According to the Estonian Personal Data Protection Act, personal data are defined as any data concerning an identified natural person or a natural person to be identified, regardless of the form or format in which such data exists (Article 4-1). Sensitive personal data are defined as (cf. Article 4-2):
1) data revealing political opinions or religious or philosophical beliefs, except data relating to being a member of a legal person in private law registered pursuant to the procedure provided by law;
2) data revealing ethnic or racial origin;
3) data on the state of health or disability;
4) data on genetic information;
5) biometric data (above all fingerprints, palm prints, eye iris images and genetic data);
6) information on sex life;
7) information on trade union membership;
8) information concerning commission of an offence or falling victim to an offence before a public court hearing, making of a decision in the matter of the offence or termination of the court proceeding in the matter.
Obligation to register processing of sensitive personal data
According to Article 27, the data controller is required to notify the Data Protection Inspectorate of the processing of sensitive personal data. A notification process consists of the following phases:
- A registration application shall be submitted to the Inspectorate by the data processor at least one month before commencing the data processing;
- The Inspectorate shall, within 20 working days of receipt of the application, decide upon the registration of the processing. The Inspectorate may conduct an inspection of the premises of the data processor;
- The Inspectorate shall refuse to register the processing of the data if:
  - there are no legal grounds for processing the data;
  - the conditions for processing fail to comply with the requirements set forth by law;
  - the organizational, physical and information technology measures implemented to protect the personal data fail to ensure compliance with the requirements set forth by law.
The registration application shall consist of the following (cf. Article 28-2):
1) Name and other contact details of the processor of the personal data, including the authorized processor;
2) Reference to the legal grounds of the processing of personal data;
3) Purposes of processing of personal data;
4) Categories of personal data;
5) Categories of persons whose data are processed;
6) Sources of personal data;
7) Persons or categories to whom transmission of personal data is permitted;
8) Place or places of processing of personal data;
9) Conditions for transfer of personal data to foreign states;
10) Detailed description of the organizational, physical and information technology security measures for the protection of personal data (specified in subsection 25-2);
11) The opinion of the ethics committee provided on the basis of subsection 16 (3) of the Act, if this exists.
Processing of sensitive personal data is registered for a period of five years. A processor of personal data is then required to submit a new application for registration not later than three months prior to the expiry of the term for registration (cf. Article 27-3).
Exemption from the registration obligation
A processor of personal data does not need to register the processing of sensitive personal data with the Data Protection Inspectorate if the processor has appointed a person responsible for the protection of personal data. The Data Protection Inspectorate shall be informed of such person's authority, name and contact details. The appointed person responsible for the protection of personal data shall be independent from the processor of personal data and shall monitor the processing of personal data in accordance with the legislation. The responsible person shall also keep a register of the data processing performed by the processor of personal data. The register shall contain the data specified above in the registration application (cf. Article 30 (1)-(3)).
Additionally, the Inspectorate maintains a register containing information on registration of the processing of sensitive personal data and appointment of persons responsible for the protection of personal data. The register is available for public use through the Inspectorate’s web page.
Estonian Data Protection Inspectorate
The Personal Data Protection Act
Nõmper, A. 2004. Personal Data Protection Regulation in Estonia and Directive 95/46/EC. In: D. Beyleveld, D. Townend, S. Rouille-Mirza and J. Wright, ed. 2004. Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Ashgate. pp. 73-85.
The Personal Data Protection Act, 2008 [online]. Available at: <http://www.legaltext.ee/et/andmebaas/tekst.asp?loc=text&dok=XXXX041&keel.... [Accessed 4. June 2014].