Your data can be processed (used) by either public authorities or by actors in the private sector, namely, individuals and legal entities such as companies and organisations.

Controller & Processor

A person who determines the purposes and means of the processing of personal data is called a controller. A person who processes personal data on behalf of the controller is called a processor. A controller might use a processor when it lacks the capacity to process the data itself, for example by using a cloud storage service. You yourself may also be involved in processing other people’s data. For example, if your fellow students have shared their passport numbers and identity codes with you so that you can buy flight tickets online for your joint trip, you have become a user of their personal data.

However, there is an exception when you, as an individual, do not have to follow data protection rules: if you process someone’s personal data for purely personal or household activities and, at the same time, you don’t disclose this data to the public.


If there has been a personal data breach which might result in a risk to the rights and freedoms of a person whose data have been processed, the controller has to notify the Estonian Data Protection Inspectorate about this within 72 hours. If there is a high risk, the person must also be notified.

Example: A personal data breach of this kind may be the publication of particularly sensitive personal data, such as data concerning personal health and sex life.


Last updated 08/06/2019