Estonia

LEG-01:

Legislation enacted specifically for data privacy?
– Personal Data Protection Act 2007.

LEG-02:

Other legislation enacted that has sections that have some effect on data privacy?
– Electronic Communications Act 2004.
– Information Society Services Act 2004.
– Consumer Protection Act 2004.

LEG-03:

The country is a member of an organisation that implements guidelines for data privacy.
– OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
– EU Data Protection Directive 1995/46/EC (DPD).
– EU Privacy and Electronic Communications Directive 2002/58/EC (EUPEC).
– EU Regulation 45/2001/EC (CIB).
Notes: “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data” is the full title of DPD.
“Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data” is the full title of CIB.

LEG-04:

Local government has any Bills going through the legislative process.

LEG-05:

Regulations, standards or guidelines that are implemented and followed that have relation to data privacy.
– Convention on Cyber-crime 2001.
Notes: Signed but not implemented.

LEG-06:

Has other state laws related to privacy.

PRI-01:

There is a requirement to establish a privacy authority to oversee privacy issues.
– Personal Data Protection Act 2007 Section 32.
– Consumer Protection Act 2004 Section 17 (1).
Notes: Data Protection Inspectorate (Personal Data Protection Act).
Consumer Protection Board (Consumer Protection Act).
Technical Surveillance Authority – Electronic Communication Division (with Ministry of Economic Affairs).

PRI-02:

There is a requirement to establish a privacy commissioner.

PRI-03:

The functions of the authority clearly set out.
– Personal Data Protection Act 2007 Section 33 (1), (2).
– Consumer Protection Act 2004 Section 17 (2).
– CIB Article 46.

PRI-04:

There is a requirement that each company establish its own privacy officer to ensure the company complies with policy.

PRI-05:

Contact details of the privacy officer are made available.

PRI-06:

Each company to have an internal privacy policy proposed and displayed.

PRI-07:

An internal audit process is outlined for each company.

PCP-01:

“Personal Information” is defined, with examples and a clear outline.
– Personal Data Protection Act 2007 Section 4 (1).
Notes: Personal data.

PCP-02:

“Sensitive Information” is defined, with examples and a clear outline.
– Personal Data Protection Act 2007 Section 4 (2).
Notes: Personal data.

PCP-03:

Other types of information are defined that are viewed differently from personal or sensitive information.

PCP-04:

Consent is required from the individual involved.
– Personal Data Protection Act 2007 Section 10 (1), Section 12.
– CIB Article 5 (d).

PCP-05:

Type of consent required is either explicit or implicit.

PCP-06:

Consent needs to be written or verbal.
– Personal Data Protection Act 2007 Section 12 (2).

PCP-07:

Level of consent differs for different age groups.

PCP-08:

Consent may be withdrawn at any time.
– Personal Data Protection Act 2007 Section 12 (7).

PCP-09:

The purpose is explained to the individual which must be a lawful purpose.
– Personal Data Protection Act 2007 Section 6, 7.
Notes: States the “Principles of processing personal data”.

PRO-01:

Individual has the ability to access their data by request.
– Personal Data Protection Act 2007 Section 6 7), 19.
– CIB Article 13.
Notes: Section 19 (4) clarifies rights to data after the data subject's death.

PRO-02:

Individual has the ability to update or amend their data for accuracy.
– Personal Data Protection Act 2007 Section 21 (1).
– CIB Article 14.

PRO-03:

Data can be sent to a third party for processing.
– Personal Data Protection Act 2007 Section 7 (3), 14 (2).
– CIB Article 9 1, 6.

PRO-04:

Data is only used for the purposes outlined at the pre-collection stage.
– Personal Data Protection Act 2007 Section 6 2).
– CIB Article 6 1.

PRO-05:

Encryption is used for processing of data to ensure anonymity.
– Personal Data Protection Act 2007 Section 25 (1).
Notes: Although encryption is not specified, encryption may be used if it is seen as a useful precaution.

PRO-06:

Unique identifiers can be used.
– Personal Data Protection Act 2007 Section 16 (1), (2).
Notes: For use in scientific research or official statistics.

PRO-07:

Information may not be disclosed, sold or interfered with.
– Personal Data Protection Act 2007 Section 25 (2).
– CIB Article 22 2.

PRO-08:

Offences are set out to deal with disclosure or other interference with data during the processing stage.
– Personal Data Protection Act 2007 Section 42, 43.

PRO-09:

A complaints process is set up to deal with any breach of privacy.
– Personal Data Protection Act 2007 Section 22, 38.
Notes: Section 22 allows for recourse through the courts.

STO-01:

All data is stored with at least a “reasonable” level of security.
– Personal Data Protection Act 2007 Section 25 (2), (3).
– CIB Article 22 1.

STO-02:

Encryption techniques used to store data.
– Personal Data Protection Act 2007 Section 25 (2).
– CIB Article 4 1 (e).
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

STO-03:

Data can be transferred to third-parties to use.
– Personal Data Protection Act 2007 Section 11 (6).
– CIB Articles 7 – 9.

STO-04:

Data can be stored offshore in a different country.
– Personal Data Protection Act 2007 Section 18.
– CIB Article 22 1.

STO-05:

Data can be stored off site but in the same country.
– Personal Data Protection Act 2007 Section 25 (2).
– CIB Article 22 1.
Notes: Although storage is not specified, storage may be off site if it is seen as a useful precaution.

STO-06:

Information is only kept by the collection agency for the least amount of time needed for the outlined purpose to be fulfilled.
– Personal Data Protection Act 2007 Section 6 3), 24.
– CIB Article 4 1 (e).

STO-07:

Policies are in place for destroying data once consent is withdrawn or the data is no longer needed.
– Personal Data Protection Act 2007 Section 21.

STO-08:

Offences are set out to deal with disclosure or other interference with data while it is stored.
– Personal Data Protection Act 2007 Section 42, 43.

STO-09:

Notification has to be given to individuals in case of a data breach.

STO-10:

Policy in place in case data collection agency ceases to operate.

STO-11:

Policy in place in case data collection agency is sold.

SPM-01:

A clear unsubscribe feature is available.
Notes: Applies opt-out, meaning the recipient does not need to give consent to receive them.

SPM-02:

Commercial electronic messages contain clear and accurate contact information about the sender.
– Information Society Service Act 2004 Section 5 (2) 2).

SPM-03:

Subject line to be clear and not misleading.
– Information Society Service Act 2004 Section 5 (2) 1), 3).

SPM-04:

Addresses are obtained legally, not using means such as address harvesting tools and other software to obtain them.

SPM-05:

A form of a “Do Not Call” register is in place.

SPM-06:

Unsolicited commercial electronic messages are prohibited within the country.

SPM-07:

Unsolicited commercial electronic messages are prohibited to other countries.

INT-01:

A data collection agency is required to notify the individual if it has been requested to hand over personal information.

INT-02:

A data collection agency can refuse to turn over personal information.

INT-03:

A warrant is needed to have the ability to intercept personal data.
– Electronic Communications Act 2004 Section 113.

INT-04:

Network operators and service providers have network design guidelines to follow to allow for interception execution.
– Electronic Communications Act 2004 Section 64 (1).

INT-05:

External countries have the ability to intercept data with permission from the host country.
– Electronic Communications Act 2004 Section 143.