ESTONIA

The Estonian Data Protection Inspectorate website: http://www.aki.ee/eng/

The Personal Data Protection Act 2008: http://www.aki.ee/download/1124/Personal%20Data%20Protection%20Act1.rtf
What needs to be done prior to collection?

NOTIFY THE DATA PROTECTION INSPECTORATE (SENSITIVE PERSONAL DATA ONLY)

Section 27 – Obligation to register processing of sensitive personal data

(1) If a processor of personal data has not appointed a person responsible for the protection of personal data as provided in Section 30 of this Act, the processor of personal data is required to register the processing of sensitive personal data with the Data Protection Inspectorate.

Section 28 – Registration application

(1) A registration application for entry in the register of processors of personal data shall be submitted to the Data Protection Inspectorate at least one month before processing of sensitive personal data commences.

(2) A registration application shall set out the following:
1) The name, registry or personal identification code, place of business, seat or residence and other contact details of the processor of the personal data, including the authorised processor;
2) A reference to the legal grounds of the processing of personal data;
3) The purposes of processing of personal data;
4) The categories of personal data;
5) The categories of persons whose data are processed;
6) The sources of personal data;
7) Persons or categories thereof to whom transmission of personal data is permitted;
8) Place or places of processing personal data;
9) The conditions for transfer of personal data to foreign states;
10) A detailed description of the organisational, physical and information technology security measures for the protection of personal data specified in section 25 (2) of this Act;
11) The opinion of the ethics committee provided on the basis of section 16 (3) of this Act, if this exists.
GAIN PERMISSION FROM THE DATA SUBJECT

Section 10 – Permission for processing personal data

(1) Processing of personal data is permitted only with the consent of the data subject unless otherwise provided by law.

Section 12 – Consent of the data subject for processing of personal data

(1) The declaration of intention of a data subject whereby the person permits the processing of his or her personal data (hereinafter consent) is valid only if it is based on the free will of the data subject. The consent shall clearly determine the data for the processing of which permission is given, the purpose of the processing of the data and the persons to whom communication of the data is permitted, the conditions for communicating the data to third persons and the rights of the data subject concerning further processing of his or her personal data. Silence or inactivity shall not be deemed a declaration of intention. Consent may be partial and conditional.

(2) Consent shall be given in a format which can be reproduced in writing unless adherence to such formality is not possible due to a specific manner of data processing. If the consent is given together with another declaration of intention, the consent of the person must be clearly distinguishable.

(3) Before obtaining a data subject's consent for the processing of personal data, the processor of personal data shall notify the data subject of the name, address and other contact details of the processor of the personal data. If the personal data is to be processed by the chief processor and authorised processor, then the name of the chief processor and authorised processor or the representatives thereof and the address and other contact details of the chief processor or authorised processor shall be communicated and made available.

(4) For processing sensitive personal data, it must be explained to the person that the data to be used is sensitive personal data, and the data subject's consent shall be obtained in a format which can be reproduced in writing.

(5) A data subject has the right to prohibit, at all times, the processing of data concerning him or her for the purposes of research of consumer habits or direct marketing, and communication of data to third persons who intend to use such data for research of consumer habits or direct marketing.

(6) The consent of a data subject shall remain valid during the lifetime of the data subject and for thirty years after the death of the data subject unless the data subject has decided otherwise.

(7) Consent may be withdrawn by the data subject at any time. Withdrawal of consent has no retroactive effect.

(8) In the case of a dispute it shall be presumed that the data subject has not granted consent for the processing of his or her data. The processor of personal data has the obligation to provide proof of the consent of a data subject.
Section 14 – Processing of personal data without the consent of the data subject

(1) Processing of personal data is permitted without the consent of a data subject if the personal data is to be processed:
1. On the basis of law;
2. For performance of a task prescribed by an international agreement or directly applicable legislation of the Council of the European Union or the European Commission;
3. In individual cases for the protection of the life, health or freedom of the data subject if obtaining the consent of the data subject is impossible;
4. For performance of a contract entered into with the data subject or for ensuring the performance of such contract unless the data to be processed is sensitive personal data.

Section 15 – Notification of data subject of processing personal data

(1) If the source of personal data is any other than the data subject him or herself, then after obtaining or amending of the personal data or communicating the data to third persons, the processor of the personal data must promptly inform the data subject of the content and source of the personal data to be processed together with the information specified in Section 12 (3).

(2) A data subject need not be informed of the processing of his or her personal data:
1. If the data subject has granted consent for the processing of his or her personal data;
2. If the data subject is aware of the circumstances specified in subsection (1) of this section;
3. If the processing of the personal data is prescribed by law, an international agreement or directly applicable legislation of the Council of the European Union or the European Commission;
4. If informing the data subject is impossible;
5. In the cases provided for in Section 20 (1) of this Act.
What needs to be done prior to shipping?

Section 18 – Transmission of personal data to foreign countries

(1) Transmission of personal data from Estonia is permitted only to a country which has a sufficient level of data protection.

(2) Transmission of personal data is permitted to the Member States of the European Union and the States party to the agreement of the European Economic Area, and to countries whose level of data protection has been evaluated as sufficient by the European Commission. Transmission of personal data is not permitted to a country whose level of data protection has been evaluated as insufficient by the European Commission.

(3) Personal data may be transmitted to a foreign country which does not meet the conditions provided in subsection (1) of this section only with the permission of the Data Protection Inspectorate if:
1. The chief processor guarantees, for that specific event, the protection of the rights and inviolability of the private life of the data subject in such country;
2. A sufficient level of data protection is guaranteed in such country for that specific case of data transmission. In evaluating the level of data protection, the circumstances relating to the transmission of personal data shall be taken into account, including the composition of the data, the objectives and duration of processing, the country of destination and final destination of the data, and the law in force in that country.

(4) The Data Protection Inspectorate shall inform the European Commission of the grant of the permission on the basis of subsection (3) of this section.
What are the sanctions for non-compliance?

Section 23 – Right of data subject to demand compensation of damage

If the rights of a data subject have been violated upon processing of personal data, the data subject has the right to demand the compensation of the damage caused to him or her:
- On the basis and pursuant to the procedure provided by the State Liability Act if the rights were violated in the process of performance of a public duty, or
- On the basis and pursuant to the procedure provided by the Law of Obligations Act if the rights were violated in a private law relationship.

Section 42 – Violation of the obligation to register the processing of sensitive personal data and requirements for transmission of the personal data to foreign countries and of obligation to notify the data subject

(1) Violation of the obligation to register the processing of sensitive personal data, violation of the requirements regarding security measures to protect personal data or violation of other requirements for the processing of personal data is punishable by a fine of up to 300 fine units.

(2) The same act, if committed by a legal person, is punishable by a fine of up to 500,000 Kroons.

Please refer to the Estonian Data Protection Inspectorate website for more details on the Statute.