When changes to European Union law come into force, it will become much easier for the Data Protection Inspectorate to fine companies for data protection breaches, says Andres Ojaver, the data protection expert at Hedman Law Firm. Fine amounts could reach up to €20 million and, in some cases, even exceed that.
General Data Protection Regulation (GDPR) fines have so far not been enforced in Estonia, one reason being the inadequate definition of legal person liability, which allowed companies to postpone decisions regarding data protection.
As of 1 November, the situation will change, as amendments to the Penal Code and other laws adopted in March this year will enter into force, giving the Data Protection Inspectorate the right to impose fines for data protection breaches without prosecuting a specific natural person.
Hedman’s personal data protection expert Andres Ojaver pointed out that for five years, Estonian companies, as well as public authorities, have been operating in a situation where prioritising personal data protection has been problematic. “On the one hand, experts in the field recognise the seriousness of the shortcomings, but on the other hand, it is difficult to ‘sell’ the need for change to the management, primarily because of the disproportionate cost and risk ratio, and the potentially high fines have not been an argument so far. The ones bearing a loss, unfortunately, are the people whose privacy is protected by the GDPR,” Ojaver said.
The change coming into force in November will bring fines
While the Data Protection Inspectorate used to limit itself to issuing non-compliance levy warnings, as of 1 November, imposing fines will become much easier, and the fine rate will reach the level set by the GDPR. The fine rate can therefore reach up to €20 million from November and even exceed this in certain cases.
The Data Protection Inspectorate recommended that all data controllers in Estonia review and align their internal data processing processes with the requirements of the GDPR and also review the obligations of data controllers. In addition, companies and public authorities need to be well aware of what data they store, for what purposes they process it, for how long and who has access to it.
“These are the specific things that the inspectorate will ask about in their monitoring procedures, and this will be an indicator for them whether the institution or company has thought through and mapped out what is happening with the data they collect. If the data controller does not have the requested data to show, then this is a signal for the inspectorate to take a closer look,” Andres Ojaver referred to the position of the Data Protection Inspectorate and added that although November may seem far away, now would be the time to start conducting data audits and planning further actions if this has not been done yet.
For example, you could use the GDPR Register, a software solution developed in Estonia to help businesses and public authorities avoid data processing errors, to create and keep records. The GDPR Register has been created in collaboration with IT experts and makes GDPR compliance simple and logical, helping to manage GDPR-related activities and documents and, in doing so, also ensuring compliance.