Answer to request

Dokumendiregister	Andmekaitse Inspektsioon
Viit	2.2-9/25/601-2
Registreeritud	05.03.2025
Sünkroonitud	06.03.2025
Liik	Väljaminev kiri
Funktsioon	2.2 Loa- ja teavitamismenetlused
Sari	2.2-9 Selgitustaotlused
Toimik	2.2-9/2025
Juurdepääsupiirang	Avalik
Juurdepääsupiirang
Adressaat	Lawways
Saabumis/saatmisviis	Lawways
Vastutaja	Liina Kroonberg (Andmekaitse Inspektsioon, Koostöö valdkond, Koolitus- ja ennetustiim)
Originaal	Ava uues aknas

Failid

Answer to request.pdf

ERAELU KAITSE JA RIIGI LÄBIPAISTVUSE EEST

Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee / registrikood 70004235

Pauline Pasquer

Lawways

pauline.pasquer@lawways.com

Yours: 20.02.2025 Ours: 05.03.2025 nr 2.2-9/25/601-2

Answer to request The Data Protection Inspectorate (EDPI) received your questions about registering data

protection officer (DPO) in Estonia. Firstly, does the notice of appointment of a DPO in EDPI

have to be in Estonian or can it be done in English as well. You also ask that if the notification

cannot be made through the e-Business Register, then do you have to contact EDPI, and if so,

what is the notification procedure.

The General Regulation on the Protection of Personal Data (GDPR) stipulates a number of rules

to which a data protection officer (DPO) must comply. Whether the company's data protection

officer meets these conditions, including being able to provide Estonian-speaking data subjects

with the necessary information and service, must be known by each company responsible

(controller).

In some cases, the notification to EDPI can also be done in English. However, we emphasize

that DPO must be able to communicate with both, data subjects and EDPI, in Estonian.

Companies must prepare appropriate data protection documentation (including privacy policy)

in Estonian for Estonian data subjects before data processing if the service is aimed at Estonian

residents. However, if the company is able to fulfill all relevant requirements (including

communication in Estonian) with a group-wide data protection officer, for example, then the

inspectorate sees no reason why companies should not be assign a group-wide (non-Estonian-

speaking) data protection officer.

Company must be able to comply with the GDPR. In any case, the controller i.e. the company, is

responsible for violations related to data processing, not the DPO. Which is why it is always

worth considering the decisions more thoroughly (including whether the appointed DPO provides

the service required at the local level) and choose a DPO who will really help the company.

We also note that the Data Protection Inspectorate accepts DPO appointment notices if:

1) the notice has been signed digitally or by hand by an authorized person, a company´s

manager etc., or a person entered in the business register as a representative of the

company/institution, or

2) if the signer acts on the basis of authorization, the notification is accompanied by a power

of attorney signed by the person entitled to represent. At the same time, a person entitled

to represent one company/institution cannot submit a report about another

company/institution without authorization - even if he is the linked company or a higher-

ranking institution.

2 (2)

As a result of the above, if necessary, a (signed) notification about the appointment of a data

protection officer can be forwarded to the inspectorate. The data protection officer becomes the

contact person of his employer in communication with inspectorate. To identify DPO, we need his

personal identification number or date of birth and citizenship (in addition to the date of

appointment, the name of the data protection officer and contact details). If there is no deadline,

we assume that the data protection officer position is without the term.

Although you have already referred to it, we note that the easiest way to report a DPO in Estonia

is to do it through the entrepreneur portal. In this case, it is no longer necessary to send a separate

notification to the EDPI. The notice can be entered by a person registered as a representative in

the e-business register.

If it is not possible to make a notification in the e-business register, it can be forwarded to EDPI

by e-mail to a address info@aki.ee. The inspectorate will send a separate reply, either to clarify

the data or to notify that the notice of DPO has been noted by EDPI.

You have the opportunity to read relevant information on the website of the EDPI (however, it is

mostly in Estonian):

- Andmekaitsespetsialisti määramisest;

- Andmekaitsespetsialisti ülesanded, teadmised ja oskused.

- Isikuandmete töötleja üldjuhendi 3. peatükk.

Explanations in English are published here: https://www.aki.ee/en/inspectorate-news-

information-dpo-s/information-dpo-s.

Hope my explanations are helpful. Best regards

Liina Kroonberg

lawyer

authorized by Director General

Seosed

Nimi	K.p.	Δ	Viit	Tüüp	Org	Osapooled