The e-Money Institutions Act of Estonia was revised in 2018 which included additional requirements for data protection. The changes are a part of the wider EU level data protection amendments stemming primarily from the GDPR. Therefore, it is no wonder that the e-Payment Institutions Act was amended to include these requirements. Consequently, those seeking to establish an e-money institution in Estonia ought to be aware of the added requirements.

Personal Data Processing Requirements:

Under the new Article 63² several limitations are applied to the processing of personal data. Chief among these is this obligation to not to ask or try to obtain data besides what is needed for the provision of the payment initiation service.

Furthermore, under the revised Article a similar prohibition to using or storing the client’s data for anything besides the information service explicitly requested by the client. In addition the Article sets out a total prohibition on storing sensitive data for the provision of payment initiation services. Therefore, following the GDPR definition of sensitive data, this would include political affiliations, trade union memberships or other religious beliefs among others. Moreover, the service provider must make sure that third parties do not have access to such data.

Additionally, the revised e-Money Institutions Act requires that personal data can only be stored until the expiry date of the limitations period connected with the services. Therefore, the balance between the interests of the individual who’s personal data is processed and that of the e-Money is maintained.

Managing Risks:

An entirely new obligation is the requirement to send to the Financial Supervision Authority, every year, by the 1^st of March an up-to-date assessment of the operational risks related to the payment services.  This obligation was introduced to make sure that the service provider implements effective security and control measures as required by the Article.

However, should an incident happen, an immediate notification must be sent to the Financial Supervision Authority. This obligation extends to inform clients affected if the incident may or does have an impact on the financial interests of the clients. Furthermore, a payment service provider must provide to the Financial Supervision Authority regularly statistical information regarding frauds related to various payment methods.