AKI (Estonia) - EDPBI:ee:OSS:d:2022:343: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=EDPBI:ee:OSS:d:2022:343 |ECL...") |
No edit summary |
||
Line 67: | Line 67: | ||
}} | }} | ||
In an Article 60 procedure, the Estoanian DPA warned a controller pursuant of [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. The data subject was not able to create a user account without consenting to direct marketing,The controller also stored | In an Article 60 procedure, the Estoanian DPA warned a controller pursuant of [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. The data subject was not able to create a user account without consenting to direct marketing, The controller also stored personal data for a maximum period of 15 years and disclosed personal data to undefined third parties. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject was unable to register as a user of the controller’s website without giving consent | The data subject was unable to register as a user of the controller’s website without giving consent for direct marketing. The controller was a provider of consumer credit. The data subject was also not able to determine to which third parties his contact data was transferred to, how the data was used and how long the data was stored. The third parties had also not been specifically identified on the controller’s website. The data subject also stated that the controller had not appointed a DPO. | ||
The data subject filed a complaint at a German DPA (Not clear which German DPA) on 2 January 2020, which transferred the complaint on 7 May 2020 to the Estonian DPA (DPA), which was the lead supervisory authority in this [[Article 60 GDPR]] procedure. | |||
The DPA sent several inquiries to the controller. The controller clarified that the way it’s consent procedure for direct marketing was designed was the result of a ‘technical error’ and that it was now possible to register as a user without giving consent to direct marketing. The controller also specified that the maximum storage period for contact data of clients was 15 years, pursuant of national legislation. However, Paragraph 47 of the German Money laundering act (GwG) provides that the controller must retain personal data for only 5 years after the termination of a business relationship. This period can be extended to 10 years with permission from the competent supervisory authority. | The DPA sent several inquiries to the controller. The controller clarified that the way it’s consent procedure for direct marketing was designed was the result of a ‘technical error’ and that it was now possible to register as a user without giving consent to direct marketing. The controller also specified that the maximum storage period for contact data of clients was 15 years, pursuant of national legislation. However, Paragraph 47 of the German Money laundering act (GwG) provides that the controller must retain personal data for only 5 years after the termination of a business relationship. This period can be extended to 10 years with permission from the competent supervisory authority. | ||
This personal data was amongst other sources collected by requesting a copy of an ID – card, which included categories of data such as name, time of birth, origin and citizenship, but also biometric data, such as eye colour and height. The DPA consulted the German DPA, which explained that pursuant of the German Money laundering act (GwG), the controller had to collect certain personal information for providing its service such as names and dates of birth, but that there were no legal grounds for processing other personal data, such as biometric data | This personal data was amongst other sources collected by requesting a copy of an ID – card, which included categories of data such as name, time of birth, origin and citizenship, but also biometric data, such as eye colour and height. The DPA consulted the German DPA, which explained that pursuant of the German Money laundering act (GwG), the controller had to collect certain personal information for providing its service such as names and dates of birth, but that there were no legal grounds for processing other personal data, such as biometric data | ||
The controller also admitted that it had not yet appointed a DPO and was willing to reduce the storage period if the DPA deemed this period too long. | The controller also admitted that it had not yet appointed a DPO and was willing to reduce the storage period if the DPA deemed this period too long. | ||
=== Holding === | === Holding === | ||
The DPA determined that the controller violated [[Article 7 GDPR#2|Article 7(2) GDPR]], which required the controller to ask consent clearly in a distinguishable manner. The data subject could not refuse to give consent for electronic direct marketing when opening an account. The DPA also determined that the controller violated [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] by applying an unreasonable long data storage period of 15 years. The DPA stated that storing personal data for ten years abstractly for claims under civil law is acceptable. If the data subject would object to storage of personal data for ten years, the controller would have to re-assess its legitimate interest of retaining the personal data of the data subject, looking at the concrete circumstances of the case (Article 21 GDPR). If it was determined that the need for defence of legal claims does not justify storage of the data subject’s personal data, then the data subject must be deleted immediately in accordance with 17(1)(c) GDPR. The DPA also stated that the controller violated the principle of data transparency, without citing any GDPR provision, because it was not clear to whom and to which third party personal data were transferred. | The DPA determined that the controller violated [[Article 7 GDPR#2|Article 7(2) GDPR]], which required the controller to ask consent clearly in a distinguishable manner. The data subject could not refuse to give consent for electronic direct marketing when opening an account, whic resulted in the violation. | ||
The DPA also determined that the controller violated [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] by applying an "unreasonable long" data storage period of 15 years. The DPA stated that storing personal data for ten years abstractly for claims under civil law is acceptable. If the data subject would object to storage of personal data for ten years, the controller would have to re-assess its legitimate interest of retaining the personal data of the data subject, looking at the concrete circumstances of the case (Article 21 GDPR). If it was determined that the need for defence of legal claims does not justify storage of the data subject’s personal data, then the data subject must be deleted immediately in accordance with 17(1)(c) GDPR. The DPA also stated that the controller violated the principle of data transparency, without citing any GDPR provision, because it was not clear to whom and to which third party personal data were transferred. | |||
The DPA confirmed that the controller had changed the procedure for asking consent for direct marketing and had therefore eliminated the violation. The DPA also stated that the controller had been given explanations regarding data storage periods which the controller had to take into account in the future. The DPA concluded by warning the controller pursuant of [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. | The DPA confirmed that the controller had changed the procedure for asking consent for direct marketing and had therefore eliminated the violation. The DPA also stated that the controller had been given explanations regarding data storage periods which the controller had to take into account in the future. The DPA concluded by warning the controller pursuant of [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. | ||
Revision as of 22:15, 28 November 2022
AKI - EDPBI:ee:OSS:d:2022:343 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 5(1)(e) GDPR Article 7(2) GDPR Article 17(1)(c) GDPR Article 58(2)(b) GDPR Article 60 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 02.01.2020 |
Decided: | 09.03.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | EDPBI:ee:OSS:d:2022:343 |
European Case Law Identifier: | EDPBI:ee:OSS:d:2022:343 |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
In an Article 60 procedure, the Estoanian DPA warned a controller pursuant of Article 58(2)(b) GDPR. The data subject was not able to create a user account without consenting to direct marketing, The controller also stored personal data for a maximum period of 15 years and disclosed personal data to undefined third parties.
English Summary
Facts
The data subject was unable to register as a user of the controller’s website without giving consent for direct marketing. The controller was a provider of consumer credit. The data subject was also not able to determine to which third parties his contact data was transferred to, how the data was used and how long the data was stored. The third parties had also not been specifically identified on the controller’s website. The data subject also stated that the controller had not appointed a DPO.
The data subject filed a complaint at a German DPA (Not clear which German DPA) on 2 January 2020, which transferred the complaint on 7 May 2020 to the Estonian DPA (DPA), which was the lead supervisory authority in this Article 60 GDPR procedure.
The DPA sent several inquiries to the controller. The controller clarified that the way it’s consent procedure for direct marketing was designed was the result of a ‘technical error’ and that it was now possible to register as a user without giving consent to direct marketing. The controller also specified that the maximum storage period for contact data of clients was 15 years, pursuant of national legislation. However, Paragraph 47 of the German Money laundering act (GwG) provides that the controller must retain personal data for only 5 years after the termination of a business relationship. This period can be extended to 10 years with permission from the competent supervisory authority.
This personal data was amongst other sources collected by requesting a copy of an ID – card, which included categories of data such as name, time of birth, origin and citizenship, but also biometric data, such as eye colour and height. The DPA consulted the German DPA, which explained that pursuant of the German Money laundering act (GwG), the controller had to collect certain personal information for providing its service such as names and dates of birth, but that there were no legal grounds for processing other personal data, such as biometric data The controller also admitted that it had not yet appointed a DPO and was willing to reduce the storage period if the DPA deemed this period too long.
Holding
The DPA determined that the controller violated Article 7(2) GDPR, which required the controller to ask consent clearly in a distinguishable manner. The data subject could not refuse to give consent for electronic direct marketing when opening an account, whic resulted in the violation.
The DPA also determined that the controller violated Article 5(1)(e) GDPR by applying an "unreasonable long" data storage period of 15 years. The DPA stated that storing personal data for ten years abstractly for claims under civil law is acceptable. If the data subject would object to storage of personal data for ten years, the controller would have to re-assess its legitimate interest of retaining the personal data of the data subject, looking at the concrete circumstances of the case (Article 21 GDPR). If it was determined that the need for defence of legal claims does not justify storage of the data subject’s personal data, then the data subject must be deleted immediately in accordance with 17(1)(c) GDPR. The DPA also stated that the controller violated the principle of data transparency, without citing any GDPR provision, because it was not clear to whom and to which third party personal data were transferred. The DPA confirmed that the controller had changed the procedure for asking consent for direct marketing and had therefore eliminated the violation. The DPA also stated that the controller had been given explanations regarding data storage periods which the controller had to take into account in the future. The DPA concluded by warning the controller pursuant of Article 58(2)(b) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
registration, itis possible to use the respective user accountafter confirming of having become acquaintedwith the privacy policy and risk review. Itis possible to skip giving consent to direct marketing and opting out of direct marketing does not restrict registering or using a user account.’ 2.2. explained that they ask a copy of the ID card and store the following personal data included therein: name, time of birth, origin, citizenship, place of birth, biometric data such as eye colour and height, bank account number, bank, user name, and contact data such as e-mail address, telephone number, and address. 2.3. explained that they store contact data of clients in an archive with limited access for a term corresponding to the maximum limitation period of offences, which, pursuant to current legislation, is up to 15 years. In the opinion of , this term is not unreasonably long, as the widespread practice is to link the data storage period (10 years) to the limitation period (which in the case of civil transactions is up to 10 years). confirmed that no other processing operations are undertaken with the contact data of users and the threat of harm to the rights and interests of users is minimal. 2.4. Controller’s responses to the second inquery of the Inspectorate The Inspectorate made a follow-up query on 21 April 2020 in which it asked how consent to direct marketing was obtained earlier, before 20 April 2020. 2.4.1. answeredon 4 May2020 that asat20April 2020, a technical failure which prevented activating the ‘Confirm’ button (in Estonian ‘Kinnita’) if only the first two choices weremarked has been fixed. ‘Regrettably, hadfailedtonoticethatthere was a technical faultrelated to the activation of the ‘Confirm’button and notone user of the portal, includingthe complainant, had drawnourattentionto this faultbefore the currentproceedings.Wefixedthetechnicalfaultimmediatelyafterreceivingtherelevant inquiry from the Data Protection Inspectorate and we confirmed that as at 20 April 2020, the technical failure concerning the ‘Confirm’button hadbeen eliminated.’ 2.4.2. The controller gave the following explanation regarding biometrics: The biometric data (eye colour and height)originate from the complainant’s German ID card, which is differentfromthe Estonian ID card in that italso includes a person’s biometric data. asks theusers to presenttheir identity documentforthe purpose of identifying the person in accordance with law (subsection 20 (1) of the Money Laundering and TerroristFinancing PreventionAct). For the biometric data of German clients exist only on the ID document submitted by the user and does notin any way use themseparately. 2.4.3. In regard of data storage, the controller statedthe following: The referred storage period of15 years is derived fromthe maximum limitation period ofoffences(subsection18(8)ofthePenalCode).Theoffences,inconnectionwithwhich may needto submitcontactdatato the competentsupervisionauthority,include fraud (section 201 of the PenalCode) (separately computer-related fraud (section213 1 of the PenalCode)), offences relating to money laundering (sections 394 and 394 of the PenalCode),orotheroffencesthatmaybecommitted bymisusing ’sservice. The example of the 10-year term was given as a reference to market practice. As it is impossible to preclude situations where ’s service is also misused to commit offencesinadditiontoabreachof obligationsarisingfromcivillaw, appliesthe maximum limitation period of offences. 2(11) 2.5. Inspectorate’s consultation with the Germandata protection authority 2.5.1.The Inspectorate asked the opinion of Germany regarding biometrics on 7 May 2020. The German data protection authority explained that pursuant to the German Money Laundering Act (GwG) the controller has to establish the person’s first name, family name, place of birth, nationality, address and document number when identifying a person. The controller does not have any legal grounds to process other data included in the ID document. 2.6. Forwarding the opinion of the Germanauthority and Estonian Inspectorate to the controller 2.6.1.The Inspectorate forwarded a brief summary of the German authority’s opinion to the controller on 3 November 2020, presented new questions to , and sharedits opinions regarding storage periods. The Inspectorate also asked explanations concerning the appointment of a data protection specialist. 2.6.2.In relation to retention of data, the Inspectorate gave the controller the following explanations: Section 47 of the Money Laundering and Terrorist Financing Prevention Act refers to retention of data for five years after termination of the business relationship. Pursuant to the Act, for the purpose of identification of persons and verification of submitted information, the obliged entity must retain the originals or copies of the documents specified in subsection 20 (2 ) and sections 21, 22, and 46 of the Act, information registered in accordance with section 46, and the documents serving as the basis for the establishment of a business relationship for five years after the termination of the business relationship. 2.6.3.Pursuant to subsection 12 (2)of the Accounting Act,accounting source documents shall be preservedfor sevenyearsafterthe expiry oftheir termofvalidity. This provision is solely concerned with accounting source documents, including invoices and other documents, not contact data and clients' eye colour. 2.6.4.Subsection 146 (1) of the General Part of the Civil Code Act enables retain data after termination of a contract for three years. Subsection 4 of the same section sets down that the limitation period for the claims specified in subsections (1)–(3) shall be ten years if the obligated person intentionally violated the person's obligations. 2.6.5.The Inspectorate pointed out thatstorage of data for 15 years is not reasonable and that the limitation period of ten years requires a special ground and therefore it is not possible to retain data of all persons for ten years as a general practice relaying on this ground. The controller can store data for ten years under subsection 146 (4) of the General Partof the Civil Code Act solely if it is proven that the person whose data are stored for this long has intentionally violated the person’s obligations before the controller. 2.6.6.The Inspectorate explained that therefore, it must be assessed on a case by case basis whether a person has intentionally violated their obligations. If such situation has not emerged, data cannot be stored for ten years. 2.6.7.Based on the above, the Inspectorate found that the reasons given in support ofthe 15-year storage period in reference to the Penal Code are not sufficient or understandable and consequently, the Inspectorate did not agree to the data storage period of 15 years. The Inspectorate found that even 10 years is not a reasonable period for storing data in exceptional cases and is conditional on intentional violation. The Inspectorate also mentioned that the data storage period does not comply with the 3(11) principles set out in points (b) and (e) of Article 5 (1) of the General Data Protection Regulation. 2.7. Controller's third response to the Inspectorate 2.7.1.The controller answeredthe Inspectorate on 17 November 2020 as follows: As attoday, hasnotyetappointedadataprotectionspecialist;however,weplan to appoint a data protection specialist and currently negotiations are being held. As soon as has appointed a data protection specialist, we will notify the Data Protection Inspectorate thereofthroughthe Company Registration Portal(in Estonian ‘Ettevõtjaportaal’). 2.7.2.IftheDataProtectionInspectorateisconvincedthatthe storageperiodof15years regarding strictly contactdata is unreasonable despite our explanations, we are ready to reduce the storage period of contact data to ten years based on the maximum limitation period of claims under civillaw. Although the limitation period of ten years applies only in case the obligated person violated his or her obligations intentionally, we have no means to determine whether the person violated his or her obligations intentionally before the actualsituation emerges. This could happen even after seven years. 2.7.3.In our fieldof activity, disputes are likely to arise and therefore we have a clearly understandable interestto be able to protect our rights. Besides, taking into account that a person’s contact data are not deemed personal data of a special category or personaldata thatwould be sensitive in any other way, we do notconsider in this case the storage period often yearsto protectour rights and interestunreasonable.Thereby theprinciplesoflimitation ofprocessingofpersonaldataandretentionofpersonaldata have been complied with. In regard of storage of other data (taking into accountthe specific data category) thatthe Data Protection Inspectorate points out in their query of 3 November 2020, we willtake into accountthe specifiedtermlimits as presented by the Data Protection Inspectorate and prescribed by law. 2.7.4.We note thatthe opinion of the German data protection authority is based on the German Money LaunderingActthatdoes notapply in the currentcase because as an Estonian company operates in compliance with Estonian legislation. Hence, we do notconsider the opinion ofthe German data protection authority relevant. 2.7.5.Secondly, accordingto subsection 47 (1)of the Money Launderingand Terrorist Financing PreventionAct, retentionofcopies of the documents which serve as thebasis for identification and verification of personsis mandatory, meaning that nationallaw of Estonia has taken a differentapproachthan Germany. Although all the data shown on a German ID card are not necessary for us, we do not consider covering up the specific data on an identification document possible as it makes impossible to verify documentauthenticity. 2.7.6.We maintain thatwe do notgather or process a person’s eye colour shownon his or her German ID card in any other way or for any other purpose than as partof the copy of the ID card. We also assure that only a very limited number of persons have access to the copies of identification documents andthey are used after they havebeen gathered. 2.8. The Inspectorate’s explanations and questions of 28 January 2021 to the controller 2.8.1.The Inspectorate forwarded one additional query to in relation to sharing information with third persons and explained the matter of storage 4(11) periods. 2.8.2.The Inspectorate stressedthat the controller has to assess separately in respect of eachperson whether the person has intentionally violated his or herobligations. If such situation has not occurred, data cannot be stored for ten years. In addition, the Inspectorate explained that ten years is abstractly acceptable in case of claims under civil law; however, if a data subject submits an objection concerning storage of data for ten years, then the processor has to re-assess its legitimate interest according to Article 21 of the General Data Protection Regulation. 2.8.3.The Inspectorate found that for that purpose, a legitimate interest analysis in respect of the specific person must be conducted, or the interests of parties concerning the storage of data must be considered that should give an answer to the question whether there is a need to store data of the data subject for ten years. The Inspectorate compiled legitimate interest instructions providing an overview of and explanations on how the rights of both parties should be considered andhow a legitimate interest analysis should be conducted in case of an objection. The instructions are made available here https://www.aki.ee/sites/default/files/dokumendid/oigustatud huvi juhend aki 26.05. 2020.pdf. 2.8.4. In addition, the complainant asked about sharing contact data with third persons. wrote on 20 April 2020 that they do not transfer their clients’ personal data to third persons. However, according to the privacy conditions of , contact data are transferred to third persons for different reasons (the chapter on data sharing and chapter 7.5), for example, upon assigning a claim, etc. Consequently, inconsistency between the answergiven to the Inspectorate and the data protection conditions published on the home page is observed. The Inspectorate requested toshow in detail to which companies and basedon which legal grounds clients’ personal data/contact data are shared. 2.9. Controller’s fourth response to the Inspectorate 2.91.The controller answered on 4 February 2021 as follows: We agree that in our answer of 20 April 2020 it was mentioned that data are not transferred to third persons. We clarify and explain our response below. We share clients’ personaldata with third persons only: 1) if it is specified in the privacy notice;or 2) ifit is requiredunderapplicablelaw(e.g.whenweareobligedtosharepersonaldata with public authorities);or 3) upon the client's consentor under the client’s order. 2.9.2.In our response of 20 April 2020 we meant the concrete complainant, i.e. the complainant had not given us a separate order to transfer data to third persons. We admit thatthe generalwordingofour answermay have given anerroneous impression. We apologise for ambiguity of the answer and provide additional information about transfer of data below. When processing clients' personaldata we may transfer their personaldata to s processors or third persons. Such transfer takes place only under the followingconditions: 2.9.3.Processors We use carefully selected serviceproviders (processors)for processing clients’ personal data. Even so, we will remain completely responsible for clients' personal data. For example, we use following processors: 1) service providers that organise marketing and conduct surveys, and providers of 5(11) tools; 2) service providers that performsearches in order to manage money launderingand terroristfinancing related risks; 3) identification of persons serviceproviders; 4) customer supportservice providers; 5) accounting services providers; 6) server administration and server hostingserviceproviders; 7) IT services providers; 8) other companies belonging to the same group as us thatprovide us services. 2.9.4.Third persons As mentioned above, we share clients' personal data with third persons only if it is specified in the privacy notice, required under applicable law (e.g. we are obliged to share personaldata with public authorities), or upon the client’s consentor under the client’s order. 2.9.5.We may share clients’ personaldata with the followingthird persons: 1) for making transactions chosen by the client with other users through the portal. In such case, the legalbasis for transfer of personaldata is the conclusionor performance of a contract (point(b) of Article 6 (1)of the GDPR); 2) for the performance ofthe contractwith intermediary paymentservice.In such case, the legalbasis for transfer ofpersonaldata is the performance of a contractconcluded between us (point(b) of Article 6 (1) of the GDPR); 3) forthepurposesofourinternaladministrationwithcompaniesbelongingtothesame group as us. In such case, the legalbasis for transfer of personaldatais our legitimate interestto share data with companies belonging to thesame groupas usfor the purpose of internaladministration (point(f)of Article 6 (1)of the GDPR); 4) for the purpose of directmarketing with the companies belonging to the same group as us. In such case, the legal basis for transfer of personaldata is the client’s consent (point(a) of Article 6 (1) of the GDPR); 5) for the purpose of compliance with our legal obligations to which we are subject before public authorities andlawenforcement authorities. In such case, the legalbasis for transfer of personaldata is compliance with our obligations arising fromlaw (point (c) of Article 6 (1) of the GDPR); 6) for the purpose of protecting our rights and interests with debt collectors, lawyers, bailiffs,andotherrelevantpersons.Insuchcase,thelegalbasisfortransferof personal data is our legitimate interest to protect our rights and interests (point(f) of Article 6 (1) of the GDPR). We transfer clients’ personaldata only if we are convinced thatour legitimate interest does not override the client’s interest or fundamental rights and freedoms which require protection ofpersonaldata. As we generally transfer data only if it is actually necessary for the protectionof our rights and interests (or a clientis at faultor there is a suspicion of breach), itis legitimate in our opinion; 7) for the purpose of compliance with our obligations to which we are subjectbefore auditors arising fromlaw. In such case, the legalbasis for transfer of personaldata is compliancewithourobligationsarisingfromlaw (point(c)of Article 6 (1)ofthe GDPR and Auditors Activities Act); 8) for the purpose of compliance with our legal obligations or pursuing our or our transaction partner’s legitimate interests if such transfer is necessary as a result of a transaction concerningthe transfer of our activity or assets or in order to assess how perspective such transaction would be. In such case, the legal basis for transfer of personaldata is compliance with our obligations arising fromlaw (point(c)of Article 6 (1) of the GDPR and the Law of the Obligations Act) or pursuing our or our transactionpartner’slegitimateinteresttomakeatransactionorassess howperspective 6(11) it would be (point(f) of Article 6 (1) of the GDPR). We transfer a client’s personaldata solely if we are convincedthatour or our transaction partner’slegitimate interestdoes not override the client’s interests or fundamental rights and freedoms which require protection of personaldata. 2.9.6.If the legalbasis for processingofclient’spersonaldatais pursuing our or a third person’s legitimate interest, the client has the right to receive additionalinformation and atany time objectsuch processing. 2.10. SAPoland’s objection about the draftdecision 2.10.1. Poland asked whether has a money laundering law in terms of the entity, ie the institution with which has money laundering and terrorism within the meaning of § 6 of the Prevention Act. The inspectorate asked the data controller on 09.08.2021 about the entity, whether they apply the money laundering actor not. 2.10.2. replied that as of today, is not yet an obligated person within the meaning of § 6 of the Money Laundering and Terrorist Financing Prevention Act. Nevertheless, there is money laundering the application of prevention measures is essentialgiven the nature of our activities. Among other things, such need is based on § 15 (application ofanti-money laundering measures within the Group)and § 24 (reliance on third party data). Not knowing exactly the question in the inquiry guarantees, we provide some explanations belowthat should help us understand our purposes forpersonalinformation anti-money launderingmeasures. 2.10.3. For the sake of clarity, we must first clarify the relationship between and and the . is an obligated person within the meaning of § 6 (1) 2) of the Money Act and the Financial Supervision Authority a supervised creditor providing small loans to consumers. is not the Financial Supervision Authority a supervised creditor (or other licensed entity) but acquires Loan claims from AS. In addition, and belong to the same group. 2.10.4. As an obligated person, mustmake sure that the assets used in the business relationship are legitimate § 20 (3) and (4). After concluding the loan agreement, assigns the claim to so that remains to continue to administer the claims as a creditor, butthe financialclaimis transferred to . in turn assigns claims to its investors. In a very generalway, therefore, the money to be borrowed also comes outatthe end of the chain justfrominvestors as follows: 1) investors investin products; 2) transfers the money for the claimto ; 3) becomes the owner of the money and transfers itto a specific consume asown funds.Becauseofthischainandbusiness,itis extremelyimportantthat can ensure that the business relationship is used the legitimacy of the origin of the assets and to be sure thatthey are notmoney laundering assets, so itis importantthat would also apply the requirements arisingfromthe Money LaunderingAct. 2.10.5. In addition to the above, has the right and obligation to apply the measures of RahaPTS pursuantto § 24 of Money LaunderingActactingas a third party on whose data the obligated person(eg the bank)relies. In practice, this is notpossible would be able to do business withoutanti-money launderingmeasures, as this would notbe possible. mustalso have a bank accountthrough whichinvestors 7(11) can make financialtransactions. The reason is that banks, as obligated entities, must also implement anti - money laundering measures;and In order for to have a bank accountfor its business, the banks haveimposed an obligation on us apply anti- money laundering measures in full, as they are based onthe verification oftransaction data including our data. 2.10.6. To this end, itgrants banks the right,inter alia, § 20 (1)4)and (6)ofthe Money Laundering Act and § 23 (2) of Money Laundering Act. In the application of due diligence measures, obligated parties have a wide discretion, including obligated persons customers (eg ) to provide information on their customers (ie investors)sothatthebank canassesstheriskstoyourclientandtakeotherduediligence measures. The obligated person does not have to own collect data about customers themselves, but may rely on another person (ie their customer, in this case collected in accordance with § 24 of the Money Laundering Act. If does not submit to the bank within the required terminformation aboutits customers (ie would not allow the bank to exercise due diligence), the bank would be entitled. To cancel the current account agreement entered into with (§ 42 (4) of Money Laundering Act. 2.10.7. On a similar basis, also requires to controlthe activities of investors because of them. The assets originally arising from the transactions will be used by to grantcredit. Please also note EurLex-2 en In order to rely on the data collected by pursuantto § 24 of the Money Laundering Act, doesnotneedtobeinthesenseoftheMoneyLaunderingActobligatedperson.Pursuant to § 24 of the Money Laundering Act, measures may be taken to prevent money laundering and terrorist financing other persons to collect and process the data necessary for its application. Under thatprovision, collect data are also available, for example,to companiesspecializingintheapplicationofduediligence(egVeriff),which are notthemselves. 2.10.8. Money under the Actfor obligated persons, butwho process datafor obligated services to provide. This rightandobligationhas also been recognizedby theFATF: “A third party usually has a client an existing business relationship thatis separate from the relationship betweenthe clientand therelying institution, andapply its own rules of procedure when implementing due diligencemeasures.” operates bylaw on a prescribed basis andin accordance with officialrecommendations. 2.10.9. Pursuant to § 64 (1) of the Money Laundering Act, the State supervises the operation ofMoney Laundering DataOffice. Pleasenote that has alsoreported on severaloccasions in the application of due diligence measures Money Laundering DataOfficesandhasnotreceivedanyfeedbackorotherinstructionsthat should not launder money prevent due diligence measures should perhaps not identify your customers in a business relationship unmonitored, without proving the origin of the assets used in the transaction,withoutcheckingthe sanctions,etc. 2.10.10.Inaddition,weconfirmthattheapplicationof 'santi-moneylaundering measures is also monitored by sworn auditors. The last inspection was carried outby theauditfirm inMay2021,theresultsof whichwerepositive,ie has the right to apply anti-money laundering measures and they apply properly in accordancewith the regulations in force. 2.10.11. As it seems from the above, belongs to the same group (registry code: ), which is anobligated person within the meaning of §6 (1) 2) of the Money Laundering Actand a creditor operating under the supervision 8(11) of the Estonian Financial Supervision Authority, which provides small loans to consumers. has also been issued a corresponding activity license by the Estonian Financial Supervision Authority. is not a creditor (or other legal entity subject to an activity license obligation) under the supervision of the Financial Supervision Authority, but acquires loan claims from 2.10.12. As an obligated person, must make sure that the assets used in the business relationship are legitimate (§ 20 (3) and (4) of the Money Laundering Act). After concluding the loan agreement, assigns the claim to so that will continue to administer the claims as a creditor, and the financial claim will be transferredto . , in turn, assigns claims to its investors. Due to this chain and business activities, it is extremely important that can ensure the legitimacy of the origin of the assets used in the business relationship and be sure that they are not money laundering assets, therefore it is important that also applies the requirements arising from the Money Laundering Act. 2.10.13. Pursuant to § 47 (7) of the Money Laundering Act, the stored data must be deleted after the expiry of the term, unless otherwise provided by the legislation regulating the relevant field. Data relevant to the prevention, detection or investigation of money laundering or terrorist financing may be kept for a longer period, but not more than five years after the expiry of the initial period, by order of the competent supervisory authority. Thus, the maximum retention period for personal data is 10 years. 3. Breaches identifiedduring supervisionproceedings 3.1. In the course of the supervision proceedings, the Inspectorate found the following breaches of the General Data Protection Regulation: when opening an account the complainant could not refuse to give consent to electronic direct marketing, meaning that the complainant had to agree to direct marketing, although Article 7 (2) of the General Data Protection Regulation requires asking it clearly in a distinguishable manner. 3.2. The Inspectorate found that the controller breached point (e) of Article 5 of the General Data Protection Regulation by applying an unreasonably long data storage period of 15 years. Storing data for ten years abstractly for claims under civil law is acceptable;however, if the data subject objects tostorage of data fortenyears,according to Article 21 of the General Data Protection Regulation the controller has to re-assess its legitimate interest of retaining the data of the specific person based on the concrete circumstances related to the person (including also whether claims exist and whether the data subject violated his or her obligations intentionally). If it is determined that the need for defence of legal claims does not justify storage of the particular person’s data, the data must be immediately deleted in accordance with point (c)of Article 17 (1). 3.3. The controller gave the Inspectorate unclear answers regarding transfer of data to third persons which caused us to request more details several times and determine the actual situation. The controller breached the principle of data transparency, i.e. it was not clear to whom and which third persons data are transferred. 3.4. The initial complaint related to the fact that the applicant did not have to agree to all the conditions for registering an account, including receiving direct marketing. This has been fixed by the data controller, where it was explained that it was atechnical error. 3.5. The complaint stated that there was no retention period, as the complainant could not understand for how long the data will be restored. The data controller has explained 9(11) that different legal grounds must be used, which are also regulated by law. If there is consent, there areno retention periods, if the consent to senddirect mail is revoked, then no more can be kept and sent. 3.6. The period of retention of data is regulated by § 47 of the Money Laundering Act. Act§ 47 paragraph 1, 2, 3, 5, 6 states thatthe data controller must retain data for 5 years after after the termination of the business relationship. By order of the competent supervisory authority, the maximum retention period for personal data is 10 years. 3.7. Thus, it must be assessedseparatelyfor each person whether a particular person has intentionally breachedhis or her obligations. The inspectorate further explained that 10 years in the abstract for civil claims is acceptable, but if the data subject objects to 10 years of data retention, the data subject must be reassessedin accordance with Article 21 of the General Data Protection Regulation. The data controller did not argue further in this regard. 4. Reprimand and termination of proceedings 4.1. During the proceedings, the controller changed the procedure of asking consent to direct marketing and thereby eliminated the breach. The controller has been given explanations regarding data storage period that the controller has to take into account in future. 4.2. Basedon the above, the Inspectorate terminates the supervisionproceedings and issues a reprimand to in accordance with point (b) of Article 58(2) of the GeneralData ProtectionRegulationand draws attentionto the requirements set out inthe GDPR: 4.3. Article 7 (2): If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the requestfor consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. 4.4. Point (e) of Article 5 specifies storage limitation requirement: personal data arekept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. 4.5. Article 21 (1): The data subject shall have the right to object, on grounds relating to his or her particular situation, atany time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. 4.6. Article 12 (1): The controller shall provide any information referredto in Articles 13 and 14 to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. In view of the above, we shall terminate the supervisory proceeding. This decision may be challenged within 30 days by submitting one of the two: 10 (11) - A challenge to the Director General of the Estonian Data Protection Inspectorate 1 pursuant to the Administrative Procedure Act , or - An appeal to an administrative court under the Code of Administrative Court Procedure (in this case, the challenge in the same matter can no longer be reviewed). Respectfully Lawyer Authorised by the Director General 1https://www.riigiteataja.ee/en/eli/527032019002/consolide 2 https://www.riigiteataja.ee/en/eli/512122019007/consolide 11 (11)