As also stipulated in Recital 151 of the GDPR, the Estonian legal system does not currently allow for administrative fines as set out in the GDPR. The rules on administrative fines may therefore be applied in such a manner that in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure.
The Estonian Data Protection Inspectorate has recommended to introduce the concept of administrative fines into the Estonian legal system already earlier, saying that sanctioning legal persons through misdemeanour proceedings is inefficient and burdensome to all parties involved. To the best of my knowledge, the Estonian Data Protection Inspectorate has not yet imposed any fines for GDPR violations. In the latest annual, the Head of the Inspectorate hinted that one reason for it was the uncomfortable nature of misdemeanour proceedings and the fact that GDPR fines are intended to be administrative fines by their nature.
According to the concept, the changes are likely to improve companies' compliance with the law, especially because the procedural process of imposing the fine is simplified and shortened.
It remains to be seen whether and how the concept of administrative fines will translate into law and whether that will change companies’ compliance with the GDPR and/or the number of fines issued in Estonia. The expected time for sending the draft for approval and opinion is summer 2020 and the expected time for entry into force is in the first quarter of 2021.
Article provided by: Mari-Liis Orav (TGS Baltic, Estonia)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)