Estonia data protection 2025 saw a notably active fourth quarter, with the Data Protection Inspectorate (Andmekaitse Inspektsioon, or AKI) intensifying its supervisory activity, new guidance emerging on artificial intelligence and automated decision-making, and several enforcement decisions that carry direct implications for businesses operating in or through Estonia. This guide covers the key regulatory developments, enforcement trends, practical compliance obligations, and the strategic questions that international companies should be asking right now.
The most consequential development of the quarter was the finalisation of AKI';s updated guidelines on the processing of personal data in the context of AI-assisted tools. These guidelines, which build on the framework established by the General Data Protection Regulation (GDPR) as transposed and applied in Estonia under the Personal Data Protection Act (isikuandmete kaitse seadus), clarify how controllers must document their legitimate interest assessments when deploying machine-learning systems that profile individuals. The guidance makes clear that a generic reference to "legitimate interests" in a privacy notice is insufficient; controllers must produce a written balancing test that weighs the controller';s interest against the data subject';s reasonable expectations.
A second significant development concerns the Estonian implementation of the NIS2 Directive. Although NIS2 is primarily a cybersecurity instrument, its intersection with data protection obligations became clearer during the quarter. AKI and the Information System Authority (Riigi Infosüsteemi Amet, or RIA) issued a joint statement clarifying that a cybersecurity incident reportable under NIS2 may simultaneously trigger a personal data breach notification obligation under Article 33 of the GDPR. Controllers in essential and important sectors - including energy, transport, finance, and digital infrastructure - should treat the two notification tracks as parallel, not sequential.
The quarter also saw the Estonian Parliament (Riigikogu) advance amendments to the Electronic Communications Act (elektroonilise side seadus) that tighten the rules on cookie consent and tracking technologies. The amendments align Estonian law more closely with recent guidance from the European Data Protection Board (EDPB) on consent management platforms. Under the revised framework, pre-ticked boxes and consent obtained through dark patterns are explicitly prohibited, and controllers must be able to demonstrate that consent was freely given, specific, informed, and unambiguous.
AKI published several enforcement decisions during the quarter that illustrate the regulator';s current priorities. The decisions are instructive not because of the specific fines - which vary considerably by case - but because of the underlying compliance failures they expose.
One decision concerned a mid-sized Estonian e-commerce operator that had been sharing customer purchase data with a third-party analytics provider without a valid data processing agreement in place. AKI found a violation of Article 28 of the GDPR, which requires that any processor acting on behalf of a controller be bound by a written contract specifying the subject matter, duration, nature, and purpose of the processing. The operator had relied on the analytics provider';s standard terms of service, which AKI determined did not meet the minimum requirements of a data processing agreement. The practical lesson is that standard vendor terms rarely satisfy Article 28 in full, and controllers should insist on a bespoke or supplemented agreement.
A second decision involved a healthcare-adjacent service provider that had failed to carry out a Data Protection Impact Assessment (DPIA) before launching a new patient-facing application. Under Article 35 of the GDPR, a DPIA is mandatory where processing is likely to result in a high risk to individuals - and AKI';s list of processing activities that presumptively require a DPIA includes health data processing at scale. The controller had argued that the application processed only anonymised data, but AKI found that the anonymisation technique used was reversible and therefore the data remained personal data within the meaning of Article 4(1) of the GDPR. This decision reinforces the point that anonymisation must be robust and irreversible to take data outside the GDPR';s scope.
A third case involved a public sector body that had retained employee performance records beyond the retention period specified in its own privacy notice. AKI treated this as a violation of the storage limitation principle under Article 5(1)(e) of the GDPR. The case is a reminder that retention schedules are not merely administrative documents - they are binding commitments to data subjects, and failure to honour them is an enforcement risk.
In practice, founders and compliance officers should consider these decisions as a map of AKI';s current enforcement priorities: processor agreements, DPIA obligations, anonymisation standards, and retention discipline.
Cross-border data transfers remain a live compliance issue for Estonian companies with international operations, and the quarter brought several developments worth noting. The European Commission';s adequacy decisions and the Standard Contractual Clauses (SCCs) adopted under the GDPR continue to be the primary transfer mechanisms used by Estonian businesses. However, AKI signalled during the quarter that it intends to scrutinise transfer impact assessments (TIAs) more closely, particularly for transfers to jurisdictions where government access to personal data is a documented concern.
For Estonian companies using cloud infrastructure hosted outside the European Economic Area, the practical implication is that a TIA must go beyond a box-ticking exercise. AKI expects controllers to assess the legal framework of the destination country, the likelihood of government access requests, and the technical and organisational measures in place to mitigate the risk. Where the TIA reveals a residual risk that cannot be adequately mitigated, the transfer should not proceed on the basis of SCCs alone.
A non-obvious requirement that surfaces frequently in this context is the obligation to document the TIA in writing and to make it available to AKI on request. Many companies conduct an informal assessment but fail to produce a written record. This is a straightforward compliance gap that can be closed with relatively modest effort.
Estonia';s status as a digitally advanced jurisdiction also means that many Estonian companies act as processors for controllers established elsewhere in the EU. In that role, they are subject to the same GDPR obligations as any other processor, including the obligation to assist the controller in meeting its transfer obligations. A common mistake is for Estonian processors to assume that transfer compliance is solely the controller';s problem - in practice, processors are often better placed to assess the technical measures available and should engage proactively.
If your organisation is navigating cross-border transfer compliance or reviewing processor agreements, we can assist with documents and filings. Contact us at info@vlolawfirm.com.
Artificial intelligence and automated decision-making attracted significant regulatory attention during the quarter, reflecting a broader European trend. AKI';s updated guidance on AI-assisted processing, mentioned above, is the most concrete output, but the quarter also saw AKI participate in EDPB working groups on the intersection of the AI Act and the GDPR.
The practical implications for businesses are substantial. Article 22 of the GDPR restricts automated decision-making that produces legal or similarly significant effects on individuals. In Estonia, this provision has been applied in contexts ranging from automated credit scoring to algorithmic recruitment tools. AKI';s current position is that "similarly significant effects" should be interpreted broadly, capturing decisions that materially affect an individual';s access to services, employment, or financial products even if they do not produce strictly legal consequences.
For companies using AI tools in HR, marketing, or customer service, the compliance checklist has grown. Controllers must be able to:
A common mistake among international companies deploying AI tools in Estonia is to rely on the tool vendor';s documentation as a substitute for the controller';s own transparency obligations. The vendor';s documentation may explain how the model works in general terms, but the controller must translate that into a clear, accessible explanation for data subjects in the specific context of its own processing.
The AI Act, which applies directly in Estonia as an EU regulation, adds a further layer of obligation for providers and deployers of high-risk AI systems. While the AI Act and the GDPR operate on different legal bases, AKI has indicated that it will coordinate with the relevant market surveillance authority on cases where an AI system raises both data protection and AI Act concerns. Companies should therefore treat AI governance as a unified compliance domain rather than two separate workstreams.
Against the backdrop of the quarter';s developments, the following compliance priorities emerge for businesses operating in or through Estonia.
Processor agreement audit. The AKI decision on the e-commerce operator makes clear that processor agreements must be reviewed against the full requirements of Article 28. Controllers should audit their vendor contracts and identify any gaps. Processors should ensure that their standard terms are GDPR-compliant and that they can flow down obligations to sub-processors.
DPIA programme. Companies that have not conducted a systematic review of their processing activities against AKI';s list of high-risk operations should do so. The list includes, among others, large-scale processing of special categories of data, systematic monitoring of publicly accessible areas, and processing that involves new technologies. A DPIA is not a one-time exercise - it must be reviewed when the processing changes.
Retention schedule enforcement. The AKI decision on the public sector body is a reminder that retention schedules must be operationalised, not merely documented. Controllers should implement technical controls - such as automated deletion workflows - to ensure that data is deleted or anonymised when the retention period expires.
Cookie consent compliance. The amendments to the Electronic Communications Act require controllers to review their consent management platforms before the amendments take effect. Pre-ticked boxes must be removed, and consent flows must be redesigned to meet the freely given, specific, informed, and unambiguous standard. Controllers should also ensure that they can produce evidence of consent on request.
Transfer impact assessments. Companies transferring personal data outside the EEA should review their TIAs and ensure that they are documented in writing. Where the TIA reveals unacceptable residual risk, the controller should consider whether alternative transfer mechanisms or data localisation are appropriate.
In practice, founders and compliance managers should consider these priorities not as a checklist to be completed once but as an ongoing programme. Data protection compliance in Estonia, as elsewhere in the EU, is a continuous obligation, not a project with a defined end date.
We can help structure the compliance programme correctly the first time. Reach out to info@vlolawfirm.com to discuss your specific situation.
What is the most significant enforcement risk for foreign companies operating in Estonia right now?
The most immediate risk, based on recent AKI decisions, is inadequate processor agreements. Many foreign companies use Estonian service providers or operate Estonian subsidiaries that act as processors, and the contractual arrangements often do not meet the full requirements of Article 28 of the GDPR. AKI has shown a clear willingness to investigate and sanction controllers for this gap. A secondary risk is the failure to conduct DPIAs for high-risk processing activities, particularly in the health, finance, and HR sectors. Foreign companies should treat both issues as priority items in any compliance review.
How long does it typically take to bring a data protection compliance programme into good standing in Estonia?
The timeline depends heavily on the size and complexity of the organisation. A small company with straightforward processing activities can typically complete a gap analysis, update its documentation, and implement the necessary controls within a few months. A larger organisation with complex data flows, multiple processors, and cross-border transfers should expect the process to take longer - often six months to a year for a comprehensive programme. The key is to prioritise the highest-risk areas first, which in the current enforcement environment means processor agreements, DPIAs, and transfer compliance. Ongoing maintenance - including annual reviews and updates triggered by changes in processing - should be built into the programme from the outset.
Should Estonian companies treat the AI Act and the GDPR as separate compliance obligations?
In practice, the two instruments overlap significantly and should be managed as part of a unified AI governance framework. The AI Act imposes obligations on providers and deployers of high-risk AI systems that are distinct from GDPR obligations, but many of the underlying requirements - transparency, documentation, human oversight, risk assessment - are complementary. AKI has signalled that it will coordinate with market surveillance authorities on cases that raise both data protection and AI Act concerns, which means that a failure in one area is likely to attract scrutiny in the other. Companies should map their AI systems against both frameworks simultaneously and identify where a single control can satisfy multiple requirements.
The fourth quarter brought meaningful regulatory activity across AI governance, enforcement, cross-border transfers, and cookie consent in Estonia. The direction of travel is clear: AKI is an active regulator with a broad supervisory agenda, and the compliance bar continues to rise. Businesses that treat data protection as a one-time exercise rather than a continuous programme face growing enforcement risk.
VLO Law Firms advises international clients on data protection matters in Estonia. We can assist with GDPR compliance reviews, processor agreement drafting, DPIA preparation, transfer impact assessments, and regulatory engagement with AKI. To request a consultation, contact: info@vlolawfirm.com