Estonia

State and administrative supervision over compliance with PDPA as well as personal data related provisions of ECA shall be exercised by the Data Protection Inspectorate.
In the field of personal data protection, the Data Protection Inspectorate shall:
1) monitor compliance with the requirements provided by personal data legislation;
2) apply administrative coercion on the bases, to the extent and pursuant to the procedure prescribed by personal data legislation;
3) initiate misdemeanor proceedings where necessary and impose punishments;
4) co-operate with international data protection supervision organizations and foreign data protection supervision authorities and other competent foreign authorities and persons;
5) give instructions of advisory nature for application of personal data legislation;
6) perform other duties provided by personal data legislation.
In performing its functions, the Data Protection Inspectorate has the right to:
1) suspend the processing of personal data;
2) demand the rectification of inaccurate personal data;
3) prohibit the processing of personal data;
4) demand the closure or termination of processing of personal data, including destruction or forwarding to an archive;
5) where necessary, immediately apply, in order to prevent the damage to the rights and freedoms of persons, organizational, physical or information technology security measures for the protection of personal data pursuant to the procedure provided for in the Substitutive Enforcement and Penalty Payment Act, unless the personal data are processed by a state agency.
The Data Protection Inspectorate may initiate supervision proceedings on the basis of a complaint or on its own initiative.
The Data Protection Inspectorate may make enquiries to electronic communications undertakings about the data required for the identification of an end-user related to the identification tokens used in the public electronic communications network, except for the data relating to the fact of transmission of messages.
Upon exercise of administrative supervision, competent officials of the Data Protection Inspectorate have the right to enter, without hindrance, the premises or territory of a processor of personal data, demand relevant documents and other necessary information from persons, make copies of documents and access the equipment of a processor of personal data as well as the recorded data and the software used for data processing.
Officials of the Data Protection Inspectorate have the right to issue precepts to processors of personal data and adopt decisions for the purposes of ensuring compliance with this Act.
Upon failure to comply with a precept specified in subsection (1) of this section, the Data Protection Inspectorate may impose a penalty payment pursuant to the procedure provided for in the Substitutive Enforcement and Penalty Payment Act. The upper limit for a penalty payment is 9600 euros. Penalty payment shall not be imposed on state agencies.
If a state agency who is the processor of personal data fails to comply with the precept of the Data Protection Inspectorate within the term specified therein, the Data Protection Inspectorate shall file a protest with an administrative court pursuant to procedure provided for in the Code of Administrative Court Procedure.
If a processor of personal data fails to comply with a precept of the Data Protection Inspectorate, the Data Protection Inspectorate may address a superior agency, person or body of the processor of personal data for organisation of supervisory control or commencement of disciplinary proceedings against an official.
The Data Protection Inspectorate shall submit a report on compliance with this PDPA to the Constitutional Committee of the Riigikogu and to the Legal Chancellor by 1 April each year. The report shall provide an overview of the most important facts related to the compliance and application of this Act during the preceding calendar year. The head of the Data Protection Inspectorate may submit reports concerning significant matters which have an extensive effect or need prompt settlement which become known in the course of supervision over compliance with this Act to the Constitutional Committee of the Riigikogu and the Legal Chancellor.