed concerned an Estonian online store, Charlot. In particular, it was revealed in July 2019 that the database of such online store containing personal data of about 14,000 Estonians was publicly accessible on the internet. When the breach was discovered, the manager of the company initially announced that no breach had occurred, but later admitted the breach. As at the time of writing, no detailed information is available about the final outcome of this incident, including what specific measures were taken by the DPI.32


Although Estonia has remained a country with no fines for GDPR infringements, it is likely that this situation will change in the future, especially as Estonia is planning to introduce an administrative fine system in the first quarter of 2021.

In the meantime, it is worth noting that the Director General of the DPI has stated about the priorities for 2020 that:

The one common theme and keyword of 2020 will certainly be monitoring equipment, especially video monitoring equipment. The European Data Protection Board also completed a corresponding guide last year, the adoption of which in Estonia is one of our goals in 2020.33

In addition, the Director General stated that:

We have marked the processing of data in research carried out via IT resources and the use of information systems and environments in institutions engaged in the area of medicine and education as our most important keywords for 2020.34

Hence, even though there is so far no GDPR enforcement in Estonia, companies should pay attention to the priorities of the DPI and also make sure that their processing activities are in compliance with the GDPR.


1 Risto Hübner is the managing partner at Estonian law firm Advokaadibüroo Nordx Legal.

2 Overview of e-Estonia, available at

3 The 2020 yearbook of the Information System Authority, page 9, available at

4 See, for example, 'Analysis of the 2007 Cyber Attacks against Estonia from the Information Warfare Perspective', Rain Ottis, available at

6 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4.5.2016.

7 Estonian State Gazette - Riigi Teataja (RT) I, 15.05.2015.

8 RT I, 04.01.2019, 11.

9 RT I, 15.03.2019, 11.

10 RT I, 20.05.2020, 34.

11 RT I, 22.05.2018, 1.

12 Special Eurobarometer 487a Report, General Data Protection Regulation, table 14, available at

13 id.

14 The Data Protection Inspectorate exercises administrative supervision over compliance with the requirements provided for in the PDPA, the GDPR and also the PIA. Hence, the Estonian data protection authority is not only focused on the protection of personal data, but also oversees the compliance with the requirements of access to information intended for public use.

15 Estonian Data Protection Inspectorate, Annual Report 2019, Summary in English, available at

17 The concept of administrative law fine, available in Estonian at

18 id.

19 RT I, 10.07.2020, 18.

20 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

21 RT I, 09.07.2020, 4.

22 RT I, 10.07.2020, 20.

23 Joined Cases C-203/15 and C-698/15.

24 Supra footnote 20.

25 See supra footnote 3, pages 26–27.

26 See, for example, 'Estonia's EU presidency: digital Europe and the free movement of data', available at

27 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

28 Supra footnote 3, page 30.

29 id.

30 Estonian Data Protection Inspectorate, Annual Report 2019, available in Estonian at

31 id.

32 'Toimus Eesti ajaloo suurim e-poe andemeleke: ripakil olid 14 000 eestlase isikuandmed', 03.07.2019, available in Estonian at

33 Supra footnote 15.

34 id.

Get unlimited access to all The Law Reviews content