AKI (Estonia) - 2.1.-1/22/2643

From GDPRhub
Revision as of 10:51, 3 January 2023 by Kk (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AKI - 2.1.-1/22/2643
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 4(1) GDPR
Article 6(1) GDPR
Article 17(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Decided: 08.12.2022
Fine: 2500 EUR
Parties: n/a
National Case Number/Name: 2.1.-1/22/2643
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Estonian
Original Source: AKI (in ET)
Initial Contributor: n/a

The Estonian DPA ordered a controller to comply with an erasure request under Article 17 GDPR to delete a former work email address.

English Summary[edit | edit source]

Facts[edit | edit source]

The employment relationship between Retent AS (the controller) and the data subject ended in June 2022. Since then, the data subject repeatedly contacted the controller requesting the deletion of his former work email addresses. However, the controller did not block the address and continued sending emails to the data subject.

The data subject submitted a complaint before the Estonian DPA, which ordered the controller to comply with the data subject's request and delete the email addresses. However, the controller did not respond to the DPA's letters.

Holding[edit | edit source]

The DPA recalled that the name of a person contained in an e-mail address constitutes personal data in accordance with Article 4(1) GDPR. Personal data may only be processed if there is a valid legal basis referred to in Article 6(1) GDPR. As a general rule, an employee is given a named e-mail address to carry out tasks set out in the employment contract. Once the employment relationship ends, there is no longer a legal basis for the processing of the employee's personal data.

The data subject's former work e-mail addresses were still open despite the employment contract having ended and despite a request to delete the account. The DPA noted that Article 17(1)(a) GDPR requires the controller to erase personal data without undue delay where the personal data are no longer necessary for the purposes for which they were collected or otherwise processed. Since the controller had no legal basis for using the work email addresses, the continued disclosure of the data subject's personal data was unlawful. The DPA established a violation of Articles 6(1) and 17(1)(a) GDPR.

The DPA issued a mandatory injunction against the controller in order to put an end to the infringement as soon as possible and to guarantee the data subject's right to be forgotten under Article 17 GDPR. In case the controller does not comply with the injunction within a week, the DPA will impose a €2,500 fine for the GDPR infringements.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.


                                                        Owner of information: Data Protection Inspectorate
                                                        Note made: 07.12.2022
                                                        Access restriction is valid until: 07.12.2097
                                                        Basis: AvTS § 35 paragraph 1 point 12, AvTS § 35 paragraph 1 point 2

                               PRESCRIPTION WARNING
                        personal data protection case no. 2.1.-1/22/2643

                                Data Protection Inspectorate lawyer Annika Kaljula
Prescription maker

Time of making the prescription 08.12.2022 in Tallinn
and place

Addressee of the injunction – Retent AS
e-mail address of the personal data processor: retent@retent.ee

Personal data processor Board member Koit Pindmaa
responsible person


§ 56 subsection 1, subsection 2 point 8, § 58 subsection 1 of the Personal Data Protection Act (IKS) and
on the basis of Article 58(2)(g) of the General Regulation on Personal Data Protection and taking into account
I make a mandatory prescription to comply with Article 17:

Close the e-mail addresses Xx@retent.ee and Xx@retent.ee and send to the inspection and

                             a confirmation of this to the applicant as well.

I set the deadline for the execution of the order to be 15.12.2022.

Report compliance with the order by this deadline at the Data Protection Inspectorate's e-

mail to info@aki.ee.

This order can be challenged within 30 days by submitting either:
- a complaint to the Data Protection Inspectorate under the Administrative Procedure Act or
- a complaint to the administrative court according to the Code of Administrative Court Procedure (in this case it is no longer possible

to review the argument in the same matter).

Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment

If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine
to the addressee of the injunction on the basis of § 60 of the Personal Data Protection Act:

                                   Extortion money 2500 euros

A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay

Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee
Registry code 70004235 extortion money, it will be forwarded to the bailiff to start enforcement proceedings. In this case, they are added
bailiff's fee and other enforcement costs for the enforcement money.

Protection of personal data against failure to comply with the injunction pursuant to Article 58 (2) of the General Regulation
misdemeanor proceedings may be initiated based on § 69 of the Personal Data Protection Act. For this act

a natural person may be fined up to 20,000,000 euros and a legal person
may be punished with a fine of up to 20,000,000 euros or up to 4 percent of his previous one
of the total worldwide annual turnover of the financial year, whichever is the amount
bigger. The out-of-court procedure for a misdemeanor is the Data Protection Inspectorate.

The Data Protection Inspectorate (inspection) received Xx's complaint regarding his former professional e-mail
by not deleting the addresses (Xx@retent.ee and Xx@retent.ee) of the former employer Retent AS

by. The employment relationship between Retent AS and Xx ended in June 2022, and after that the complainant
has repeatedly turned to Retent AS with a request to close his former professional e-mails
addresses. According to the applicant, however, the employer has not closed his e-mail addresses so far, and he can
continued emails from them.

Data Protection Inspectorate sent on 14.11.2022 Retent AS to the e-mail registered in the business register
retent@retent.ee proposal to close the e-mail addresses Xx@retent.ee and Xx@retent.ee and

send confirmation to the inspectorate (info@aki.ee) and to the complainant (Xx) at the latest
21.11.2022. In case the data processor does not agree with the proposal, the inspectorate asked to clarify,
on what legal basis are the professional e-mail addresses of former employee Xx of Retent AS kept
Xx@retent.ee and Xx@retent.ee still open. Because no answer by the specified date
came, the inspection sent the data processor a repeated proposal with the same content on 28.11.2022,
setting the deadline for the response to 5.12.2022 and warning the data processor to issue an injunction

and for the possibility of imposing fines in case of failure to respond.

As of this date, Retent AS has not responded to the inspection's proposal or asked
an additional extension of time to answer.

    1. Personal data is any information about an identified or identifiable natural person

       according to article 4, paragraph 1 of IKÜM. Therefore, personal data is also included in the e-mail address
       the person's name.
    2. Personal data may be processed only if there is an IKÜM in Article 6
       the stated legal basis (consent, contract performance, legal obligation, public
       task, legitimate interest).
    3. As a rule, the employee is given a named e-mail address for the tasks specified in the employment contract
       for fulfillment. After the end of the employment relationship, the personal data of the employee (name e-mail address) will not be

       no longer the original legal basis for processing (there is no employment contract).
    4. The employment relationship between Retent AS and Xx (complainant) ended in June 2022.
    5. The applicant's former work e-mail addresses (Xx@retent.ee and Xx@retent.ee) are
       still open, they continue to be used to receive emails and
       for transmission.
    6. The right to demand the deletion of your personal data (i.e. a named e-mail box) derives from IKÜM
       from Article 17, according to which the controller is obliged to delete personal data

       without unreasonable delay, if the personal data is no longer needed for the purpose for which
       in connection with which they have been collected or otherwise processed (Article 17(1)(a)).
    7. The applicant has repeatedly turned to Retent AS with the demand to close his former offices
       work email addresses.
    8. Because Retent AS does not have Xx to use work e-mail addresses after him
       termination of the employment relationship on a legal basis, keeping them open is contrary to the general regulation on the protection of personal data.
    9. Pursuant to article 5 paragraph 2 of the IKÜM, the legality of data processing must be proven
       data processor.
    10. According to IKS § 58 paragraph 1 and IKÜM article 58 paragraph 2 point g the inspection has
       the right to order the deletion of personal data based on Article 17.
    11. According to § 27 (2) point 3 of the Administrative Procedure Act (HMS) it is read

       a document made available or transmitted electronically as delivered if
       the document or message has been sent to the e-mail registered in the company's business register
       to the address.
    12. The inspection has sent a proposal and a repeated proposal in the commercial register of Retent AS
       to the reflected e-mail address and gave Retent AS a reasonable time to respond, including
       the inspection offered an opportunity to explain in case of disagreement with the proposal,
       on what legal basis are the professional e-mails of former employee Xx of Retent AS kept

       to XX@retent.ee and XX@retent.ee still open. With that is the inspection
       fulfilled the obligation arising from § 40 subsection 1 of the Administrative Procedure Act
       before the administrative act is issued, the party to the proceedings has the opportunity to present his opinion on the matter and
    13. Taking into account the factual circumstances and the fact that the applicant's e-mail addresses
       (XX@retent.ee and XX@retent.ee) is not available to keep it open

       to the knowledge of the inspection, a legal basis and the data processor has not responded
       to the two previous proposals made by the inspection, the inspection considers that mandatory
       issuing an injunction in this case is necessary in order to stop the offence
       as soon as possible and guarantee the complainant his right "to be forgotten" according to the IKÜM
       to Article 17.

(signed digitally)
Annika Kaljula
on the authority of the Director General