Taking counsel: Realization of personal data protection in Estonia

  • 2007-05-16
  • By Martina Proosa [Teder, Glikman & Partnerid]

The Constitution of the Republic of Estonia stipulates that everyone has the right to the inviolability of private and family life, and that state agencies, local governments and their officials cannot gather or store information about any person against the person's free will. The Constitution also provides restrictions on providing information collected about any person.

In order to carry this out, Parliament adopted the Personal Data Protection Act on Feb. 12, 2003. Starting Jan. 1, 2008, this Act will become invalid and be replaced by the new Personal Data Protection Act (the PDPA), which was adopted Feb. 15, 2007.

The general principle is that processing personal data is permitted only with the consent of an individual. Any exceptions from this principle are allowed only if provided by law. According to the present Act, consent for processing personal data means a freely given, specific and informed indication of the wishes of a data subject by which the data subject indicates his or her agreement to personal data relating to him or her being processed.

The consent will also include a clear estimation of the data to be processed, the purpose of processing and persons to whom disclosure of the data is permitted, as well as terms of disclosure of the data to third persons and the rights of the data subject in respect of further processing.

Pursuant to the amended Credit Institutions Act, which will go into force Jan. 1, 2008, consent on processing personal data as provided in the new PDPA may also be provided in standard terms of the credit institution. Namely, all data and estimations that are known to a credit institution concerning the clients of the credit institution or other credit institutions are deemed to be information subject to banking secrecy. The Credit Institutions Act provides, similarly to the PDPA, that details of a client which are subject to banking secrecy may be disclosed by a credit institution to third persons only with the written consent of the client.

Pursuant to the present, as well as the new, PDPA, a person is entitled to withdraw his or her consent, but such withdrawal has no retroactive effect. The consent of a person is valid during his or her lifetime and within 30 years after the person's death, if not otherwise provided by the person.

Generally, processing personal data without the consent of the data subject is possible only for performance of public duties, for protection of a third party's rights or public interests, and for protection of the life, health or freedom of the data subject or any third persons. The new Act adds a possibility to use surveillance equipment transmitting or recording personal data without the consent of the data subject for protection of persons or property, but with certain restrictions.

The new Act provides a special regulation of public disclosure of personal data. As a rule, public disclosure of personal data, similar to other ways of processing, is prohibited without the consent of the data subject. Exceptionally, the new Act provides a right of disclosure in public media under the following conditions: 1) dominant public interest; 2) conformance with principles of good morals and press ethics; 3) the disclosure does not excessively harm the data subject's rights.

For example, pursuant to the present Credit Institutions Act, a credit institution is permitted to disclose to another credit institution, without the consent of a client, data regarding the client's history of payment obligations in order to calculate credit risk capital requirements and implement the principle of responsible borrowing. Starting Jan. 1, 2008, data involving a breach of client obligations can be disclosed not later than seven years from the time when the breach occurred, and personal data connected with a breach of the client's obligations not later than five years after the breach.

A person is entitled to claim compensation of damages if his or her rights have been violated while processing personal data. In addition, the law provides penalties for violation of the data processing rules. The fines for violation are up to 18,000 kroons (1,150 euros) for physical persons and up to 500,000 kroons if the violation is committed by a legal person.

Martina Proosa is a lawyer at the law firm Teder, Glikman & Partnerid, a member of Baltic Legal Solutions, a pan-Baltic integrated network of law firms, including Kronbergs & Cukste in Latvia and Jurevicius, Balciunas & Bartkus in Lithuania, dedicated to providing a quality 'one-stop shop' approach to clients' needs in the Baltics.