Whistleblower law in Estonia
Estonia implemented Directive (EU) 2019/1937 through the Rikkumisest teavitaja kaitse seadus (RTKS), which entered into force on 1 September 2024. Estonia’s framework is still relatively new, so the official law text matters more than mature administrative guidance pages.
Applicable law
Who must establish an internal channel
Private employers with at least 50 workers are the main business group required to establish an internal reporting channel. Public-sector coverage is broader under the act.
External reporting authority
Estonia’s act works through competent authorities that handle the underlying subject matter of the breach rather than through one highly visible universal whistleblowing portal. In practice, organisations should therefore explain which authority is competent for the issues they cover instead of treating external reporting as a single generic route.
Data protection authority
For GDPR complaints about the handling of report data, the relevant authority is the Estonian Data Protection Inspectorate (AKI).
Key compliance points
- Estonia’s law protects work-related reporting of breaches within the statutory scope, so companies should distinguish the legal whistleblowing process from any broader speak-up or HR intake.
- Because the regime is new, clear published instructions on scope, intake format and follow-up matter more than in older whistleblowing markets.
- Organisations handling sensitive reports should also pay attention to AKI guidance and breach-reporting expectations.
Official sources
- RTKS — official text
- Chancellor of Justice — application page
- AKI — Estonian Data Protection Inspectorate
- AKI — contact page