Exemption from consent
The former legislation in Estonia (Personal Data Protection Act, 2003) precluded any use of personal identifiable sensitive data without explicit written consent from the data subjects. In this manner, it prohibited all registry-based epidemiological research where record-linkage were based on personal identification number and/or names, since obtaining informed consent were logistically impossible (Veidebaum, 2005). This former Act made thus no use of the EC 94/95 Directive’s opportunity to exempt the processing of personal data for scientific purposes from some of the data protection requirements set forth in the Directive (Nõmper 2004).
However, the new Personal Data Protection Act (2008) mentions scientific research and official statistics explicitly, and has included certain exemptions from consent for the processing of personal data for these purposes. It is allowed to process personal data without the consent of the data subject for the needs of scientific research with the restriction that data allowing a person to be identified are substituted by a code (cf. Article 16-1). Further, personal identifiable data may be processed for research purposes without consent if the aims of the processing would otherwise not be achievable, there exist a predominant public interest for such processing and the volume of the obligations of the data subject is not changed on the basis of the processed personal data and the rights of the data subject are not excessively damaged in any other manner (cf. Article 16-2).
In addition there must be taken sufficient organisational, physical and information technology measures for the protection of the personal data, the processing of sensitive personal data must have been registered and the Data Protection Inspectorate must have verified compliance with the requirements and have heard the opinion of an ethics committee, if this has been founded based on law in the corresponding area (cf. Article 16-3).
Nõmper, A. 2004. Personal Data Protection Regulation in Estonia and Directive 95/46/EC. In: D. Beyleveld, D. Townend, S. Rouille-Mirza and J. Wright, ed. 2004. Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Ashgate. pp. 73-85.
The Personal Data Protection Act, 2008 [online]. Available at: <http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXX041&keel.... [Accessed 5. June 2014].
Veidebaum, T. 2005. Research Ethics in Estonia. In: D. Beyleveld, D. Townend and J. Wright, ed. 2005. Research Ethics Committees, Data Protection and Medical Research in European Countries. Ashgate. pp. 41-43.