​The privacy of individuals was compromised 115 times according to the violation notices submitted to the Estonian Data Protection Inspectorate in 2019. The recorded incidents were mostly due to the data controller's negligence or lack of awareness, which on four occasions resulted in the employee's dismissal.

In 2019, the Data Protection Inspectorate registered incidents in both state and municipal authorities, as well as in health care, finance, transport, communications and education services, and a large number of incidents occurred while providing web services. When comparing public and private service providers, the number of incidents is more or less the same. 

According to the technology director Urmo Parm, the violations can be divided into two categories. The first category is technology-related incidents due to outdated and insecure software and the second is human activity, whether it is a single error or a neglect that can result in the damage to many other people.

Many mistakes come from negligence and ignorance like opening a phishing email. Parm comments that as an innovative e-government, all data processors should already be able to implement basic security technologies that prevent phishing scams, such as DMARC protocol. The STARTTLS encryption method allows secure transmission of emails.

The past year had also four cases where companies decided to dismiss employees who violated data protection rules. Drastic measures were implemented, for example, in case of employees who accessed another person's data from the information system without reason. Another contract was terminated with an employee who allowed third parties to access security recordings.

Compared to 2018 the number of violation notices has grown, but not all data controllers notify of the incidents and a lot more is happening to people´s data than is known. Public awareness of data protection has certainly not yet reached a level where we can always feel secure, however the situation is gradually improving. 

Cases where the Inspectorate has been notified of incidents where an employee disclosed sensitive information, for example by e-mail, to the wrong recipient can never be completely prevented. However, training can prevent wrong people getting access to a large number of sensitive private information or user account information due to inadequate information system setup.

The obligation to report violations comes from the GDPR which entered into force in May 2018. According to the legislation, the data controller must inform the supervisory authority of incidents that threaten the privacy of the individual or which may include a potential breach of privacy. The Inspectorate must be notified within 72 hours.

More information on data protection updates from Germany, Spain, Latvia and Finland can be found here.

If you have any questions, please don’t hesitate to contact us:


Rödl & Partner Advokaadibüroo OÜ

T +372 6068 650