Estonia’s Personal Data Protection Act (the PDPA) was adopted on 12 December 2018. The PDPA contains some derogations from the General Data Protection Regulation (the GDPR) but is mainly intended to implement the so called Law Enforcement Directive (EU) 2016/680. Since the entry into force of both the GDPR and the PDPA, companies in Estonia have been working towards achieving compliance with data protection principles. Local companies are beginning to understand slowly but surely the importance of minimising unlawful processing and of complying with obligations stipulated in privacy laws.

This article focuses on the derogations Estonia has adopted, the issues addressed in procedural practices of the supervisory authority — the Data Protection Inspectorate (the DPI) — and options for implementing the administrative fines to strengthen the enforcement of the rules of the GDPR.