| Dokumendiregister | Andmekaitse Inspektsioon |
| Viit | 2.2-9/25/601-2 |
| Registreeritud | 05.03.2025 |
| Sünkroonitud | 06.03.2025 |
| Liik | Väljaminev kiri |
| Funktsioon | 2.2 Loa- ja teavitamismenetlused |
| Sari | 2.2-9 Selgitustaotlused |
| Toimik | 2.2-9/2025 |
| Juurdepääsupiirang | Avalik |
| Juurdepääsupiirang | |
| Adressaat | Lawways |
| Saabumis/saatmisviis | Lawways |
| Vastutaja | Liina Kroonberg (Andmekaitse Inspektsioon, Koostöö valdkond, Koolitus- ja ennetustiim) |
| Originaal | Ava uues aknas |
ERAELU KAITSE JA RIIGI LÄBIPAISTVUSE EEST
Tatari tn 39 / 10134 Tallinn / 627 4135 / [email protected] / www.aki.ee / registrikood 70004235
Pauline Pasquer
Lawways
Yours: 20.02.2025 Ours: 05.03.2025 nr 2.2-9/25/601-2
Answer to request The Data Protection Inspectorate (EDPI) received your questions about registering data
protection officer (DPO) in Estonia. Firstly, does the notice of appointment of a DPO in EDPI
have to be in Estonian or can it be done in English as well. You also ask that if the notification
cannot be made through the e-Business Register, then do you have to contact EDPI, and if so,
what is the notification procedure.
The General Regulation on the Protection of Personal Data (GDPR) stipulates a number of rules
to which a data protection officer (DPO) must comply. Whether the company's data protection
officer meets these conditions, including being able to provide Estonian-speaking data subjects
with the necessary information and service, must be known by each company responsible
(controller).
In some cases, the notification to EDPI can also be done in English. However, we emphasize
that DPO must be able to communicate with both, data subjects and EDPI, in Estonian.
Companies must prepare appropriate data protection documentation (including privacy policy)
in Estonian for Estonian data subjects before data processing if the service is aimed at Estonian
residents. However, if the company is able to fulfill all relevant requirements (including
communication in Estonian) with a group-wide data protection officer, for example, then the
inspectorate sees no reason why companies should not be assign a group-wide (non-Estonian-
speaking) data protection officer.
Company must be able to comply with the GDPR. In any case, the controller i.e. the company, is
responsible for violations related to data processing, not the DPO. Which is why it is always
worth considering the decisions more thoroughly (including whether the appointed DPO provides
the service required at the local level) and choose a DPO who will really help the company.
We also note that the Data Protection Inspectorate accepts DPO appointment notices if:
1) the notice has been signed digitally or by hand by an authorized person, a company´s
manager etc., or a person entered in the business register as a representative of the
company/institution, or
2) if the signer acts on the basis of authorization, the notification is accompanied by a power
of attorney signed by the person entitled to represent. At the same time, a person entitled
to represent one company/institution cannot submit a report about another
company/institution without authorization - even if he is the linked company or a higher-
ranking institution.
2 (2)
As a result of the above, if necessary, a (signed) notification about the appointment of a data
protection officer can be forwarded to the inspectorate. The data protection officer becomes the
contact person of his employer in communication with inspectorate. To identify DPO, we need his
personal identification number or date of birth and citizenship (in addition to the date of
appointment, the name of the data protection officer and contact details). If there is no deadline,
we assume that the data protection officer position is without the term.
Although you have already referred to it, we note that the easiest way to report a DPO in Estonia
is to do it through the entrepreneur portal. In this case, it is no longer necessary to send a separate
notification to the EDPI. The notice can be entered by a person registered as a representative in
the e-business register.
If it is not possible to make a notification in the e-business register, it can be forwarded to EDPI
by e-mail to a address [email protected]. The inspectorate will send a separate reply, either to clarify
the data or to notify that the notice of DPO has been noted by EDPI.
You have the opportunity to read relevant information on the website of the EDPI (however, it is
mostly in Estonian):
- Andmekaitsespetsialisti määramisest;
- Andmekaitsespetsialisti ülesanded, teadmised ja oskused.
- Isikuandmete töötleja üldjuhendi 3. peatükk.
Explanations in English are published here: https://www.aki.ee/en/inspectorate-news-
information-dpo-s/information-dpo-s.
Hope my explanations are helpful. Best regards
Liina Kroonberg
lawyer
authorized by Director General
| Nimi | K.p. | Δ | Viit | Tüüp | Org | Osapooled |
|---|