
Estonian businesses and GDPR — what the real requirements are

GDPR is not only a concern for large companies. Every Estonian business whose website collects data from EU citizens must follow the same rules.

Who GDPR applies to

GDPR applies to all organisations — large and small — that:

  • Offer goods or services to EU citizens, OR
  • Monitor the behaviour of EU citizens (including Google Analytics)

This means: if your website is visible in Europe and collects any data (including cookies, Google Analytics, a contact form), GDPR applies to you.

Which data is problematic

Cookies and tracking tools: Google Analytics collects IP addresses, device data and behaviour data. This is personal data processing — it requires consent.

Contact forms: Name, email address, phone number, message — all are personal data. You must explain what is done with them and how long they are stored.

Email marketing: Adding someone to a newsletter list requires explicit consent. "You will receive our newsletter" without a checkbox is not consent.

Recruitment forms: CVs and cover letters are sensitive personal data. A retention period must be defined.

What a website must do

1. Cookie consent

Before activating analytics and tracking cookies, the user must give consent. A simple "We use cookies" banner is not enough — there must be a way to give and refuse consent.

Consent must be:

  • Freely given (not "consent or leave")
  • Specific (different categories separately)
  • Informed (a clear explanation)
  • Unambiguous (a click on a button, not "by continuing you agree")
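The consent gate described in this section, as an added JavaScript example (not code from the article or from WebPro Company): no optional script runs on page load, the banner offers both accept and refuse with a separate checkbox per category, the decision is stored in a cookie, and the GA4 loader is injected only once "analytics" has actually been accepted. A missing, malformed or outdated record is treated like a refusal, and a pre-ticked or implied "yes" cannot become a stored consent. The cookie name `site_consent`, the banner element ids, the six-month re-consent period and the measurement ID `G-XXXXXXXXXX` are assumptions and placeholders.

```javascript
// Added example, not code from the article: a minimal category-based consent
// gate. Nothing optional runs on page load; the analytics loader is injected
// only after an explicit "accept", and "refuse" is recorded just like acceptance.

const CONSENT_COOKIE = 'site_consent';               // assumed cookie name
const CONSENT_VERSION = 1;                           // bump when categories change
const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];
const GA_MEASUREMENT_ID = 'G-XXXXXXXXXX';            // placeholder, not a real ID

// Build a consent record from explicit choices. Every optional category
// defaults to false, so a pre-ticked box or "by continuing" can never turn
// into a stored "yes". "necessary" needs no consent and is always on.
function buildConsent(choices, now = Date.now()) {
  const record = { v: CONSENT_VERSION, ts: now, necessary: true };
  for (const c of OPTIONAL_CATEGORIES) record[c] = choices[c] === true;
  return record;
}

// Parse a stored record. Missing, malformed or older-version records mean
// "no decision yet", which the gate treats exactly like a refusal.
function parseConsent(raw) {
  if (!raw) return null;
  let obj;
  try { obj = JSON.parse(raw); } catch (e) { return null; }
  if (!obj || typeof obj !== 'object' || obj.v !== CONSENT_VERSION) return null;
  return buildConsent(obj, obj.ts);
}

// Which tag groups may run for this record: nothing until a decision exists.
function allowedTags(record) {
  if (!record) return [];
  const tags = [];
  if (record.analytics) tags.push('ga4');
  if (record.marketing) tags.push('ads');
  return tags;
}

// Serialize for document.cookie. Max-Age limits how long a decision is
// remembered before the visitor is asked again (assumed policy: 6 months).
function consentCookie(record) {
  const maxAge = 180 * 24 * 3600;
  return CONSENT_COOKIE + '=' + encodeURIComponent(JSON.stringify(record)) +
    '; Max-Age=' + maxAge + '; Path=/; SameSite=Lax';
}

// Find and parse our cookie in a "a=b; c=d" cookie string.
function readConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0 || part.slice(0, idx).trim() !== CONSENT_COOKIE) continue;
    let raw;
    try { raw = decodeURIComponent(part.slice(idx + 1).trim()); } catch (e) { return null; }
    return parseConsent(raw);
  }
  return null;
}

// Browser-only part: inject gtag.js only when 'ga4' is allowed. The
// gtag('js') / gtag('config') bootstrap from Google's documented snippet
// would follow the script insertion and is omitted here for brevity.
function applyConsent(record, doc) {
  for (const tag of allowedTags(record)) {
    if (tag === 'ga4' && !doc.getElementById('ga4-loader')) {
      const s = doc.createElement('script');
      s.id = 'ga4-loader';
      s.async = true;
      s.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_MEASUREMENT_ID;
      doc.head.appendChild(s);
    }
  }
}

// Wire up the banner (element ids are assumed markup). Both buttons store a
// decision; "refuse" stores all optional categories as false and loads nothing.
function initConsent(doc) {
  const record = readConsentCookie(doc.cookie);
  if (record) { applyConsent(record, doc); return record; }
  const banner = doc.getElementById('consent-banner');
  banner.hidden = false;
  const decide = (choices) => {
    const rec = buildConsent(choices);
    doc.cookie = consentCookie(rec);
    banner.hidden = true;
    applyConsent(rec, doc);
  };
  doc.getElementById('consent-accept').onclick = () => decide({
    analytics: doc.getElementById('opt-analytics').checked,
    marketing: doc.getElementById('opt-marketing').checked,
  });
  doc.getElementById('consent-refuse').onclick = () => decide({});
  return null;
}

if (typeof document !== 'undefined') initConsent(document);
```

The important design point is the order of operations: the page never references the analytics script in its HTML at all, so there is no request to Google before the visitor decides, and a refusal is stored with the same lifetime as an acceptance so the banner does not keep reappearing as a nudge.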

2. Privacy policy

The privacy policy explains:

  • What data is collected
  • Why (legal basis for processing)
  • How long it is stored
  • Who it is shared with
  • How users can request deletion

The privacy policy must be easy to find — typically in the footer.

3. Data retention periods

Data received through a contact form cannot stay on the server indefinitely. A period must be defined (e.g. one year) and data deleted after that.

4. Right to erasure

Users have the right to request deletion of their data. A process must exist to fulfil these requests.
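Retention periods and deletion requests, the two requirements just above, as an added JavaScript example that is not the article's or WebPro Company's code: an in-memory store of contact-form submissions with a retention sweep and an erasure handler, plus an audit trail that records counts and timestamps but no personal data. The one-year period, the sample submissions and the `example.com` addresses are constructed for the example; on a real site the same two operations run against the database table or mailbox the form posts to.

```javascript
// Added example, not the article's code: contact-form submissions with a
// retention sweep and a right-to-erasure handler.

const RETENTION_DAYS = 365;                  // assumed policy: one year
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample data; receivedAt is ms since the epoch.
const sampleSubmissions = [
  { id: 1, email: 'anna@example.com', receivedAt: Date.UTC(2023, 0, 10), message: 'quote request' },
  { id: 2, email: 'bert@example.com', receivedAt: Date.UTC(2024, 5, 1),  message: 'support question' },
  { id: 3, email: 'anna@example.com', receivedAt: Date.UTC(2024, 8, 15), message: 'follow-up' },
];

class SubmissionStore {
  constructor(rows) {
    this.rows = rows.map(r => ({ ...r }));
    this.audit = [];                          // counts only, never the data itself
  }

  // Retention sweep, meant to run on a schedule (e.g. nightly): delete every
  // submission received before `now - retentionDays`.
  purgeExpired(now, retentionDays = RETENTION_DAYS) {
    const cutoff = now - retentionDays * DAY_MS;
    const before = this.rows.length;
    this.rows = this.rows.filter(r => r.receivedAt >= cutoff);
    const removed = before - this.rows.length;
    this.audit.push({ at: now, action: 'retention-purge', removed });
    return removed;
  }

  // Submissions that will fall out of retention within `withinDays` days,
  // so an operator can see what the next sweep will remove.
  expiringSoon(now, withinDays, retentionDays = RETENTION_DAYS) {
    const cutoff = now + withinDays * DAY_MS - retentionDays * DAY_MS;
    return this.rows.filter(r => r.receivedAt < cutoff).map(r => r.id);
  }

  // Right-to-erasure request: remove every row for one data subject.
  // Email is matched case-insensitively and trimmed; the audit entry keeps
  // the count and time, not the address.
  eraseSubject(email, now) {
    const key = email.trim().toLowerCase();
    const before = this.rows.length;
    this.rows = this.rows.filter(r => r.email.toLowerCase() !== key);
    const removed = before - this.rows.length;
    this.audit.push({ at: now, action: 'erasure-request', removed });
    return removed;
  }

  // What is currently held about one subject (the answer to an access request).
  exportSubject(email) {
    const key = email.trim().toLowerCase();
    return this.rows.filter(r => r.email.toLowerCase() === key);
  }
}

// Walk-through with the constructed data on 1 December 2024.
function demo() {
  const store = new SubmissionStore(sampleSubmissions);
  const now = Date.UTC(2024, 11, 1);
  const purged = store.purgeExpired(now);            // removes id 1 (Jan 2023)
  const erased = store.eraseSubject('Anna@Example.com', now);  // removes id 3
  return { purged, erased, remaining: store.rows.map(r => r.id), audit: store.audit };
}
```

Two details matter in practice: the audit entries exist so the business can show that a request was fulfilled and when, without re-storing the data it just deleted, and `expiringSoon` lets someone check the sweep's effect before it runs, which is the usual way a retention job is introduced on a site that has never had one.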

Common mistakes on Estonian sites

Google Analytics without cookie consent — the most common issue. GA4 collects data immediately on page load, before the user has given consent.

Old "by continuing you consent to cookies" banner — this does not meet requirements. Pre-ticked consent is not consent.

Contact form data stored in email indefinitely — emails are personal data, and emails retained on a server require a retention policy.

Privacy policy missing or out of date — a pre-GDPR privacy policy no longer meets requirements.

What are the penalties

The Data Protection Inspectorate (DPI, Andmekaitse Inspektsioon) is the Estonian supervisory authority. Penalties range from:

  • Warning and corrective order (the most common outcome for small businesses)
  • Fine up to €10 million or 2% of annual turnover (for lesser violations)
  • Fine up to €20 million or 4% of annual turnover (for serious violations)

Small businesses are not facing million-euro fines — but reputational damage and a mandatory remediation order are real.

Where to start

  1. Audit — map all data your site collects
  2. Cookie solution — install a proper cookie consent manager (e.g. CookieYes, Cookiebot, or a custom solution)
  3. Privacy policy — write or update it
  4. Processes — decide who is responsible for handling data deletion requests

Read more about GDPR on websites generally or contact us if you need help bringing your site into compliance.

Kaido Toomingas, WebPro Company OÜ

Need Drupal help?

If the article describes your situation, you do not have to read everything first. A real person will help you choose the next step.