Conditions for consent
As a general principle in the Estonian Personal Data Protection Act, the processing of personal data is allowed only based on the respective consent of the data subject, unless otherwise provided by law (cf. Article 10-1). In order to protect the interests of a data subject, a valid consent shall at least include the following issues (cf. Article 12, 1-8):
· which data are to be collected and processed
· the purpose of the processing of the data
· who has access to the data
· conditions for disclosure of data to third persons
· the rights of the data subject concerning further processing of personal data
· consent shall, if possible, be given in writing
· name, address and other contact details of the processor of the personal data explanation if the personal data to be processed is sensitive and if so, the data subject's consent shall be obtained in a format which can be reproduced in writing
· a consent shall remain valid until thirty years after the death of the data subject unless the data subject has decided otherwise
· consent may be withdrawn by the data subject at any time
After the death of a data subject, processing of his or her personal data is permitted only with the written consent of e.g. a successor, spouse or relative, if thirty years has not passed from the death of the data subject (cf. Article 13).
Nõmper, A. 2004. Personal Data Protection Regulation in Estonia and Directive 95/46/EC. In: D. Beyleveld, D. Townend, S. Rouille-Mirza and J. Wright, ed. 2004. Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Ashgate. pp. 73-85.
The Personal Data Protection Act, 2008 [online]. Available at: <http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXX041&keel.... [Accessed 5. June 2014].