Steps to comply with EU data protection regulation (GDPR) in Estonia
The GDPR stipulates that data controllers must maintain records of personal data processing activities. However, the GDPR limits this obligation.
The obligation does not apply to an enterprise or an organization employing fewer than 250 persons unless the processing of data is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data.
As the aforementioned exceptions are quite vague, it should be examined how different data protection authorities (DPAs) understand the obligation. The Estonian DPA, for example, is very strict and finds that a company should even keep a record of the processing of its own employees' data.
GDPR (General Data Protection Regulation) panic has created a need to review contracts more carefully before signing them, to make sure that one does not unexpectedly take on new obligations regarding unknown subjects that would keep one from focusing on one's main job obligations. Data processing contracts put massive obligations on the parties, including requirements for employees, devices, systems, security measures, certificates, etc.
As we previously reported, legal entities existing as of 1 December 2017 must submit information on their beneficial owners to the Register of Enterprises of the Republic of Latvia (the Register) by 1 March 2018.
New data processing principles that will enter into force soon will increase the administrative workload. The main principle of the young business culture is that one must work hard. Unfortunately, companies often fail to think about what would happen if the staff grew so large that it became impossible to be aware of everyone's work, or what would happen if an employee were to quit.