The General Data Protection Regulation (GDPR) will apply from May 25 and covers all persons who process data about natural persons. Gertrud Sein, legal assistant at the NJORD Law Office, writes about the obligations and main changes that come with it.


Personal data protection is an area that affects every entrepreneur and institution, regardless of the field of activity. Personal data is processed whenever an operation is performed with data about a person, i.e. a data subject. This data can be located in different databases, on hard disks, desktops and flash drives, in chat programs, phone applications and e-mails, in folders on a shelf, etc. The processing of personal data is not only the collection of personal data, but also, for example, its recording, storage, transmission, disclosure, destruction or reading. It is generally difficult to answer the questions of how much data there is in total and to whom it is available.

The General Data Protection Regulation (GDPR), approved by the European Parliament, entered into force on May 24, 2016 and will be applied after a two-year transition period, i.e. from May 25, 2018. The regulation replaces the previously valid Data Protection Directive and is also directly applicable, which means that the regulation will replace, among other things, the previously valid Estonian Personal Data Protection Act.

The General Regulation applies to all persons who process data about natural persons. The purpose of this legislation is to ensure better protection of personal data by giving the person greater control over their data and to stop unjustified processing and storage of personal data. Therefore, if a company has a customer database, feedback or recommendation form, e-mail addresses, photos, security camera recordings, customer loyalty program data, resumes and other such data, the regulation is applicable to the company in any case. Therefore, all European Union companies and other organizations must be attentive and follow certain rules. After the regulation enters into force, data about natural persons must be protected in every company. The Data Protection Inspectorate (AKI) supervises compliance with the rules arising from the General Regulation.

The new General Data Protection Regulation includes new obligations for all companies that process data. In particular, the processor of personal data must ensure that the processing of personal data is lawful. Processing is lawful if at least one of the following conditions is met:

  • the data subject has given his consent to process his personal data;
  • the processing of personal data is necessary to fulfill the contract concluded with the participation of the data subject or to take measures prior to the conclusion of the contract;
  • the processing of personal data is necessary for the controller to fulfill a legal obligation;
  • the processing of personal data is necessary to protect the vital interests of the data subject or another natural person;
  • the processing of personal data is necessary to perform a task in the public interest or to exercise the public authority of the controller;
  • processing of personal data is necessary in case of legitimate interest of the data controller or a third party.

In order to understand to what extent the company holds data on natural persons, a primary inventory of IT systems and databases should be organized. The processing of customer data includes not only active operations with customer data, such as correcting or changing it, but also the storage of customer data (in paper documents, on servers and in the cloud) and the viewing of this data. All of these operations, and all kinds of other operations, must meet the requirements of the regulation.

The process could be facilitated if the company prepares relevant manuals for employees. The manual could state which applications and programs could be used when handling the employee’s data. The manual could also include instructions on how the employee must protect data known to the company even in normal situations.

What are the main changes?

When the new personal data protection regulation comes into effect, several important changes will also come into force compared to the previously valid laws.

  • The right to be forgotten

A person can demand the deletion of data if there is no longer a justification for processing the data or the data is no longer relevant. This means that companies must delete data at the request of a person.

  • Data portability

The person must be able to access their personal data, and it must be provided to them. A person has the right to move his data between different data processors. Data transmission must be done in a structured manner