Chapter 1 GENERAL PROVISIONS
§ 1. Purpose of Act
The purpose of this Act is to ensure that the public and every person has the opportunity to access information intended for public use, based on the principles of a democratic and social rule of law and an open society, and to create opportunities for the public to monitor the performance of public duties.
§ 2. Scope of application of Act
(1) This Act provides for:
1) the conditions of, procedure for and methods of access to and re-use of public information and the bases for refusal to grant access to information;
[RT I, 19.12.2012, 2 – entry into force 29.12.2012]
2) restricted public information and the procedure for granting access thereto to the extent not regulated by other Acts;
21) the bases for establishment and administration of databases, and supervision over the administration of databases;
[RT I 2007, 12, 66 – entry into force 01.01.2008]
3) the procedure for the exercise of state supervision and administrative supervision over the organisation of access to information.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(2) This Act does not apply:
1) to information which is classified as a state secret or as classified foreign information, until expiry of classification of such information;
[RT I 2007, 16, 77 – entry into force 01.01.2008]
2) upon granting access to records in the National Archives and local government archives pursuant to the procedure provided for in the Archives Act and on the basis thereof, except in the part of establishment of restrictions on access and the re-use of information;
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
3) upon responding to memoranda and requests for explanations pursuant to the procedure provided for in the Response to Memoranda and Requests for Explanations Act if responding requires the analysis and synthesis of the recorded information or the collection and documentation of additional information;
4) to restrictions on access to information and to special conditions of, the procedure for and methods of access if these are otherwise provided for in specific Acts or international agreements.
(3) The provisions of the Administrative Procedure Act apply to the administrative proceedings prescribed in this Act, taking account of the specifications provided for in this Act.
§ 3. Public information
(1) Public information (hereinafter information) is information which is recorded and documented in any manner and on any medium and which is obtained or created upon performance of public duties provided by law or legislation issued on the basis thereof.
(2) Access to information specified in subsection 1 of this section may be restricted pursuant to the procedure provided by law.
§ 31. Re-use of public information
(1) The re-use of information is the use of such public information, the public use of which is not restricted by law or pursuant to the procedure established by law (hereinafter open data), by natural persons or legal persons for commercial or non-commercial purposes other than the initial purpose within the public duties for which the information was obtained or produced. The exchange of information between holders of information for the performance of their public duties does not constitute re-use of information.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(2) A holder of information shall not enter into exclusive agreements for the re-use of information, unless this is necessary and justified in the public interest. The validity of the justification for an exclusive agreement shall be reviewed at least every three years. The holder of information shall publish the exclusive agreement on its website no later than two months before entry into force of thereof.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(3) Upon giving information for public use, the inviolability of the private life of persons, protection of copyrights, protection of national security, and protection of business secrets and other restricted information must be ensured. Before giving information for public use, the holder of information shall assess the need to establish restrictions on the public use of the information.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(4) If this is possible and appropriate, the holder of information shall grant access to open data in a file format which is structured so that software applications can easily identify, recognize and extract specific data, including individual statements of fact, and their internal structure (hereinafter machine-readable format), and in a format that is platform-independent and made available to the public without any restriction that impedes the re-use of documents (hereinafter open format) together with data descriptions describing data sets and data contained therein. If conversion of open data into digital format, machine-readable format or open format is impossible or would involve disproportionately great effort, the holder of information shall grant access to open data in their original format or in any other format.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(41) The format and data description specified in subsection 4 of this section shall comply with a written standard containing detailed requirements on how to ensure the interoperability of software.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(5) Information in respect of which restriction on access is established by law or to which access is restricted pursuant to the procedure established by law, including information to which access is granted pursuant to law only upon existence of legitimate interest or in respect of which special conditions of, procedure for and methods of access are established by law, is not for public use.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(6) The information specified in subsection 5 of this section shall not be given for public use or only such part of the information shall be given for public use which does not contain restricted information and if giving such part of the information for public use does not involve the risk of disclosure of restricted information.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(7) If information disclosed pursuant to law contains personal data, the public use of such information may be restricted if giving such information for public use would significantly breach the inviolability of the private life of the person.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(8) If giving information, which is disclosed pursuant to law and contains personal data, for public use breaches the inviolability of the private life of the person, such information shall be given for public use in a way which does not significantly breach the inviolability of the private life of the person.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(81) [Repealed – RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(82) Data that are collected or produced in the course of scientific research activities and are used as evidence in the research process, or are commonly accepted in the research community as necessary to validate research findings and results (hereinafter research data), shall be made available for re-use if the production of research data has been funded from the budget of the state, local governments or legal persons in public law and researchers, research performing persons or research funding persons have already made them publicly available through an institutional or subject-based repository. Scientific publications shall not be deemed to be research data.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(83) Open data subject to frequent or real-time updates, in particular because of their volatility or rapid obsolescence, (hereinafter dynamic data) shall be made available for re-use immediately after collection, or in the case of a manual update immediately after the modification of the data, via an application programming interface (API) and, where relevant, as a bulk download. Where making dynamic data available for re-use immediately after collection would exceed the financial and technical capacities of the holder of information in a disproportionate manner, those dynamic data shall be made available within the shortest possible time frame and with technical restrictions that do not unduly impair the exploitation of their economic and social potential.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(9) The re-use of open data shall generally not be subject to conditions. If imposing conditions for making the data available for re-use is necessary in the public interest, such conditions shall be objective, proportionate and non-discriminatory. The conditions for re-use shall be available in a machine-readable and open format. The conditions for re-use shall be published by the agency specified in subsection 2 of § 321 of this Act in the Estonian information gateway.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
§ 4. Principles of granting access to public information
(1) In order to ensure democracy, to enable public interest to be met and to enable all persons to exercise their rights and freedoms and perform their obligations, holders of information are required to ensure access to the information in their possession under the conditions and pursuant to the procedure provided by law.
(2) Access to information shall be ensured for every person in the quickest and easiest manner possible.
(3) Upon granting access to information, the inviolability of the private life of persons and protection of copyright shall be ensured.
[RT I, 19.12.2012, 2 – entry into force 29.12.2012]
(4) Access to information shall be granted without charge unless payment for the direct expenses relating to the release of the information is prescribed by law.
(41) A holder of information must publish the conditions for accessing the information and the amount to be charged for access and, if a person making a request for information so requires, provide explanations concerning the cost-orientation of the charges.
[RT I, 19.12.2012, 2 – entry into force 29.12.2012]
(42) The conditions for access shall not be unnecessarily restrictive or detrimental to competition.
[RT I, 19.12.2012, 2 – entry into force 29.12.2012]
(43) If a holder of information uses the information as input for activities falling outside the scope of the public duties, the same charge and other conditions shall apply upon supplying the holder with the information as apply to other applicants, thus ensuring equal treatment.
[RT I, 19.12.2012, 2 – entry into force 29.12.2012]
(5) Every person has the right to contest a restriction on access to information if such restriction violates the rights or freedoms of the person.
§ 41. High-value datasets
(1) Open data the re-use of which is associated with important benefits for society, the environment and the economy, in particular because of their suitability for the creation of value-added services, applications and new, high-quality and decent jobs, and of the number of potential beneficiaries of the value-added services and applications (hereinafter high-value datasets) shall be made available for re-use by the holder of information free of charge in a machine-readable format via a suitable API and, where relevant, as a bulk download.
(2) The thematic categories of high-value datasets are set out in Annex I to Directive (EU) 2019/1024 of the European Parliament and of the Council on open data and the re-use of public sector information (OJ L 172, 26.06.2019, p. 56-83) on the basis of Article 13(1) or (2) of the Directive. The list of high-value datasets and the condition and procedure for their publication and re-use shall be provided in the European Commission Implementing Regulation established on the basis of Article 14(1) of the same Directive.
(3) In addition to the provisions of subsection 2 of this section, the Government of the Republic or the minister in charge of the policy sector may establish by a regulation another category of high-value datasets and the list of the datasets thereof and the conditions and procedure for their publication and re-use.
(4) Libraries, museums and archives shall not be required to make high-value datasets available free of charge.
[RT I, 30.11.2021, 3 – 4¹ enters into force on the date the European Commission Implementing Regulation specified in Article 14(1) of Directive (EU) 2019/1024 of the European Parliament and of the Council becomes applicable.]
§ 5. Holders of information
(1) The following are holders of information:
1) state and local government agencies;
2) legal persons in public law;
3) legal persons in private law and natural persons under the conditions provided for in subsection 2 of this section.
(2) The obligations of holders of information extend to legal persons in private law and natural persons if the persons perform public duties pursuant to law, administrative legislation or contracts, including the provision of educational, health care, social or other public services, – with regard to information concerning the performance of their duties.
(3) The following are deemed to be equal to holders of information:
1) undertakings which have a dominant position in the market or special or exclusive rights or which are natural monopolies – with regard to information concerning the conditions and prices of the supply of goods and services and changes thereto;
2) sole proprietors, non-profit associations, foundations and companies – with regard to information concerning the use of funds allocated from the state or a local government budget for the performance of public duties or as support.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 6. Request for information
A request for information is a request to obtain or re-use information submitted to the holder of information pursuant to the procedure provided for in this Act by a person making the request for information.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
§ 7. Person making request for information
Each person who submits a request for information to a holder of information pursuant to the procedure provided for in this Act is a person making a request for information.
§ 8. Access to information
(1) Access to information shall be granted by a holder of information by:
1) complying with a request for information;
2) disclosing information.
(2) Disclosure of information is the grant of access to information by a holder of information pursuant to the procedure provided by law, without a person being required to make a request for information.
(3) Access to open data also includes the right to re-use that information. If the holder of information has imposed conditions for the public use of information through a licence, the information shall be used pursuant to the conditions of the licence.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
Chapter 2 ORGANISATION OF ACCESS TO INFORMATION
§ 9. Obligations of holders of information
(1) Holders of information are required to grant access to information in their possession pursuant to the procedure provided by law.
(2) Upon granting access to information, a holder of information is required:
1) to ensure access to the documents which the person making a request for information requests access to if the person making the request for information has the right to access the information;
2) to keep an account of documents in the possession thereof;
3) to disclose information subject to disclosure pursuant to the procedure provided by law;
4) to provide information to the public regularly on the performance of public duties;
5) to assist persons making requests for information;
6) to inform persons making requests for information of any valid restrictions on access to documents;
7) to ensure compliance with restrictions on access to information;
8) not to submit knowingly misleading, inaccurate or incorrect information and, in the case of doubt, is required to verify the correctness and accuracy of the information released.
§ 10. Organisation of access to information by holders of information
(1) The head of a holder of information or a holder of information who is a natural person is responsible for the organisation, by the holder of information and pursuant to law, of access to information.
(2) A holder of information may, using records management procedures or other documents, designate the structural units and officials or employees responsible for complying with requests for information and disclosing information, and the procedure for the internal processing of requests for information or of information subject to disclosure.
(3) If a holder of information does not establish the competence of officials or employees in complying with requests for information, each official or employee to whom a request for information is assigned for it to be complied with or to whom a request for information is submitted is responsible for complying with the request for information in a manner which meets the requirements.
(4) The head of a holder of information is responsible for the proper disclosure of information in a manner which meets the requirements unless organisation of the disclosure of information is assigned to another person by legislation.
§ 11. Document register of agency
(1) The document register of an agency is a digital database which is maintained by a state or local government agency or a legal person in public law in order to register documents received by the agency and prepared in the agency and to ensure access thereto.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(2) The Government of the Republic may establish requirements for document registers.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 12. Requirements for document registers
(1) The following shall be registered in a document register:
1) documents received by the agency and documents released by the agency, not later than on the working day following the day on which the documents are received or released;
[RT I 2007, 12, 66 – entry into force 01.01.2008]
2) legislation prepared and signed in the agency, on the date of signature thereof or the working day after such date;
[RT I 2007, 12, 66 – entry into force 01.01.2008]
3) contracts entered into on the working day after the date of signature thereof.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(2) Accounting documents need not be entered in a document register.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(21) Documents related to a person, which have been entered in another database and to which access of the person is ensured, are not required to be entered in the document register.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(3) At least the following information concerning received and released documents shall be entered in a document register:
1) from whom the documents are received or to whom they are released;
2) the date of receipt or release;
3) the manner in which the documents are received or released (by electronic mail, post, fax, courier or delivered in person);
4) requisite information on the documents;
5) the type of documents (petitions, memoranda, decisions, requests for information, letters, etc.);
6) restrictions on access to the documents.
(31) If the sender of documents received by an agency or the recipient of documents released from an agency is a natural person, information which would allow to identify the natural person shall not be indicated in public view of the document register.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(4) The term arising from law for processing or responding, the name of the structural unit responsible for the preparation of a response or the organisation of processing and the name of the official or employee who prepares the response shall also be entered in a document register concerning received documents and documents which need to be processed or responded to.
(41) Access shall be granted through the document register to electronic documents registered in a document register and contained in the document management system of the agency, unless access to such documents is restricted and except for documents which are published in the Riigi Teataja.
[RT I 2007, 12, 66 – entry into force 01.01.2008, access to documents registered in a document register and contained in the document management system of the agency, access to which is not restricted, shall be granted by registrars of the document register by 1 January 2009 at the latest]
(42) [Repealed – RT I, 19.12.2012, 2 – entry into force 29.12.2012]
(5) The registrars of document registers shall grant access to the document registers, shall create indexes and instructions in order to facilitate the finding of documents and ensure finding of documents by a full text search using a computer search system based on the data specified in subsection 3 of this section.
[RT I 2007, 12, 66 – entry into force 01.01.2008, finding of documents by a full text search shall be ensured by registrars of the document register by 1 January 2009 at the latest]
Chapter 3 GRANT OF ACCESS TO INFORMATION ON BASIS OF REQUESTS FOR INFORMATION
Division 1 Making Requests for Information and Acceptance of Requests for Information for Processing
§ 13. Manners of making requests for information
A person making a request for information shall make the request for information to a holder of information either:
1) orally, addressing a holder of information directly or by telephone, or
2) in writing, delivering a request for information personally or communicating it by post, fax or electronic mail.
§ 14. Requirements applicable to requests for information
(1) A request for information shall set out the following information orally or in writing:
1) the given name and surname of the person making the request for information;
2) the name of the legal person or agency in the case of a request for information made on behalf of an agency or legal person;
3) the contact details of the person making the request for information (postal or electronic mail address, or fax or telephone number), through which the holder of information could release the information or contact the person making the request for information;
4) the content of the information or the type, name and content of the document requested, or the requisite information on the document known to the person making the request for information;
5) the manner of complying with the request for information.
(2) If a person requests information which contains restricted personal data concerning him or her or third persons, the holder of information shall identify the person making the request for information. If a person requests restricted private personal data concerning a third person, he or she shall inform the holder of information of the basis and purpose of accessing the information.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(21) [Repealed – RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(3) A holder of information has the right to request submission of a request for information in writing if the person making the request for information is not satisfied with the information provided orally.
(4) [Repealed – RT I 2007, 12, 66 – entry into force 01.01.2008]
(5) A person making a request for information shall not request access to information for personal purposes under the pretext of the performance of functions or duties or using his or her official position.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 15. Obligation of holders of information to assist persons making requests for information
(1) Holders of information are required to clearly explain the procedure for and the conditions and methods of access to information to persons making requests for information.
(2) Officials or employees of holders of information are required to assist persons making requests for information in every way during the making of requests for information and the identification of the information necessary for the persons making requests for information, the location of the information and the most suitable methods of access thereto.
(3) An official or employee of a holder of information who is not competent to comply with a request for information is required promptly to send the person making the request for information to an official or employee who has the corresponding competence, or promptly to communicate the request for information in writing to the specified official or employee.
(4) If a request for information does not indicate the method or the information which the person making the request for information is requesting, the holder of information shall promptly contact the person making the request for information in order to specify the request for information.
§ 16. Registration of requests for information
(1) A holder of information shall register a request for information on the date of receipt thereof or not later than on the working day following receipt.
(2) Information specified in subsection 1 of § 14 of this Act which is submitted by a person making a request for information and information concerning an employee or structural unit responsible for complying with the request for information and the due date for complying with the request for information shall be entered in the document register of a holder of information provided for in § 11 of this Act.
(3) A request for information need not be registered if:
1) it is anonymous;
2) it is made orally or electronically and is promptly complied with.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
Division 2 Compliance with Requests for Information and Refusal to Comply with Requests for Information
§ 17. Manner of compliance with requests for information
(1) A holder of information shall comply with a request for information in the manner requested by the person making the request for information and shall release the information:
1) digitally to a transferable data medium or to an electronic mail address set out in the request for information;
2) as a copy or transcript of the document on paper either directly to the person making the request for information or to his or her postal address;
3) by fax;
4) orally;
5) for access at the holder of information;
6) in any other manner, taking into account the type of medium.
(2) A holder of information may refuse to comply with a request for information in a desired manner if:
1) there are no technical means therefor;
2) the type of medium does not enable compliance;
3) oral communication of the information would excessively hinder performance of the main duties of the holder of information due to the time this would take.
(3) At the request of a person making a request for information, a holder of information shall release copies of documents on paper if the type of medium and the contact details of the person making the request for information enable this and if the information has not been disclosed.
(4) At the request of a person making a request for information, a holder of information shall release information (including disclosed information) together with official confirmation if such confirmation is necessary in order to use the rights and freedoms and perform the obligations of the person making the request for information.
(5) Information shall be released orally only if:
1) information is requested concerning the processing of a petition, memorandum or other request submitted by the person making the request for information;
2) information is requested on whether information requested by the person making the request for information is in the possession of the holder of information.
(6) Upon compliance with a request for information orally, the person who complies with the request for information is not required to read documents aloud.
(7) In the cases provided for in subsection 2 of this section, a holder of information shall choose a suitable manner to comply with a request for information and shall, if possible, consult with the person making the request for information before complying with the request for information.
(8) If a request for information does not specify the manner for compliance requested by the person making the request for information and if it is not possible to specify the manner for compliance in consultation with the person making the request for information within the term prescribed for compliance with the request for information, the request for information shall be complied with on the basis of the details indicated therein in a manner chosen by the holder of information, and the holder of information shall, if possible, prefer the manner in which the request for information was made.
§ 18. Terms for compliance with requests for information and calculation of terms for processing
(1) A request for information shall be complied with promptly, but not later than within five working days.
(2) If a request for information cannot be complied with due to the insufficiency of the information submitted by the person making the request for information, the holder of information shall notify the person making the request for information thereof within five working days in order to specify the request for information.
(3) The terms for processing requests for information provided for in this Act shall be calculated as of the working day following registration of the requests for information.
§ 19. Extension of terms for compliance with requests for information
If a holder of information needs to specify a request for information or if identification of the information is time-consuming, the holder of information may extend the term for compliance with the request for information for up to 15 working days. The holder of information shall notify the person making the request for information of extension of the term together with the reasons therefor within five working days.
§ 20. Deeming requests for information to have been complied with
A request for information is deemed to have been complied with by the holder of information who receives the request for information if:
1) information is communicated to the person making the request for information in a manner provided by law;
2) the request for information is forwarded according to competence and the person making the request for information is notified thereof;
3) the possibility of accessing disclosed information is explained to the person making the request for information.
§ 21. Forwarding of requests for information according to competence
(1) If a holder of information does not possess the requested information, the holder of information shall ascertain the competent holder of information and forward the request for information promptly thereto, but not later than within five working days, and shall notify the person making the request for information thereof at the same time.
(2) It is permitted to refuse to forward a request for information made by telephone if the person making the request for information is informed of to whom the person should turn with the request for information.
(3) A holder of information who is a legal person in private law or a natural person may refuse to forward a request for information and shall in this case notify the person making the request for information promptly thereof, but not later than within five working days.
§ 22. Directing to disclosed information
If requested information has been disclosed pursuant to the procedure provided for in this or any other Act, the holder of information may promptly, but not later than within five working days, notify the person making the request for information thereof without releasing the information and shall in this case provide the person making the request with information concerning the method and place of access to the requested information, except in the case provided for in subsection 4 of § 17 of this Act.
§ 23. Refusal to comply with requests for information
(1) A holder of information shall refuse to comply with a request for information if:
1) restrictions on access apply to the requested information and the person making the request for information does not have the right to access the requested information;
2) the holder of information does not possess the requested information, does not know who possesses it, and is unable to identify the holder of the requested information;
3) compliance with the request for information is impossible because it is not evident from specification of the request for information which information the person making the request for information is requesting;
4) the person making the request for information has not paid the state fee or has not paid the expenses relating to compliance with the request for information if the state fee or other fee is prescribed by law and the holder of information has not withdrawn the claim for expenses incurred to be covered.
(2) A holder of information may refuse to comply with a request for information if:
1) the requested information has already been released to the person making the request for information and the person does not justify the need to obtain the information for a second time;
2) information requested from a natural person or a legal person in private law does not concern the performance of public duties;
3) compliance with the request for information would require a change in the organisation of work of the holder of information, hinder the performance of public duties imposed thereon or require unnecessarily disproportionate expenses due to the large volume of requested information;
4) the request for information cannot be complied with by a single release of information;
5) in order to comply with the request for information, information would have to be additionally systematised and analysed and new information would have to be documented on the basis thereof. Such request for information is deemed to be a request for explanation and shall be responded to pursuant to the procedure prescribed in the Response to Memoranda and Requests for Explanations Act;
6) a court has established that the active legal capacity of the person making the request for information is restricted;
7) there are no contact details concerning the person making the request for information.
(3) The holder of information shall notify the person making the request for information of refusal to comply with the request for information and the reason for such refusal within five working days.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 24. Registration of compliance with requests for information and refusal to comply therewith
[Repealed – RT I 2007, 12, 66 – entry into force 01.01.2008]
Division 3 Expenses Relating to Compliance with Requests for Information
§ 25. Covering expenses relating to compliance with requests for information
(1) A holder of information shall cover the expenses relating to compliance with requests for information unless otherwise prescribed by law. A holder of information shall cover the costs of making high-value datasets and research data available for re-use.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(2) A person making a request for information shall pay up to 0.19 euros per page for printouts and copies on paper starting from the twenty-first page, unless a state fee for the release of information is prescribed by law.
[RT I, 30.12.2010, 2 – entry into force 01.01.2011]
(3) Holders of information shall cover the expenses relating to compliance with requests for information made by state or local government agencies.
(4) Income from supplying information for re-use shall not exceed the costs incurred for the reproduction, provision and dissemination of open data as well as for anonymisation of personal data and protection of business secrets.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(5) Holders of information who must cover a substantial part of the costs arising from the performance of their public duties and holders of information specified in clause 3 of subsection 1 and subsection 3 of § 5 of this Act may include, in addition to the costs specified in subsection 4 of this section, a reasonable return on investment in the income received for supplying information for re-use. A reasonable return on investment shall be up to five percent higher than the fixed interest rate applicable to the main refinancing operations of the European Central Bank.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(6) If a fee is charged for the re-use of information, the holder of information shall publish the amount of the fee, the conditions for charging and the bases for calculation of the fee and, if necessary, shall organise the recalculation of the fees at least in every three years.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(7) Holders of information who must cover a substantial part of the costs arising from the performance of their public duties and charge a fee specified in subsection 5 of this section, shall notify the agency specified in subsection 2 of § 321 of this Act of charging the fee.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(8) The list of holders of information who charge a fee on the basis of subsection 5 of this section shall be published in the Estonian information gateway.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
§ 26. Exemption from covering expenses
A holder of information may exempt a person making a request for information from covering expenses provided for in subsection 2 of § 25 of this Act if:
1) collection of the expenses is economically inefficient;
2) the person making the request for information needs the information for research work;
3) the person making the request for information needs the information in order to exercise the rights and freedoms of the person or to perform obligations and if the person making the request does not have the financial capacity to cover the expenses.
§ 27. Procedure for covering expenses
(1) A person making a request for information shall pay the holder of information before the information is released.
(2) The state fee for the release of information or a document shall be paid before the release of the information according to the rate provided by the State Fees Act.
[RT I 2006, 58, 439 – entry into force 01.01.2007]
(3) A holder of information is required to issue a receipt concerning the received amounts to the person making a request for information.
Chapter 4 DISCLOSURE OF INFORMATION
Division 1 Information Subject to Disclosure
§ 28. Obligation of holder of information to disclose information
(1) A holder of information is required to disclose the following existing information relating to the duties thereof:
1) generalised economic statistics and economic forecasts of the state and local governments;
2) generalised statistics relating to crime and misdemeanours;
3) statutes of state or local government agencies and their structural units;
4) formats of petitions and other documents submitted to state and local government agencies and instructions for the completion thereof;
5) job descriptions of state and local government officials;
6) composition of state and local government agencies, and the given names, surnames, education, areas of specialisation, telephone numbers and electronic mail addresses of officials filling the positions prescribed in such agencies;
7) information concerning danger to the life, health and property of persons;
8) reports on work results and the performance of duties in state and local government agencies;
9) names and electronic mail addresses of members of the supervisory boards and management boards of legal persons in public law;
10) management reports and income and expense statements of legal persons in public law;
11) budgets and draft budgets of state agencies, local governments and local government agencies, and reports on the implementation thereof;
12) information concerning the receipt of state budget revenue;
13) information concerning the state of the environment, environmental damage and dangerous environmental impact;
14) precepts issued or decisions made in the course of state supervision, administrative supervision or supervisory control as of the entry into force thereof;
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
15) draft Acts prepared by ministries and draft regulations of the Government of the Republic, together with explanatory memoranda, when such drafts are sent for approval or presentation to the Government of the Republic;
16) draft regulations of ministers and local governments together with explanatory memoranda before such drafts are submitted for passage;
17) draft concepts, development plans, programmes and other projects of general importance before such drafts are submitted to the competent bodies for approval, and the corresponding approved or adopted documents;
18) research or analyses ordered by the state or local government agencies;
[RT I 2007, 12, 66 – entry into force 01.01.2008]
19) information concerning unfilled positions in state or local government agencies;
20) information concerning public procurements which are being organised or have been organised by the state or local governments;
21) information concerning the use of assets and budgetary funds which the state or a local government has transferred to legal persons in private law founded by the state or local government or with the participation thereof;
22) programmes of public events;
23) changes in the work and duties of state and local government agencies which are related to services provided for persons, not later than ten days before implementation of the changes;
24) information concerning the consultation hours of heads of state and local government agencies;
25) salaries of officials of state and local government agencies and other income related to their functions, and salary guides of agencies pursuant to the procedure provided for in the Public Service Act;
[RT I, 06.07.2012, 1 – entry into force 01.04.2013]
26) information concerning the price formation of companies which have a dominant position in the market or special or exclusive rights or which are natural monopolies;
27) information concerning the provision of public services and concerning changes in the conditions and price of the provision of the service before implementation of such changes;
28) lists of the members of political parties;
29) court decisions entered into force with restrictions arising from law;
30) data contained in databases, access to which is not restricted;
[RT I 2007, 12, 66 – entry into force 01.01.2008]
31) the document register of the agency;
311) the purpose, scope and method of processing personal data, the communication of personal data to third persons, including other agencies, and the making of personal data available to the public, and the right of and procedure for a person to examine data concerning themselves;
[RT I, 19.12.2012, 2 – entry into force 29.12.2012]
312) open data subject to disclosure, information on the availability of open data and on licences, if necessary;
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
32) other information and documents concerning which the obligation to disclose is provided by an international agreement, an Act or legislation passed on the basis thereof or which the holder of information deems necessary to disclose.
(2) Upon the disclosure of information, the person who documents the disclosed information, the time the disclosed information is documented, the act (establishment, approval, registration or other official act) with which the disclosed information is documented, and the person from whom explanations concerning the disclosed information can be obtained shall be set out.
§ 29. Manners of disclosure of information
(1) The holders of information specified in § 31 of this Act shall disclose the information specified in subsection 1 of § 28 of this Act on a website, or shall add a link to a webpage through which the information can be accessed.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(2) In addition to a website, information specified in subsection 1 of § 28 of this Act may be disclosed:
1) in television or radio programmes or in the printed press;
[RT I, 06.01.2011, 1 – entry into force 16.01.2011]
2) by displaying the document for public examination in a local government agency or public library;
3) in an official publication;
4) in any other manner prescribed by an Act or legislation passed on the basis thereof.
(3) The open data specified in clauses 1–4, 7, 8, 10–13, 15–24, 26, 27, 311 and 312 of subsection 1 of § 28 of this Act shall be disclosed by the holder of information in the manner provided for in subsection 4 of § 31 of this Act.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(4) [Repealed – RT I, 30.11.2021, 3 – entry into force 10.12.2021]
(5) The holders of information specified in subsection 1 of § 434 of this Act shall establish restrictions on public use of the information specified in clause 30 of subsection 1 of § 28 of this Act pursuant to the provisions of § 31 of this Act and shall disclose the data of database given for public use (hereinafter open data of database), if this is possible and appropriate, in an up-to-date version and in a manner and format which allows to download the open data of database as a full set of data together with metadata in a machine-readable and open format. If conversion of the open data of database into machine-readable format or open format is impossible or would involve disproportionately great effort, the holder of information shall ensure disclosure of the open data of database in their original format or in any other format.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(6) The open data in machine-readable format must be accessible through the Estonian information gateway.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
§ 30. Selecting manner of disclosure of information
(1) A holder of information is required to disclose information in a manner which ensures that it reaches every person who needs the information as quickly as possible. A holder of information is not required to carry out further systematisation or analysis of information for the information to be disclosed for the purposes of re-use if this would involve disproportionate effort..
[RT I, 19.12.2012, 2 – entry into force 29.12.2012]
(2) If the manner of disclosure of information is prescribed by a specific Act or an international agreement, the manner provided for in the specific Act or international agreement shall be used upon the disclosure of the information and information shall also be disclosed on a website if such obligation arises from § 31 of this Act.
(3) A holder of information is required to disclose promptly any information concerning danger which threatens the life, health or property of persons or the environment, and shall select the quickest and most suitable manner therefor in order to avert danger and alleviate the possible consequences.
(4) State and local government agencies are required to communicate information concerning events and facts and which is in their possession to providers of media services and the printed press for disclosure if public interest can be expected.
[RT I, 06.01.2011, 1 – entry into force 16.01.2011]
Division 2 Disclosure of Information in Public Data Communication Network
§ 31. Obligation to maintain website
(1) The Chancellery of the Riigikogu, the Office of the President of the Republic, the Office of the Chancellor of Justice, the National Audit Office, courts, government agencies and legal persons in public law are required to maintain websites for the disclosure of information.
[RT I 2008, 35, 213 – entry into force 01.01.2009]
(2) A city or rural municipality government shall organise the maintenance of a website in order to provide details of the activities of the bodies and agencies of the city or rural municipality and to disclose information in the possession thereof. On the basis of a contract, city and rural municipality governments may organise the maintenance of a joint website.
(3) The State Chancellery and ministries are required to take measures for the maintenance of websites by state agencies administered by them.
[RT I, 04.07.2017, 1 – entry into force 01.01.2018]
§ 32. Requirements for maintenance of websites and mobile applications
[RT I, 14.11.2018, 1 – entry into force 01.12.2018]
(1) A holder of information who maintains a website or mobile application shall:
1) inform the public of the opportunity to access the website or mobile application by disclosing a reference to the website or mobile application;
2) publish topical information on the website or in the mobile application;
3) not disclose inaccurate or misleading information on the website or in the mobile application;
4) set out on the website or in the mobile application, the date of disclosure of each document and when the information was updated;
5) promptly apply measures in order to remove any technical problems which hinder access to the website or the mobile application;
6) make the website or mobile application accessible according to the requirements established on the basis of subsection 2 of this section, except if this would involve disproportionately great effort;
7) disclose information describing the accessibility of the website or mobile application on the website or in the environment from where the mobile application can be downloaded.
(2) The minister in charge of the policy sector shall establish by a regulation the accessibility requirements for websites and mobile applications and the procedure for disclosure of information describing accessibility.
(3) The obligation of accessibility provided for in clause 6 of subsection 1 of this section does not extend to the content of websites and mobile applications specified in Article 1(4) of Directive (EU) 2016/2102 of the European Parliament and of the Council on the accessibility of the websites and mobile applications of public sector bodies (OJ L 327, 2.12.2016, p. 1-15).
(4) The effort is disproportionately great within the meaning of clause 6 of subsection 1 of this section if granting access to a website or a mobile application entails unreasonable costs, taking account of the size, resources and type of the holder of information and the frequency and duration of use of the website or the mobile application.
(5) It shall be possible to access directly the websites of agencies in the area of administration of the State Chancellery and ministries from the websites of the State Chancellery and ministries.
(6) The provisions of clauses 6 and 7 of subsection 1 of this section shall not apply to:
1) holders of information providing media services;
2) schools and pre-school child care institutions, except for disclosure of general information, including information on admissions, location and contact details;
3) persons deemed to be equal to holders of information specified in subsection 3 of § 5 of this Act.
[RT I, 14.11.2018, 1 – entry into force 01.12.2018]
§ 321. Estonian information gateway
(1) The Estonian information gateway is a website allowing access to public information related to the fields of activities of holders of information and the public services provided by them, and allowing access to public electronic services and to reusable information.
[RT I, 19.12.2012, 2 – entry into force 29.12.2012]
(2) Administration and development of the Estonian information gateway shall be ensured by the Ministry of Economic Affairs and Communications.
(3) The administrator of the Estonian information gateway in co-operation with holders of information shall ensure the presentation of information in the information gateway organised in a user-centric manner.
(4) The holder of information shall ensure the relevance and clarity of the information related to the holder of information presented in the Estonian information gateway, and shall ensure that this information is forwarded.
(5) The Government of the Republic may establish, by a regulation the requirements and procedure for the administration of the Estonian information gateway, for ensuring access to, developing and using the information therein and processing the personal data in the Estonian information gateway and for interfacing databases with the Estonian information gateway.
[RT I, 13.03.2019, 2 – entry into force 15.03.2019]
§ 33. Access to data communication network
Every person shall be afforded the opportunity to have free access to public information through the Internet in public libraries, pursuant to the procedure provided for in the Public Libraries Act.
Chapter 5 RESTRICTED INFORMATION
§ 34. Restricted information
(1) Restricted information is information to which access is restricted pursuant to the procedure established by law.
(2) Pursuant to this Act, the head of an agency may establish a restriction on access to information and classify information as information intended for internal use.
§ 35. Grounds for classification of information as internal
(1) A holder of information is required to classify the following as information intended for internal use:
1) information collected in criminal or misdemeanour proceedings, except for the information subject to disclosure under the conditions provided by the Code of Misdemeanour Procedure and the Code of Criminal Procedure;
2) information collected in the course of state supervision, administrative supervision and supervisory control proceedings until the entry into force of a decision made thereon;
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
3) information the disclosure of which would damage the foreign relations of the state;
31) information concerning the duties and staff of a structural unit and officials and employees and the duties of the officials and employees of a holder of information engaged in ensuring of internal security, development of national defence policy, organisation of national defence, including planning, preparation and conduct of national military defence, or organisation of the protection of state secrets and classified information of foreign states, if the disclosure of such information would endanger national defence or protection of state secrets and classified information of foreign states;
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
4) information concerning tables reflecting the armament and equipment, and the quantities of armament and equipment of the Defence Forces, unless such information is a state secret or classified foreign information;
[RT I 2008, 35, 213 – entry into force 01.01.2009]
5) information concerning the state assets to be transferred, in the event of mobilisation or increasing of military preparedness, into the possession of the Defence Forces;
51) information concerning the methods and tactics utilised by an investigative body in its activities, if the disclosure of such information could hinder detection of criminal offences or facilitate committing thereof;
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
52) information concerning the quantity of armament of the Police, unless such information is a state secret or classified foreign information;
[RT I, 22.03.2011, 1 – entry into force 01.04.2011]
6) information concerning the duty to grant use of a thing and the expropriation of a thing applied on the basis of the National Defence Act;
[RT I, 10.03.2022, 1 – entry into force 21.03.2022]
61) information the disclosure of which would endanger a national defence object or facilitate carrying out an attack against such object;
[RT I, 12.03.2015, 1 – entry into force 01.01.2016]
62) information concerning the amount of stocks and resources necessary for the performance of national defence tasks and for mitigating the consequences of an emergency, and the extent of and conditions for utilisation of such stocks;
[RT I, 12.03.2015, 1 – entry into force 01.01.2016]
7) information the disclosure of which would endanger objects protected under heritage conservation or museum objects belonging to a museum collection;
8) information the disclosure of which would endanger the protected areas or the preservation of protected species and their habitats;
9) information including a description of security systems, security organisations or security measures;
10) information on technological solutions if disclosure of such information would damage the interests of the holder of information or if classification of such information as internal is prescribed in a contract entered into with a person in private law;
11) information which contains special categories of personal data or data concerning commission of an offence or falling victim to an offence before a public court hearing, or making of a decision in the matter of the offence or termination of the court proceeding in the matter;
[RT I, 13.03.2019, 2 – entry into force 15.03.2019]
12) information which contains personal data if enabling access to such information significantly breaches the inviolability of private life of the data subject;
13) information which contains data revealing details of family life;
14) information concerning application for social assistance or social services;
15) information revealing mental or physical suffering endured by a person;
16) data collected on a person during the process of taxation, except data specified in § 27 of the Taxation Act;
[RT I, 07.12.2018, 1 – entry into force 01.01.2019]
17) information whose disclosure may violate a business secret;
18) reports of an internal audit before approval thereof by the head of the agency;
181) the risk assessment of vitally important services and information concerning the operational continuity plan;
[RT I 2009, 39, 262 – entry into force 24.07.2009]
182) information concerning notification of a personal data breach;
[RT I, 13.03.2019, 2 – entry into force 15.03.2019]
19) any other information provided by law.
[RT I 2007, 68, 420 – entry into force 01.01.2008]
(11) [Repealed – RT I, 19.12.2012, 2 – entry into force 29.12.2012]
(2) The head of a state or local government agency or a legal person in public law may classify the following as information intended for internal use:
1) draft legislation of general application before it is sent for approval or submitted for passage;
2) draft documents and accompanying documents before receipt or signature thereof;
[RT I 2007, 12, 66 – entry into force 01.01.2008]
3) in justified cases, documents addressed to persons within the agency which are not registered in the document register (opinions, notices, memoranda, certificates, advice, etc.);
4) information which may damage the interests of the state acting as a participant in the proceedings in a civil proceeding, until the court decision is made;
[RT I 2007, 12, 66 – entry into force 01.01.2008]
5) information related to the formation of stocks and provision of resources necessary for the performance of national defence tasks and for mitigating the consequences of an emergency, if the disclosure of such information could affect the formation of stocks and provision of resources.
[RT I, 12.03.2015, 1 – entry into force 01.01.2016]
(3) Information with a notation concerning restriction on access forwarded by a foreign state or an international organisation, which is not deemed to be classified foreign information pursuant to the State Secrets and Classified Information of Foreign States Act, is deemed to be information intended for internal use.
[RT I, 07.03.2023, 2 – entry into force 01.05.2023]
§ 36. Prohibition on classification of information as internal
(1) A holder of information who is a state or local government agency or a legal person in public law shall not classify the following as information intended for internal use:
1) results of public opinion polls;
2) generalised statistical surveys;
3) economic and social forecasts;
4) notices concerning the state of the environment and emissions;
[RT I, 08.07.2014, 3 – entry into force 01.08.2014]
5) reports on the work or the work-related success of the holder of information and information on the quality of the performance of duties and on managerial errors;
6) information which damages the reputation of a state or local government official, a legal person in private law performing public duties or a natural person, except special categories of personal data or personal data whose disclosure would breach the inviolability of the private life of the data subject;
[RT I, 13.03.2019, 2 – entry into force 15.03.2019]
7) information on the quality of goods and services arising from protection of the interests of consumers;
8) results of research or analyses conducted by the state or local governments or ordered thereby, unless disclosure of such information would endanger national defence or national security;
9) documents concerning the use of budgetary funds of the state, local governments or legal persons in public law and wages paid to persons employed under employment contracts and other remuneration and compensation paid from the budget;
[RT I, 13.03.2019, 2 – entry into force 15.03.2019]
10) information concerning the proprietary obligations of the holder of information;
11) information on the property of the holder of information;
12) precepts which have entered into force and legislation which is issued by way of state supervision, administrative supervision or supervisory control or under disciplinary procedure and information relating to punishments in force.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(2) The prohibition provided for in subsection 1 of this section also applies to:
1) non-profit associations, foundations or companies which are founded by the state, local governments or legal persons in public law or in which the state, local governments or legal persons in public law participate;
2) information pertaining to the use of funds allocated and assets transferred to legal persons in private law from the state or a local government budget.
§ 37. Restriction on access to private personal data
[Repealed – RT I 2003, 26, 158 – entry into force 01.10.2003]
§ 38. Access to information classified as internal only
(1) A holder of information shall disclose information concerning facts which arouse public interest and which are related to an offence or accident before the final clarification of the circumstances of the offence or accident to an extent which does not hinder the investigation or supervision or clarification of the reasons for the accident. The competent official who organises the investigation or supervision or who clarifies the circumstances of the accident shall decide on the extent of disclosure of such information.
(2) If the grant of access to information may cause the disclosure of restricted information, it shall be ensured that only the part of the information or document to which restrictions on access do not apply may be accessed.
(3) State and local government officials or employees have the right to access information which is classified as information intended for internal use in order to perform their duties. Such information shall not be communicated to third persons without the permission of the agency which establishes the restriction on access.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(31) If, in a case provided by law, access is requested for the performance of public duties to information which is classified as information intended for internal use, the holder of information shall be notified of the basis and purpose of accessing the information provided by law.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(4) The head of an agency may decide to grant access to information classified as internal to persons outside the agency if this does not damage the interests of the state or a local government.
[RT I 2003, 26, 158 – entry into force 01.10.2003]
§ 39. Access to information which contains personal data
[RT I 2003, 26, 158 – entry into force 01.10.2003]
(1) A holder of information shall grant access to personal data in its possession upon the existence of a basis provided for in Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1–88) or the law pursuant to the procedure provided for in this Act.
[RT I, 13.03.2019, 2 – entry into force 15.03.2019]
(2) A holder of information is required to maintain records concerning to whom, for what purpose, when, in which manner and which information classified as internal which contains personal data is released.
(3) [Repealed – RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 40. Terms of restrictions on access
(1) A restriction on access to information intended for internal use applies as of the preparation or receipt of the documents for as long as necessary or until the arrival of the event, but not for longer than five years. The head of an agency may extend the term by up to five years if the reason for establishment of the restriction on access continues to exist.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(11) A restriction on access to information with a notation concerning restriction on access forwarded by a foreign state or an international organisation, which is deemed to be information intended for internal use, applies until the expiry of the term prescribed by the state or organisation that created the information.
[RT I, 07.03.2023, 2 – entry into force 01.05.2023]
(2) A restriction on access to documents pertaining to state supervision, administrative supervision and supervisory control and preparation of individual decisions of executive power applies until adoption of a decision unless another reason to restrict access to the information exists.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(3) A restriction on access to information classified as internal which contains private personal data applies for 75 years as of the receipt or documentation thereof or for 30 years as of the death of the person or, if it is impossible to establish death, for 110 years as of the birth of the person.
§ 41. Procedure for classification of information as internal
(1) Information shall be classified as information intended for internal use by the head of the agency.
(11) The head of an agency shall establish, in the list of documents, the series containing documents to which access may be restricted, and indicate the basis therefor provided by this Act or another Act. Establishment of restriction on access to specific documents shall be decided by the head of the agency or, pursuant to the list of documents established by the head of the agency, by a competent employee appointed by the head of the agency, based on the content of the document and the goal of the restriction on access.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(2) The person who prepares a document classified as information intended for internal use shall make a notation “ ASUTUSESISESEKS KASUTAMISEKS ” [“FOR INTERNAL USE”] in capital letters on the document or file of documents, if the medium enables this, or use the corresponding abbreviation AK. The name of the holder of information, the basis of the restriction on access, the final date for application of the restriction on access and the date on which the notation is made shall be added to the notation.
(3) A notation in Estonian which complies with subsection 2 of this section is made on documents bearing a notation concerning restriction on access forwarded by a foreign state or an international organisation, which are deemed to be information intended for internal use, if it is required by the state or organisation that created the information, if so provided by a international agreement or if it helps to explain the restriction on access or the term thereof.
[RT I, 07.03.2023, 2 – entry into force 01.05.2023]
(4) A holder of information who classifies information as internal shall promptly notify the holders of information to whom such information has been forwarded of its classification as internal.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 42. Invalidation of restriction on access
(1) A holder of information is required to invalidate a restriction on access if the reasons for establishment thereof cease to exist.
(2) If a restriction on access to a document is invalidated, a corresponding notation shall be made on the document.
(21) A notation concerning the invalidation of restriction on access is made on documents bearing a notation concerning restriction on access forwarded by a foreign state or an international organisation, which are deemed to be information intended for internal use, even if the documents have not been marked pursuant to subsection 3 of § 41 of this Act.
[RT I, 07.03.2023, 2 – entry into force 01.05.2023]
(3) A holder of information shall promptly give notice concerning the invalidation of restriction on access to the holders of information to whom such information has been forwarded.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 43. Protection of internal information
(1) A holder of information shall apply organisational, physical and information technology security measures in order to protect:
1) integrity of internal information – against accidental or intentional unauthorised alteration;
2) availability of internal information – against accidental or intentional destruction and prevention of access to data by entitled persons;
3) confidentiality of internal information – against accidental or intentional unauthorised access.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(2) Organisational, physical and information technology security measures must be applied for the protection of internal information, regardless of whether the information is in digital format or on paper.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(3) The Government of the Republic may establish, by a regulation, the list of organisational, physical and information technology security measures applied for the protection of the integrity, availability and confidentiality of internal information.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
Chapter 51 DATABASES
[RT I 2007, 12, 66 - entry into force 01.01.2008]
§ 431. Database
(1) A database is a structured body of data processed within an information system of the state, local government or other person in public law or person in private law performing public duties which is established and used for the performance of functions provided in an Act, legislation issued on the basis thereof or an international agreement.
(2) A structured body of data processed within a database may consist exclusively of unique data contained in other databases.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(3) Collection of data in the database shall be based on the one-request-only principle.
[RT I, 15.03.2019, 2 – entry into force 01.04.2019]
§ 432. State information system
(1) The state information system consists of databases which are connected to the data exchange layer of the information system and registered in the administration system of the state information system, and of the systems supporting the maintenance of the databases.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(2) The minister in charge of the policy sector may establish, by a regulation, the procedure for the conduct of the information technology audit of the state information system, and the requirements for the initiation and implementation of and reporting on development projects relating to the state information system.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 433. Establishment of databases
(1) A database is established by an Act or legislation issued on the basis thereof.
(2) Establishment of separate databases for the collection of the same data is prohibited.
(3) Before the establishment of a database or changing the composition of the data collected in a database, introducing a database or terminating a database, the technical documentation of the database shall be approved by the Estonian Information System's Authority, the Data Protection Inspectorate and the Statistics Estonia.
[RT I, 21.05.2014, 2 – entry into force 31.05.2014]
(4) A database not belonging to the state information system which is kept only for fulfilling internal administration needs of an organisation or for inter-agency processing of documents need not be approved pursuant to the procedure provided in subsection 3 of this section.
(5) The specific conditions and procedure for obtaining the approval of the Estonian Information System's Authority and the Data Protection Inspectorate and, where necessary, also the technical and organisational requirements for establishment and maintenance of databases shall be provided by the regulation establishing the support system specified in clause 6 of subsection 1 of § 439 of this Act.
[RT I, 21.05.2014, 2 – entry into force 31.05.2014]
§ 434. Chief and authorised processors of database
(1) The chief processor (administrator) of a database is the state or local government agency, other legal person in public law or person in private law performing public duties who organises the introduction of the database and the administration of services and data. The chief processor of a database is responsible for the legality of the administration of the database and for developing the database.
[RT I, 14.03.2011, 3 – entry into force 24.03.2011]
(11) Statistics Estonia shall coordinate the area of data governance.
[RT I, 15.03.2019, 2 – entry into force 01.04.2019]
(12) The specific requirements and conditions of data governance shall be provided by a regulation of the Government of the Republic or a minister authorised thereby.
[RT I, 15.03.2019, 2 – entry into force 01.04.2019]
(2) The chief processor of a database may authorise, within the extent determined by the chief processor, another state or local government agency, legal person in public law or, based on a procurement contract or a contract under public law, a person in private law to perform the tasks of processing of data and housing of the database.
(3) An authorised processor is required to comply with the instructions of the chief processor in the processing of data and housing of the database, and shall ensure the security of the database.
(4) The chief processor of a database shall organise the establishment and administration of the central technological environment of a database established for the performance of the tasks imposed on or delegated to a local government by the state.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 435. Statutes of database
(1) The statutes of a database shall provide the procedure for maintaining the database, including the controller (administrator) of the database and where necessary, also the processor, the composition of the data to be collected in the database, persons submitting data and where necessary, also other organisational matters related to the keeping of the database.
[RT I, 13.03.2019, 2 – entry into force 15.03.2019]
(2) The persons submitting data shall be state or local government agencies or other persons in public or private law who have a duty provided by an Act or legislation issued on the basis thereof to submit data to the database or who submit the data voluntarily.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 436. Basic data and effect of data
(1) Basic data are the unique data collected in a database belonging to the state information system which are created in the process of performance of the public duties of the administrator of the database.
(2) The processing of data which are collected as basic data by another database belonging to the state information system shall be based on the basic data of the other database.
(3) Whether data are basic data shall be determined in the administration system of the state information system based on the technical documentation approved pursuant to subsection 3 of § 433 of this Act. The objective for establishing the database shall be the basis for determination whether data are basic data.
(4) Data are given legal effect by law.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 437. Registration of database
(1) A database shall be registered in the administration system of the state information system before the introduction of the database. The procedure for registration of databases shall be provided by the regulation establishing the support system specified in clause 6 of subsection 1 of § 439 of this Act.
(2) Before a database belonging to the state information system is registered, an official or employee of the Estonian Information System's Authority who has appropriate competence shall check and harmonise the technical conformity of the database, and the conformity of the data to be collected and the sources thereof with the requirements established by law or legislation issued on the basis thereof.
[RT I, 21.05.2014, 2 – entry into force 31.05.2014]
§ 438. Access to databases
(1) The data processed by a database shall be accessible to the public unless access thereto is restricted by or on the basis of law.
(2) [Repealed – RT I, 19.12.2012, 2 – entry into force 29.12.2012]
(3) In recording data relating to security authorities in state databases, shadow information may be used based on a classified directive of the head of the security authority.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 439. Support systems to state information system
(1) The following support systems for the maintenance of databases shall be established by a Regulation of the Government of the Republic:
1) the classifications system;
2) the geodetic system;
3) the system of address details;
4) [Repealed – RT I, 06.08.2020, 2 – entry into force 01.01.2023]
5) the data exchange layer of information systems;
6) the administration system of the state information system.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(2) The Government of the Republic may grant the right to establish the support systems specified in subsection 1 of this section and the procedure for application of such systems to the relevant minister.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(3) Use of support systems for the maintenance of the state information system is mandatory upon maintenance of all state and local government databases. The support systems specified in clauses 1, 2, and 6 of subsection 1 this section are mandatory for the maintenance of the database specified in subsection 4 of § 433 of this Act.
[RT I, 06.08.2022, 2 – entry into force 01.01.2023]
(4) An exception to the requirement to use systems supporting the state information system may be made, with the approval of the Ministry of Economic Affairs and Communications, concerning a database founded for the performance of the duties arising from an international agreement.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(5) Exchange of data with the databases belonging to the state information system and between the databases belonging to the state information system shall be carried out through the data exchange layer of the state information system.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(6) The provisions of subsection 5 of this section shall not restrict exchange of data through the data exchange layer of information systems between other legal persons.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
Chapter 6 SUPERVISION
§ 44. Supervision over compliance with this Act
Supervision over compliance with this Act and legislation established on the basis thereof shall be exercised by:
1) the Data Protection Inspectorate;
2) the Estonian Information System's Authority;
[RT I, 13.03.2014, 4 – entry into force 01.07.2014]
3) Statistics Estonia;
[RT I, 15.03.2019, 2 – entry into force 01.04.2019]
4) the Consumer Protection and Technical Regulatory Authority.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
§ 45. Supervisory competence of Data Protection Inspectorate
(1) The Data Protection Inspectorate shall exercise state and administrative supervision over holders of information during:
1) compliance with requests for information and the disclosure of information;
11) compliance with requirements for the maintenance of websites and mobile applications, except compliance with requirements for accessibility;
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
2) protection of information intended for internal use;
3) establishment, introduction, maintenance, reorganisation and termination of databases.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(2) The Data Protection Inspectorate may initiate supervision proceedings on the basis of a challenge or on its own initiative.
(3) [Repealed – RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(4) The Data Protection Inspectorate may give recommended instructions for the implementation of this Act.
[RT I, 19.12.2012, 2 – entry into force 29.12.2012]
§ 46. Filing of challenges and actions concerning refusal to comply with request for information or unsatisfactory compliance with request for information
(1) A person whose rights provided for in this Act are violated may file a challenge with a supervisory body specified in § 44 of this Act or an action with an administrative court either personally or through a representative.
(2) If the Data Protection Inspectorate refuses to satisfy the challenge, the person who filed the challenge has the right to file a claim with an administrative court against the holder of information.
[RT I, 13.03.2019, 2 – entry into force 15.03.2019]
§ 47. Filing of challenge for initiation of state supervision proceedings
[Repealed – RT I 2007, 12, 66 – entry into force 01.01.2008]
§ 48. Review of complaints by Data Protection Inspectorate
[Repealed – RT I 2002, 61, 375 – entry into force 01.08.2002]
§ 49. Refusal of Data Protection Inspectorate to review complaint
[Repealed – RT I 2002, 61, 375 – entry into force 01.08.2002]
§ 50. Exercise of state supervision
[RT I, 13.03.2014, 4 – entry into force 01.07.2014]
In order to exercise state supervision provided for in this Act, the Data Protection Inspectorate may apply the specific state supervision measure provided for in §§ 30, 32, 49, 50 and 51 of the Law Enforcement Act on the basis of and pursuant to the procedure provided for in the Law Enforcement Act.
[RT I, 13.03.2014, 4 – entry into force 01.07.2014]
§ 51. Precept of Data Protection Inspectorate
[RT I 2003, 26, 158 – entry into force 01.10.2003]
(1) The Data Protection Inspectorate may issue a precept which requires a holder of information to bring its activities into accordance with law if the Inspectorate finds that the holder of information:
1) has refused illegally to comply with a request for information;
2) has not responded to a request for information within the prescribed term;
3) has not complied with a request for information as required;
4) has not processed a request for information as required;
5) has failed to disclose information subject to disclosure as required;
6) has not performed the obligation to maintain a website as required;
7) has established restrictions on access to information illegally;
8) has failed to establish restrictions on access to information provided by law;
9) has released information to which restrictions on access are established pursuant to this Act.
(2) [Repealed – RT I 2002, 61, 375 – entry into force 01.08.2002]
(3) Upon failure to comply with a precept specified in subsection 1 of this section, the Data Protection Inspectorate may impose a penalty payment pursuant to the procedure provided for in the Substitutive Enforcement and Penalty Payment Act. The upper limit for a penalty payment is 9600 euros.
[RT I, 12.07.2014, 1 – entry into force 01.01.2015]
§ 52. Compliance with precepts of Data Protection Inspectorate
(1) A holder of information shall, within five working days as of receipt of a precept, take measures to comply with the precept and shall notify the Data Protection Inspectorate thereof. The Data Protection Inspectorate shall publish the notice on its website.
(2) [Repealed – RT I 2002, 61, 375 – entry into force 01.08.2002]
§ 53. Application of Data Protection Inspectorate for organisation of supervisory control
(1) If a holder of information fails to comply with a precept of the Data Protection Inspectorate, the Data Protection Inspectorate may address a superior agency, person or body of the holder of information for organisation of supervisory control or commencement of disciplinary proceedings against an official.
(2) A person exercising supervisory control or a person with the right to commence disciplinary proceedings is required to review an application within one month as of receipt thereof and submit a reasoned opinion to the Data Protection Inspectorate. Upon supervisory control or commencement of disciplinary proceedings, the person exercising supervisory control or the person with the right to commence disciplinary proceedings is required to immediately notify the Data Protection Inspectorate of the results thereof.
[RT I, 12.07.2014, 1 – entry into force 01.01.2015]
§ 531. Supervision by Estonian Information System's Authority
[RT I, 13.03.2014, 4 – entry into force 01.07.2014]
(1) The Estonian Information System's Authority exercises administrative and state supervision over the connection to the data exchange layer of information systems.
[RT I, 06.08.2022, 2 – entry into force 01.01.2023]
(2) Upon exercise of state supervision specified in subsection 1 this section, the Estonian Information System's Authority may apply the specific state supervision measures provided for in §§ 30, 31, 32, 49, 50, 51 and 52 of the Law Enforcement Act on the basis of and pursuant to the procedure provided for in the Law Enforcement Act.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
§ 532. Supervision by Statistics Estonia
Statistics Estonia shall exercise administrative supervision over compliance with data governance requirements.
[RT I, 15.03.2019, 2 – entry into force 01.04.2019]
§ 533. Consumer Protection and Technical Regulatory Authority
(1) The Consumer Protection and Technical Regulatory Authority shall exercise state and administrative supervision over holders of information concerning their compliance with the requirements for the accessibility of websites and mobile applications.
(2) The Consumer Protection and Technical Regulatory Authority may give recommended instructions for the implementation of the requirements for the accessibility of websites and mobile applications.
(3) Upon exercise of state supervision specified in subsection 1 this section, the Consumer Protection and Technical Regulatory Authority may apply the specific state supervision measures provided for in §§ 30, 32, 49, 50 and 51 of the Law Enforcement Act on the basis of and pursuant to the procedure provided for in the Law Enforcement Act.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
§ 534. Compliance with precept issued by Consumer Protection and Technical Regulatory Authority
A holder of information shall, within five working days as of receipt of a precept, take measures to comply with the precept and notify the Consumer Protection and Technical Regulatory Authority thereof. The Consumer Protection and Technical Regulatory Authority shall publish the notice on its website.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
§ 535. Application of Consumer Protection and Technical Regulatory Authority for organisation of supervisory control
(1) If a holder of information fails to comply with a precept of the Consumer Protection and Technical Regulatory Authority, the authority may address a superior agency, person or body of the holder of information for organisation of supervisory control or commencement of disciplinary proceedings against an official.
(2) A person exercising supervisory control or a person with the right to commence disciplinary proceedings is required to review an application within one month as of receipt thereof and submit a reasoned opinion to the Consumer Protection and Technical Regulatory Authority. Upon supervisory control or commencement of disciplinary proceedings, the person exercising supervisory control or the person with the right to commence disciplinary proceedings is required to immediately notify the Consumer Protection and Technical Regulatory Authority of the results thereof.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
§ 54. Report of Data Protection Inspectorate on compliance with this Act
(1) The Data Protection Inspectorate shall submit a report on compliance, during the preceding year, with this Act to the Constitutional Committee of the Riigikogu and to the Legal Chancellor by 1 April each year.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(2) The report shall contain an overview of offences, the holders of information which committed the offences, challenges, precepts, misdemeanour proceedings initiated, punishments imposed, and other circumstances relating to the implementation of this Act.
(3) Reports shall be published on the website of the Data Protection Inspectorate.
(4) In addition to the regular reports specified in subsection 1 of this section, the head of the Data Protection Inspectorate may submit reports concerning significant matters which have an extensive effect or need prompt settlement which become known in the course of supervision over compliance with this Act to the Constitutional Committee of the Riigikogu and the Legal Chancellor.
[RT I, 12.07.2014, 1 – entry into force 01.01.2015]
Chapter 61 LIABILITY
[RT I 2002, 63, 387 - entry into force 01.09.2002]
§ 541. Violation of requirements for disclosure and release of public information
(1) Knowing release of incorrect public information or knowing disclosure or release of information intended for internal use
is punishable by a fine of up to 300 fine units.
[RT I, 12.07.2014, 1 – entry into force 01.01.2015]
(2) [Repealed – RT I, 12.07.2014, 1 – entry into force 01.01.2015]
(3) The Data Protection Inspectorate is the extra-judicial body which conducts proceedings in matters of misdemeanours provided for in this section.
[RT I 2003, 26, 158 – entry into force 01.10.2003]
Chapter 7 IMPLEMENTING PROVISIONS
§ 55. Access to public computer network in public libraries
The state and local governments shall ensure that there is the opportunity to access public information through the data communication network in public libraries by 2002.
§ 56. Commencement of maintenance of website
(1) Ministers within their area of government, and the State Secretary and county governors with respect to state agencies administered thereby shall establish schedules by 1 June 2001 for the transition to websites which comply with the requirements of this Act.
(2) Holders of information specified in § 31 of this Act shall create a website which complies with the requirements of this Act by 1 March 2002 at the latest.
§ 561. Application of requirements for maintenance of websites and mobile applications
(1) The provisions of clauses 6 and 7 of subsection 1 of § 32 or this Act shall apply to websites first published after 23 September 2018 as of 23 September 2019.
(2) The provisions of clauses 6 and 7 of subsection 1 of § 32 or this Act shall apply to websites first published before 23 September 2018 as of 23 September 2020.
(3) The requirements for the maintenance of mobile applications provided for in § 32 of this Act apply as of 23 June 2021.
[RT I, 14.11.2018, 1 – entry into force 01.12.2018]
§ 57. Bringing of procedure for access to information maintained in state and local government databases into accordance with law
The Government of the Republic, ministries and local government bodies shall bring legislation regulating the maintenance of databases into accordance with this Act and with the amendments made to the Databases Act by this Act by 1 January 2002.
§ 58. Bringing of records management procedures into accordance with this Act
(1) The Government of the Republic shall establish the bases for the records management procedures of state and local government agencies and legal persons in public law by 1 March 2001.
(2) Holders of information shall bring their records management procedures into accordance with this Act by 1 June 2001.
§ 581. Application of Chapter 51 of this Act
(1) The statutes for maintaining national registers established in accordance with the Databases Act and the databases maintained on the basis thereof, and other databases of the state and local governments shall be brought into conformity with this Act within six months after the repeal of the Databases Act.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(11) The regulations established on the basis of subsection 1 of § 439 of this Act may prescribe longer terms for the application of the systems supporting the state information system than the terms specified in subsection 1 of this section.
[RT I 2007, 67, 413 – entry into force 28.12.2007]
(2) Databases which are not compatible with the state information system, and databases which duplicate the collection of information of other databases or which collect interrelated data shall be merged, maintenance thereof shall be terminated or they shall be made compatible according to the requirements of Chapter 51 of this Act within six months after the repeal of the Databases Act.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(3) The transfer provided in subsections 1 and 2 shall be coordinated by the Ministry of Economic Affairs and Communications.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(4) A database registered in the national register of databases prior to the entry into force of Chapter 51 of this Act is deemed to be registered in the administration system of the state information system upon entry into force of Chapter 51 of this Act. The administrator of a database shall update the data of the database in the administration system of the state information system not later than within three months after the entry into force of Chapter 51 of this Act. Upon updating the data of a database, the basic data of the database shall be determined.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(5) The first sentence of subsection 4 of this section does not apply to the databases which are registered in the national register of databases but are not connected to the data exchange layer of the information system.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(6) Databases registered in the administration system of the state information system or which are deemed to be registered therein pursuant to subsection 4 of this section and are connected to the data exchange layer of the information system are deemed to be databases belonging to the state information system.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(7) The contracts for maintenance of databases concluded before the entry into force of Chapter 51 of this Act shall remain valid until the end of the term set forth therein.
[RT I 2007, 12, 66 – entry into force 01.01.2008]
(8) The requirements provided in this Act for databases belonging to the state information system shall apply to the Riigi Teataja and the official publication Ametlikud Teadaanded from the establishing of the necessary technical possibilities, but not later than from 1 July 2011.
[RT I 2010, 19, 101 – entry into force 01.06.2010]
§ 582. Application of provisions regulating the re-use of public information
(1) A holder of information shall disclose the open data specified in § 28 of this Act pursuant to the provisions of § 29 of this Act by 1 February 2016 at the latest.
[RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(2) [Repealed – RT I, 06.01.2016, 1 – entry into force 16.01.2016]
(3) [Repealed – RT I, 06.01.2016, 1 – entry into force 16.01.2016]
§ 583. Making high-value datasets available free of charge
If making high-value datasets available free of charge would lead to a substantial impact on the budget of the holder of information who must cover a substantial part of the costs arising from the performance of its public duties, the holder of information must make high-value datasets available free of charge not later than two years after the European Commission Implementing Regulation specified in Article 14(1) of Directive (EU) 2019/1024 of the European Parliament and of the Council becomes applicable.
[RT I, 30.11.2021, 3 – entry into force 10.12.2021]
§ 59. – § 68. [Omitted from this text.]
§ 69. Entry into force of Act
This Act enters into force on 1 January 2001.