Data & Privacy Ā· Estonia
Data protection & GDPR compliance in Estonia (2026)
Estonia shaded by its data & privacy status
Data protection in Estonia: comprehensive law, under GDPR (EU 2016/679) directly applicable since 25 May 2018; supplemented by Estonia's Personal Data Protection Act (Isikuandmete kaitse seadus, in force 15 January 2019) and the Personal Data Protection Act Implementation Act (PDPAIA). National supervisory authority: Andmekaitse Inspektsioon (AKI) / Data Protection Inspectorate..
Estonia's data-protection regime is anchored in the directly applicable GDPR, supplemented by the national Personal Data Protection Act (PDPA) adopted 12 December 2018 and in force from 15 January 2019, which implements the Law Enforcement Directive (EU 2016/680) and introduces permitted national derogations. The Andmekaitse Inspektsioon (AKI) serves as the independent supervisory authority under GDPR Article 51, holding a dual mandate over data protection and freedom of information. Enforcement was historically constrained by Estonia's misdemeanor procedural law, though AKI issued its largest-ever fine of ā¬3 million in September 2025 against the Apotheka pharmacy loyalty-programme operator.
GDPR & data protection in Estonia
In Estonia, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Data Protection Inspectorate (AKI).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Data Protection Inspectorate (AKI)
- Applies to
- any organisation processing the personal data of people in Estonia, wherever the organisation is based
- Maximum fine
- ā¬20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Estonia supplements it with a national data-protection act and its own supervisory authority.
GDPR in Estonia: FAQ
Yes. As an EU/EEA member, Estonia applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Data Protection Inspectorate (AKI).
The Data Protection Inspectorate (AKI).
Up to ā¬20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
The GDPR has applied directly in Estonia since 25 May 2018. The national PDPA (2019) operates only where the GDPR does not directly govern a matter or explicitly permits Member State derogations; it does not duplicate but supplements the Regulation.
The PDPA primarily transposes the Law Enforcement Directive (EU 2016/680) for police and criminal-justice processing, and specifies additional lawful grounds for journalistic, scientific, historical-research, archiving-in-public-interest, and creditworthiness-assessment purposes.
The Andmekaitse Inspektsioon (AKI) is Estonia's GDPR Article 51 supervisory authority and also the freedom-of-information regulator. AKI received 4,162 inquiries in 2024 according to its annual report published March 2026, and participates in the European Data Protection Board.
AKI may impose administrative fines up to ā¬20 million or 4% of global annual turnover (whichever is higher). Estonia's misdemeanor procedural framework historically produced very low fine levels, but in September 2025 AKI issued a record ā¬3 million fine against Allium UPI OĆ (Apotheka pharmacy) after a 2024 breach exposed data of over 750,000 individuals.
Estonian residents hold the full GDPR suite of rights, access, rectification, erasure, portability, objection, and restriction of processing, and may lodge complaints with AKI. Estonia's mature e-government infrastructure (eesti.ee portal, digital ID) supports practical exercise of these rights.
As an EU member state Estonia is fully subject to the EDPB's binding decisions and consistency mechanism. Cross-cutting EU frameworks, NIS2 (cybersecurity incident reporting to AKI as competent authority), the EU AI Act (high-risk AI obligations), and the DSA (online-platform transparency), layer additional data-handling requirements on top of the GDPR/PDPA baseline.
Estonia - other topics
Data & Privacy in other countries
Last verified 5/24/2026 Ā· Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite Ā· Explore the full world map ā