Page 1

Contents

Easy search for laws and nationwide

SEARCH

Enter the title, keyword or official abbreviation of the act

the titles of the full texts of the regulations
Related court decisions

Advanced search

Classification

Statistics

References

Drafts

Court information

Legal news

Help

English

My RT

Text size:

Keywords (show)
Systematic classification: ADMINISTRATIVE LAW → Population law
Systematic classification: ADMINISTRATIVE LAW → Right to information, databases and statistics
Systematic classification: CRIMINAL LAW → Misdemeanors

Personal Data Protection Act (abbreviation - IKS)
Legislation

EU law

Court decisions

Learn more

Reminders

Procedural informationImplementing agencies

Download

Print

RSS

Help

English translation

Publisher: Riigikogu
See digital stamp

Type of act: Law
Text type: original text-full text
Date of entry into force of the wording: 15.01.2019
Expiry date: Currently valid
Publication note: RT I, 04.01.2019, 11

Announced
President of the Republic
Decision No. 367 of 21.12.2018

Personal Data Protection Act 1
Adopted on 12.12.2018

Chapter 1
General settings
§ 1. Scope of application of Act
(1) This Act regulates:
1) the protection of individuals with regard to the processing of personal data to the extent that it clarifies and complements the provisions contained in the European Parliament and of the Council
Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC
(General Regulation on the protection of personal data) (OJ L 119, 4.5.2016, pp. 1-88);
2) the protection of natural persons in the processing of personal data by law enforcement authorities in the prevention, detection and processing of criminal offenses and in the
execution.
(2) This Act provides:
1) standards for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council;
2) standards to transpose Directive (EU) 2016/680 of the European Parliament and of the Council on the protection of individuals with regard to the activities of competent authorities
the prevention, investigation, detection and prosecution of criminal offenses or the execution of criminal penalties for the processing of personal data
and the free movement of such data and repealing Council Framework Decision 2008/977 / JHA (OJ L 119, 4.5.2016, pp. 89-131);
3) the procedure for exercising state and administrative supervision over compliance with the requirements for the processing of personal data;
4) liability for violation of the requirements for the processing of personal data.
§ 2. Specifications of scope of application of Act and Regulation (EU) 2016/679 of the European Parliament and of the Council
This Act and Regulation (EU) 2016/679 of the European Parliament and of the Council apply to:
1) offense proceedings and court proceedings with the specifications provided for in procedural codes;
2) constitutional institutions insofar as it does not concern the performance of their constitutional functions and is not regulated in the
special laws.
§ 3. Application of Administrative Procedure Act
The provisions of the Administrative Procedure Act apply to administrative proceedings prescribed in this Act, taking into account the specifications provided for in this Act.

Chapter 2
Specialties of personal data processing
§ 4. Processing of personal data for journalistic purposes
Personal data may be processed for journalistic purposes without the consent of the data subject, in particular in the media, if this is in the public interest and is
in accordance with the principles of journalistic ethics. Disclosure of personal data must not unduly prejudice the rights of the data subject.
§ 5. Processing of personal data for academic, artistic and literary self-expression
Personal data may be processed for the purposes of academic, artistic and literary self-expression without the consent of the data subject, in particular if:
it does not unduly prejudice the rights of the data subject.
§ 6. Processing of personal data for the needs of scientific and historical research and official statistics
(1) Personal data may be processed for the purposes of scientific or historical research or official statistics without the consent of the data subject, in particular pseudonymous or
in a form which affords an equivalent level of data protection. Before transferring personal data for processing for the purposes of scientific or historical research or official statistics
personal data shall be replaced by data in a form which is pseudonymous or offers an equivalent level of data protection.
(2) Depseudonymisation or any other means by which non-personally identifiable information is re-identified shall be permitted only for additional scientific purposes.
or for historical research or official statistics. The controller of the personal data designates by name the person who has access to the depseudonymisation
available data.
(3) For the purposes of scientific or historical research or official statistics, the processing of data concerning him or her without the consent of the data subject
in an identifiable form is permitted only if the following conditions are met:
1) after the removal of the data enabling identification, the purposes of data processing are no longer achievable or would be unreasonably difficult
to achieve;
2) in the opinion of the producer of scientific or historical research or official statistics, there is an overriding public interest therein;
3) on the basis of the personal data processed, the scope of the obligations of the data subject is not changed or the rights of the data subject are not adversely affected in any other way.
(4) If a scientific or historical research is based on a special type of personal data, the ethics committee of the relevant field shall review the information provided for in this section.
compliance with the conditions. If there is no ethics committee in the field of science, the Data Protection Inspectorate monitors compliance with the requirements. Preserved in the National Archives
the National Archives has the rights of the ethics committee with regard to personal data.
(5) For the purposes of this Act, research also includes analyzes and research by the executive power which are carried out in the context of policy-making.
for this purpose. In order to compile them, the executive power has the right to query the database of another controller or processor and to process the received data.
personal data. Before starting the processing of the specified personal data, the Data Protection Inspectorate shall verify compliance with the conditions provided for in this section,
unless the objectives of the policy research and the scope of the processing of personal data derive from the legislation.
(6) Where personal data are processed for the purposes of scientific or historical research or official statistics, the controller or processor may
restrict the data subject's rights under Articles 15, 16, 18 and 21 of Council Regulation (EU) 2016/679 to the extent that the exercise of those rights is likely to
makes it impossible or significantly impedes the achievement of the objective of scientific or historical research or official statistics.
§ 7. Processing of personal data for the purpose of archiving in the public interest
(1) If personal data are processed for the purpose of archiving in the public interest, the controller or authorized processor may
restrict the data subject's rights under Articles 15, 16 and 18 to 21 of Regulation (EU) 2016/679 to the extent that the exercise of those rights is likely to alter
impossible or significantly impede the attainment of the objective of archiving in the public interest.
(2) The rights of a data subject specified in subsection (1) of this section may be restricted in order not to endanger the status, authenticity,
reliability, integrity and usability.

Chapter 3
Other cases in the processing of personal data
§ 8. Processing of personal data of child upon provision of information society services
(1) Where Article 6 (1) (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council applies directly to the provision of information society services
processing of the child's personal data is permitted only if the child is at least 13 years old.
(2) If a child is younger than 13 years of age, the processing of personal data is permitted only in the case and to the extent to which the consent of the child has been given.
legal representative.
§ 9. Processing of personal data after death of data subject
(1) The consent of a data subject is valid during the lifetime of the data subject and for 10 years after the death of the data subject, unless the data subject has decided otherwise. If
the data subject has died as a minor, his or her consent shall be valid for 20 years after the death of the data subject.
(2) After the death of a data subject, the processing of his or her personal data is permitted with the consent of the successor of the data subject, unless:
1) 10 years have passed since the death of the data subject;
2) 20 years have passed since the death of the data subject who died as a minor;
3) personal data is processed on another legal basis.
(3) In the presence of several successors, the processing of personal data of a data subject is permitted with the consent of any of them.
(4) The consent specified in subsection (1) of this section is not required if the personal data to be processed are only the name, sex, birth and birth of the data subject.
time of death, fact of death and time and place of burial.
§ 10. Processing of personal data in connection with breach of obligation
(1) The transfer of personal data related to a breach of a debt relationship to a third party and the processing of the transferred data by a third party is permitted.
for the purpose of assessing the creditworthiness of the data subject or for any other similar purpose and only if the controller or processor is
has checked the accuracy of the data transmitted and the legal basis for the transmission of personal data and has registered the data transmission.
(2) For the purpose specified in subsection (1) of this section, the collection and transmission of data to a third party is not permitted if:
1) it is a special type of processing of personal data within the meaning of Article 9 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council;
2) it is information concerning the commission of an offense or becoming a victim thereof before a public court session or a decision in a matter concerning an offense
or termination of the proceedings;
3) it would unduly prejudice the rights or freedoms of the data subject;
4) less than 30 days have elapsed since the breach of contract;
5) more than five years have passed since the end of the breach of the obligation.
§ 11. Processing of personal data in public places
Unless otherwise provided by law, in the case of recording as sound or image material for public purposes in a public place, the data subject
informing him of his consent in a form which enables him to understand the fact of the recording of the audio or video material and to record himself if he so wishes;
to avoid. The obligation to provide information does not apply to public events, the recording of which can reasonably be expected to be made public.

Chapter 4
Processing of personal data by law enforcement authorities in the prevention, detection and prosecution of criminal offenses; and
enforcement of the sentence
Section 1
General settings
§ 12. Application of this Chapter
(1) This Chapter applies to the processing of personal data by law enforcement agencies upon prevention, detection and processing of an offense, and
enforcement of the sentence.
(2) This Chapter does not apply to the processing of personal data in the exercise of state supervision or administrative supervision.
(3) This Chapter prescribes the specifications applicable to law enforcement agencies. The European Parliament and the Council shall not apply to law enforcement agencies
Regulation (EU) 2016/679, subject to this Act.
§ 13. Terms
(1) For the purposes of this Chapter, terms are used in Articles 4 and 9 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council.
(2) For the purposes of this Chapter, a law enforcement agency is an agency or a structural unit of an agency which is competent to prevent an offense on the basis of law,
detect and prosecute or enforce a sentence.

Section 2
Principles
§ 14. Principles of processing personal data
The following principles must be observed when processing personal data:
1) lawfulness and fairness - personal data are processed lawfully and fairly;
2) "purposefulness" means that personal data are collected for specified, explicit and legitimate purposes and are not processed in a way which is
contrary to the objectives of the
3) "quality" means that personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed;
4) accuracy - personal data must be correct and, if necessary, kept up to date; reasonable steps shall be taken to ensure that the purpose of the processing is met
incorrect personal data shall be deleted or rectified immediately;
5) "retention" means the storage of personal data in a form which permits identification of data subjects for no longer than is necessary for that purpose,
the purposes for which the personal data are processed;
6) "security" means the processing of personal data in a way which ensures its security, including protection against unauthorized or unlawful processing and against accidental processing;
loss, destruction or damage by appropriate technical or organizational measures.
§ 15. Legality of processing of personal data
A law enforcement authority may process personal data on the basis of law if their processing is necessary for the prevention, detection or processing of an offense, or
to perform a task arising from the purpose of the enforcement of the sentence.
§ 16. Processing of personal data for purposes other than the original
(1) Processing of personal data by the same or another chief processor for a purpose other than the original purpose provided for in subsection 12 (1) of this Act,
for which personal data are collected is permitted in so far as:
1) the chief processor has a basis arising from law or legislation of the European Union for the processing of personal data for such purposes, and
2) such processing of personal data is necessary pursuant to law or legislation of the European Union and is proportionate to the aim pursued.
(2) Personal data collected or to be collected by a law enforcement agency for the purposes provided for in subsection 12 (1) of this Act shall not be processed in any other way.
purposes, except in the cases provided for in subsection (1) of this section or if such processing is permitted by law or legislation of the European Union. If
personal data are processed for such other purposes, Regulation (EU) 2016/679 of the European Parliament and of the Council shall apply, unless
personal data are processed in the course of activities which do not fall within the scope of that Regulation. In a situation where the purpose of the processing is not covered
within the scope of that Regulation, Estonian law shall apply.
(3) If a law enforcement agency also performs functions other than those provided for in subsection 12 (1) of this Act pursuant to law
Regulation (EU) 2016/679 of the European Parliament and of the Council shall apply to the processing of personal data for that purpose. In a situation where processing
the purpose does not fall within the scope of that Regulation, Estonian law shall apply.
§ 17. Retention of personal data
(1) A term for storage of personal data processed by law or regulation shall be established. Exceptionally, if there is no time limit for the storage of personal data
established by law or regulation, that time limit shall be set by the controller.
(2) The term of storage established on the basis of subsection (1) of this section may be extended only in justified cases, unless the period of storage
the deadline is set out in the legislative act.
(3) If it is not possible to set a specific retention period, the controller shall implement legal and technological measures which:
enable the need for continuous data processing to be assessed on an ongoing basis.
(4) If the term for storage of personal data expires, the chief processor and the authorized processor are required to permanently delete personal data. To do this, must be responsible
the processor to implement appropriate legal and technological measures.
§ 18. Distinction of different categories of data subjects
Where possible and appropriate, the controller shall distinguish between the persons subject to the proceedings as different categories of data subjects when processing personal data,
suspects, accused persons, victims, witnesses, detainees, detainees, probationers and other persons.
§ 19. Distinction of personal data based on assessments
As far as possible, the controller shall distinguish factual personal data from personal data based on personal assessments.
§ 20. Specifications for processing of special types of personal data
(1) The processing of special types of personal data is permitted only if it is strictly necessary and only in the following cases:
1) the admissibility of processing is provided by legislation;
2) the processing is necessary for the protection of the vital interests of the data subject or another natural person, or
3) personal data which the data subject has obviously disclosed himself or herself are processed.
(2) Appropriate measures for the protection of the rights and freedoms of data subjects are applied to the processing of special types of personal data specified in subsection (1) of this section.
safeguards.
§ 21. Automated processing
(1) It is prohibited to make a decision based only on automated processing, including profile analysis, if this leads to the data subject:
adverse legal consequences or other significant effects on him. Such a decision may be taken if a decision is permitted
a law laying down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject.
(2) A data subject has the right to submit objections to the chief processor regarding the decision specified in subsection (1) of this section on the basis of his or her legitimate interest.
protection.
(3) The decision specified in subsection (1) of this section shall not be based on special types of personal data, unless appropriate measures are applied.
to protect the rights, freedoms and legitimate interests of the data subject.
(4) A decision based on profile analysis which results in discrimination against natural persons on the basis of a specific type of personal data is prohibited.

Section 3
Rights of the data subject
§ 22. Information made available to data subject
(1) The chief processor is required to disclose the following information:
1) the intended purpose of the processing of personal data;
2) the right of a person to inspect his or her personal data and to correct, delete or restrict the information and the procedure for exercising the rights;
3) the name and contact details of the chief processor and the data protection specialist;
4) contact information of the Data Protection Inspectorate;
5) the right to submit a complaint to the Data Protection Inspectorate if the rights of the data subject have been violated during the processing of personal data.
(2) Disclosure of information on the website of the chief processor or to another data subject is deemed to be disclosure specified in subsection (1) of this section.
in an easily accessible location.
§ 23. Information provided upon notification of data subject
(1) If an obligation to notify a data subject of the processing of his or her personal data is provided by law, the chief processor shall provide the data subject with the following
more information:
1) the information specified in subsection 22 (1) of this Act;
2) the legal basis for the processing of personal data;
3) the term for storage of personal data or the bases for determining the term of storage;
4) the categories of recipients to whom personal data are transmitted;
5) if necessary, other additional information.
(2) In cases provided by law, the chief processor may submit the information specified in subsection (1) of this section to the data subject later, restrict its
or not if it may:
1) obstruct or damage the prevention, detection or proceeding of an offense or the execution of a punishment;
2) harm the rights and freedoms of another person;
3) endanger national security;
4) endanger the protection of public order;
5) obstruct an official investigation or proceeding.
§ 24. Right of data subject to receive information and personal data concerning himself or herself
(1) A data subject has the right to receive confirmation from the chief processor that his or her personal data is processed. At the request of the data subject, the responsible
notify the data subject of the processor:
1) personal data concerning him or her and the categories of relevant personal data;
2) existing information concerning the origin of personal data;
3) the purpose and legal basis for the processing of personal data;
4) the recipients or categories thereof to whom the personal data of the data subject have been disclosed;
5) the bases for determining the proposed term for storage of personal data or the term for storage;
6) the right to request the chief processor to correct, delete or restrict the processing of personal data of the data subject;
7) the right to submit a complaint to the Data Protection Inspectorate and the contact details of the Data Protection Inspectorate.
(2) In cases provided by law, the chief processor may submit the information specified in subsection (1) of this section to the data subject later, restrict its
or refuse to issue it if it may:
1) obstruct or damage the prevention, detection or proceeding of an offense or the execution of a punishment;
2) harm the rights and freedoms of another person;
3) endanger national security;
4) endanger the protection of public order;
5) obstruct an official investigation or proceeding.
(3) The chief processor shall immediately notify the data subject in writing of the restriction of access to the information specified in subsection (1) of this section or
refusal of access and the reasons therefor. The controller may fail to state reasons if providing such information would lead to any
the occurrence of a circumstance specified in subsection (2) of this section.
(4) Upon notifying the data subject pursuant to subsection (3) of this section, the chief processor shall notify the data subject of his or her right to apply for a decision.
to challenge the Data Protection Inspectorate or a court.
(5) The chief processor shall document the factual and legal bases of the decision made on the basis of subsection (2) of this section and, if necessary, make information
available to the Data Protection Inspectorate.
§ 25. Right of data subject to demand correction and deletion of personal data
(1) A data subject has the right to demand that the chief processor correct personal data concerning him or her which is based on incorrect facts.
(2) A data subject has the right to demand that the chief processor supplement incomplete personal data concerning him or her if this is necessary for the processing of personal data.
appropriate for the purpose.
(3) A data subject has the right to demand the deletion of collected personal data from the chief processor if:
1) the processing of personal data is not permitted on the basis of law;
2) the principles of processing personal data were not taken into account in the processing of personal data, or
3) the chief processor is required to delete the data in order to comply with the law, court judgment, international agreement or other binding agreement.
obligation.
(4) Instead of deleting personal data, the chief processor shall restrict the processing thereof if:
1) the data subject contests the accuracy of the personal data and their accuracy or inaccuracy cannot be established, or
2) personal data must be stored for the purpose of verification.
(5) If, instead of deleting personal data, the chief processor has implemented the processing of personal data provided for in clause (4) 1) of this section
the controller must inform the data subject of the removal of such a restriction.
(6) The chief processor is required to immediately notify the data subject in writing if he or she refuses to correct or delete personal data or
and give reasons for the refusal. The controller may fail to state reasons if providing such information would lead to any
the occurrence of a circumstance specified in subsection 24 (2) of this Act.
(7) Upon notifying the data subject pursuant to subsection (6) of this section, the chief processor shall notify the data subject of his or her right to apply for a decision.
to challenge the Data Protection Inspectorate or a court.
§ 26. Obligation of chief processor to notify of correction, deletion of personal data and restriction of processing thereof
(1) Upon correction of personal data, the chief processor is required to immediately notify the competent authority from which the correction and the content of the correction are based.
incorrect personal data received.
(2) If personal data have been corrected or deleted on the basis of § 25 of this Act or their processing has been restricted, the chief processor is required to
inform the recipients to whom the data were previously transmitted.
(3) Recipients specified in subsection (2) of this section are required to correct or delete personal data falling within their area of ​responsibility, or
restrict their processing.
§ 27. Procedure for exercise of rights of data subject
(1) The controller is required to respond to a request of the data subject in a concise, comprehensible and easily accessible form, using a clear
and simple wording. If possible, the data subject's request shall be answered in the manner requested by the data subject.
(2) The chief processor shall notify the data subject without undue delay within one month after receipt of the request of the
operations.
(3) The chief processor may ask the data subject for reasonable information provided by law or legislation issued on the basis of law which accompanies the execution of the request.
reimbursement of costs or refuse to take the requested action if the data subject's request is unfounded or excessive.
(4) The chief processor shall identify the person of the data subject and his or her right to receive information and personal data concerning him or her or the right to request
correction and deletion.
§ 28. Right of data subject to apply to Data Protection Inspectorate
(1) If a data subject finds that his or her rights are violated upon processing of personal data, he or she has the right to file a complaint with the Data Protection Inspectorate.
(2) The Data Protection Inspectorate shall notify the data subject of the decision made on the basis of his or her complaint and of the right to appeal against the decision of the Data Protection Inspectorate.
to challenge in court.
(3) If the competent supervisory authority of another Member State of the European Union is competent to resolve a complaint of a data subject, the Data Protection Inspectorate shall direct
to submit a complaint to the competent supervisory authority of another Member State of the European Union.

Section 4
Responsibilities of the controller and the processor
§ 29. Chief and authorized processor
(1) The chief processor shall implement appropriate technical and organizational measures to ensure compliance with the requirements of this Act upon processing of personal data.
If necessary, the chief processor is required to prove compliance with the requirements provided for in this Act.
(2) The chief processor shall issue mandatory instructions to the authorized processor for the processing of personal data and shall be responsible for the compliance of the authorized processor with
requirements for the processing of personal data.
(3) The controller may only use authorized processors who provide sufficient assurance that they will implement the appropriate technical and
organizational measures in such a way that the processing of personal data complies with the requirements of this Act and ensures the protection of the rights of the data subject.
(4) An authorized processor may involve other authorized processors in the processing of personal data only on the basis of law or legislation issued on the basis of law, or
with the written consent of the controller and provided that the scope of the powers conferred on the controller is not exceeded. In the case of an authorization granted on the basis of written permission,
the controller shall always inform the controller of the addition or replacement of another controller. In this case, the controller may make changes
objections.
(5) If an authorized processor determines the purposes and means of the processing of personal data in violation of this Act, the authorized processor shall:
the processor responsible for its processing.
§ 30. Appointment and obligations of authorized processor
(1) The chief processor may appoint an authorized processor to process personal data on the basis of law, legislation issued on the basis of law or a written contract in which
sets out the content and duration, nature and purpose of the processing of personal data, the categories of personal data to be processed and the categories of data subjects; and
obligations and rights of the controller.
(2) The law specified in subsection (1) of this section, legislation issued on the basis of law or a contract shall in particular provide that the authorized processor is:
obliged to:
1) act only on the instructions of the chief processor;
2) ensure that the person authorized to process personal data maintains the confidentiality of personal data which has become known in the performance of his or her duties;
3) ensure the protection of the rights of the data subject;
4) after the termination of the provision of data processing services, delete or return to the chief processor all personal data at his or her choice and delete
existing copies, unless otherwise provided by law;
5) make available to the chief processor information related to the processing of personal data which is necessary for compliance with the requirements provided for in this section
to prove compliance;
6) comply with the conditions provided for in subsection 29 (4) of this Act and in this section for the involvement of another authorized processor.
§ 31. Co-responsible processors
(1) If two or more controllers jointly determine the purposes and means of the processing of personal data, they are co-controllers.
(2) The liability and scope of obligations of a co-chief processor shall be determined by law, legislation issued on the basis of law or between co-chief processors.
in the contract concluded.
(3) The contract specified in subsection (2) of this section shall specify a contact point for data subjects through which the data subject can
exercise their rights.
(4) A data subject may exercise the rights arising from this Act with respect to any chief processor.
§ 32. Processing of personal data on behalf of chief and authorized processor
(1) A person who processes personal data on behalf of the chief or authorized processor is required to process the personal data only in accordance with the instructions given by the chief processor if
the law does not provide otherwise.
(2) The right of a person to process personal data on behalf of the chief or authorized processor shall arise from law, legislation issued on the basis of law,
the contract concluded between the processor and the person or the act regulating the employment relationship.
§ 33. Integrated data protection and default data protection
(1) The chief and authorized processor shall take appropriate technical and organizational measures to determine the means of processing and to process personal data.
measures and implement them consistently.
(2) The controller and the processor shall implement appropriate technical and organizational measures to ensure that only
personal data necessary to achieve each specific purpose of the processing.
§ 34. Requirements for processing of personal data
When processing personal data, the chief and authorized processor is obliged to:
1) correct incorrect personal data;
2) delete personal data if the processing of personal data is not permitted on the basis of law or does not comply with the principles of processing of personal data;
3) notify the recipient if personal data have been transmitted illegally or incorrect personal data have been transmitted;
4) co-operate with the Data Protection Inspectorate.
§ 35. Requirements for transfer of personal data
(1) The chief processor is required to take and implement appropriate measures to ensure that incomplete, incorrect or outdated personal data are not
transmitted or made available.
(2) When transmitting personal data, the chief processor shall, if possible, add the necessary information which enables the competent authority receiving the data to assess
the accuracy, completeness, reliability and timeliness of personal data.
(3) Where special conditions apply to the processing of personal data, the controller shall inform the recipient of such transfers of such personal data.
conditions and the requirement to comply with them.
(4) When transmitting personal data to other recipients in the European Union and in accordance with Chapters 4 and 5 of Title V of the Treaty on the Functioning of the European Union
the authorities set up shall not be subject to any additional specific conditions for the processing of personal data compared to those applicable to the transfer of personal data
domestically.
§ 36. Logging
(1) The chief and authorized processor shall keep logs of at least the following personal data processing operations performed in automated systems:
1) collection;
2) amendment;
3) reading;
4) disclosure;
5) transmission;
6) merging;
7) deletion.
(2) Logs reflecting reading, disclosure and transmission shall make it possible to identify the grounds, date and time of the performance of the specified acts.
the time and the name of the person who read, disclosed or transmitted the personal data, as well as the names of the recipients of such personal data.
(3) Logs may be used to verify the lawfulness of personal data processing operations, for internal monitoring, to ensure the integrity and security of personal data.
and to conduct criminal proceedings.
(4) At the request of the Data Protection Inspectorate, the chief and authorized processor shall provide the information specified in subsection (1) of this section to the Data Protection Inspectorate.
available.
(5) The chief processor shall establish the terms for the preservation of logs.
§ 37. Registration of personal data processing acts
(1) The chief processor shall register all types of personal data processing operations performed under his or her responsibility. The following information must be recorded:
1) the name and contact details of the chief processor and, where appropriate, the co-chief processor;
2) the name and contact details of the data protection specialist;
3) the purposes of the processing of personal data;
4) the recipients or categories of recipients to whom personal data have been or will be disclosed;
5) a description of the categories of data subjects and categories of personal data;
6) where applicable, the use of profile analysis;
7) where applicable, the types of transfer of personal data to a third country or international organization;
8) information on the legal basis for the processing of personal data;
9) if possible, the terms prescribed for the deletion of special types of personal data;
10) if possible, a description of the organizational and technical security measures for the processing of personal data taken on the basis of § 43 of this Act.
(2) An authorized processor shall register all types of acts related to the processing of personal data performed on behalf of the chief processor. The following must be registered
information:
1) the name and contact details of the authorized processor, as well as the name and contact details of the chief processor on whose behalf the authorized processor acts;
2) where applicable, the name and contact details of the data protection officer;
3) the types of processing of personal data performed on behalf of the chief processor;
4) where applicable, the transfer of personal data to a third country or to an international organization, including data relating to that third country; or
to identify an international organization;
5) if possible, a description of the organizational and technical security measures for the processing of personal data taken on the basis of § 43 of this Act.
(3) The information specified in subsections (1) and (2) of this section shall be registered in a form that can be reproduced in writing.
(4) At the request of the Data Protection Inspectorate, the chief or authorized processor shall make the documents specified in subsections (1) and (2) of this section.
Available to the Inspectorate.
§ 38. Data protection impact assessment
(1) Before processing personal data, the chief processor shall assess the impact of the planned processing of personal data on the protection of personal data if the processing of personal data
processing may, given the nature, extent, context and purposes of the processing, pose a significant risk to the rights and freedoms of the natural person.

(2) An impact assessment shall include at least the following:
1) a systematic description of the planned personal data processing operations and processing purposes;
2) an assessment of the necessity and proportionality of the processing of personal data, taking into account the purposes of the processing of personal data;
3) an assessment of the threats concerning the rights and freedoms of the data subject;
4) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data, and
to demonstrate compliance with the law, taking into account the rights and legitimate interests of the data subject and other persons concerned.
§ 39. Consultation with Data Protection Inspectorate
(1) If a chief or authorized processor intends to process personal data which are entered in a new data collection to be created, he or she shall first consult
With the Data Protection Inspectorate in the following cases:
1) the data protection impact assessment issued on the basis of § 38 of this Act shows that the processing of personal data would result in a controller
high risk in the absence of risk mitigation measures by the
2) the nature of the processing of personal data poses a major threat to the rights and freedoms of the data subject.
(2) In order to assess the compliance of the processing of personal data with the requirements, the chief processor shall submit the following information to the Data Protection Inspectorate:
1) the data protection impact assessment provided for in § 38 of this Act;
2) the intended purpose and means of processing personal data;
3) measures and guarantees prescribed for the protection of the rights and freedoms of the data subject;
4) where applicable, the contact details of the data protection officer;
5) where applicable, the areas of responsibility of the chief processor, co-chief processors and authorized processors in the processing of personal data;
6) other information requested by the Data Protection Inspectorate.
(3) If, in the opinion of the Data Protection Inspectorate, the proposed processing of personal data specified in subsection (1) of this section would violate this Act
the Data Protection Inspectorate shall provide the controller and, where appropriate, the authorized processor with written advice on how to bring the data processing into line with this Regulation.
requirements of the law.
(4) The Data Protection Inspectorate shall provide advice to the chief or authorized processor within six weeks on the information specified in subsection (2) of this section.
upon receipt.
(5) The term specified in subsection (4) of this section may be extended by one month, taking into account the planned complexity of the processing of personal data.
The Data Protection Inspectorate shall notify the chief or authorized processor of the extension of the term within one month as of the receipt of the request for consultation.
The extension must be justified.
(6) The Data Protection Inspectorate may compile a list of personal data processing operations in respect of which the data specified in subsection (1) of this section are specified.
prior consultation required.

Section 5
Data Protection Specialist
§ 40. Appointment of data protection specialist
(1) A law enforcement agency shall appoint a data protection specialist. Courts are relieved of this obligation in the exercise of their judicial function.
(2) A law enforcement agency may appoint one data protection specialist for several agencies or bodies depending on their organizational structure and
size.
(3) The appointment of a data protection specialist shall be based on his or her professional skills and expert knowledge of data protection legislation and practice, and
the ability to perform the functions provided for in § 41 of this Act.
(4) A data protection specialist may be an official or employee employed by a law enforcement agency or perform duties on the basis of a service contract.
§ 41. Duties of data protection specialist
(1) A data protection specialist shall perform at least the following functions:
1) inform and advise the law enforcement agency and officials and employees processing personal data on its behalf in connection with their obligations arising from
this Act and other data protection rules of the European Union or its Member States;
2) ensures compliance with this Act, where applicable with other data protection standards of the European Union or its Member States, and with the internal control of the controller;
rules on the principles of personal data protection and awareness-raising for officials and staff involved in the processing of personal data, and
training;
3) provide advice in connection with data protection impact assessments and monitor its operation pursuant to § 38 of this Act;
4) co-operates with the Data Protection Inspectorate;
5) acts as a contact person of the Data Protection Inspectorate in matters concerning the processing of personal data, including the previous person provided for in § 39 of this Act;
during the consultation process, and shall consult on other issues as appropriate.
(2) A court data protection specialist shall not perform the duties specified in subsection (1) of this section with respect to activities related to the administration of justice of the court.
(3) A data protection specialist may perform other duties and responsibilities. The controller or processor shall ensure that such tasks and responsibilities do not
cause a conflict of interest for the data protection officer.
§ 42. Position of data protection specialist
(1) The chief processor shall ensure the proper and timely involvement of a data protection specialist in all matters concerning the protection of personal data.
(2) The chief processor shall support the data protection specialist in the performance of the tasks referred to in § 41 of this Act by giving him or her the
and the resources needed to maintain the level of expertise and access to personal data and their processing operations.
(3) The provisions of Article 38 (3) to (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council shall apply to the position of a data protection officer.

Section 6
Security measures for the processing of personal data and notification of personal data breaches
§ 43. Security measures for processing of personal data
The controller and the processor are obliged to take and implement organizational and technical security measures for the protection of personal data in order to:
1) prohibit access by unauthorized persons to data processing equipment used for the processing of personal data;
2) prevent the unauthorized reading, copying, modification and removal of data carriers;
3) prevent the unauthorized entry of personal data and access to, alteration or deletion of stored personal data;
4) prevent the use of the data processing system by unauthorized persons by means of data communication means;
5) ensure that a user who is authorized to use an automated data processing system has access only to the personal data covered by his or her
access permit;
6) ensure the possibility to prove and determine to which authorities personal data have been transmitted or made available by means of data communication
and to which authorities they may be transmitted or made available;
7) ensure that it is possible to prove and establish which personal data have been input into automated data-processing systems and when and by whom
entered;
8) prevent the unauthorized reading, copying, modification or deletion of personal data during the transmission of personal data or the transport of data carriers;
9) ensure the possibility to restore the installed data processing systems in the event of an interruption;
10) ensure the functioning of the data processing system and notification of any operational errors that occur;
11) prevent distortion of personal data as a result of system failures.
§ 44. Notification of Data Protection Inspectorate of violation related to personal data
(1) If an infringement related to personal data is likely to endanger the rights and freedoms of a natural person, the chief processor shall notify of the infringement
To the Data Protection Inspectorate immediately, if possible within 72 hours after becoming aware of it.
(2) The authorized processor shall notify the chief processor immediately after becoming aware of the personal data breach.
(3) The following information shall be submitted in the notice specified in subsection (1) of this section:
1) the content of the breach, including the nature of the personal data breach, where possible the categories and approximate number of data subjects concerned, and
the categories and approximate number of personal data concerned;
2) the name and contact details of the data protection officer;
3) a description of the possible consequences of the personal data breach;
4) the measures taken or planned by the chief processor to resolve personal data breaches, including measures concerning possible breaches
to mitigate the adverse effects of
(4) If a personal data breach is notified to the Data Protection Inspectorate after the expiry of 72 hours after becoming aware thereof, the
on the grounds.
(5) If a personal data breach concerns personal data which have been transferred by a controller of another Member State of the European Union or to another
To the chief processor of a Member State of the European Union, the information referred to in subsection (3) of this section shall be forwarded without undue delay to that Member State
to the controller.
(6) The chief processor shall document all violations related to personal data specified in subsection (1) of this section, including the circumstances of the violation,
impact and corrective actions taken.
§ 45. Notification of data subject of personal data breach
(1) If a breach is likely to constitute a serious threat to the rights and freedoms of a natural person, the controller shall immediately inform the data subject
personal data breach.
(2) Upon notification specified in subsection (1) of this section, the nature of the personal data breach shall be described in clear and simple language and
at least the information specified in clauses 44 (3) 2) -4) of this Act.
(3) The notification specified in subsection (1) of this section is not required if at least one of the following conditions is met:
1) the controller has implemented appropriate technological and organizational safeguards and they have been applied in relation to personal data;
personal data affected by the breach;
2) the chief processor has taken subsequent measures which preclude the realization of a high risk specified in subsection (1) of this section by the data subject
rights and freedoms;
3) individual notification of the data subject would lead to disproportionate costs and the public has been informed of the breach.
(4) If the chief processor has not yet notified the data subject of a personal data breach, the Data Protection Inspectorate may
to assess the severity of deciding whether the notification of the data subject of a personal data breach is required or whether there is any incident in subsection (3) of this section
of these cases.
(5) A data subject may be notified of a violation specified in subsection (1) of this section later, to a limited extent or not notified if it may:
1) obstruct or damage the prevention, detection or proceeding of an offense or the execution of a punishment;
2) harm the rights and freedoms of another person;
3) endanger national security;
4) endanger the protection of public order;
5) obstruct an official investigation or proceeding.

Section 7
Transfer of personal data to a third country and to an international organization
§ 46. General conditions for transfer of personal data to third countries and international organizations
(1) Personal data may be transferred to a third country or international organization only if all of the following conditions are met:
1) the transfer is necessary for the prevention, detection or processing of an offense or for the execution of a punishment;
2) personal data are transferred to a controller in a third country or an international organization who is competent to prevent, detect and prosecute an offense; and
to prosecute or enforce the sentence;
3) the consent of another Member State of the European Union to the further use of the data if the data to be transmitted have been received from that Member State;
(4) In accordance with Article 36 of Directive (EU) 2016/680 of the European Parliament and of the Council, the European Commission has adopted a decision on the adequacy of protection or
in the absence of a decision, the adequate protection measures specified in § 47 of this Act have been taken or, in the absence thereof, the
s 48 mentioned exception;
5) upon transfer of personal data, it is ensured that the chief processor transferring the data is for the further transfer of personal data to another third country, or
prior consent of the international organization.
(2) If the permission specified in clause (1) 3) of this section for the transfer of personal data cannot be obtained in a timely manner and the transfer of personal data
necessary to prevent an immediate and serious threat to public policy in a country or a third country or to protect an essential interest of the country, personal data may be transferred
without the permit specified in clause (1) 3) of this section. Personal data shall be notified without delay of the exchange of data provided for in this paragraph
forwarded to the competent authority of a Member State of the European Union.
(3) Upon granting the consent specified in clause (1) 5) of this section, the chief or authorized processor shall take into account, inter alia, the seriousness of the offense,
the purpose of the initial transfer of personal data and the level of protection of personal data in the third country or international organization to which the personal data relate;
forwarded.
(4) Once the European Commission has adopted the decision referred to in Article 36 (5) of Directive (EU) 2016/680 of the European Parliament and of the Council, personal data may be
forward to a third country or international organization on the basis of §§ 47 and 48 of this Act.
§ 47. Transfer of personal data upon application of appropriate protection measures
If there is no decision of the European Commission specified in clause 46 (1) 4) of this Act on the adequacy of protection, personal data may be transferred to a third party
to a State or international organization in the following cases:
1) the appropriate protection measures to be taken for the protection of personal data are provided in a legally binding act;
2) the chief processor has assessed all the circumstances related to the transfer of personal data and has found that all aspects of the protection of personal data have been taken
appropriate safeguards.
§ 48. Transmission of personal data in exceptional cases
(1) If there is no decision of the European Commission specified in clause 46 (1) 4) of this Act concerning the adequacy of protection or there are no decisions specified in § 47
appropriate safeguards, the transfer of personal data to a third country or international organization shall be permitted if necessary:
1) to protect the rights and freedoms of the data subject or another person;
2) to protect the legitimate interests of the data subject;
3) for the prevention of an immediate and serious threat to public order;
4) for the prevention, detection or proceeding of a specific offense or for the execution of a punishment, or
5) for the preparation of a specific legal claim related to the purpose of prevention, detection or processing of a specific offense or execution of a punishment,
to present or defend.
(2) If the rights of a data subject are more important than the interest provided for in clauses (1) 4) and 5) of this section, the transfer of personal data is not
allowed.
§ 49. Transfer of personal data to recipient in third country
Personal data may be transferred directly to a recipient in a third country if all of the following conditions are met:
1) the transfer is strictly necessary for the performance of the task of the law enforcement authority which transfers the personal data for the prevention, detection or processing of an offense, or
for the purpose of enforcing a sentence;
2) the public interest outweighs the rights and freedoms of the data subject;
3) the transfer of personal data to an authority of a third country which is competent to prevent, detect and prosecute an offense or to enforce a sentence is not effective, or
appropriate;
4) the authority of the third country which is competent to prevent, detect and prosecute the offense or to enforce the sentence shall be notified immediately, unless:
if it is not effective or appropriate;
5) the recipient is informed of the specific purpose of the processing of personal data and is directed to process personal data only for the specified purpose.
§ 50. Notification of Data Protection Inspectorate and documentation of transfer of personal data
(1) The chief or authorized processor shall provide the Data Protection Inspectorate with an overview of the processing of personal data on the basis of clause 47 2) and 49) of this Act.
at least once a year.
(2) If personal data are transmitted on the basis of clause 47 2), subsection 48 (1) or § 49 of this Act, the chief or authorized processor shall document such
the details of the transmission, including the date and time of the transmission, the receiving competent authority, the explanation of the transmission and the personal data transmitted.
(3) At the request of the Data Protection Inspectorate, the chief or authorized processor shall make the documents specified in subsection (2) of this section available to him or her.

Chapter 5
State and administrative supervision
Section 1
Supervisory authority
§ 51. Establishment of independent supervisory authority
(1) Independent supervisory authority Article 51 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Directive
For the purposes of Article 41 of Regulation (EU) 2016/680, the Data Protection Inspectorate is.
(2) The Data Protection Inspectorate is independent in the performance of its functions and acts pursuant to this Act, the European Parliament and the Council
Regulation (EU) 2016/679, other laws and legislation established on the basis thereof.
§ 52. Qualification required for appointment to head of Data Protection Inspectorate
(1) A person with a higher education with management experience who has knowledge of the legal framework for the protection of personal data may work as the head of the Data Protection Inspectorate.
regulation and information and communication technologies, including information systems.
(2) During his or her term of office, the head of the Data Protection Inspectorate shall not participate in the activities of political parties or work in any other paid job or position, except
pedagogical and research work.
§ 53. Security check of candidate for head of Data Protection Inspectorate
(1) A candidate for the head of the Data Protection Inspectorate shall pass a security check before being appointed head of the Data Protection Inspectorate, unless:
he holds a valid authorization for access to a top-secret state secret or if, at the time of his candidature, he holds a post entitled to post
access to all levels of state secrecy.
(2) The Security Police Board shall perform security screening of a candidate for the head of the Data Protection Inspectorate pursuant to the procedure prescribed in the Security Authorities Act.
(3) In order to pass a security check, a candidate for the head of the Data Protection Inspectorate shall complete the application form of an applicant for a permit for access to state secrets and sign
consent allowing the security inspection authority to obtain information about itself from natural and legal persons during the security inspection
and state and local government agencies and bodies, and submits them to the Security Police Board through the Ministry of Justice.
(4) The Security Police Board shall forward the data collected as a result of security screening to the minister responsible for the field within three months as of the date of entry into force of this Regulation.
upon receipt of the documents specified in subsection (3) of the section, attaching his or her opinion on the compliance of the candidate for the head of the Data Protection Inspectorate with a state secret
access to the permit conditions.
(5) If the authority of the head of the Data Protection Inspectorate has expired before the term, the security check shall be conducted against the candidate for the head of the Data Protection Inspectorate.
within one month as of the receipt of the documents specified in subsection (3) of this section. With the permission of the Security Committee of the Government of the Republic,
to extend the term for performing a security inspection by one month if there is a clause 1 or 2 in subsection 33 (4) of the State Secrets and Classified Foreign Information Act
this circumstance or, within one month, the circumstance specified in clause 3 or 4 may occur.

(6) On the basis of the information collected in the course of the performed security inspection, a candidate for the position of the head of the Data Protection Inspectorate may be appointed within nine months.
as of the time when the Security Police Board forwarded the information collected during the security check to the minister responsible for the field. After that date,
Appoint a candidate for the head of the Data Protection Inspectorate after passing a new security check.
§ 54. Appointment to and removal from office of head of Data Protection Inspectorate
(1) The head of the Data Protection Inspectorate shall be appointed to office for five years by the Government of the Republic on the proposal of the minister responsible for the field, having previously
after hearing the position of the Constitutional Committee of the Riigikogu.
(2) The position of the Constitutional Committee of the Riigikogu shall be heard before the head of the Data Protection Inspectorate is released from office prematurely.
Page 2

§ 55. Competence of Data Protection Inspectorate upon accreditation of certification bodies
Competent body within the meaning of Article 43 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council competent to accredit certification bodies
with relevant expertise in the field of data protection is the Data Protection Inspectorate.

Section 2
Exercise of state and administrative supervision
§ 56. Competence of Data Protection Inspectorate in exercise of state and administrative supervision
(1) The requirements provided for in this Act, legislation established on the basis thereof and Regulation (EU) 2016/679 of the European Parliament and of the Council, and
the Data Protection Inspectorate exercises state and administrative supervision over compliance with the requirements established for the processing of personal data in other Acts.
(2) In addition to the provisions of Article 57 of Regulation (EU) 2016/679 of the European Parliament and of the Council, the Data Protection Inspectorate is competent to:
1) increase the awareness and understanding of the public, controllers and authorized processors of the risks involved in the processing of personal data,
standards and safeguards applicable to personal data and the rights relating to the processing of personal data; Data Protection may perform this task
Inspectorate to issue recommended instructions;
2) upon request, provide the data subject with information concerning the exercise of his or her rights arising from this Act and, in appropriate cases, make
cooperation with the supervisory authorities of other Member States of the European Union;
3) if necessary, initiate misdemeanor proceedings and apply a punishment if it is not possible to achieve in law by other administrative law measures, or
Compliance with the requirements set out in Regulation (EU) 2016/679 of the European Parliament and of the Council;
4) co-operate with international data protection supervision organizations and other data protection supervision agencies and other foreign countries
competent authorities and persons;
5) monitor relevant trends insofar as they affect the protection of personal data, in particular the development of information and communication technologies;
6) provide advice on the processing of personal data referred to in § 39 of this Act;
7) participate in the European Data Protection Board;
8) apply administrative coercion on the bases, to the extent and pursuant to the procedure prescribed by law;
9) submit opinions on matters related to the protection of personal data to the Riigikogu, the Government of the Republic, the Chancellor of Justice on its own initiative or on the basis of an application, and
other institutions and the public;
10) perform other functions arising from law.
(3) In addition to the provisions of Article 57 of Regulation (EU) 2016/679 of the European Parliament and of the Council, the Data Protection Inspectorate has the right to:
1) warn the chief processor and the authorized processor that the proposed processing of personal data is likely to violate this Act;
2) demand the correction of personal data;
3) demand the deletion of personal data;
4) demand restriction of the processing of personal data;
5) demand the termination of the processing of personal data, including destruction or transfer of archives;
6) apply, if necessary, substitute enforcement and penalty payments in order to prevent damage to the rights and freedoms of a person pursuant to the procedure provided for in the Act
immediate organizational, physical and IT security measures for the protection of personal data, unless the personal data are processed by a public authority;
7) establish a temporary or permanent restriction on the processing of personal data, including a prohibition on the processing of personal data;
8) initiate supervision proceedings on the basis of a complaint or on its own initiative.
§ 57. Special measures of state supervision
In order to exercise the state supervision provided for in this Act, the Data Protection Inspectorate may apply the provisions of §§ 30–32, 44 and 49– of the Law Enforcement Act.
53 special state supervision measures on the basis and pursuant to the procedure provided for in the Law Enforcement Act.
§ 58. Specifications of state supervision
(1) The Data Protection Inspectorate may apply Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council for the performance of state supervision.
measures provided for in
(2) The Data Protection Inspectorate may make an inquiry to an electronic communications undertaking concerning the information used in the public electronic communications network.
identification of the end-user related to the identifiers, with the exception of the
it is not possible to identify the end-user associated with the identifiers.
§ 59. Specifications of administrative supervision
(1) In exercising administrative supervision in accordance with Article 83 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council, the Data Protection Inspectorate may
and in the event of non-compliance with a precept issued pursuant to the provisions of §§ 751 and 752 of the Government of the Republic Act, apply to the recipient of the precept
to organize official supervision of a higher authority, person or the whole party or to initiate disciplinary proceedings against an official.
(2) A person exercising official supervision or a person who has the right to initiate disciplinary proceedings is required to review an application as of receipt thereof.
within one month and submit its reasoned opinion to the Data Protection Inspectorate. In the event of official supervision or the initiation of disciplinary proceedings
the supervisory authority or the person entitled to initiate disciplinary proceedings is obliged to inform the Data Protection Inspectorate without delay of the relevant
the results of the procedure.
(3) If a processor of personal data who is a state agency has not complied with a precept of the Data Protection Inspectorate within the term specified therein, the Data Protection
The Inspectorate shall file a protest with an administrative court pursuant to the procedure provided for in the Code of Administrative Court Procedure.
§ 60. Rate of penalty payment
In the event of non-compliance with a precept of the Data Protection Inspectorate, a penalty imposed pursuant to the procedure provided for in the Substitutive Enforcement and Penalty Payment Act is
up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of its global annual
total turnover, whichever is greater.
§ 61. Term for review of appeal
(1) The Data Protection Inspectorate shall resolve a complaint within 30 days as of the submission of the complaint to the Data Protection Inspectorate.
(2) In order to further clarify the circumstances necessary for resolving a complaint, the Data Protection Inspectorate may extend the term for review of the complaint.
up to 60 days. The complainant must be notified in writing of the extension of the time limit.
(3) If it is necessary to cooperate with other relevant supervisory authorities in order to resolve the complaint, the examination of the complaint shall be extended by a reasonable time,
necessary to hear or express the views of the cooperating supervisory authorities.

Chapter 6
Responsibility
§ 62. Violation of obligations of chief processor and authorized processor
(1) The obligation of the controller or processor provided for in Articles 8, 11, 25 to 39, 42 and 43 of Regulation (EU) 2016/679 of the European Parliament and of the Council
for breach shall be punishable by a fine of up to EUR 10 000 000.
(2) For the same act, if committed by a legal person,
shall be liable to a fine of up to EUR 10 000 000 or up to 2% of its total annual worldwide turnover in the preceding business year, whichever is the lower;
whichever amount is greater.
§ 63. Violation of certification procedure
(1) For breach of the certification procedure provided for in Articles 42 and 43 of Regulation (EU) 2016/679 of the European Parliament and of the Council shall be punishable by a fine of up to EUR 10 000 000.
(2) For the same act, if committed by a legal person,
shall be liable to a fine of up to EUR 10 000 000 or up to 2% of its total annual worldwide turnover in the preceding business year, whichever is the lower;
whichever amount is greater.
§ 64. Violation of procedure for supervision of compliance with code of conduct
(1) Procedures for monitoring compliance with the Code of Conduct provided for in Article 41 (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council
for breach shall be punishable by a fine of up to EUR 10 000 000.
(2) For the same act, if committed by a legal person,
shall be liable to a fine of up to EUR 10 000 000 or up to 2% of its total annual worldwide turnover in the preceding business year, whichever is the lower;
whichever amount is greater.
§ 65. Violation of principles of processing of personal data
(1) Infringement of the principles on the processing of personal data set out in Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council, as well as
for breach of the data subject's consent procedure laid down in Articles 5 to 7 and 9 of the Regulation,
shall be punishable by a fine of up to EUR 20 000 000.
(2) For the same act, if committed by a legal person,
shall be liable to a fine of up to EUR 20 000 000 or up to 4% of its total annual worldwide turnover in the preceding business year, whichever is the lower;
whichever amount is greater.
§ 66. Violation of rights of data subject
(1) Infringement of the data subject's rights under Articles 12 to 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council shall be punishable by a fine of up to EUR 20 000 000.
(2) For the same act, if committed by a legal person,
shall be liable to a fine of up to EUR 20 000 000 or up to 4% of its total annual worldwide turnover in the preceding business year, whichever is the lower;
whichever amount is greater.
§ 67. Violation of procedure for transfer of personal data
(1) For breach of the procedure for the transfer of personal data laid down in Articles 44 to 49 of Regulation (EU) 2016/679 of the European Parliament and of the Council shall be punishable by a fine of up to EUR 20 000 000.
(2) For the same act, if committed by a legal person,
shall be liable to a fine of up to EUR 20 000 000 or up to 4% of its total annual worldwide turnover in the preceding business year, whichever is the lower;
whichever amount is greater.
§ 68. Violation of procedure provided for specialties of personal data processing
(1) For violation of the procedure provided for in Chapter 2 of this Act concerning the specialties of processing personal data shall be punishable by a fine of up to EUR 20 000 000.
(2) For the same act, if committed by a legal person,
shall be liable to a fine of up to EUR 20 000 000 or up to 4% of its total annual worldwide turnover in the preceding business year, whichever is the lower;
whichever amount is greater.
§ 69. Failure to comply with order of Data Protection Inspectorate
(1) For failure to comply with an order provided for in Article 58 (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council shall be punishable by a fine of up to EUR 20 000 000.
(2) For the same act, if committed by a legal person,
shall be liable to a fine of up to EUR 20 000 000 or up to 4% of its total annual worldwide turnover in the preceding business year, whichever is the lower;
whichever amount is greater.
§ 70. Violation of granting access to Data Protection Inspectorate
(1) for failure to comply with an order issued pursuant to Article 58 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council if
it does not allow the Data Protection Inspectorate access to personal data, other information or premises,
shall be punishable by a fine of up to EUR 20 000 000.
(2) For the same act, if committed by a legal person,
shall be liable to a fine of up to EUR 20 000 000 or up to 4% of its total annual worldwide turnover in the preceding business year, whichever is the lower;
whichever amount is greater.
§ 71. Illegal processing of personal data outside work or service duties
For the unlawful collection, viewing, reading, use, access to, or retrieval of, personal data
by a person who has access to personal data on the basis of his or her job or service duties, unless otherwise provided in §§ 157 and 1571 of the Penal Code
the offenses set out in
is punishable by a fine of up to 200 fine units.
§ 72. Violation of other requirements for processing of personal data
Violation of the requirements for the protection of personal data in the absence of the provisions of §§ 62–71 of this Act and §§ 157 and 1571 of the Penal Code
offenses, is punishable by a fine of up to 200 fine units.
§ 73. Procedure
The Data Protection Inspectorate conducts extra-judicial proceedings concerning the misdemeanors provided for in this Chapter.

Chapter 7
Implementing provisions
§ 74. Register of processors of personal data and persons responsible for protection of personal data
(1) Data in the register of processors of personal data and persons responsible for the protection of personal data shall be preserved archived for up to five years pursuant to this Act.
from the entry into force. Upon expiry of the term, the registry data will be deleted.
(2) An application for access to registry data shall be submitted to the Data Protection Inspectorate.
(3) A registry entry for the processing of sensitive personal data shall have informative significance until the end of the term of validity initially determined therefor.
§ 75. Repeal of Personal Data Protection Act
The Personal Data Protection Act (RT I 2007, 24, 127) is repealed.
§ 76. Entry into force of Act
This Act enters into force on 15 January 2019.

1 Directive (EU) 2016/680 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the competent authorities
for the prevention, investigation, detection and prosecution of criminal offenses or the
free movement of data and repealing Council Framework Decision 2008/977 / JHA (OJ L 119, 4.5.2016, pp. 89-131).

Eiki Nestor
Chairman of the Riigikogu

← Back | Top ↑

Facebook

Twitter

© State Chancellery 2010
© Ministry of Justice 2012
Riigi Teataja search assistance: 620 8148

The completion of the page was supported by the European Union

Feedback: email
Version 12.5.0

