Data protection & privacy laws in Estonia (2026)
Estonia's data-protection regime is anchored in the directly applicable GDPR, supplemented by the national Personal Data Protection Act (PDPA), adopted 12 December 2018 and in force from 15 January 2019. The PDPA transposes the Law Enforcement Directive ((EU) 2016/680) and exercises the derogations the GDPR leaves to Member States; it does not restate the Regulation. The Andmekaitse Inspektsioon (AKI) is the independent supervisory authority under GDPR Article 51 and holds a dual mandate over data protection and freedom of information. Enforcement was historically constrained by Estonia's misdemeanour procedural law, under which GDPR fines had to be imposed as misdemeanour penalties; even so, in September 2025 AKI issued its largest-ever fine, €3 million, against the operator of the Apotheka pharmacy loyalty programme.
Key points
The GDPR has applied directly in Estonia since 25 May 2018. The national PDPA (2019) operates only where the GDPR does not directly govern a matter or explicitly permits Member State derogations; it does not duplicate but supplements the Regulation.
The PDPA primarily transposes the Law Enforcement Directive (EU 2016/680) for police and criminal-justice processing, and specifies additional lawful grounds for journalistic, scientific, historical-research, archiving-in-public-interest, and creditworthiness-assessment purposes.
The Andmekaitse Inspektsioon (AKI) is Estonia's GDPR Article 51 supervisory authority and also the freedom-of-information regulator. AKI received 4,162 inquiries in 2024 according to its annual report published March 2026, and participates in the European Data Protection Board.
AKI may impose administrative fines up to €20 million or 4% of global annual turnover (whichever is higher). Estonia's misdemeanor procedural framework historically produced very low fine levels, but in September 2025 AKI issued a record €3 million fine against Allium UPI OÜ (Apotheka pharmacy) after a 2024 breach exposed data of over 750,000 individuals.
Data subjects whose data are processed in Estonia hold the full GDPR suite of rights (access, rectification, erasure, portability, objection, restriction of processing, and safeguards against solely automated decisions under Article 22) and may lodge complaints with AKI. Estonia's mature e-government infrastructure (the eesti.ee portal and the state digital ID) makes identity verification straightforward, which in practice eases the exercise of these rights, and controllers should expect requests to arrive with a strongly authenticated identity rather than an unverified e-mail.
As an EU member state Estonia is fully subject to the EDPB's binding decisions and consistency mechanism. Cross-cutting EU frameworks layer additional data-handling requirements on top of the GDPR/PDPA baseline: NIS2 cybersecurity incident reporting, which in Estonia runs through the Information System Authority (RIA) and its national CSIRT, CERT-EE, and is a separate obligation from the personal-data-breach notification owed to AKI under GDPR Article 33; the EU AI Act (high-risk AI obligations); and the DSA (online-platform transparency). A single incident can therefore trigger parallel notifications to different authorities on different clocks.
Last verified 24 May 2026 · Orientation, not legal advice; verify against the primary sources.