AKI (Estonia) - 2.1.-1/21/1550

From GDPRhub
AKI (Estonia) - 2.1.-1/21/1550
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 15 GDPR
Article 23 GDPR
Type: Complaint
Outcome: Partly Upheld
Decided: 03.06.2021
Fine: None
Parties: n/a
National Case Number/Name: 2.1.-1/21/1550
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Estonian
Original Source: Data Protection Inspectorate (in ET)
Initial Contributor: n/a

The Estonian DPA issued an opinion stating that a processor must respond to a pending access request or else face a EUR 2000 fine.

English Summary


The processor, Viimsi Uudised OÜ, published a story on its website featuring information about the Complainant. The Complainant responded by lodging a complaint with the DPA. The DPA reached out to the processor and asked it to either to issue a copy of the personal data to the Complaintant or to refuse to issue data by providing a clear reference to the national law that permits restriction of the rights of a person under Article 23 GDPR. The processor sent a reply but did not comply with the requests of the DPA. The data subject now submits an Art 15 GDPR access request from the processor.



The DPA clarified that data subject has the right to inspect the data collected about him / her pursuant to Article 15 GDPR and to receive explanations on the circumstances of the processing. This provision entitles the data subject to request a copy of their personal information. There is a journalistic exception, but refusal to release personal data should be justified through description of how the data of the data subject would be detrimental to third parties if transferred to him or her.

Because the data subject can ask for personal data about himself / herself under Article 15, the processor must comply or else face a EUR 2000 fine.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.

                                             PROTECTION OF PRIVACY AND TRANSPARENCY

                                                          INTERNAL USE
                                                          Holder of information: Data Protection Inspectorate
                                                          The access restriction is valid until: 03.06.2096
                                                          Basis: § 35 (1) 12) of the PSA

                              PRECAUTIONS WARNING
                       protection of personal data in case no. 2.1.-1/21/1550

 Preceptor Data Protection Inspectorate

 Time of precept and
 place 03.06.2021, Tallinn

                                 Viimsi Uudised OÜ
 Addressee of the precept - address: Pärnu county, Pärnu city, Pärnu city, Papli tn
 personal data processor 19-1, 80012
                                 e-mail address: ivo@rullrumm.ee

 Member of the board of the personal data processor
 responsible person

 Copy to the applicant: xxx

§ 56 (1), (2) (8), § 58 (1) and personal data protection law (IPS)
Articles 5 (2) and 6 of the General Regulation on the Protection of the Environment (ICZM) and Article 58 (1) (a) of the CCIP
and subject to the same paragraph (e) and Article 58 (2) (d), the inspection

mandatory precept:
Submit to XXX a copy of what is being processed about him / her pursuant to Article 15 of the CISA
personal data in so far as it does not infringe the rights and freedoms of others.

I set the deadline for compliance with the precept on 18.06.2021. a.

Notify the Data Protection Inspectorate of the fulfillment of the precept by the same deadline.

This injunction may be challenged within 30 days by submitting either:

a challenge to the Data Protection Inspectorate under the Administrative Procedure Act, or
an appeal to the Tallinn Administrative Court under the Code of Administrative Court Procedure (in this case,
no longer review the challenge in the same case).

Contestation of a precept does not suspend the obligation to comply with the precept or the measures necessary for enforcement


If the precept is not complied with by the specified term, the Data Protection Inspectorate shall appoint
to the addressee of the precept on the basis of § 60 of the Personal Data Protection Act:

                                  penalty payment of 2000 euros.

The penalty payment may be imposed repeatedly - until the precept is complied with. If the recipient does not pay

Tatari 39, Tallinn 10134/627 4135 / info@aki.ee / www.aki.ee / Registry code 70004235 penalty payment, it is forwarded to the bailiff to start enforcement proceedings. In this case, additional
bailiff's fees and other enforcement costs.

On 19.04.2021 XXX (the applicant) lodged a complaint with the Inspectorate through his representative XXX.

On 21.05.2021, the Inspectorate made a proposal to Viimsi Uudised OÜ (processor) at the latest
31.05.2021 to the applicant either to issue a copy of his personal data to the applicant or to refuse
clear indication of the national law which allows it
Restrict the rights of a person under Article 23 of the ECHR.

On 31.05.2021, the processor sent a reply to the Inspectorate, but did not comply with the proposal.

On 01.06.2021, the Inspectorate clarified to the processor that regardless of the transmission entered into force
not automatically terminate the supervision procedure of the Inspectorate and
is mandatory to complete the proposal. It was explained to the processor that these are two separate ones
procedure. The processor was also offered the opportunity for a telephone consultation, as from the latter
the reply revealed that the processor had misunderstood the proposal in relation to third parties
issuance of data (the proposal only required the processor to make a copy of the complainant's data
and it was clarified that the refusal to release third party data
under Article 15 (4) of the CCIP)
communicate only in writing. Therefore, the Inspectorate has no choice but to issue this precept.

Excerpt from the complaint of 19.04.2021:
On 08.12.2020, the portal operator published a story on its website entitled “The title of Viimsi Locomotive 2020
Andres Jaanus and Märt Puust received the XXX, the title of Viimsi Brake was awarded to XXX ”(Appendix 4). That story
page 4 of the pdf printout has the following text:
Viimsi Brake 2020 is XXX
According to the predominant opinion of the respondents (101 votes), the editorial board gave the title Viimsi Pidur 2020
alternate member of the council's Reform Party list for XXX. .Therefore, it is a valid law
means a person who possesses and possesses the information required by the publishers

The aforementioned posts were published by Ivo Rull. This has been proven
its when you move the mouse cursor by LAST NEWS onto which
then a link will open as shown in the adjacent image.

Summary. According to the text of the story on 08.12.2020, at least 101 different people had to be sent
toimetus@viimsiuudised.ee own "voice" and (some) also justifications. So Viimsi must
News OÜ has at least 101 different e-mails, to a greater or lesser extent (however
at least in the form of a name) the personal data of the data subject have been processed.

Viimsi Uudised OÜ is not a press release that does not approve personal data
based on the public interest and journalistic activity. But even without that fact
Viimsi Uudised OÜ should have issued information to the data subject regarding the processing of his or her personal data

On 19.02.2021, the data subject sent to Viimsi Uudised OÜ through a contractual representative
a letter of demand, in which he demanded, among other things, that Viimsi Uudised OÜ issue
materials containing his personal data to the data subject (Annexes 5 and 6). Viimsi Uudised OÜ
received the letter of request but ignored it (Annex 7).

For the legal reasons below, the data subject finds that Viimsi Uudised OÜ violated it
requirements for the processing of personal data and asks the Data Protection Inspectorate to start Viimsi
Uudised OÜ and to oblige Viimsi Uudised OÜ to comply with the law
the obligation to provide the data subject with information on the processing of his or her personal data and to issue

1In the computer network: https://viimsiuudised.ee/koik-uudised/tiitli-viimsi-vedur-2020-said-andres-jaanus-ja-mart-puust-
Viimsi-piduri-tiitliga-parjati .... personal data collected about the data subject.

In response to 31.05.2021:
In response to your proposal made on 21.05.21, I will send the Harju County Court on 01.02.2021
court ruling in civil case 2-20-19232 and the court ruling of Tallinn Circuit Court of 17.02.21
in Civil Case 2-20-19232 (attached).

As you can see, there is a final court decision by which Viimsi municipal politician XXX
an attempt to interfere with the independent community portal Viimsi News in the activities of data processing
arguments have been rejected.

I regret that XXX, through his representative XXX, has now tried to do Data Protection
A tool for harassing a media channel independent of the Inspectorate.

01.06.2021 in the answer:
Have you started to contest the decision made and entered into force in the court system of the Republic of Estonia?

I would also like to ask you for further clarification on how XXX supports you before giving a substantive answer
recommend personal data is not compromised by respondents who have assumed anonymity

Have I misunderstood anything if I assume that the Data Protection Inspectorate should not be granted
to defend the case not Viimsi's power politicians' interest in explaining to the reader in the survey
personal data of those who have shared critical values, but instead to protect those who
assumed your anonymity and privacy when participating in this survey?

I am also interested in whether the Data Protection Inspectorate has processed similar ones in the past
cases where, for example, someone is dissatisfied with the results of a Delfi or Postimees reader survey
the politician wants to know who has critically assessed his actions by name.


I Processing of personal data

First, we clarify that the General Regulation on the Protection of Personal Data (EDPS) applies to either personal data
fully or partially automated processing and non-automated processing of personal data
processing of such personal data if they form part of a data collection or if they are
intended to be included in the data collection. Thus, for example, only those that can be processed orally cannot be required

access or deletion of data.

Any processing of personal data must have a legal basis which is non-exhaustive
the list is set out in Article 6 (1) of the General Regulation on the Protection of Personal Data (EDPS)
the processing of personal data requires one of the grounds set out in Article 9 (2) of the CCIP.

Disclosure of personal data for journalistic purposes without consent can take place
on the basis of § 4 of the Personal Data Protection Act. However, it is clear that the processor has a position on the applicant

more information than the information disclosed in the article which is already known to the applicant and which
the applicant has not requested the filing. In the present case, the applicants are interested in that article
personal data collected about the applicant.

II The data subject's right to inspect his or her own data

The data subject has the right to inspect the data collected about him / her pursuant to Article 15 of the ICC
personal data and to receive explanations on the circumstances of the processing. This provision entitles the applicant

request a copy of your personal information, not other people's information. Nor does it mean the automatic right to receive a copy of a particular document. Article 15 of the
under paragraph 4, the right to obtain a copy is refused in so far as it is prejudicial to other persons
rights and freedoms. In addition, since the making of a media publication, it can be applied to the touch
also source protection for individuals.

In other words, the applicant is not entitled to receive other people's names or other information. He is right
to obtain data on one's own place, including any other claims or assessments of one's own place,
but without the name of another person. Only the fact that another person by the controller
the information provided about the complainant is in a derogatory and uncensored style, there is no basis for such

refusal to issue claims or assessments. To the applicant concerning himself
Refusal to disclose personal data should be justified by the way in which you provide your own data to him
would be detrimental to third parties.

It is the data controller 's own choice whether to provide the person with a copy of the original document / file, etc
detrimental to other persons) or to make a document only about the complainant's personal data

extract and provide a copy to the person.

We clarify that the processor has an obligation to respond to the person 's requirement of Article 15 of the CISA within one month, and
by failing to reply, the processor breached its obligation to reply. Nor did the processor perform
proposal of the Inspectorate and has not replied to the complainant within the time limit set there.

III Judicial proceedings vs. supervisory review proceedings

We also clarify that the initiated supervision procedure is a court proceeding
independent. 01.02.2021 In the ruling of Harju County Court no. 2-20-19232 the court has dismissed

the applicant's request to initiate a preliminary verification procedure. The court has ruled that the applicant
the purpose of initiating the pre-certification procedure is to identify the persons who provided his name
the title of Viimsi Brake 2020 nominee. In summary, the court has found that the person is known

the publisher, who is responsible for what has been published and against whom the complainant has the opportunity, if necessary, e.g.
To apply to a court on the basis of subsection 1046 (1) of the LPA. In doing so, the court has indicated that the applicant has
the possibility of ascertaining the relevant facts when the main proceedings have been instituted against the declarant.

In its proceedings, the court has only assessed whether a person has the right to apply to the court for that court
identify who has provided information about him to the media outlet. Submitted to the Inspectorate

in the application, the person asks for personal data about himself / herself under Article 15 of the CCIP, not others
people’s names, so these are different requirements that are not interdependent.
However, the court did not address the request for information about the applicant in the order.

/signed digitally/

Kadri Levand
under the authority of the Director General

2 Pursuant to § 15 (2) of the Media Services Act, a person processing information for journalistic purposes may not
publish data enabling his identification without the consent of the source of the information.