Data Protection

Data protection affects every company and authority that processes personal data of clients, employees, users or cooperation partners. The requirements arise mainly from the General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act.

Processing of personal data must have a clear legal basis and must be understandable to the individual. For a company, this means among other things a carefully prepared privacy policy, a cookie consent solution, data processing agreements, internal rules and a working procedure for responding to data subject requests.

Data protection issues often arise in connection with websites, online shops, customer databases, employee data, direct marketing, cameras, cloud services and external service providers. The risk is not limited to a possible fine. Data processing that does not comply with the requirements may lead to supervisory proceedings, contractual disputes, damages claims and reputational harm.

Law Firm Namm helps companies and authorities bring their data protection practices into compliance and also advises individuals whose rights have been breached in the processing of personal data. We work in Estonian, Russian and English.

How we help in data protection matters

  • Data protection advice on GDPR and the Personal Data Protection Act
  • Drafting and reviewing privacy policies
  • Advice on cookie information and consent solutions
  • Drafting and reviewing data processing agreements (DPAs)
  • Data protection audits and compliance assessments
  • Advice on processing employees' personal data
  • Advice on processing clients' and users' personal data
  • Advice on direct marketing, newsletters and consent
  • Advice on responding to personal data breaches and notification obligations
  • Advice on responding to data subject requests
  • Representation in proceedings before the Estonian Data Protection Inspectorate
  • Advice on international data transfers
  • Drafting internal data protection rules and procedures
  • Resolving disputes related to personal data

Frequently Asked Questions

Does my company need to follow data protection rules at all?

In general, yes. If your company processes any personal data, such as data of clients, employees or cooperation partners, data protection rules apply. This does not depend on the size of the company. The difference is rather in the extent of the obligations that apply to a particular company, depending on the amount and nature of the data processed.

Do I need a privacy policy and what should it contain?

If you collect people’s data, for example through a website, online shop or service, a privacy policy is necessary in practice. It must explain clearly what data is collected, on what legal basis and for what purpose, with whom it is shared, how long it is retained and what rights the individual has and how to exercise them. A generic or misleading privacy policy is unlikely to meet the requirements.

May I send advertising and newsletters to clients?

Direct marketing, such as advertising and newsletters, generally requires the person’s consent or another legal basis. Existing clients may be offered similar goods or services under certain conditions, but the person must always be given an easy way to unsubscribe. Failure to follow the rules may lead to complaints and supervisory proceedings.

A client asks for their data to be erased. Do I have to do this?

In certain cases, a person has the right to request erasure of their data, but this right is not unlimited. In some cases, a company has the right or even the obligation to retain data, for example because of accounting or other statutory retention requirements. Each request must be assessed separately and answered without undue delay, and in any event within the time limit set by the GDPR (as a rule one month, which may be extended in complex cases if the person is informed of the extension).

What should we do if a personal data breach occurs?

In the event of a personal data breach, it is necessary to assess quickly what data and how many people are affected and what the risk is to their rights. Unless the breach is unlikely to result in a risk to the affected people, the Estonian Data Protection Inspectorate must be notified without undue delay and, where feasible, within 72 hours of becoming aware of the breach; where the breach is likely to result in a high risk, the affected people must also be informed. All breaches, including those not notified, must be documented internally. In such a situation, it is important to act quickly and seek advice from an attorney where needed, because a correct response helps to reduce harm.

How serious can the consequences of a data protection breach be?

A breach of data protection requirements may lead to compliance notices and significant fines, as well as damages claims and reputational harm. The seriousness of the consequences depends on the nature and scale of the breach and on how the company has responded. Preventive compliance is usually considerably less costly than dealing with a breach later.

Do I need consent to use cookies on a website?

For many cookies, especially analytics and marketing cookies, the visitor’s consent is generally required before the cookie is set. Consent is not required for cookies that are strictly necessary to provide the service the visitor has requested, such as a session or shopping-cart cookie. It is important that the cookie solution gives the person a real and free choice, that refusing is as easy as accepting, that consent can be withdrawn later, and that consent is not treated as having been given automatically, for example merely because the visitor closed the banner or continued browsing.
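To make the point above concrete: a consent solution is only meaningful if non-essential tags are blocked by default and loaded solely on an explicit, recorded opt-in, with withdrawal just as simple. The following is an added example written for this page, not code from the original page or from Law Firm Namm; the category names, the record layout and the placeholder script URLs are assumptions for illustration.

```javascript
// Added example: a default-deny consent gate for non-essential cookies/scripts.
// Category names, record shape and the example URLs are assumptions, not a
// specific product's API.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Starting state: only strictly necessary processing is allowed and no consent
// record exists. Closing the banner or scrolling must never change this.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, record: null };
}

// Record an explicit choice. Only a value of exactly `true` counts as consent
// for a category; anything missing or ambiguous is treated as refused.
// The record keeps what was chosen and when, so it can be shown on request.
function recordChoice(state, choices, now = new Date()) {
  const next = { ...state };
  for (const c of CATEGORIES) {
    if (c === "necessary") continue;
    next[c] = choices[c] === true;
  }
  next.record = { given: { ...choices }, at: now.toISOString(), version: "v1" };
  return next;
}

// Withdrawal must be as easy as giving consent: one call resets everything
// non-essential and records that consent was withdrawn.
function withdraw(state, now = new Date()) {
  const next = defaultConsent();
  next.record = { withdrawn: true, at: now.toISOString() };
  return next;
}

// Decide whether a tag of the given category may be loaded. Unknown
// categories are blocked rather than silently allowed.
function mayLoad(state, category) {
  if (!CATEGORIES.includes(category)) return false;
  return state[category] === true;
}

// Tag registry (constructed sample): scripts are injected only when the gate
// says so. In a real page the surviving entries would be appended as <script>
// elements after the visitor's choice, never before.
const TAGS = [
  { category: "necessary", src: "/session.js" },
  { category: "analytics", src: "https://analytics.example/tag.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
];

function tagsToLoad(state) {
  return TAGS.filter((t) => mayLoad(state, t.category)).map((t) => t.src);
}
```

The design choice worth noting is that refusal is the absence of an affirmative `true`, never the other way round: a visitor who ignores the banner gets exactly the same tags as one who clicked "reject all", and the consent record is the evidence that any further loading was actually authorised.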

Do I need a data protection officer?

The appointment of a data protection officer (DPO) is mandatory only in certain cases, for example where the core activities of the company require extensive or systematic monitoring of data or the processing of special categories of personal data. This obligation does not apply to many smaller companies. We help assess whether such an obligation exists in a particular case.

What is a data processing agreement and when is it needed?

A data processing agreement (DPA) is an agreement entered into when one company processes personal data on behalf of another company, for example an IT, hosting, accounting or marketing service provider acting on the instructions of the company that decides why and how the data is used. The agreement sets out the subject matter and duration of the processing, what the processor may and may not do with the data, how the data must be protected, the use of sub-processors, and what happens to the data when the service ends. Under the GDPR, such an agreement is mandatory whenever a processor is used.

How long may personal data be retained?

As a general rule, personal data may be retained for as long as this is necessary for the purpose for which it was collected or for as long as the law requires retention. Retaining data indefinitely just in case is not permitted. It is sensible to set clear retention periods and to erase or anonymise the data after the period has expired.

Is it permitted to send data outside the European Economic Area?

Transfer of data outside the European Economic Area is possible, but additional conditions apply to ensure adequate protection of the data. The transfer may rely on an adequacy decision of the European Commission for the destination country, or, where there is none, on safeguards such as standard contractual clauses, which in practice also require an assessment of whether the destination country's law undermines those safeguards. Cloud and SaaS providers with servers or support staff outside the EEA are a common source of such transfers. Before using such services or partners, it is worth checking whether the transfer is properly arranged and documented.

The Estonian Data Protection Inspectorate has opened proceedings against us. What should we do?

We recommend taking the proceedings seriously and responding to requests on time and in a considered manner. It is important to understand exactly what is being examined and to present your positions and explanations correctly. We help communicate with the inspectorate during the proceedings, prepare responses and represent you throughout the proceedings.