AKI (Estonia) - 2.1-1/19/4627
AKI - Nr. 2.1-1 / 19/4627 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 6 GDPR |
Type: | Complaint |
Outcome: | Other Outcome |
Started: | |
Decided: | 04.03.2020 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | Nr. 2.1-1 / 19/4627 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Estonian |
Original Source: | AKI (in ET) |
Initial Contributor: | n/a |
The Estonian Data Protection Authority (AKI) emphasized that an existing legal basis for the publication of personal data does not entitle to re-use and disclose the published information for any purpose.
English Summary
Facts
The complainant submitted a complaint to the DPA regarding the disclosure of data relating to the complainant in the public registers. The personal data concerned relate to the personal stories of board members. The central issue was the fact that the complainant had not given his consent to the processing of personal data for the commercial register.
Dispute
The DPA had to decide whether the publication of data relating to members of a management board was lawful.
Holding
According to the law, the data of the members of the company's management board are published in the commercial register. The DPA emphasized this does not mean that these data may be re-used and disclosed for any purpose. Data that is disclosed in the open data portal can be unrestricted reused for commercial or non-commercial purposes. There must also be a legal basis for the re-use for other purposes. The Commercial Register disclosing the data of the members of the management board on the basis of law cannot guarantee that no one will use this data for other purposes without a legal basis. The Inspectorate has received several complaints regarding the disclosure of data in information portals and will decide this matter. If it turns out that there is no legal basis for processing the data, the Inspectorate will oblige to stop the illegal processing of personal data.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
CONTEST DECISION personal data protection in case no. 2.1-3 / 20/287 Decision maker Chief Inspector of the Data Protection Inspectorate Elve Adamson Time and place of making the decision 04.03.2020 in Tallinn, Time to file a challenge 1/23/2020 The contested administrative act or operation Procedure of the Data Protection Inspectorate 22.01.2020 Decision No 2.1-1 / 19/4627 not to initiate proceedings Challenger Private person address: Xxxxxxxx xxx xx, xxxxx Xxxxxxx e-mail address : xxxx@xxxxxxxx.ee RESOLUTION: Pursuant to clause 85 2) of the Administrative Procedure Act (HMS) I decide: Uphold the challenge and process the complaint CONTEST REFERENCE: The appellant may challenge this decision within 30 days by submitting an appeal to an administrative court in accordance with the Code of Administrative Court Procedure. FACTUAL FACTS: On 19.12.2019, the appellant submitted the following address Google your face and last name from the internet search environment www.google.com, throws to the front page at the bottom of the page https://creditreports.ee xxxx-xxxxxxx Clicking on this link will open my personal story as a private individual - titled ‘Private personal story " This website article is not about a company, but about me as a Private Person and me activities. Among other things, it describes how and when I started a business /… .. Private person started business 19 years ago, when he was 26 years old. Starting his business remains to the year 2000, a time when fresh capital from its first mistakes proper õpp. / and how I have managed companies / ni. All in all, he has over the years managed 4 companies. Today, he is still on the board of 4 companies, 2 of which are active economic activity, 2 have been left to disappear (incl. VAT payers… / there Page 2 2 (4) characterize me /…. An individual has seen companies through the eyes of both a manager and an owner. Ta continues to reach many and performs many roles, he is:… ../. It is clearly mine as processing of personal data of a natural person. APPLICATION As far as I do not have my data consent to the transfer of personal data to public registers, including the commercial register processing in such a way that third parties can collect and use the data there in turn, to create a database that characterizes me in my self, is done by them processing such data in this form without my consent. Although from the commercial register various queries it is possible to obtain certain information about the company by doing so, the commercial register does not have the right to publish information together with the authorization to collect and compile data on natural persons such as provide an opportunity to compile databases characterizing natural persons. Please check the lawfulness of the processing of my Personal Data by the persons behind this website and if they are in breach of my data processing, they will be penalized accordingly. On 22 January 2020, the Data Protection Inspectorate did not initiate the proceedings on the following grounds On 19.12.2019, you submitted a complaint to the Data Protection Inspectorate on the basis of the Personal Data Protection Act in connection with the disclosure of data about you in public registers. Explain that you have not given consent to the commercial register to process its personal data in such a way that third parties can collect data there and use it to characterize you as a natural person ScoreStorybook in the register (Register OÜ and Storybook OÜ). You believe that though the commercial register is public, however, the commercial register does not have the right to disclose information by allowing other persons to do so collect and use. You want the Data Protection Inspectorate to control the processing legality and to penalize registrars in a situation where your rights are violated. With regard to the commercial register, we explain that it is a national database, the purpose of which is to collect, to preserve and disclose information on self-employed enterprises located in Estonia, companies and branches of foreign companies (CC 1, § 22, 1). Pursuant to § 28 (1) of the CA. The entries in the commercial register are public, which allows everyone the right to inspect the registry card and with a business file and to receive copies of the registry card and the document in the business file. Only the data prescribed by law are entered in the Commercial Register (§ 31 of the CA); provisions of the Commercial Code (Ref. 2). As the legal basis for the commercial register derives from Article 6 (1) of the CCIP even in this case, your consent to the processing of personal data cannot be obtained. In the commercial register Disclosure of the data of the members of the management board is necessary to ensure business turnover - with the company it is necessary for the persons carrying out the transactions to check the right of representation of the company's representative. However, the above does not apply to all kinds of private information portals, as they do not exist national and are not subject to the above disclosure provisions of the Commercial Code. The Data Protection Inspectorate has started monitoring personal data in various information portals processing (including the disclosure of data of invalid representatives) in order to legal basis for data processing. We have asked all information portal operators for processing an overview of the data and explanations of the legal basis for the disclosure of the data. In doing so we must take into account that similar information portals operate in other EU countries and that from In 2018, the processing of personal data will be regulated by the Pan-European General Data Protection Regulation, which The aim is to harmonize the organization of personal data protection across Europe. So far not unfortunately, a pan-European position on information portals. Monitoring has been extensive, but we are currently summarizing and making decisions. Monitoring We will certainly also inform the media of the decisions taken as a result, because it is has a problem that affects many people. Based on the above, the Data Protection Inspectorate will not start separately with regard to your personal data monitoring procedure. 1 In the computer network: https://www.riigiteataja.ee/akt/128022019010 Page 3 3 (4) CLAIMER'S CLAIM AND EXPLANATION: On 19 December 2015, the applicant submitted to the Data Protection Inspectorate on the basis of the Personal Data Protection Act a complaint regarding the disclosure of data about the Complainant in public registers. Complaint The central issue was the fact that the applicant had not given his consent to the commercial register the processing of personal data in such a way that third parties may collect such data, and use in turn to characterize the Applicant as a natural person in the ScoreStorybook Registry (Register OÜ and Storybook OÜ). In the complaint, the applicant considered that although the commercial register is public, the commercial register shall not, however, have the right to publish information by allowing other persons to collect it, and to use. The complainant requested that the Data Protection Inspectorate inspect the processing legality and, in a situation where the rights of the complainant are violated, the registrars would be 1 complaint). The Data Protection Inspectorate did not start with its letter No. 2.1.-1/19/4627 by its letter of 22.01.2020 described in respect of the act. The reasons of the Data Protection Inspectorate were summarized the following: a) The Commercial Register has the legal right to publish personal data (b) The right of publication of commercial registers shall not apply to all forms of private law information portals c) The Data Protection Inspectorate has started monitoring personal data in various information portals processing in order to determine their legal basis. Monitoring is extensive. d) There is currently no pan-European position on such information portals. (Annex 2 Data protection Inspection letter) I received the letter from the Data Protection Inspectorate on 22.01.2020. The failure of the Data Protection Inspectorate to initiate proceedings violates my rights insofar as I do has not authorized the collection of its own data as a natural person, that they are in no private law a legal person could display its revenue to the public through a website. Me and only me have the right to control when, how and for what purpose mine personal data are processed. The processing of personal data must be based on law. Referred to by me there is no legal basis for the processing of personal data. Therefore, the proceeding should also have been initiated, if the Data Protection Inspectorate itself admits in the same letter that they are already investigating (through monitoring), whether or not such activities have a legal basis. None of the reasons given by the Inspectorate give reason not to initiate proceedings. In addition to the above, the letter of failure to initiate infringes my rights of defense in that it does not explain the act my appeal. I would like the Talent Protection Inspectorate to initiate proceedings regarding the processing of the described personal data. GROUNDS FOR THE DATA PROTECTION INSPECTORATE: Disclosure of personal data in the commercial register There must be a legal basis for any processing of personal data. Processing of personal data the legal bases are set out in an article of the European Union's General Regulation on the Protection of Personal Data (EDPS) 6. Thus, the consent of a person alone is not the legal basis for the processing of personal data. If processing of personal data, including disclosure, takes place on the basis of law, the consent of the person is required no it is not. As according to the law, the data of the members of the company's management board are public in the commercial register, it will take place disclosure of the data of the members of the management board in the commercial register on the basis of law. This as board members the data are public in the commercial register by law, this does not mean that these data may be Page 4 4 (4) re-use and disclose for any purpose. Data that can be unrestricted reused for commercial or non-commercial purposes is disclosed in the open data portal. Regarding the data of the Commercial Register, only the data of companies have been disclosed on the open data portal, not details of the members of the management board. Therefore, the data of the members of the management board disclosed in the commercial register must also be kept be a legal basis for re-use for other purposes. The Commercial Register disclosing the data of the members of the management board on the basis of law cannot guarantee that no one will use this data for other purposes without a legal basis. Processing of personal data in StoryBook Because Storybook uses the commercial register to disclose the personal stories of board members personal data must be available for processing and re-disclosure legal basis. Because both Storybook's disclosure of personal stories and others the Inspectorate has received several complaints regarding the disclosure of data in information portals, then the Inspectorate started supervision regarding the processing of personal data in various information portals in order to: find out the legal basis for data processing. The aforementioned supervision also includes Storybook's activities in disclosing personal stories. If If it turns out that there is no legal basis for processing the data, the Inspectorate also obliges Storybook stop the illegal processing of personal data. In essence, the challenge also solves the above the complainant's complaint, therefore the waiver did not initiate a separate procedure on the basis of the complainant's complaint. In other words, a separate procedure was not initiated on the basis of the complaint, but the ongoing supervision was not carried out the result would also have included the appellant's complaint, to which the substance of the complaint would have been joined ongoing procedure. The right of a person to lodge a complaint Despite the fact that the Inspectorate has initiated an infringement procedure in the same case without prejudice to the right of the person to lodge a complaint. Pursuant to Article 77 of the CCIP paragraph 1, any person shall have the right to appeal to the supervisory authority, in particular in the Member State where: his habitual residence, place of employment or the place where the alleged infringement took place, if the person considers that: the processing of personal data concerning him infringes the Regulation. § of Personal Data Protection Act (IKS) 61 (1), the Data Protection Inspectorate shall resolve a complaint within 30 days after its submission which may be extended by 60 days if necessary (§ 61 (2) of the IKS). Due to the above, the Data Protection Inspectorate satisfies the challenge and accepts the submitter of the challenge appeal procedure. with respect /signed digitally/ Elve Adamson Inspector General under the authority of the Director General