Data Advocacy for Estonia

As a member of the European Union, Estonia has implemented the EU Data Protection Directive 95/46/EC with the Personal Data Protection Act in force from 1 January 2008 (‘Act’).

Certain topics relating to the protection of personal data and privacy are regulated under the Electronic Communications Act and the Information Society Services Act, which implement Directive 2002/58 on Privacy and Electronic Communications (as amended by Directive 2009/136/EC).

Data retention requirements are established under the Electronic Communications Act, based on Directive 2006/24/EC. Even though this Directive has been declared invalid by the CJEU, no relevant changes have been made to the Electronic Communications Act as a result.

The Estonian Data Protection Inspectorate has published several guidelines on its website; however, such guidelines are non-binding.

19 Väike Ameerika St., 10129 Tallinn


Telephone (+372) 627 4135

Email [email protected]

The Act does not stipulate a requirement to appoint a data protection officer. A Data Protection Officer may be appointed as an alternative to the registration of sensitive data processing (see previous section). The Data Protection Inspectorate must be immediately informed of the appointment of such a person and of the termination of that person’s authority. Upon appointment of a person responsible for the protection of personal data, the Data Protection Inspectorate must be informed of the person’s name and contact details.

There is no general obligation to notify data breaches.

Where the data processor is processing sensitive personal data and has appointed a person responsible for the protection of personal data (Data Protection Officer), this person has to inform the processor of personal data of a violation or breach discovered. If the processor of personal data does not take measures to terminate the violation, the person responsible for the protection of personal data is obliged to inform the Data Protection Inspectorate of the discovered violation.

Opt-in regime: no direct marketing electronic mail can be legally sent without the express consent of the receiver, unless a pre-existing business or commercial relationship exists. (Consent is, however, not mandated for marketing to legal persons.)


Also, a specific opt-out must be offered with each message. Disguised sender identities are prohibited, and a valid return address must be provided.


The term “Opt-Out Rule” means that the sending of e-marketing to the recipient is permitted on an opt-out basis if:

  • the recipient’s details were originally collected “in the context of a sale”.
  • the entity sending the marketing is the same legal entity that collected the recipient’s details initially.
  • the marketing relates to “similar” products and/or services for which the recipient’s details were originally obtained.
  • the recipient is given the opportunity free of charge to object to the e-marketing, both at the time their details were collected and in each subsequent communication.

Applicable Legislation:

Electronic Communications Act (‘ECA’)


First party e-marketing

(entity that collects the data will send the e-marketing itself)

B2C: Opt-in. Opt-out permitted where Opt-Out Rule applies.

B2B: Opt-out

Third party e-marketing

(entity that collects the data will share with third party partner for e-marketing)

B2C: Opt-in

B2B: Opt-in