Preservation for purpose of scientific research or official statistics
According to the Personal Data Protection Act, collected personal data may be processed for the purposes of scientific research regardless of the purpose for which the personal data was initially collected. Personal data collected for scientific research or official statistics may be stored in a coded form for the purposes of using it later for scientific research or official statistics (cf. Article 16-4).
The processing (including storing) of sensitive personal data is registered for a period of five years. A processor of personal data is then required to submit a new application for registration not later than three months prior to the expiry of the term for registration (cf. Article 27-3).
Principles of processing personal data
Upon processing of personal data, a processor of personal data is required to adhere to the following principles (cf. Article 6):
- The principle of legality - personal data shall be collected only in an honest and legal manner;
- The principle of purposefulness - personal data shall be collected only for the achievement of determined and lawful objectives, and they shall not be processed in a manner not conforming to the objectives of data processing;
- The principle of minimalism - personal data shall be collected only to the extent necessary for the achievement of determined purposes;
- The principle of restricted use - personal data shall be used for other purposes only with the consent of the data subject or with the permission of the competent authority;
- The principle of high quality of data - personal data shall be up-to-date, complete and necessary for the achievement of the purpose of data processing;
- The principle of security - security measures shall be applied in order to protect personal data from involuntary or unauthorised processing, disclosure or destruction;
- The principle of individual participation - the data subject shall be notified of data collected concerning him or her, the data subject shall be granted access to the data concerning him or her and the data subject has the right to demand the correction of inaccurate or misleading data.
Security measures for protection of personal data
A processor of personal data is required to take organisational, physical and information technology security measures to protect personal data against the following (cf. Article 25 (1)):
- accidental or intentional alteration of the data (as regards the integrity of the data);
- accidental or intentional destruction of the data, and prevention of access to the data by entitled persons (as regards the availability of the data); and
- unauthorised processing (as regards the confidentiality of the data).
Upon processing of personal data, the processor of personal data is required to (cf. Article 25 (2)):
- prevent access of unauthorised persons to equipment used for processing personal data;
- prevent unauthorised reading, copying and alteration of data within the data processing system, and unauthorised transfer of data carriers;
- prevent unauthorised recording, alteration and deleting of personal data and to ensure that it be subsequently possible to determine when, by whom and which personal data were recorded, altered or deleted or when, by whom and which data were accessed in the data processing system;
- ensure that every user of a data processing system only has access to personal data permitted to be processed by him or her, and to the data processing to which the person is authorised;
- ensure the existence of information concerning the transmission of data: where, to whom and which personal data were transmitted and ensure the preservation of such data in an unaltered state;
- ensure that unauthorised reading, copying, alteration or erasure is not carried out in the course of transmission of personal data via data communication equipment, and upon transportation of data carriers;
- organise the work of enterprises, agencies and organisations in a manner that allows compliance with data protection requirements.
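The Article 25 (2) obligations are, in engineering terms, field-level authorisation plus an audit trail that answers "when, by whom, which data" for every recording, reading, alteration, deletion and transmission (and "to whom" for transmissions), kept so that it cannot be quietly altered afterwards. The following is an added example written for this page, not code from the Act or from any official implementation: a toy personal-data store in which each user is granted specific actions on specific fields, every operation (including denied attempts) is appended to an audit log, and the log entries are hash-chained so that later alteration or removal of an entry is detectable. All user names, subject identifiers and data values are constructed for illustration.

```python
"""Minimal personal-data store with per-user, per-field authorisation and a
tamper-evident audit trail. Added illustration of the Article 25 (2) controls;
users, subject ids and data below are constructed, not taken from the Act."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set, Tuple

GENESIS = "0" * 64  # prev_hash of the first audit event


@dataclass(frozen=True)
class AuditEvent:
    when: str                # ISO-8601 UTC timestamp: *when*
    who: str                 # acting user: *by whom*
    action: str              # record / read / alter / delete / transmit / denied-<action>
    subject_id: str          # whose personal data: *which data*
    fields: Tuple[str, ...]  # which fields were touched
    recipient: str           # for "transmit": *to whom*
    prev_hash: str           # digest of the previous event (hash chain)
    digest: str              # SHA-256 over all fields above


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, str]] = {}
        # user -> action -> set of fields the user may process with that action
        self._permissions: Dict[str, Dict[str, Set[str]]] = {}
        self._audit: List[AuditEvent] = []

    # --- authorisation: a user reaches only the data he or she may process ---
    def grant(self, user: str, action: str, fields: Iterable[str]) -> None:
        self._permissions.setdefault(user, {}).setdefault(action, set()).update(fields)

    def _authorise(self, user: str, action: str, subject_id: str, fields: Iterable[str]) -> None:
        allowed = self._permissions.get(user, {}).get(action, set())
        denied = set(fields) - allowed
        if denied:
            self._log(user, "denied-" + action, subject_id, denied)  # refusals are evidence too
            raise PermissionError(f"{user} may not {action} {sorted(denied)}")

    # --- audit trail: when, by whom, which data, and (for transmission) to whom ---
    def _log(self, who: str, action: str, subject_id: str, fields: Iterable[str], recipient: str = "") -> None:
        body = {
            "when": datetime.now(timezone.utc).isoformat(),
            "who": who, "action": action, "subject_id": subject_id,
            "fields": tuple(sorted(fields)), "recipient": recipient,
            "prev_hash": self._audit[-1].digest if self._audit else GENESIS,
        }
        self._audit.append(AuditEvent(**body, digest=_digest(body)))

    def audit_trail(self) -> Tuple[AuditEvent, ...]:
        return tuple(self._audit)  # a copy: callers cannot edit the log through it

    def verify_audit(self) -> bool:
        """Recompute the hash chain; False if any event was altered or removed."""
        prev = GENESIS
        for ev in self._audit:
            body = asdict(ev)
            body.pop("digest")
            if ev.prev_hash != prev or _digest(body) != ev.digest:
                return False
            prev = ev.digest
        return True

    # --- the operations the Act requires to be controlled and accounted for ---
    def record(self, user: str, subject_id: str, data: Dict[str, str]) -> None:
        self._authorise(user, "record", subject_id, data)
        self._records.setdefault(subject_id, {}).update(data)
        self._log(user, "record", subject_id, data)

    def read(self, user: str, subject_id: str, fields: Iterable[str]) -> Dict[str, str]:
        fields = list(fields)
        self._authorise(user, "read", subject_id, fields)
        self._log(user, "read", subject_id, fields)
        return {f: self._records[subject_id][f] for f in fields}

    def alter(self, user: str, subject_id: str, changes: Dict[str, str]) -> None:
        self._authorise(user, "alter", subject_id, changes)
        self._records[subject_id].update(changes)
        self._log(user, "alter", subject_id, changes)

    def delete(self, user: str, subject_id: str) -> None:
        fields = list(self._records[subject_id])
        self._authorise(user, "delete", subject_id, fields)
        del self._records[subject_id]
        self._log(user, "delete", subject_id, fields)

    def transmit(self, user: str, subject_id: str, fields: Iterable[str], recipient: str) -> Dict[str, str]:
        fields = list(fields)
        self._authorise(user, "transmit", subject_id, fields)
        self._log(user, "transmit", subject_id, fields, recipient)
        return {f: self._records[subject_id][f] for f in fields}


def demo() -> PersonalDataStore:
    """Constructed scenario: a clerk, a doctor and a registrar with distinct rights."""
    store = PersonalDataStore()
    store.grant("clerk", "record", {"name", "address", "diagnosis"})
    store.grant("clerk", "read", {"name", "address"})
    store.grant("doctor", "read", {"name", "diagnosis"})
    store.grant("doctor", "alter", {"diagnosis"})
    store.grant("registrar", "transmit", {"name", "address"})
    store.record("clerk", "S-1", {"name": "A. Example", "address": "1 Test St", "diagnosis": "constructed"})
    store.read("doctor", "S-1", ["name", "diagnosis"])
    store.alter("doctor", "S-1", {"diagnosis": "updated"})
    store.transmit("registrar", "S-1", ["name", "address"], recipient="statistics-office")
    try:
        store.read("clerk", "S-1", ["diagnosis"])  # outside the clerk's authorisation
    except PermissionError:
        pass
    return store
```

Running `demo()` yields a trail of five events (record, read, alter, transmit, denied-read), each answering the Act's who/when/which questions, and `verify_audit()` returns False as soon as any event in the chain is modified or dropped. In a real deployment the log would be written to append-only storage outside the control of the application's own database account, and the equipment and software inventory required by the next paragraph would be kept alongside it.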
A processor of personal data is required to keep account of the equipment and software used for processing of personal data, and to record the following data (cf. Article 25 (2)):
- the name, type and location of the equipment, and the name of its producer;
- the name and version of the software, and the name and contact details of its producer.
The Personal Data Protection Act, 2008 [online]. Available at: <http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXX041&keel.... [Accessed 5 June 2014].