Based on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (or General Data Protection Regulation, GDPR), the general data protection principles have been established for the processing of any kind of personal data, including in research. With the entry into force of the GDPR, many significant changes were made in the legal framework of data protection.

Firstly, the GDPR is directly applicable, i.e., it applies as written and, unlike directives, does not have to be transposed into Estonian law or established by a separate act. However, it must be implemented. In addition, around 130 legislative acts have been amended in Estonia to align them with the GDPR.

The GDPR provides general principles agreed upon by the EU member states but does not offer individual solutions for specific situations. That is why numerous guidelines, recommendations and best practices have been compiled to help people understand the provisions of the GDPR. These guidelines also aim to draw attention to respecting the obligation to protect personal data when conducting research.

Secondly, each EU member state can specify certain important exceptions by law. The processing of personal data in research is one of the areas that each member state regulates by national law. In Estonia, it is regulated by the Personal Data Protection Act, which, for example, specifies the requirement of the ethics committee’s approval that is not included in the GDPR. Thus, processing personal data in research is more complex, as both the GDPR and the Personal Data Protection Act must be complied with and understood.

What changed with the entry into force of the GDPR?

During the data protection reform in the European Union, several previously existing principles were clarified, and additional requirements were introduced for data controllers. In the following, some of the most important changes concerning research have been listed.

Changes in terminology: the former coding and decoding were replaced by pseudonymisation; instead of sensitive personal data, special categories of personal data were introduced in the GDPR. The phrase is also used as “personal data of special categories” in the Personal Data Protection Act.

Registration of controllers is no longer required. Previously, there was a system in Estonia where processors of special categories of personal data had to register with the Data Protection Inspectorate. Now, there is no such requirement. There is a general requirement to consult an ethics committee or, in the absence of a relevant committee, the Data Protection Inspectorate, to ensure the due processing of special categories of personal data.

New obligations of the controller. As a data controller, the University of Tartu has received several additional responsibilities: to publish its data protection policy, prepare an overview of the processing of personal data, appoint a data protection specialist, prepare data protection impact assessments, consult supervisory authorities and report breaches.

The processing of public personal data is limited. Previously, an exception was established under the Personal Data Protection Act, always allowing further processing of lawfully disclosed personal data.[1] Such an exception no longer exists, which means that a legal basis is also necessary for processing previously disclosed personal data; otherwise, the processing is unlawful.

Fines were established. The Data Protection Inspectorate was given additional authority to impose fines for data protection breaches, up to 4% of total annual global turnover for companies and up to 20 million euros for other persons in the EU.