Taking counsel: Protection of personal data in Estonia

  • 2007-04-25
  • By Kadi Kuusk [Teder, Glikman & Partnerid]
On Feb. 15, 2007 the Estonian Parliament adopted the new Personal Data Protection Act, which will go into force Jan. 1, 2008 and thereby replace the present PDPA. The purpose of the new act is to eliminate several drawbacks of the present PDPA and specify and homogenize the Estonian regulation with provisions of the Oct. 24, 1995 Directive 95/46/EC relating to the protection of individuals with respect to the processing of personal data and the free circulation of this data.

Major amendments in the new PDPA. The scope of application of the present PDPA, which was adopted in 2003, as well as of the new act, comprises:
- conditions and procedures for processing personal data;
- procedure for exercise of state supervision over processing of personal data; and
- liability for violation of personal data processing requirements

In comparison with the triple division of personal data in the present regulation (personal data, private personal data, sensitive personal data), the new PDPA provides a more reasonable dual division 's personal data and sensitive personal data. At the same time, due to practical reasons private personal data is not mentioned as type of data under special protection, the law prescribes special protection only in respect to sensitive personal data.
The new act will not change the principle that personal data may generally be processed only with the permission of the data subject and the restriction of administrative bodies to ask permission and process personal data merely for sport. An administrative authority may process personal data only in the course of performance of public duties in order to perform an obligation prescribed by law or international agreements.

The new PDPA expands implementation to processing personal data lawfully designated for public use. This includes personal data disclosed either by the data subject himself, on consent of the data subject or on legal basis. The reasoning here was that although it is quite ineffective to hide the formerly disclosed data, the data subject must still have a right to demand termination of disclosure and processing of the disclosed personal data. Thus, the data subject will have effective control over and judicial remedies regarding processing of his or her personal data.

Special regulation is also provided for public disclosure of personal data. Disclosure as a way of data processing with unpredictable effect and expansion may harm the data subject's rights significantly, but in some cases such public disclosure is necessary. As a rule, disclosure of personal data without relevant permission is prohibited. The new PDPA provides an exemption for disclosure of such personal data in media if it meets the following terms:
* dominant public interest;
* conformance with principles of good morals and press ethics;
* disclosure is not harmful to data subject's rights.
Dominant public interest is primarily related to public figures. The provisions regarding notification of processing of personal data and rights of the data subject are similar to those provided in the present act. The general rule is that the collection of personal data must be transparent. Processing of sensitive personal data must be registered with the EDPI.

At the request of a data subject, the chief processor and the authorized processor shall notify the data subject of the following:
- personal data relating to him or her;
- purposes of processing personal data;
- categories and sources of personal data;
- third persons or categories thereof to whom transmission of personal data is permitted;
- third persons to whom personal data has been transmitted
- name and address of the place of business of the chief processor.

EU member states, including Estonia, are obliged to secure sufficient protection of personal data in conformance with provisions of the Directive 95/46/EC. The new PDPA fully meets these requirements. The new PDPA will provide the data subjects with efficient means to control processing of their personal data and thus results in better protection of their private sphere.

Kadi Kuusk is a lawyer the law firm Teder, Glikman & Partnerid, a member of Baltic Legal Solutions, a pan-Baltic integrated legal network of law firms which includes Kronbergs & Cukste in Latvia and Jurevicius, Balciunas & Bartkus in Lithuania, dedicated to providing a quality 'one-stop shop' approach to clients' needs in the Baltics.