RKHKm - 4-23-742

From GDPRhub
Revision as of 15:04, 25 June 2024 by Im (talk | contribs)
RKHKm - 4-23-742
Courts logo1.png
Court: RKHKm (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 32 GDPR
§ 29(1)(5) VTMS
§14
62(1) IKS
Decided: 20.06.2024
Published: 24.06.2024
Parties: Ida-Tallinna Keskhaigla
National Case Number/Name: 4-23-742
European Case Law Identifier:
Appeal from: Harju Maakohtu
Appeal to: Unknown
Original Language(s): Estonian
Original Source: Riigi Teataja (in Estonian)
Initial Contributor: im

The Supreme Court confirmed that in the case of unlawful disclosure of health data by hospital the now-amended Estonian Penal Code conflicted the EU law by requiring an identification of a responsible natural person in order to assign liability to a legal person.

English Summary

Facts

On 13 February 2023, the DPA imposed a fine of € 200,000 EUR to Ida Tallina Central Hospital (‘controller’) for unlawful disclosure of health data within the meaning of Article 9(1) GDPR. A member of the management board through them into an open bin outside of the hospital open to public access. For this conduct, the controller violated requirements under Article 32(1)(b) of the Estonian Personal Data Protection Act (‘PDPA’) to ensure the confidentiality of the services processing personal data. Pursuant to Article 62 PDPA, the controller committed a misdemeanour. The decision of the DPA was appealed.

On 31 August 2023, the Harju County Court (‘first instance court’) annulled the decision of the DPA and ruled that the controller could not be punished for committing a misdemeanour because of the principle of derivative liability applied. According to this principle:

1) a legal person, such as a hospital, can only be liable for an offence if the conduct of its body, member, manager, or competent representative met all the elements of a tort or delict, and

2) if the act was committed in the interests of the legal person. In this case, the violation was attributed to a member of the management board, however, the misconduct did not meet all the legal elements of the office and was done in the interest of the hospital. Since this was not the case, the hospital could be held liable for the alleged infringement.

On 21 December 2023, appeal against the decision of the first instance court was filed by an out of court proceeding which sought the annulment of the above decision.

The controller argued that the misdemeanour proceedings be terminated as the offence is time-barred according to 29(1)(5) VTMS.

Holding

The Supreme Court clarified that in Estonia, due to the unique structure of their legal system, fines for GDPR violations are imposed through misdemeanour procedures by a supervisory authority. The same is confirmed by the derogation for Estonia in recital 151 GDPR. This approach must have the same effect as fines imposed directly under the GDPR, ensuring that data breaches are effectively sanctioned even after the regulation comes into effect. As a result, the Supreme Court identified a contradiction between national law and EU law.

Under §14 of the Penal Code, requires an identification of a responsible natural person in order to assign liability to a legal person. On the other hand, under the GDPR, legal persons can be fined for certain type of data breaches without needing to identify the specific individual responsible for the violation. Same was confirmed by the CJEU decision in the Deutche Wohnen case in which the Court stated that the GDPR does not differentiate between natural and legal persons when determining liability for data breaches.

Moreover, the Supreme Court noted that national courts must ensure that EU law takes precedence over conflicting national laws. They must ignore any national provision that conflict with directly applicable EU law to ensure its full effect, regardless if the national law provides a higher standard of protection.

However, in the meantime, the Penal Code has been amended in a way that it provides broader grounds for liability attributable to the controller. More specifically, based on current version of Penal Code § 14(1)(2) it is not necessary to identify the natural person who committed the alleged act within the framework of the activities of the legal person and on behalf of the legal person in order to attribute liability for the violation of the requirements of the GDPR to the legal person.

At this moment, the Supreme Court cannot definitively determine whether the principles of foreseeability, definiteness, and non-retroactivity of law are met for retroactively applying liability guidelines to legal persons before 1 November 2023, the day the Penal Code was amended. If a court in a pending misdemeanour proceeding questions whether these general principles and the specific derogation for Estonia might justify not applying the GDPR, it can seek a preliminary ruling from the CJEU.

Nevertheless, the Supreme Court took into account the controller’s argument and assessed that pursuant to § 29(1)(5) of the Code of Misdemeanour Procedure (‘VTMS’), misdemeanour proceedings must be terminated upon expiry of the limitation period. In misdemeanour proceedings, the statute of limitations is an absolute obstacle to the proceedings, which does not allow further proceedings. Since two years have passed since the misdemeanour was completed on 11 February 2024, and the statute of limitations has not been suspended, the misdemeanour proceedings against the controller must be terminated.

The Supreme Court, therefore, annulled the decision of the first instance court and terminated the misdemeanour proceedings. This termination is based on § 29(1)(5) of the VTMS which states that proceedings must be terminated if the statute of limitations for the misdemeanour has expired. In addition, the Supreme Court ordered the state of Estonia to pay the controller €13 260 to cover the fees paid for the proceedings and lawyers chosen.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.

R I I G I C O H U S

                               CRIMINAL COLLEGE

                                        COURT DECISION
                                      On behalf of the Republic of Estonia


 Case number 4-23-742
 Decision date June 20, 2024
 Court composition Chairman Saale Lao, members Hannes Kiris and Nele Siitam
 Court case Aktiaseltsi Ida-Tallinn Central Hospital misdemeanor personal data

                                     according to § 62 (2) of the Defense Act
 Disputed court decision Harju County Court decision of August 31, 2023
 Complainant and type of complaint Out-of-court procedure Data Protection Inspectorate, cassation
 Other defense attorneys of Ida-Tallinn Central Hospital in the cassation proceedings, attorney-at-law
 parties Maarja Pild and barrister Karmen Turk
 Case review April 24, 2024, written procedure

RESOLUTION

1. Annul the decision of the Harju County Court of August 31, 2023 and terminate the misdemeanor proceedings

Due to the expiration of the statute of limitations for a misdemeanor on the basis of § 29 (1) p. 5 of VTMS.

2. Dismiss the cassation appeal.

3. Order 13,260 euros from the Republic of Estonia in favor of Aktiaseltsi Ida-Tallinn Central Hospital
to cover the fee paid to the defenders selected in the county court and cassation proceedings.

CIRCUMSTANCES AND PROCEDURE

1. With the decision of the Data Protection Inspectorate (AKI) dated February 13, 2023, AS Ida-Tallinn was punished
With a fine of 200,000 euros on the basis of § 62 (2) of the Personal Data Protection Act (IKS) of the Central Hospital.
The person subject to the procedure was punished for the fact that on February 11, 2022 AS Ida-Tallinn Keskhaigla
The garbage container in front of the Magdalena polyclinic contains publicly available health data
documents. This is a special type of data in the sense of art. 9, paragraph 1 of the General Regulation on the Protection of Personal Data (GPR).

with personal data. According to article 32, paragraph 1, point b of IKÜM, AS had the responsibility of Ida-Tallinn Central Hospital
ensure the confidentiality of services processing personal data. Enabling third parties
access to special types of personal data, AS Ida-Tallinn Keskhaigla violated the specified requirements and
committed the misdemeanor stipulated in § 62 of the Criminal Code.

2. The personal defense attorneys of the subject of the appeal procedure submitted to the Harju County Court, they requested an out-of-court hearing
annulment of the decision and termination of the procedure.

3. On August 31, 2023, the Harju County Court annulled the decision of AKI of February 13, 2023 and closed the proceedings
on the basis of § 29 subsection 1 point 1 of the Misdemeanor Procedure Code (VTMS). The county court took the view that
in the processing of personal data, the requirements of article 32 paragraph 1 point b of IKÜM were violated, but AS Ida-Tallinn

Punishing the Central Hospital for committing a misdemeanor was out of the question. The court explained that the act
the derivative liability provided for in § 14 (1) of the Penal Code (KarS) in force at the time of the commission
based on the principle, the legal entity was only liable if the executive employee of its body, its member 4-23-742

or in the behavior of a competent representative all the elements of the delict structure were present and if it was established that the act
was committed in the interest of a legal entity. In the present case, a violation of data protection requirements was alleged
to a member of the management board of the person subject to the procedure. Only personal data could be breached, Article 32(1)(b) of the IKYM

the controller, which was AS Ida-Tallinn Keskhaigla. Therefore, the member of the board could not be a member of § 62, subsection 1 of the IKS
to commit a misdemeanor qualified by
To attribute to AS Ida-Tallinn Keskhaigla.

POSITIONS OF THE PARTIES IN THE CASSATION PROCEEDINGS

4. On December 21, 2023, a cassation appeal was filed against the decision of the County Court of Harju, which
requests annulment of the decision of the county court and enforcement of the extrajudicial decision. Cashier's views

are as follows.

5. The county court does not correctly apply the substantive law, finding that a legal person is not a legal person as provided in § 62
to be punished for the commission of a misdemeanor only if a constituent act has been previously attributed
to an identified natural person. The above is contrary to IKYM art. 83 and the European Court (EC)
given in the Grand Chamber's decision of 5 December 2023 in case C-807/21 (hereinafter Deutsche Wohnen's decision)
with guidelines. § 14 of the Criminal Code must be followed when imposing a fine for the violations listed in Art. 83 of the IKÜM

not applicable to the extent that it is inconsistent with European Union (EU) law.

6. Amendments to § 14 of the KarS, which entered into force on November 1, 2023, do not eliminate the mentioned domestic and EU law
contradiction. Derivative liability has been waived in the case of torts of omission (KarS § 14 (2)), but
in the case of operational delicts (Section 14(1) of the Criminal Code), liability must still be assigned to a legal entity
to identify the natural person who violated obligations.

7. § 315 of the Code of Criminal Procedure (KrMS) allows the court decision to be made available to the parties

postpone the time, but the corresponding court order is not independently contestable. Collaborating with misdemeanors
with a short limitation period, this may lead to a situation where judicial review of the judgment is available
changing the time of making is not guaranteed. The county court extended the judgment available to the parties
making time three times. The assessor asks to clarify whether the court has to apply § 315 of the Criminal Code
consider the statute of limitations for the misdemeanor.

8. On April 24, 2024, the defenders of AS Ida-Tallinn Keskhaigla filed a cassation response, in which they request

dismiss the cassation, noting that the misdemeanor has expired and the misdemeanor procedure VTMS § 29(1)
excluded according to p. 5.

POSITION OF THE COLLEGE

9. The collegium first assesses the defenders' statement (I) regarding the statute of limitations for the misdemeanor and responds
then, to ensure the uniform application of the law, an out-of-court procedure in the manner of obiter dictum
raised substantive and procedural legal issues (II).  Finally, we summarize

the result of the cassation proceedings and the request for reimbursement of the legal expenses of the defenders is resolved (III).

                                                  I

10. According to the misdemeanor protocol, AS Ida-Tallinn Keskhaigla committed the misdemeanor on February 11, 2022.
According to Section 81(3) of the Criminal Code in force at the time the act was committed, the misdemeanor has expired if
two years have passed from completion to the entry into force of the decision made on it, if the law does not
provide for a three-year statute of limitations. The three-year term applicable to the misdemeanors provided for in Chapter 6 of the IKS

Paragraph 1 of IKS § 73, which provides for the limitation period, entered into force only on November 1, 2023. Nor does a misdemeanor case appear
from the material, the circumstances specified in § 81, subsection 7 of the Criminal Code, which would have caused the statute of limitations of the misdemeanor to stop.


                                                                                                 2(6) 4-23-742


Although the county court made a judgment before the expiration of the statute of limitations for the misdemeanor, the decision is not a cassation
entered into force due to submission.

11. According to VTMS § 29 (1) (5) misdemeanor proceedings must be terminated when the limitation period expires.
The statute of limitations is an absolute procedural impediment in misdemeanor proceedings, which does not allow the matter to proceed further

proceedings (e.g. RKKK 11.10.2016, 3-1-1-88-16, p. 8). Because the person subject to the procedure has been accused
Two years have passed since the completion of the misdemeanor on February 11, 2024, and the misdemeanor will not expire before then.
stopped, the misdemeanor proceedings against AS Ida-Tallinn Keskhaigla must be terminated.

                                                  II

12. Outside the limits of the cassation decision, the panel considers it necessary to explain the obiter dictum
the following in order.

13. IKS § 62, which stipulates the responsibility of the responsible and authorized processor of personal data in accordance with the requirements of the IKÜM

for infringement, falls within the scope of EU law. Thus, the cassator reasonably points out
to the position expressed in the EC Deutsche Wohnen decision, that IKÜM art. 58 (2) point (i) and art. 83 (1)
6 must be interpreted in such a way that they conflict with national legal regulations, according to which it is possible
impose a fine on the legal entity as the controller for the violation specified in paragraphs 4-6 of Art. 83
only if this violation has been previously attributed to an identified natural person. IKYM art-te 58
and 83 such interpretation applies in principle retroactively from the moment these provisions
entered into force (see e.g. EC 22.02.2022, C-430/21, p. 77).


14. In summary, the EC found in the Deutsche Wohnen decision that IKÜM does not differentiate liability
when determining natural and legal persons. The latter are not responsible for mere violations which
committed by their representatives, managers or administrators, but also for violations committed by them
any other person acting in the course of and on behalf of the business of the legal entity. To a legal entity
if the person in charge of personal data can be fined as specified in sections 4-6 of article 83 of the IKÜM
for violations, and the IKÜM does not stipulate that a violation must be established in order to impose a fine
committed natural person. IKYM regulates the prerequisites for setting fines listed in paragraphs 1-6 of art. 83

only EU law, which is why member states have no competence to establish additional substantive conditions
(see also EC 05.12.2023, C-683/21, p. 70).

15. According to the board's assessment, it follows from the above that it is not in accordance with EU law until October 31
2023 (including the year) the regulation of § 14 of the Criminal Code, which allowed a legal person IKÜM art 83
For the violations specified in subsections 4-6, a fine must be imposed in misdemeanor proceedings only if this violation
was previously attributed to an identified natural person (see e.g. RKKK 29.05.2020, 1-18-9594/31, p. 10).

16. According to established EC practice, the principle of EU law gives primacy to the national court

the obligation to ensure the full effect of requirements arising from EU law in the dispute under its proceedings,
omitting, where necessary, on its own initiative, any conflicting domestic law
with an EU legal provision having direct legal effect (see e.g. EK 24.07.2023, C-107/23, p. 95). EK is only
in limited cases confirmed the right of the national court to retain EU law for the protection of the person subject to the procedure
not applied and apply a higher national standard of fundamental rights protection. For example, conditional
from the contradiction with the general principle of criminal law nullum crimen nulla poena sine lege scripta stricta praevia,
according to which the solution of the question of guilt must be based on a well-defined and time of commission of the act

of the penalty norm established by law in force (§ 23 of the Constitution, § 2 subsection 1 and § 5 of the Criminal Code as well as
Article 7(1) of the European Convention for the Protection of Human Rights and Fundamental Freedoms and Article 49 of the EU Charter of Fundamental Rights
paragraph 1). When assessing whether a national court must fail to apply what is inconsistent with EU law
domestic law, the EC also prohibits foreseeability, definiteness and retroactive force
analyzed whether the EU legislator has harmonized the disputed norm and whether it is domestic


                                                                                                 3(6) 4-23-742


the application of the norm systematically prevents the imposition of effective and deterrent penalties (see e.g. EK
Grand Chamber 05.12.2017, C-42/17, p-d 29–62; cited C-107/23, paragraphs 95-125). The EC has also explained,
that although the principle of provisions in the Law on Crimes and Punishments (nullum crimen nulla poena sine lege)
cannot be interpreted as prohibiting the gradual refinement of penal norms, it may still do so

retroactive application of the new interpretation of the norm that provided for the violation. It is with such a case
act when the result of the judicial interpretation is not reasonably expected of the commission of the violation
at the moment, especially in view of the interpretation of the relevant provision prevalent in the jurisprudence at that time
(e.g. EC Grand Chamber 28.06.2005, joined cases C-189/02 P, C-202/02 P, C-205/02 P–C-208/02 P and
C-213/02 P, paragraphs 215-218 and the practice of the European Court of Human Rights referred to there). Provisions of criminal law
the principle of non-retroactivity also applies to fines of an administrative nature (see e.g
cited C-189/02, p 202; EC Grand Chamber 20.12.2017, C-521/15, p-d 145–146).


17. IKÜM is a regulation and therefore binding as a whole and directly applicable in all member states.
Recital 151 of the IKÜM describes, among other things, the exception applicable to Estonia: because Estonia
the legal system does not allow fines to be set according to the provisions of the IKÜM, fines are set in Estonia
supervisory authority within the framework of misdemeanor proceedings, provided that such application of the rules has
equivalent effect as fines imposed by supervisory authorities. So it will also be looked at after IKÜM
entering into force in Estonia, cases of violation of data protection requirements are handled in misdemeanor proceedings. Corresponding content
the elements of a misdemeanor are stipulated in the IKS (Chapter 6) and the Criminal Code (Articles 157 and 157 of the Criminal Code). As far as IKYM

violations are misdemeanors, then as a starting point, the provisions of the general part of KarS extend to punishing them
(KarS § 1 subsection 1 and § 3 subsection 2 in combination).

18. EC practice on the issue of predictability and retroactive force of the penalty norm has mainly developed
in connection with the statute of limitations for illegal activities and offenses damaging the financial interests of the EU (see e.g
EC Grand Chamber 08.09.2015, C-105/14; cited C-42/17 and C-107/23). There is no implementation of IKÜM provisions
EC has had to explain in this context so far. The college cannot be outside the specific
take a final position on the resolution of a misdemeanor case, whether foreseeability, definiteness or the law

principles of non-retroactivity are consistent with the legal one given in the Deutsche Wohnen decision
retroactive application of the guidelines concerning the responsibility of the person in those misdemeanor cases where blameworthy
The violation of IKÜM requirements took place before November 1, 2023. If the court has a pending
in misdemeanor proceedings, doubt as to whether the general principles of criminal law are applicable to Estonia in the IKÜM
with the established exception may be a reason not to apply IKÜM and to proceed from domestic fundamental rights
protection from a higher standard, he can ask the EC for a preliminary ruling (see also RKKK 01.07.2022, 1-20-1599/59,
page 43).


19. According to the assessor's assessment, the amendments to § 14 of the KarS, which entered into force on November 1, 2023, do not eliminate domestic
and the inconsistency of EU law, insofar as the derivative liability of the legal entity has only been waived
in the case of torts of omission (KarS § 14 (2)), but not for torts of activity. College of this
do not agree with the position.

20. § 14 paragraph 1 of KarS, which regulates the liability of a legal person, provides the prerequisites for punishing a legal person
for the offense committed by the activity. With the changes that entered into force on November 1, 2023, § 14 of the Criminal Code was retained

The derivative liability of a legal entity in subsection 1 clause 1 in the current sense, i.e. according to the mentioned provision is
in order to assign responsibility to a legal entity, it is still necessary to identify a natural person (a legal entity
body, its member, executive employee or competent representative), whose act can be attributed to a legal entity. § 14 of the Criminal Code
however, the bases of liability of a legal person have been expanded in comparison with the previous one in paragraph 1 p. 2.

21. According to § 14 (1) p. 2 of the valid KarS, a legal person is responsible for an act in the cases provided for in the law,
committed by any person in his interest or in breach of his legal obligations
on the order of the body or person specified in point 1 of paragraph 1 or the incomplete work organization of a legal entity

or due to supervision. One of the motivations for changing the law was the desire to expand the responsibility of a legal entity

                                                                                                 4(6) 4-23-742

conditions in such a way that, in the case of operational delicts, punishment would also be possible in the situation where the act was committed
the natural person who placed it is not identifiable or if it is not a body of a legal entity, its member,
with a senior employee or a competent representative (see 94 SE, composition of the Riigikogu XIV, explanatory note to the second draft

for reading, pages 5-7). Because a fine arising from art. 83 of the IKÜM shall be imposed on a legal entity
apply the current KarS § 14 in accordance with EU law (see also RKÜK 15.03.2022, 5-19-29/38, p. 41),
it is therefore not necessary to identify a legal entity for the violation of IKÜM requirements
a natural person who committed the reprehensible act in the framework of and on behalf of the activity of a legal entity.

22. In response to the cassator's arguments regarding the time of making the judgment available
extension, the panel notes the following. Although VTMS § 2, KrMS § 315 paragraph 2 and § 385 p 23
in combination, changing the time of making the court decision available to the parties is not an appeal

contestable, the control over the judge's activities is also ensured by the courts in the organization of misdemeanor proceedings
with supervision regulated by law. If the judge does not do what is necessary without good reason
procedural action, then the chairman of the court may decide on such a remedy for the administration of justice
implementation, which presumably allows the procedure to be completed within a reasonable time (Act on Courts
(KS) § 45 subsection 1). It can also be a failure to fulfill an official duty or an inappropriate performance
as a basis for the judge's disciplinary responsibility (CS § 87).


23. In the case at hand, the county court announced the final part of the judgment at the court session on August 31, 2023,
allowing the full judgment to be made available to the parties no later than October 6, 2023. The court ordered
On October 4, 2023, the new time for publishing the decision will be November 6, 2023, then November 27, 2023, and
at the latest on December 21, 2023. The county court made the full text of the decision available to the parties
on December 15, 2023. The disputed misdemeanor case is not complex in its content and, according to the collegium
there are no substantive reasons why the county judge could not keep his promise

deadlines, by repeatedly postponing the time of notifying the parties of the judgment (see also
RKKK 07.03.2024, 1-21-8941/64, p-d 26–27).

24. The court has the duty to ensure the speedy resolution of the misdemeanor case (VTMS § 2 and KrMS § 15). Procedure
in planning, as well as in changing the time of making the court decision available to the parties, the court shall consider otherwise
among others, take into account that misdemeanors generally expire within two years and the court must manage the proceedings
in such a way that it can be completed before the expiration date of the misdemeanor (see e.g. RKKK

01.06.2023, 4-22-3036/61, p 13). However, the obligation to process the misdemeanor case without delay also applies
in an out-of-court procedure. In the current case, it took AKI a year to reach a misdemeanor verdict. At the same time
it can be seen from the file that for more than seven months (18.02.2022–07.06.2022 and 29.06.2022–24.10.2022)
the matter was not processed on its merits. In summary, the court can be expected to conduct misdemeanor proceedings before
the expiration date only if he has been given a reasonable time to resolve the matter.

                                                 III


25. Based on the above and guided by § 174 p. 4 of the VTMS, the collegium cancels the Harju County Court
of the decision of August 31, 2023, and terminates the misdemeanor proceedings on the basis of § 29 (1) p. 5 of the VTMS, a misdemeanor
due to the expiration of the statute of limitations. The cassation of the out-of-court procedure remains unsatisfied.

26. The defenders of AS Ida-Tallinn Central Hospital request in the county court proceedings and in the cassation proceedings
reimbursement of the fees paid to the selected defenders in the total amount of 24,102 euros (without VAT).
According to the application and the invoices attached to it, the selected defenders provided legal aid in the county court

115 hours and 8 hours and 36 minutes in the cassation procedure, for which AS Ida-Tallinn was presented
Central hospital bills in the amount of 22,425 euros and 1,677 euros. The price of one working hour of defenders is 195 euros (excl
without VAT).VTMS § 23 states that in case of termination of misdemeanor proceedings, among other things, VTMS § 29
On the basis provided for in subsection 1 p. 5, the person subject to the procedure shall be compensated to the counsel selected at his request
reasonable fee paid.


                                                                                                 5(6) 4-23-742


27. The cost of one working hour of the defenders is reasonable. However, the collection cannot be considered reasonable
time spent on county court and cassation proceedings. The collegium agrees with the county court that the first
in the first-level proceedings, both the preparation of the procedural documents and the litigation were unfounded
related time expenditure, and agrees with the court's final conclusion that the fee paid in the county court must be counted

reasonable for 65 hours, i.e. in the amount of 12,675 euros (without VAT). Cassation response
The panel also does not consider the 8 hours and 36 minutes spent on preparation to be justified, taking into account that
the proceedings are terminated due to the statute of limitations of the misdemeanor and other claims of the defense counsel's cassation response
overlap to a significant extent with the views expressed in the earlier proceedings. The college counts
the fee paid to the defense counsel in the cassation procedure as reasonable in the amount of three hours
585 euros.

28. On the basis of § 23 and § 38 (1) of VTMS and § 186 (1) of KrMS, the board condemns AS Ida-Tallinn from the state

13,260 euros (without VAT) in favor of the Central Hospital in the county court and cassation proceedings
to cover fees paid to selected counsel.

(signed digitally)









































                                                                                             6(6)