The Importance of a Data Protection Officer in Estonia
Since the introduction of the European Union’s General Data Protection Regulation (GDPR), the need to have a separate Data Protection Officer in Estonia and elsewhere in the EU became evident. As per the GDPR, every business which markets good or services to customers within the European Union and collects data in the process must appoint a Data Protection Officer (DPO) who oversees protecting that data and its compliance.
The GDPR (Isikuandmete kaitse seadus) was introduced to the Estonian law on the 15th of January 2019, which made all Estonian companies obligated to comply with it. Furthermore, the Data Protection Officer in Estonia and his/her work related to it is supervised by the local Data Protection Inspectorate (Andmekaitse Inspektsioon – AKI).
The Estonian Data Protection Inspectorate operates independently in the area of government of the Ministry of Justice and supervises to ensure that people’s private information is adequately protected by businesses and information regarding the activities of local governmental agencies is sufficiently available to the public.
The right to protect personal data and the right to public information are constitutional rights in Estonia. This means that everyone has the right, per the Estonian constitution, to ask what data has been collected about them. The Data Protection Inspectorate also exercises control over the Electronic Communications Act (Elektroonilise side seadus) regarding the rules which concern direct marketing by electronic means of communication like e-mail and SMS.
As these there are quite many legal aspects that a Data Protection Officer in Estonia must consider daily, the need of having a real professional is very clear.
The Role of a Data Protection Officer
A DPO takes care of a very important area of compliance and ensures that your business is aligned with the local legislation as the GDPR and others we briefly covered above. One important aspect to know is that a DPO is not personally responsible for the GDPR compliance. Instead, it is the controller or the processor who must be able to prove legal compliance.
In most cases, a Data Protection Officer is also an IT professional or a legal expert as the position needs to be fulfilled by someone who is good with tech systems and/or familiar with the regulatory environment. Smaller businesses often can handle data protection compliance with just one person, while bigger companies need entire teams.
Tasks of a Data Protection Officer in Estonia
- Informing and advising the controller or the processor and the employees processing any personal data regarding their obligations related to the GDPR and other EU and Estonian data protection laws.
- Monitoring compliance with the data protection regulation, other EU or local data protection rules, and the data protection principles used by the controller or processor. This also includes the allocation of responsibilities, raising awareness and training staff who are involved in processing of personal data or related audits.
- Advising on and monitoring the functioning of the data protection impact assessment.
- Act as a point of contact for the Estonian supervisory authority and data subjects in matters related to the processing of personal data and notifying them about any data breaches, the risks, and the impact of those breaches.
- Notify customers and the supervisory authority about any data breaches, the impact of those data breaches, and the planned actions to lower risk levels.
Furthermore, many DPOs use different types of software which can help to monitor all data processing activities, data deletion timelines, and fulfillment of data subject rights, etc., which can make many work processes more streamlined and connected.
RCA's DPO & GDPR Service
Finding a Data Protection Officer as an employee that fits and understands your company can be a challenging task. This is especially as you really want to make sure that the position is taken by a person that can keep your company’s data protection compliance in check and risks low.
As a DPO in Estonia is not required to be an employee of the company but also an external legal entity and operating under a service contract, outsourcing might be also a very good idea.
We at RCA offer a GPDR & DPO service where one of our employees will take care of your Estonian company’s data protection. In addition, it is possible to have your GDPR risk analysis, impact assessment, internal policies and privacy policies prepared, get your GDPR system audited and get special advisory and consultations on GDPR.
If this sounds like something that your company needs and you want it to be taken care of by professionals, please feel free to reach out to us!