GDPR compliance for Estonian IT companies. Follow-up

Recently Legal IT Group in cooperation with Estonian startup CyberWise conducted a webinar about GDPR compliance for Estonian IT companies.

At this webinar, we discussed the scope of GDPR compliance, the specific regulation for Estonian companies and hacks for GDPR implementation.

Scope of GDPR compliance

The scope of privacy and security measures required for the company to be GDPR complaint depends on different variables: what kind of personal data are collected, the scope of data, companies’ activities and data sharing. It’s important to note that for some companies GDPR requires appointing a Data protection officer (DPO) and conduct Data Protection Impact Assessment (DPIA).

Despite it has been almost 2 years since GDPR came into force, some companies fail to apply proper privacy and security measures. In the EU perspective, among main problems are the insufficient technical and organizational measures to ensure information security, insufficient legal basis for data processing, non-compliance with general data processing principles. Being non-complaint may result in getting fines, including ones in a significant amount. The highest fines were imposed in the UK, Germany, France, Italy, Austria, and Sweden.


Specific GDPR regulation for Estonian IT companies


Estonia is part of the EU which means, GDPR is a must for all Estonian companies. As in other EU countries correctly defining the legal basis of the processing is one of the main GDPR compliance issues in Estonia. The other common problems include the processing of employees’ personal data, including video surveillance at the workplace and canceling access for former employees to companies. Also, transparency is one of the weak points in GDPR compliance.

estonian gdpr

To provide better regulation, Estonia adopted Personal Data Protection Act that elaborates and supplements the GDPR and regulates certain matters regarding privacy and security on the national level. This legal act came into force on January 15, 2019.

This act defines the independent supervisory authority Estonian Data Protection Inspectorate (DPI) that plays an important role in privacy and security implementation.

In addition to the tasks provided in Article 57 of the GDPR as supervisory authority Estonian DPI also raises awareness and understanding of the public, informs the data subjects, controllers and processors about personal data processing, create guidelines, provide information to the data subject.

The latest available statistics show that 46 precepts and 9 fines were imposed on companies violating GDPR. Analyzing statistics and work of DPI we can conclude that DPI’s role is much broader than just punishing those who fail to comply and, also, include measures such as warning in case of violations and providing an opportunity for companies to fix privacy and security issues.

The other regulation specified for Estonia is the processing of children’s personal data for the provision of information society services. According to the Personal Data Protection Act, this processing is permitted for children at least 13 years old. This regulation is related to the fact that Estonia is a digitalized country, most governmental and private services are available online, and it’s important to have the opportunity to have access to information society services.

gdpr, europe

Also, to avoid uncertainty, the Estonian DPI issued guidelines regarding “large scale processing”. DPI answered the question of how big is “big data” by defining it in numbers.

  • special categories of personal data or personal data relating to criminal offenses of 5000+ people;
  • personal data of high risk of 10 000+ people; 
  • other personal data of 50 000+ people. 

This means if the company proses data in the scope bigger than defined above, this processing falls into category “large scale processing” and relevant measures must be applied.


Tips and Tricks


To help companies comply with GDPR we would like to provide a certain recommendation

  1. Map your data. The most efficient way to start (and continue) with GDPR is to know that personal data you own. Keep in mind, personal data is not only about customers’ data, but also employees.
  2. Define whether you need to appoint DPO. Even if it’s not required by the GDPR to have DPO, make sure that you have a person responsible for privacy and security measures.
  3. Be specific in internal documents who has access to data, what is the legal basis of processing, how long data will be stored etc.
  4. Be transparent in external documents. Inform your customers about your policy. Most likely you will need a privacy policy and cookie policy to make this information publicly accessible.
  5. Be consistent and use a comprehensive Make sure that your external and internal documents match. Also, don’t forget to train employees so they are aware of company policy regarding privacy and security.
  6. Collect only data relevant to your service. Make sure you follow the data minimization principle and collect the only necessary information.
  7. Update privacy and security measures. Outdated security measures do not provide the required level of security, so it’s important to apply relevant measures.

Use the help of professionals. GDPR compliance may be a long and complicated process and professionals will help you to guide thought it.


this article was provided by our good partner – Cyberwise

Olga Vovk

Chief Legal Officer (aka Privacy Wizard) at Cyberwise

    Your question to IT lawyers