AKI (Estonia) - EDPBI:ee:OSS:d:2022:343
AKI - EDPBI:ee:OSS:d:2022:343 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 5(1)(e) GDPR Article 7(2) GDPR Article 17(1)(c) GDPR Article 58(2)(b) GDPR Article 60 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 02.01.2020 |
Decided: | 09.03.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | EDPBI:ee:OSS:d:2022:343 |
European Case Law Identifier: | EDPBI:ee:OSS:d:2022:343 |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
In an Article 60 GDPR procedure, the Estonian DPA warned a controller pursuant to Article 58(2)(b) GDPR. Among other things, the data subject was not able to create a user account without consenting to direct marketing, in violation of Article 7(2) GDPR.
English Summary
Facts
The data subject was unable to register as a user of the controller’s website without giving consent for direct marketing. The nature and location of the controller was not specified, but it seemed to be some sort of financial service provider. The data subject was also not able to determine to which third parties his contact data was transferred, how the data was used and for how long the data was stored. The third parties were also not specifically identified on the controller’s website. The data subject filed a complaint at a German DPA (not clear which German DPA) on 2 January 2020, which transferred the complaint on 7 May 2020 to the Estonian DPA (DPA), the lead supervisory authority in this Article 60 GDPR procedure.
The DPA sent several inquiries to the controller. The controller clarified that the way its consent procedure for direct marketing was designed was caused by a ‘technical error’. However, the controller had already changed this and it was now possible to register as a user without giving consent to direct marketing. The controller also specified that it asked for a copy of an ID card. It stored personal data included in this ID card. The controller mentioned that the maximum storage period for contact data specifically was 15 years, which was derived from requirements in national law. According to the controller, this data had to be saved for situations when the controller was obligated to submit data to competent supervision authorities, including data regarding offences that may have been committed using the controller's service.
The Estonian DPA consulted the German DPA with regard to storage periods. The German DPA considered several German provisions, but determined that none of these provisions provided a data retention period of 15 years. For example, according to paragraph 47 of the German Money Laundering Act, the controller must retain data for 5 years after the termination of a business relationship, which could be extended to 10 years by order of the competent supervisory authority.
Holding
The DPA determined that the controller violated Article 7(2) GDPR, which required the controller to ask consent clearly in a distinguishable manner. The data subject could not refuse to give consent for electronic direct marketing when opening an account, which resulted in the violation.
The DPA also determined that the controller violated Article 5(1)(e) GDPR by applying an "unreasonably long" data storage period of 15 years. The DPA confirmed that the retention of data was regulated by paragraph 47 of the Money Laundering Act and entailed 5 years after the termination of the business relationship. By order of the competent supervisory authority, this retention period could at maximum be 10 years. The DPA stated that storing personal data for ten years abstractly for claims under civil law was therefore acceptable. However, if the data subject objected to storage of personal data for ten years, the controller would have to re-assess its legitimate interest for storing the personal data of the data subject, looking at the concrete circumstances of the case (Article 21 GDPR). If the controller concluded that this storage of personal data was not necessary for the defense against legal claims, then the controller had to delete the personal data immediately in accordance with Article 17(1)(c) GDPR.
The DPA also stated that the controller violated the principle of data transparency, without citing any GDPR provision, because it was not clear to which third party personal data were transferred. The DPA added that it had asked the controller several times for clarification, while the controller only provided unclear answers.
The DPA confirmed that the controller had changed the procedure for asking consent for direct marketing and had therefore eliminated the violation. The DPA also stated that the controller had been given explanations regarding data storage periods which the controller had to take into account in the future. The DPA concluded by warning the controller pursuant to Article 58(2)(b) GDPR and closed the proceeding.
Comment
In paragraph 3 of the decision, there were a few unclear or missing GDPR provisions:
3.2. The DPA states that the controller has breached point (e) of Article 5 GDPR. This should have most likely been Article 5(1)(e) GDPR.
3.3. The DPA states that the controller has breached the principle of data transparency, without referring to any GDPR Article.
--------------------------------------
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
registration, it is possible to use the respective user account after confirming of having become acquainted with the privacy policy and risk review. It is possible to skip giving consent to direct marketing and opting out of direct marketing does not restrict registering or using a user account.’
2.2. explained that they ask a copy of the ID card and store the following personal data included therein: name, time of birth, origin, citizenship, place of birth, biometric data such as eye colour and height, bank account number, bank, user name, and contact data such as e-mail address, telephone number, and address.
2.3. explained that they store contact data of clients in an archive with limited access for a term corresponding to the maximum limitation period of offences, which, pursuant to current legislation, is up to 15 years. In the opinion of , this term is not unreasonably long, as the widespread practice is to link the data storage period (10 years) to the limitation period (which in the case of civil transactions is up to 10 years). confirmed that no other processing operations are undertaken with the contact data of users and the threat of harm to the rights and interests of users is minimal.
2.4. Controller’s responses to the second inquiry of the Inspectorate
The Inspectorate made a follow-up query on 21 April 2020 in which it asked how consent to direct marketing was obtained earlier, before 20 April 2020.
2.4.1. answered on 4 May 2020 that as at 20 April 2020, a technical failure which prevented activating the ‘Confirm’ button (in Estonian ‘Kinnita’) if only the first two choices were marked has been fixed.
‘Regrettably, had failed to notice that there was a technical fault related to the activation of the ‘Confirm’ button and not one user of the portal, including the complainant, had drawn our attention to this fault before the current proceedings. We fixed the technical fault immediately after receiving the relevant inquiry from the Data Protection Inspectorate and we confirmed that as at 20 April 2020, the technical failure concerning the ‘Confirm’ button had been eliminated.’
2.4.2. The controller gave the following explanation regarding biometrics: The biometric data (eye colour and height) originate from the complainant’s German ID card, which is different from the Estonian ID card in that it also includes a person’s biometric data. asks the users to present their identity document for the purpose of identifying the person in accordance with law (subsection 20 (1) of the Money Laundering and Terrorist Financing Prevention Act). For the biometric data of German clients exist only on the ID document submitted by the user and does not in any way use them separately.
2.4.3. In regard of data storage, the controller stated the following: The referred storage period of 15 years is derived from the maximum limitation period of offences (subsection 18 (8) of the Penal Code). The offences, in connection with which may need to submit contact data to the competent supervision authority, include fraud (section 201 of the Penal Code) (separately computer-related fraud (section 213 1 of the Penal Code)), offences relating to money laundering (sections 394 and 394 of the Penal Code), or other offences that may be committed by misusing ’s service. The example of the 10-year term was given as a reference to market practice. As it is impossible to preclude situations where ’s service is also misused to commit offences in addition to a breach of obligations arising from civil law, applies the maximum limitation period of offences.
2.5.
Inspectorate’s consultation with the German data protection authority
2.5.1. The Inspectorate asked the opinion of Germany regarding biometrics on 7 May 2020. The German data protection authority explained that pursuant to the German Money Laundering Act (GwG) the controller has to establish the person’s first name, family name, place of birth, nationality, address and document number when identifying a person. The controller does not have any legal grounds to process other data included in the ID document.
2.6. Forwarding the opinion of the German authority and Estonian Inspectorate to the controller
2.6.1. The Inspectorate forwarded a brief summary of the German authority’s opinion to the controller on 3 November 2020, presented new questions to , and shared its opinions regarding storage periods. The Inspectorate also asked explanations concerning the appointment of a data protection specialist.
2.6.2. In relation to retention of data, the Inspectorate gave the controller the following explanations: Section 47 of the Money Laundering and Terrorist Financing Prevention Act refers to retention of data for five years after termination of the business relationship. Pursuant to the Act, for the purpose of identification of persons and verification of submitted information, the obliged entity must retain the originals or copies of the documents specified in subsection 20 (2 ) and sections 21, 22, and 46 of the Act, information registered in accordance with section 46, and the documents serving as the basis for the establishment of a business relationship for five years after the termination of the business relationship.
2.6.3. Pursuant to subsection 12 (2) of the Accounting Act, accounting source documents shall be preserved for seven years after the expiry of their term of validity. This provision is solely concerned with accounting source documents, including invoices and other documents, not contact data and clients' eye colour.
2.6.4. Subsection 146 (1) of the General Part of the Civil Code Act enables retaining data after termination of a contract for three years. Subsection 4 of the same section sets down that the limitation period for the claims specified in subsections (1)–(3) shall be ten years if the obligated person intentionally violated the person's obligations.
2.6.5. The Inspectorate pointed out that storage of data for 15 years is not reasonable and that the limitation period of ten years requires a special ground and therefore it is not possible to retain data of all persons for ten years as a general practice relying on this ground. The controller can store data for ten years under subsection 146 (4) of the General Part of the Civil Code Act solely if it is proven that the person whose data are stored for this long has intentionally violated the person’s obligations before the controller.
2.6.6. The Inspectorate explained that therefore, it must be assessed on a case by case basis whether a person has intentionally violated their obligations. If such situation has not emerged, data cannot be stored for ten years.
2.6.7. Based on the above, the Inspectorate found that the reasons given in support of the 15-year storage period in reference to the Penal Code are not sufficient or understandable and consequently, the Inspectorate did not agree to the data storage period of 15 years. The Inspectorate found that even 10 years is not a reasonable period for storing data in exceptional cases and is conditional on intentional violation. The Inspectorate also mentioned that the data storage period does not comply with the principles set out in points (b) and (e) of Article 5 (1) of the General Data Protection Regulation.
2.7.
Controller's third response to the Inspectorate
2.7.1. The controller answered the Inspectorate on 17 November 2020 as follows: As at today, has not yet appointed a data protection specialist; however, we plan to appoint a data protection specialist and currently negotiations are being held. As soon as has appointed a data protection specialist, we will notify the Data Protection Inspectorate thereof through the Company Registration Portal (in Estonian ‘Ettevõtjaportaal’).
2.7.2. If the Data Protection Inspectorate is convinced that the storage period of 15 years regarding strictly contact data is unreasonable despite our explanations, we are ready to reduce the storage period of contact data to ten years based on the maximum limitation period of claims under civil law. Although the limitation period of ten years applies only in case the obligated person violated his or her obligations intentionally, we have no means to determine whether the person violated his or her obligations intentionally before the actual situation emerges. This could happen even after seven years.
2.7.3. In our field of activity, disputes are likely to arise and therefore we have a clearly understandable interest to be able to protect our rights. Besides, taking into account that a person’s contact data are not deemed personal data of a special category or personal data that would be sensitive in any other way, we do not consider in this case the storage period of ten years to protect our rights and interest unreasonable. Thereby the principles of limitation of processing of personal data and retention of personal data have been complied with. In regard of storage of other data (taking into account the specific data category) that the Data Protection Inspectorate points out in their query of 3 November 2020, we will take into account the specified term limits as presented by the Data Protection Inspectorate and prescribed by law.
2.7.4. We note that the opinion of the German data protection authority is based on the German Money Laundering Act that does not apply in the current case because as an Estonian company operates in compliance with Estonian legislation. Hence, we do not consider the opinion of the German data protection authority relevant.
2.7.5. Secondly, according to subsection 47 (1) of the Money Laundering and Terrorist Financing Prevention Act, retention of copies of the documents which serve as the basis for identification and verification of persons is mandatory, meaning that national law of Estonia has taken a different approach than Germany. Although all the data shown on a German ID card are not necessary for us, we do not consider covering up the specific data on an identification document possible as it makes impossible to verify document authenticity.
2.7.6. We maintain that we do not gather or process a person’s eye colour shown on his or her German ID card in any other way or for any other purpose than as part of the copy of the ID card. We also assure that only a very limited number of persons have access to the copies of identification documents and they are used after they have been gathered.
2.8. The Inspectorate’s explanations and questions of 28 January 2021 to the controller
2.8.1. The Inspectorate forwarded one additional query to in relation to sharing information with third persons and explained the matter of storage periods.
2.8.2. The Inspectorate stressed that the controller has to assess separately in respect of each person whether the person has intentionally violated his or her obligations. If such situation has not occurred, data cannot be stored for ten years.
In addition, the Inspectorate explained that ten years is abstractly acceptable in case of claims under civil law; however, if a data subject submits an objection concerning storage of data for ten years, then the processor has to re-assess its legitimate interest according to Article 21 of the General Data Protection Regulation.
2.8.3. The Inspectorate found that for that purpose, a legitimate interest analysis in respect of the specific person must be conducted, or the interests of parties concerning the storage of data must be considered that should give an answer to the question whether there is a need to store data of the data subject for ten years. The Inspectorate compiled legitimate interest instructions providing an overview of and explanations on how the rights of both parties should be considered and how a legitimate interest analysis should be conducted in case of an objection. The instructions are made available here https://www.aki.ee/sites/default/files/dokumendid/oigustatud huvi juhend aki 26.05. 2020.pdf.
2.8.4. In addition, the complainant asked about sharing contact data with third persons. wrote on 20 April 2020 that they do not transfer their clients’ personal data to third persons. However, according to the privacy conditions of , contact data are transferred to third persons for different reasons (the chapter on data sharing and chapter 7.5), for example, upon assigning a claim, etc. Consequently, inconsistency between the answer given to the Inspectorate and the data protection conditions published on the home page is observed. The Inspectorate requested to show in detail to which companies and based on which legal grounds clients’ personal data/contact data are shared.
2.9. Controller’s fourth response to the Inspectorate
2.9.1. The controller answered on 4 February 2021 as follows: We agree that in our answer of 20 April 2020 it was mentioned that data are not transferred to third persons. We clarify and explain our response below.
We share clients’ personal data with third persons only:
1) if it is specified in the privacy notice; or
2) if it is required under applicable law (e.g. when we are obliged to share personal data with public authorities); or
3) upon the client's consent or under the client’s order.
2.9.2. In our response of 20 April 2020 we meant the concrete complainant, i.e. the complainant had not given us a separate order to transfer data to third persons. We admit that the general wording of our answer may have given an erroneous impression. We apologise for ambiguity of the answer and provide additional information about transfer of data below. When processing clients' personal data we may transfer their personal data to s processors or third persons. Such transfer takes place only under the following conditions:
2.9.3. Processors
We use carefully selected service providers (processors) for processing clients’ personal data. Even so, we will remain completely responsible for clients' personal data. For example, we use following processors:
1) service providers that organise marketing and conduct surveys, and providers of tools;
2) service providers that perform searches in order to manage money laundering and terrorist financing related risks;
3) identification of persons service providers;
4) customer support service providers;
5) accounting services providers;
6) server administration and server hosting service providers;
7) IT services providers;
8) other companies belonging to the same group as us that provide us services.
2.9.4. Third persons
As mentioned above, we share clients' personal data with third persons only if it is specified in the privacy notice, required under applicable law (e.g. we are obliged to share personal data with public authorities), or upon the client’s consent or under the client’s order.
2.9.5. We may share clients’ personal data with the following third persons:
1) for making transactions chosen by the client with other users through the portal.
In such case, the legal basis for transfer of personal data is the conclusion or performance of a contract (point (b) of Article 6 (1) of the GDPR);
2) for the performance of the contract with intermediary payment service. In such case, the legal basis for transfer of personal data is the performance of a contract concluded between us (point (b) of Article 6 (1) of the GDPR);
3) for the purposes of our internal administration with companies belonging to the same group as us. In such case, the legal basis for transfer of personal data is our legitimate interest to share data with companies belonging to the same group as us for the purpose of internal administration (point (f) of Article 6 (1) of the GDPR);
4) for the purpose of direct marketing with the companies belonging to the same group as us. In such case, the legal basis for transfer of personal data is the client’s consent (point (a) of Article 6 (1) of the GDPR);
5) for the purpose of compliance with our legal obligations to which we are subject before public authorities and law enforcement authorities. In such case, the legal basis for transfer of personal data is compliance with our obligations arising from law (point (c) of Article 6 (1) of the GDPR);
6) for the purpose of protecting our rights and interests with debt collectors, lawyers, bailiffs, and other relevant persons. In such case, the legal basis for transfer of personal data is our legitimate interest to protect our rights and interests (point (f) of Article 6 (1) of the GDPR). We transfer clients’ personal data only if we are convinced that our legitimate interest does not override the client’s interest or fundamental rights and freedoms which require protection of personal data. As we generally transfer data only if it is actually necessary for the protection of our rights and interests (or a client is at fault or there is a suspicion of breach), it is legitimate in our opinion;
7) for the purpose of compliance with our obligations to which we are subject before auditors arising from law.
In such case, the legal basis for transfer of personal data is compliance with our obligations arising from law (point (c) of Article 6 (1) of the GDPR and Auditors Activities Act);
8) for the purpose of compliance with our legal obligations or pursuing our or our transaction partner’s legitimate interests if such transfer is necessary as a result of a transaction concerning the transfer of our activity or assets or in order to assess how perspective such transaction would be. In such case, the legal basis for transfer of personal data is compliance with our obligations arising from law (point (c) of Article 6 (1) of the GDPR and the Law of the Obligations Act) or pursuing our or our transaction partner’s legitimate interest to make a transaction or assess how perspective it would be (point (f) of Article 6 (1) of the GDPR). We transfer a client’s personal data solely if we are convinced that our or our transaction partner’s legitimate interest does not override the client’s interests or fundamental rights and freedoms which require protection of personal data.
2.9.6. If the legal basis for processing of client’s personal data is pursuing our or a third person’s legitimate interest, the client has the right to receive additional information and at any time object such processing.
2.10. SA Poland’s objection about the draft decision
2.10.1. Poland asked whether has a money laundering law in terms of the entity, ie the institution with which has money laundering and terrorism within the meaning of § 6 of the Prevention Act. The inspectorate asked the data controller on 09.08.2021 about the entity, whether they apply the money laundering act or not.
2.10.2. replied that as of today, is not yet an obligated person within the meaning of § 6 of the Money Laundering and Terrorist Financing Prevention Act. Nevertheless, there is money laundering the application of prevention measures is essential given the nature of our activities.
Among other things, such need is based on § 15 (application of anti-money laundering measures within the Group) and § 24 (reliance on third party data). Not knowing exactly the question in the inquiry guarantees, we provide some explanations below that should help us understand our purposes for personal information anti-money laundering measures.
2.10.3. For the sake of clarity, we must first clarify the relationship between and and the . is an obligated person within the meaning of § 6 (1) 2) of the Money Act and the Financial Supervision Authority a supervised creditor providing small loans to consumers. is not the Financial Supervision Authority a supervised creditor (or other licensed entity) but acquires Loan claims from AS. In addition, and belong to the same group.
2.10.4. As an obligated person, must make sure that the assets used in the business relationship are legitimate § 20 (3) and (4). After concluding the loan agreement, assigns the claim to so that remains to continue to administer the claims as a creditor, but the financial claim is transferred to . in turn assigns claims to its investors. In a very general way, therefore, the money to be borrowed also comes out at the end of the chain just from investors as follows: 1) investors invest in products; 2) transfers the money for the claim to ; 3) becomes the owner of the money and transfers it to a specific consumer as own funds. Because of this chain and business, it is extremely important that can ensure that the business relationship is used the legitimacy of the origin of the assets and to be sure that they are not money laundering assets, so it is important that would also apply the requirements arising from the Money Laundering Act.
2.10.5. In addition to the above, has the right and obligation to apply the measures of RahaPTS pursuant to § 24 of Money Laundering Act acting as a third party on whose data the obligated person (eg the bank) relies.
In practice, this is not possible would be able to do business without anti-money laundering measures, as this would not be possible. must also have a bank account through which investors can make financial transactions. The reason is that banks, as obligated entities, must also implement anti-money laundering measures; and In order for to have a bank account for its business, the banks have imposed an obligation on us apply anti-money laundering measures in full, as they are based on the verification of transaction data including our data.
2.10.6. To this end, it grants banks the right, inter alia, § 20 (1) 4) and (6) of the Money Laundering Act and § 23 (2) of Money Laundering Act. In the application of due diligence measures, obligated parties have a wide discretion, including obligated persons customers (eg ) to provide information on their customers (ie investors) so that the bank can assess the risks to your client and take other due diligence measures. The obligated person does not have to own collect data about customers themselves, but may rely on another person (ie their customer, in this case collected in accordance with § 24 of the Money Laundering Act. If does not submit to the bank within the required term information about its customers (ie would not allow the bank to exercise due diligence), the bank would be entitled. To cancel the current account agreement entered into with (§ 42 (4) of Money Laundering Act.
2.10.7. On a similar basis, also requires to control the activities of investors because of them. The assets originally arising from the transactions will be used by to grant credit. Please also note EurLex-2 en In order to rely on the data collected by pursuant to § 24 of the Money Laundering Act, does not need to be in the sense of the Money Laundering Act obligated person. Pursuant to § 24 of the Money Laundering Act, measures may be taken to prevent money laundering and terrorist financing other persons to collect and process the data necessary for its application.
Under that provision, collect data are also available, for example, to companies specializing in the application of due diligence (eg Veriff), which are not themselves.
2.10.8. Money under the Act for obligated persons, but who process data for obligated services to provide. This right and obligation has also been recognized by the FATF: “A third party usually has a client an existing business relationship that is separate from the relationship between the client and the relying institution, and apply its own rules of procedure when implementing due diligence measures.” operates by law on a prescribed basis and in accordance with official recommendations.
2.10.9. Pursuant to § 64 (1) of the Money Laundering Act, the State supervises the operation of Money Laundering Data Office. Please note that has also reported on several occasions in the application of due diligence measures Money Laundering Data Offices and has not received any feedback or other instructions that should not launder money prevent due diligence measures should perhaps not identify your customers in a business relationship unmonitored, without proving the origin of the assets used in the transaction, without checking the sanctions, etc.
2.10.10. In addition, we confirm that the application of 's anti-money laundering measures is also monitored by sworn auditors. The last inspection was carried out by the audit firm in May 2021, the results of which were positive, ie has the right to apply anti-money laundering measures and they apply properly in accordance with the regulations in force.
2.10.11. As it seems from the above, belongs to the same group (registry code: ), which is an obligated person within the meaning of § 6 (1) 2) of the Money Laundering Act and a creditor operating under the supervision of the Estonian Financial Supervision Authority, which provides small loans to consumers. has also been issued a corresponding activity license by the Estonian Financial Supervision Authority.
is not a creditor (or other legal entity subject to an activity license obligation) under the supervision of the Financial Supervision Authority, but acquires loan claims from
2.10.12. As an obligated person, must make sure that the assets used in the business relationship are legitimate (§ 20 (3) and (4) of the Money Laundering Act). After concluding the loan agreement, assigns the claim to so that will continue to administer the claims as a creditor, and the financial claim will be transferred to . , in turn, assigns claims to its investors. Due to this chain and business activities, it is extremely important that can ensure the legitimacy of the origin of the assets used in the business relationship and be sure that they are not money laundering assets, therefore it is important that also applies the requirements arising from the Money Laundering Act.
2.10.13. Pursuant to § 47 (7) of the Money Laundering Act, the stored data must be deleted after the expiry of the term, unless otherwise provided by the legislation regulating the relevant field. Data relevant to the prevention, detection or investigation of money laundering or terrorist financing may be kept for a longer period, but not more than five years after the expiry of the initial period, by order of the competent supervisory authority. Thus, the maximum retention period for personal data is 10 years.
3. Breaches identified during supervision proceedings
3.1. In the course of the supervision proceedings, the Inspectorate found the following breaches of the General Data Protection Regulation: when opening an account the complainant could not refuse to give consent to electronic direct marketing, meaning that the complainant had to agree to direct marketing, although Article 7 (2) of the General Data Protection Regulation requires asking it clearly in a distinguishable manner.
3.2.
The Inspectorate found that the controller breached point (e) of Article 5 of the General Data Protection Regulation by applying an unreasonably long data storage period of 15 years. Storing data for ten years abstractly for claims under civil law is acceptable; however, if the data subject objects to storage of data for ten years, according to Article 21 of the General Data Protection Regulation the controller has to re-assess its legitimate interest of retaining the data of the specific person based on the concrete circumstances related to the person (including also whether claims exist and whether the data subject violated his or her obligations intentionally). If it is determined that the need for defence of legal claims does not justify storage of the particular person’s data, the data must be immediately deleted in accordance with point (c) of Article 17 (1).
3.3. The controller gave the Inspectorate unclear answers regarding transfer of data to third persons which caused us to request more details several times and determine the actual situation. The controller breached the principle of data transparency, i.e. it was not clear to whom and which third persons data are transferred.
3.4. The initial complaint related to the fact that the applicant did not have to agree to all the conditions for registering an account, including receiving direct marketing. This has been fixed by the data controller, where it was explained that it was a technical error.
3.5. The complaint stated that there was no retention period, as the complainant could not understand for how long the data will be restored. The data controller has explained that different legal grounds must be used, which are also regulated by law. If there is consent, there are no retention periods, if the consent to send direct mail is revoked, then no more can be kept and sent.
3.6. The period of retention of data is regulated by § 47 of the Money Laundering Act.
Act § 47 paragraph 1, 2, 3, 5, 6 states that the data controller must retain data for 5 years after the termination of the business relationship. By order of the competent supervisory authority, the maximum retention period for personal data is 10 years.

3.7. Thus, it must be assessed separately for each person whether a particular person has intentionally breached his or her obligations. The inspectorate further explained that 10 years in the abstract for civil claims is acceptable, but if the data subject objects to 10 years of data retention, the data subject must be reassessed in accordance with Article 21 of the General Data Protection Regulation. The data controller did not argue further in this regard.

4. Reprimand and termination of proceedings

4.1. During the proceedings, the controller changed the procedure of asking consent to direct marketing and thereby eliminated the breach. The controller has been given explanations regarding data storage period that the controller has to take into account in future.

4.2. Based on the above, the Inspectorate terminates the supervision proceedings and issues a reprimand to in accordance with point (b) of Article 58(2) of the General Data Protection Regulation and draws attention to the requirements set out in the GDPR:

4.3. Article 7 (2): If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

4.4. Point (e) of Article 5 specifies storage limitation requirement: personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

4.5.
Article 21 (1): The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

4.6. Article 12 (1): The controller shall provide any information referred to in Articles 13 and 14 to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

In view of the above, we shall terminate the supervisory proceeding.

This decision may be challenged within 30 days by submitting one of the two:

- A challenge to the Director General of the Estonian Data Protection Inspectorate pursuant to the Administrative Procedure Act¹, or
- An appeal to an administrative court under the Code of Administrative Court Procedure (in this case, the challenge in the same matter can no longer be reviewed).

Respectfully

Lawyer
Authorised by the Director General

¹ https://www.riigiteataja.ee/en/eli/527032019002/consolide
² https://www.riigiteataja.ee/en/eli/512122019007/consolide