The Privacy, Data Protection and Cybersecurity Law Review: Estonia


A globally unique feature about Estonia is that in Estonia about 99 per cent of public services are accessible online. Owing to such high level of digitalisation of the state, Estonia is widely known as one of the world's most advanced digital societies or the world's first digital state, and therefore often called 'e-Estonia'.2

Almost all Estonian residents hold a government granted electronic ID (eID), which enables digital signing that is legally equivalent to a handwritten signature, digital authentication and file encryption. As an example, there are more than 5,000 public and private services in Estonia where individuals can digitally identify themselves by using the eID. Furthermore, while the entire population of Estonia is only about 1.3 million, about 20 million digital transactions are made each month with the ID card, it being only one of the three main carriers of the eID (the other two being mobile-ID and Smart-ID) in Estonia.3

Owing to the high level of digitalisation, critical services and personal data being accessible online, the Estonian government has, over the years, put significant focus and investment in cybersecurity-related initiatives. In fact, many of the Estonian cybersecurity initiatives were caused by a major cyberattack against Estonia back in 2007 when Estonia became a target of the largest coordinated and politically motivated cyberattack against a single country.4

The Estonian focus on cybersecurity is also demonstrated by the fact that it was decided to locate both the NATO Cooperative Cyber Defence Centre of Excellence and the EU IT Agency in the capital of Estonia, Tallinn. Furthermore, Estonia was elected as a non-permanent member of the United Nations Security Council in 2020–21 and one of its main objectives is ensuring cybersecurity.

However, as opposed to the highly advanced e-government and significant focus on cybersecurity in the public sector, the focus on cybersecurity is significantly lower in the Estonian private sector. Similarly, practice is showing that even three years after the General Data Protection Regulation (GDPR)5 became applicable, general awareness about data protection remains low in Estonia.

Regarding the regulatory approach, privacy, data protection and cybersecurity-related rules applicable in Estonia are found in several legal acts. The most important of these are:

  1. the Constitution of the Republic of Estonia;6
  2. the Personal Data Protection Act (PDPA);7
  3. the GDPR;
  4. the Public Information Act (PIA);8
  5. the Electronic Communications Act (ECA);9 and
  6. the Cybersecurity Act (CA).10

The following sections of this chapter describe in more detail the relevant legislative framework, as well as some of the most important and recent developments in the Estonian privacy, data protection and cybersecurity landscape.

The year in review

Like the rest of the world, Estonia was seriously hit by the covid-19 pandemic in early 2020, and the health crisis is ongoing at the time of writing. The pandemic directly impacts the situation of privacy, data protection and cybersecurity, and over the past year the focus of most discussions in Estonia has strongly shifted to the processing of health data, including, but not limited to, the collection of information about covid-19 infections and vaccinations. The pandemic has also put significant and often unexpected pressure on the Estonian e-government and security of the state IT systems in general. For example, at the end of 2020, several Estonian ministries became targets of a cyberattack in which the personal data of almost 10,000 individuals infected with covid-19 was leaked.

Although the pandemic has created numerous heated debates and legal questions about the processing of personal data, including health data (e.g., if and to what extent employers can ask employees about their health status or request employees to be vaccinated, how to carry out contact tracing in a privacy-preserving manner and whether vaccinated individuals should have more rights than unvaccinated individuals), the level of awareness of data protection, including the GDPR, appears to remain low in Estonia. For example, privacy lawyers in Estonia are well aware that many companies and organisations in Estonia have not begun any data protection compliance activities even three years after the GDPR became applicable, or only minimum steps have been taken towards GDPR compliance.

In addition to the general lack of awareness about applicable legal requirements, another reason for data protection being a low priority in Estonia is the continuing lack of GDPR enforcement; as at July 2021, only a few minor sanctions have been imposed for data protection violations in Estonia.

As regards enforcement, it is also important to note that the Estonian legal system still does not allow for administrative fines as set out in the GDPR. This is also stated in Recital 151 of the GDPR, which provides that:

The rules on administrative fines may be applied in such a manner that in . . . Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in [Estonia] has an equivalent effect to administrative fines imposed by supervisory authorities.

In particular, under the current system in Estonia, financial penalties can be imposed for offences that, according to the Estonian Penal Code, are divided into misdemeanours and criminal offences. Liability for GDPR infringements is stipulated in the PDPA, which entered into force in Estonia on 15 January 2019. The PDPA regulates the protection of natural persons upon the processing of personal data to the extent in which it elaborates and supplements the provisions contained in the GDPR. According to the PDPA, GDPR infringements are punishable in Estonia by fines as misdemeanours.

However, although the PDPA also sets forth fines for GDPR violations in amounts that are equivalent to those set forth in the GDPR, the Penal Code in Estonia provides that the maximum fine for a legal person who commits a misdemeanour is €400,000. It is therefore disputable if, under the current system in Estonia, it is even possible to apply the maximum fines as set forth in the GDPR (i.e., up to €20 million, or in the case of an undertaking, up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher). Furthermore, the current system in Estonia makes it difficult to impose fines for GDPR infringements. This is due to various procedural requirements (e.g., a short limitation period) with respect to misdemeanour proceedings.

Owing to these legal obstacles, on 6 May 2020, the Estonian Ministry of Justice announced11 that administrative fines will be introduced in the Estonian legal system, and a relevant concept about new administrative fine law was published.12 This new administrative fine proposal concerns infringements in the areas of data protection, finance and competition and was expected to become law in the first quarter of 2021. However, as at July 2021, this initiative has not proceeded as expected, and it remains unclear when Estonia will introduce administrative fines for GDPR infringements. If adopted as a law, the concept will make it possible to apply fines as set forth in EU law in administrative proceedings. Among the various changes that are expected with the new administrative fine system, it should be easier in the future to hold legal entities liable for data protection infringements. For example, to hold a legal entity liable under the current system, it is necessary to establish the guilt of a specific natural person. This will no longer be the case under the new system, which plans to introduce the principle of organisational fault.13

In addition to the lack of administrative fines, the other significant issue causing a lack of effective enforcement of the GDPR in Estonia is the lack of resources in the Data Protection Inspectorate (DPI).14 Although the Director General of the DPI stated in the DPI's 2019 annual report that the DPI has not been provided with sufficient resources to cope with its new tasks,15 the situation did not improve in 2020. According to its 2020 annual report,16 the number of permanent employees in the DPI (19) has remained the same over the past four years, while its budget only increased by €1,000 in 2020 (the annual budget in 2019 was €750,000 while the budget in 2020 was €751,000). Furthermore, it appears that the lack of resources in the DPI has become so serious that the DPI has announced that this is now resulting in delays to its responses to requests.

Considering these circumstances, the challenge is only growing for Estonia to meet the requirements of Article 52 of the GDPR, which, inter alia, provides that each Member State must ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers.

Regulatory framework

i Privacy and data protection legislation and standards

As stated above, Estonia has several different laws that make up the regulatory framework for privacy and data protection. This section discusses each of these laws in more detail.

The Constitution of the Republic of Estonia covers various aspects of the right to privacy. For instance, Section 26 of the Estonian Constitution provides that:

Everyone is entitled to inviolability of his or her private and family life. Government agencies, local authorities, and their officials may not interfere with any person's private or family life, except in the cases and pursuant to a procedure provided by law to protect public health, public morality, public order or the rights and freedoms of others, to prevent a criminal offence, or to apprehend the offender.

Similarly, Section 33 of the Estonian Constitution sets forth that the home is inviolable.

Some other aspects of privacy can also be found in Section 42 (prohibition to gather or store information about the beliefs of a citizen of Estonia), Section 43 (the right to confidentiality of messages) and Section 44 (free access to information disseminated for public use). For example, Section 44 includes the right of a citizen to access information about himself or herself held by government agencies and local authorities and in government and local authority archives. Unless otherwise provided by law, the same right is applicable with respect to citizens of foreign states and stateless persons in Estonia.

As regards personal data protection, the applicable law in Estonia is the PDPA. As stated above, the PDPA applies in Estonia in addition to the GDPR and contains certain supplementary provisions. In addition, the PDPA regulates the protection of natural persons upon processing of personal data by law enforcement authorities in the prevention, detection and proceedings of offences and execution of punishments.

Examples of specific provisions that were introduced by the PDPA are the processing of personal data:

  1. for journalistic purposes;
  2. after the death of a data subject;
  3. in connection with violation of obligation; and
  4. in public places.

In particular, the legislator in Estonia decided that the consent of a data subject shall remain valid during the lifetime of the data subject and for 10 years after the death of the data subject, unless the data subject decided otherwise. If the data subject died as a minor, his or her consent shall be valid for the term of 20 years after his or her death.

As regards the processing of personal data in connection with violation of obligation, a special rule is included in the PDPA that provides that transmission of personal data related to violation of any obligation to third parties and processing of the transmitted data by any third party is permitted for the purpose of assessment of the creditworthiness of the data subject or for any other similar purposes, and only if the controller or processor has verified the accuracy of the data transmitted and the legal basis for transmission of personal data and registered the data transmission.

As regards the processing of personal data in public places, the PDPA provides that, unless otherwise provided by law, upon the creation in public places of audio or visual recordings intended for future disclosure, the consent of data subjects shall be substituted by an obligation to notify the data subjects in a manner that allows the persons to understand the fact of the recording of the audio or visual images and gives the persons an opportunity to prevent the recording of their person if they so wish. The notification obligation does not apply to public events, recording of which for the purposes of disclosure may be reasonably presumed.

Finally, the PDPA also lowers the age limit for the offering of information society services to a child. According to the GDPR, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. Accordingly, the Estonian legislator lowered the age limit to 13 years.

As stated above, the PDPA also stipulates the liability for GDPR infringements. In addition, the Estonian Penal Code17 provides for a few special grounds where punishments can be imposed with respect to mishandling of personal data (such offences are either misdemeanours or criminal offences). For example, Section 157 of the Penal Code makes punishable by fine disclosure of personal data obtained in professional activities by a person who is required by law not to disclose such information. Also, Section 157(1) of the Penal Code provides for imprisonment if there has been disclosure of special categories of personal data for personal gain or if significant damage was caused to another person. Furthermore, Section 157(2) of the Penal Code provides that the illegal use of another person's identity is punishable by up to three years' imprisonment.

Also important in Estonia is the PIA, which ensures that every person has the opportunity to access information intended for public use, but at the same time includes restrictions regarding access to information containing personal data.

Some specific but important regulation on data protection is also found in the ECA, which, inter alia, transposes into Estonian law the requirements arising from the ePrivacy Directive.18 For instance, the ECA sets forth a general obligation for communications undertakings to maintain the confidentiality of all information that becomes known in the process of provision of communications services and that concerns subscribers as well as other persons who have not entered into a contract for the provision of communications services but who use communications services with the consent of a subscriber.

The ECA also includes a specific obligation of communications undertakings to notify the DPI at the earliest opportunity cases of personal data breaches that have taken place in connection with the provision of communications services. Other specific rules that are related to personal data under the ECA include the use of electronic contact details for direct marketing and the processing of location data of subscribers and roaming service users.

ii General obligations for data handlers

As the GDPR is fully applicable in Estonia, general obligations for data handlers are those that are also set forth in the GDPR (e.g., the obligation to process personal data according to the data protection principles set forth in Article 5 of the GDPR, the obligation to have valid legal ground for data processing as set forth in Article 6 of the GDPR).

Certain general obligations are also set forth by specific national laws that supplement the provisions of the GDPR (see above). In addition, there are some general provisions about privacy and data protection in the Estonian Employment Contracts Act (EECA).19 In particular, the EECA provides for a general obligation of employers to respect an employee's privacy and verify the performance of his or her duties in a manner that does not violate the employee's fundamental rights. In addition, the EECA provides for a general obligation of employers to ensure the processing of personal data of an employee in accordance with legislation.

iii Data subject rights

Data subject rights are applicable in Estonia as set forth in the GDPR. These include the following:

  1. the right to receive information with respect to the processing of personal data when the data is collected from the data subject (Article 13);
  2. the right to receive information with respect to the processing of personal data when the data is collected from third parties (Article 14);
  3. the right of access (Article 15);
  4. the right to rectification (Article 16);
  5. the right to erasure (Article 17);
  6. the right to restriction of processing (Article 18);
  7. the right to data portability (Article 20);
  8. the right to object (Article 21); and
  9. the right not to be subject to a decision based solely on automated processing, including profiling (Article 22).

iv Specific regulatory areas

Most requirements regarding personal data processing in Estonia arise from the GDPR. For example, there is no specific regulation on workplace privacy in Estonia. Instead, and as stated above, there are only some general obligations regarding the processing of personal data in the context of employment.

As regards the processing of personal data regarding children, Estonia chose to deviate from the age requirement set forth in the GDPR, by providing that if the child is below the age of 13 years (as opposed to the age limit of 16 years under the GDPR), processing of personal data is permitted only in the case and to the extent to which consent has been given by the legal representative of the child.

As regards financial privacy, the Credit Institutions Act (CIA)20 provides for some special rules on information subject to banking secrecy. In particular, it is stipulated in the CIA that customer data is subject to banking secrecy and is kept confidential. However, there are also some exceptions, such as the right of a credit institution to disclose information subject to banking secrecy to the Estonian Information System Authority upon conduct of state supervision provided in the Cybersecurity Act.

Some specific rules on personal data processing have also been adopted in connection with prevention of the use of financial systems for money laundering and terrorist financing. Namely, the Money Laundering and Terrorist Financing Prevention Act,21 inter alia, provides some limitations of the rights of the data subject (e.g., rights of the data subject can be limited in the context of cooperation and information exchange for anti-money laundering purposes between obliged persons).

As regards direct marketing, the relevant rules are stipulated under the ECA, which provides that the use of electronic contact details of a subscriber or user of communications services, who is a natural person, for direct marketing is allowed only with the person's prior consent. Electronic contact details are defined as details that enable the conveyance of information to a person over electronic communications networks, such as fax, email or SMS or MMS messages.

In addition, as regards government access to data, special rules are also applicable under the ECA. Specifically, the ECA provides for the requirement of communications undertakings to retain various communications metadata (including, but not limited to, location data) for the period of one year from the date of the communication and to provide access to such data to government authorities. However, such rules are highly problematic in Estonia because the use of communications metadata is not limited to fighting serious crime, but can also be used for solving minor crimes and misdemeanours. Relevant data under the ECA can be used by any government authority with an investigative function, including the Data Protection Inspectorate, the Tax and Customs Board, the Environmental Inspectorate and the Financial Supervision Authority. All these authorities must be provided with access to the data pursuant to the Code of Misdemeanour Procedure.

This regulation is problematic in Estonia as it conflicts with several judgments of the Court of Justice of the European Union (CJEU). For example, it conflicts with the 21 December 2016 judgment in Tele2 Sverige AB and Watson,22 in which the CJEU ruled that the ePrivacy Directive23 (i.e., the Directive that is implemented in Estonia by the ECA) must be interpreted as prohibiting national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union. In addition, on 2 March 2021, based on a reference for a preliminary ruling lodged by the Estonian Supreme Court in November 2018, the CJEU found in HK v. Prokuratuur24 that granting access to electronic communications data for general crime investigation purposes violates the ePrivacy Directive. Furthermore, considering various CJEU judgments, including the 6 October 2020 judgment in La Quadrature du Net,25 the Estonian Supreme Court finally decided on 18 June 202126 that communications traffic and location data, which must be retained by telecommunications companies in Estonia, cannot be requested for the investigation of criminal offences because the procedure for the retention and use of the data in Estonia is contrary to EU law. Requesting unlawfully retained data would also violate the right to privacy guaranteed by the Estonian Constitution.

v Technological innovation

As one of the world's most advanced digital societies, Estonia is constantly innovating with the use of new technologies. Because Estonia is highly digitalised, this innovation usually also concerns the processing of personal data. One of the most recent innovations is a consent service that is currently being developed by the state.27

The idea behind the consent service is that since the state has lots of data about individuals (e.g., medical history) in various databases, it is possible to open up such data for the development of new services provided that individual gives his or her consent. This approach is unique as it is currently not known that such service has been implemented anywhere else in the world – where individual could give his or her digital consent to a third party (e.g., a private company) so that the third party could gain access to the personal data of the individual held in state databases.

International data transfer and data localisation

As the GDPR is fully applicable in Estonia, international data transfers must follow its requirements. This means that transfers of personal data to countries outside the European Economic Area (EEA) are restricted. Hence, to perform a restricted transfer of personal data from Estonia to outside the EEA, special steps need to be taken. For example, personal data can be transferred outside the EEA if it is established that the restricted transfer is covered by an adequacy decision. If no adequacy decision is made about the country where the data is transferred, then other appropriate safeguards (e.g., binding corporate rules or standard contractual clauses) must be used. In addition, because of the 16 July 2020 judgment in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (the Schrems II case),28 certain supplementary measures (e.g., encryption) may need to be taken when personal data is being transferred to a third country. However, as at July 2021, the DPI has not started to actively monitor nor enforce violations resulting from international data transfers in conflict with the Schrems II judgment. As regards data localisation, Estonia strongly opposes it and is one of the EU's major proponents of free movement of data. Estonia also considered free movement of data as one of its most important priorities during the Estonian presidency of the EU from 1 July to 31 December 2017.29

Company policies and practices

As the GDPR is fully applicable in Estonia, companies need to follow its data protection requirements. These obligations include transparency, along with the obligation of controllers to have a privacy policy describing their processing of personal data. However, owing to the continuing lack of awareness about the GDPR in Estonia, it is still common for Estonian companies to have no privacy policy. Relevant documents are often produced as a formality only, and they do not reflect the actual data processing of a company as data mapping has often not been performed. Furthermore, even if a company has created a privacy policy, it is still common for there to be no privacy policy on the processing of employee data. Hence, the vast majority of Estonian companies are not meeting the requirements of transparency.

Another frequent issue in Estonia is that companies usually have not performed a legitimate interest assessment (LIA) when they rely on legitimate interests as a legal ground for data processing. However, the situation should improve in the future as the only guideline issued by the DPI in 2020 was specifically on how to carry out an LIA.30 Similarly, many Estonian companies that are under the obligation to perform data protection impact assessments or to designate a data protection officer are still failing to comply with these obligations.

Discovery and disclosure

Under the ECA, a communications undertaking must grant a surveillance agency or security authority access to the communications network for the conduct of surveillance activities or for the restriction of the right to confidentiality of messages. Similarly, as stated above, the ECA in Estonia requires that communications metadata be forwarded to various government authorities with an investigative function.

Public and private enforcement

i Enforcement agencies

The enforcement agency in Estonia with respect to data protection is the DPI. The DPI exercises state and administrative supervision over compliance with the requirements provided for in the PDPA, legislation established on the basis thereof and the GDPR and the requirements established in other acts for processing of personal data.

ii Recent enforcement cases

As stated above, Estonia does not have administrative fines as set forth in the GDPR and only a small number of minor sanctions have been imposed for data protection violations. Nevertheless, 2020 brought several cases that also caught the attention of the media and the wider public. For example, on 30 November 2020, the DPI issued a precept with a one-day compliance deadline and a warning of a potential €100,000 penalty to three e-pharmacies in Estonia that provided access in the e-pharmacy system to the current medical prescriptions of persons without their consent, based on access to their personal ID code.31 The DPI assessed that this access to health data caused a very high risk to individuals.

iii Private litigation

In Estonia, it is possible for individuals to claim compensation for material and non-material damage if their rights as data subjects are breached. In this regard, a noteworthy decision was issued on 6 January 2021 by the Supreme Court of Estonia in a case that concerned unlawful processing of health data by an Estonian state authority, the Social Insurance Board (SIB).32 According to the facts of the case, it was possible to access the health data of a disabled person in the public document registry of the SIB for approximately two months. This was discovered by a journalist who wrote an article about the situation. Although the article did not contain any personal data about the disabled individual, the journalist had contacted the mother of that individual for comment. As a result, the mother claimed for non-material damages from the SIB for disclosing the health data of her disabled child on the internet. The SIB refused to compensate her and the case ended up in the Supreme Court of Estonia, which decided not to satisfy the claim.

Interestingly, although the Supreme Court found that there was, inter alia, a violation of the right to privacy, a violation of the GDPR and non-material damage caused to the individual, no financial compensation was awarded. The Court found that it was sufficient to only ascertain the unlawfulness of the measure that caused the damage. According to the Court, one of the reasons for this was that the personal data of the disabled individual had been accessed '[only] seven times', which included access by employees of the SIB itself. Furthermore, the SIB had reacted promptly to the incident and apologised.

Considerations for foreign organisations

As a member of the EU, Estonia follows the relevant EU directives and regulations, including the GDPR, which is directly applicable to all Estonian businesses and organisations. Hence, any foreign organisation interested in doing business in Estonia or with Estonian counterparts can expect the business and legal environment to follow EU rules.

However, as stated above, Estonian local authorities have not yet enforced the GDPR. Hence, as opposed to many other countries with active GDPR enforcement and significant numbers of fines (e.g., Spain), foreign organisations can expect a very different environment in Estonia.

Cybersecurity and data breaches

As regards cybersecurity, the applicable law in Estonia is the CA, which entered into force on 23 May 2018. The CA provides for the requirements for the maintenance of network and information systems essential for the functioning of society and state and local authorities' network and information systems, liability and supervision, as well as the basis for the prevention and resolution of cyber-incidents. The CA is the Estonian national law transposing the Directive on security of network and information systems (the NIS Directive).33

The Estonian authority that leads the development of national IT systems and ensures national cybersecurity, including the sustainable operation of a secure e-state, is the Information System Authority (ISA). As part of the ISA, there is also the ISA's Cybersecurity Incident Response Department, or the CERT-EE, which is the Estonian national cyber unit that continually monitors Estonian cyberspace and resolves cyber-incidents.

The CA requires operators of essential services and digital service providers to notify the ISA no later than 24 hours after becoming aware of a cyber-incident:

  1. that has a significant impact on the security of the system or the continuity of the service; and
  2. where a significant impact on the security of the system or the continuity of the service is not obvious but can be reasonably presumed.

According to the 2021 yearbook of the ISA,34 the CERT-EE received a total of 22,896 notifications of cyber-incidents in Estonia in 2020, while the number of these incidents in 2019 was 24,369. For 2020, this means an average of 63 notifications per day (in 2019, this number was 67).35

As regards personal data breaches, during 2020 a total of 138 notifications of a breach were reported to the DPI, which was a 20 per cent increase on 2019.36 One of the most discussed breaches concerned the above-mentioned e-pharmacies case in which it was possible to view current medical prescriptions of another person without his or her consent.

Another personal data breach that was widely discussed concerned the Ministry of Social Affairs, '[w]here the criminals successfully gained access to a web server and acquired information related to the COVID-19 pandemic about 9,158 individuals. The information was in a database on the compromised web server as a temporary solution.'37 Furthermore, in July 2021, the Estonian press reported that in the self-service environment of the state portal, the personal data of 336,733 people were accessible to individuals whose data was also in the database.38 In the latter case, although the breach concerned many people, the data was not very sensitive and only included the person's name, personal identification number, work position and, in some cases, details of previous employment.


Although Estonia has remained a country with a lack of GDPR enforcement, it is likely that this situation will change in the future, especially if it eventually introduces the administrative fine system. Hence, even though there is not yet any GDPR enforcement in Estonia, companies should pay attention to the priorities of the DPI and make sure that their data processing activities follow the GDPR.


1 Risto Hübner is the managing partner at Advokaadibüroo Nordx Legal.

2 Overview of e-Estonia, available at

3 The 2020 yearbook of the Information System Authority, page 9, available at

4 See, for example, 'Analysis of the 2007 Cyber Attacks against Estonia from the Information Warfare Perspective', Rain Ottis, available at

5 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4.5.2016.

6 Estonian State Gazette – Riigi Teataja (RT) I, 15.05.2015.

7 RT I, 04.01.2019, 11.

8 RT I, 15.03.2019, 11.

9 RT I, 10.12.2020, 6.

10 RT I, 22.05.2018, 1.

12 The concept of administrative law fine, available in Estonian at

13 ibid.

14 The Data Protection Inspectorate exercises administrative supervision over compliance with the requirements provided for in the PDPA, the GDPR and the PIA. Hence, the Estonian data protection authority is not only focused on the protection of personal data, but also oversees compliance with the requirements of access to information intended for public use.

15 Estonian Data Protection Inspectorate, Annual Report 2019, summary in English, available at

16 Estonian Data Protection Inspectorate, Annual Report 2020, page 64, available at

17 RT I, 21.05.2021, 9.

18 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

19 RT I, 28.05.2021, 19.

20 RT I, 02.06.2021, 25.

21 RT I, 02.06.2021, 9.

22 Joined Cases C203/15 and C698/15.

23 See footnote 18.

24 Case C746/18.

25 Joined Cases C-511/18, C-512/18 and C-520/18.

26 Case 1-16-6179.

27 See footnote 3, pages 26–27.

28 Case C-311/18.

29 See, for example, 'Estonia's EU presidency: digital Europe and the free movement of data', available at

30 Guideline on Legitimate Interests, 15 May 2020, available in Estonian at

31 'The Estonian Data Protection Inspectorate obliged e-pharmacies to immediately terminate access to another person's prescription information', 8 December 2020, available at

32 Case 3-19-1207.

33 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

35 ibid.

36 Estonian Data Protection Inspectorate, Annual Report 2020, page 61, available at

37 See footnote 34, pages 14–15.

38 'Riigiportaalis olid kättesaadavad üle 300 000 inimese andmed', Ärileht, available in Estonian at

The Law Reviews content