Skip to content
World Watch/Estonia/Data & Privacy

Data & Privacy Ā· Estonia

Data protection & GDPR compliance in Estonia (2026)

Comprehensive lawGDPR (EU 2016/679) directly applicable since 25 May 2018; supplemented by Estonia's Personal Data Protection Act (Isikuandmete kaitse seadus, in force 15 January 2019) and the Personal Data Protection Act Implementation Act (PDPAIA). National supervisory authority: Andmekaitse Inspektsioon (AKI) / Data Protection Inspectorate.Country index 96 Ā· A+

Estonia shaded by its data & privacy status

Data protection in Estonia: comprehensive law, under GDPR (EU 2016/679) directly applicable since 25 May 2018; supplemented by Estonia's Personal Data Protection Act (Isikuandmete kaitse seadus, in force 15 January 2019) and the Personal Data Protection Act Implementation Act (PDPAIA). National supervisory authority: Andmekaitse Inspektsioon (AKI) / Data Protection Inspectorate..

Estonia's data-protection regime is anchored in the directly applicable GDPR, supplemented by the national Personal Data Protection Act (PDPA) adopted 12 December 2018 and in force from 15 January 2019, which implements the Law Enforcement Directive (EU 2016/680) and introduces permitted national derogations. The Andmekaitse Inspektsioon (AKI) serves as the independent supervisory authority under GDPR Article 51, holding a dual mandate over data protection and freedom of information. Enforcement was historically constrained by Estonia's misdemeanor procedural law, though AKI issued its largest-ever fine of €3 million in September 2025 against the Apotheka pharmacy loyalty-programme operator.

GDPR & data protection in Estonia

In Estonia, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Data Protection Inspectorate (AKI).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Data Protection Inspectorate (AKI)
Applies to
any organisation processing the personal data of people in Estonia, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Estonia supplements it with a national data-protection act and its own supervisory authority.

GDPR in Estonia: FAQ

Does the GDPR apply in Estonia?

Yes. As an EU/EEA member, Estonia applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Data Protection Inspectorate (AKI).

Who enforces data protection law in Estonia?

The Data Protection Inspectorate (AKI).

What are the GDPR fines in Estonia?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Estonia?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Estonia?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Primary Legal Basis

The GDPR has applied directly in Estonia since 25 May 2018. The national PDPA (2019) operates only where the GDPR does not directly govern a matter or explicitly permits Member State derogations; it does not duplicate but supplements the Regulation.

National Derogations & Special Provisions

The PDPA primarily transposes the Law Enforcement Directive (EU 2016/680) for police and criminal-justice processing, and specifies additional lawful grounds for journalistic, scientific, historical-research, archiving-in-public-interest, and creditworthiness-assessment purposes.

Supervisory Authority: AKI

The Andmekaitse Inspektsioon (AKI) is Estonia's GDPR Article 51 supervisory authority and also the freedom-of-information regulator. AKI received 4,162 inquiries in 2024 according to its annual report published March 2026, and participates in the European Data Protection Board.

Sanctions & Enforcement

AKI may impose administrative fines up to €20 million or 4% of global annual turnover (whichever is higher). Estonia's misdemeanor procedural framework historically produced very low fine levels, but in September 2025 AKI issued a record €3 million fine against Allium UPI OÜ (Apotheka pharmacy) after a 2024 breach exposed data of over 750,000 individuals.

Data Subject Rights

Estonian residents hold the full GDPR suite of rights, access, rectification, erasure, portability, objection, and restriction of processing, and may lodge complaints with AKI. Estonia's mature e-government infrastructure (eesti.ee portal, digital ID) supports practical exercise of these rights.

EU-Level Overlay

As an EU member state Estonia is fully subject to the EDPB's binding decisions and consistency mechanism. Cross-cutting EU frameworks, NIS2 (cybersecurity incident reporting to AKI as competent authority), the EU AI Act (high-risk AI obligations), and the DSA (online-platform transparency), layer additional data-handling requirements on top of the GDPR/PDPA baseline.

Estonia - other topics

Data & Privacy in other countries

Last verified 5/24/2026 Ā· Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite Ā· Explore the full world map →