The state may process personal data only within the limits prescribed by law. The processing of personal data may be directly regulated in some legislation or derived from the need to comply with such an act. In addition to authorizing the processing, the law must also regulate which data is processed, how long data may be stored, and which safeguards must be used.
Does a person have the right to know what personal data the state has collected about him or her?
A person has the right to request information from the state as to what data is being collected and used and for which purpose, and the right to stop the unlawful collection, use and disclosure of personal data.
Such a right exists both under the General Data Protection Regulation (GDPR) and under specific laws, such as the Health Services Organisation Act, which requires patients to have access to their personal data in the health information system.
In Estonia, most personal data is in digital format and people can access personal data collected by authorities through the Eesti.ee web portal.
How to file a claim?
If a person does not have access to his or her personal data through the Eesti.ee portal and there are no special laws, then the person can submit a claim as an application in a free format to the authority. It would be better for the application to be digitally signed so that the authority can verify the identity of the claimant.
You can then expect a response within one month at the latest – the response time may be extended by a further two months only if the request is very complex and voluminous. In that case, the person must also be informed of the extension within one month. Claims concerning the processing of personal data are generally free of charge.
However, if the request is manifestly unfounded or repetitive, the state may charge a reasonable fee or refuse to take action, but it must always provide specific reasons for doing so.
The controller may submit the information at a later date, restrict its submission or refuse to release it if it may:
- prevent or obstruct the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties;
- harm the rights and freedoms of another person;
- endanger national security;
- endanger the protection of public security;
- obstruct an official investigation or proceeding.
Can authorities be punished for personal data breaches?
Under the General Data Protection Regulation (GDPR), some public authorities have already been penalized for personal data breaches. For example, a Norwegian city municipality was fined 170,000 EUR for failing to provide adequate security for the personal data of the municipality’s school staff and students, which led to illegal access to the data.
In Malta, the Land Board was fined 5,000 EUR for making more than 10 GB of sensitive personal data available to everyone because of insufficient security. A smaller fine of 3,200 EUR was imposed on the Mayor’s Office of Kecskemét, Hungary, for illegally disclosing the details of a person who had sued his employer and was then dismissed.