AKI (Estonia) - 2.1.-1/23/2891-5

From GDPRhub
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 6(1)(a) GDPR; Article 6(1)(f) GDPR; § 10 IKS; § 4 IKS
Type: Other
Outcome: n/a
Started: 26.01.2023
Decided: 10.03.2023
Published: 12.04.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 2.1.-1/23/2891-5
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Estonian
Original Source: Andmekaitse Inspektsioon (in ET)
Initial Contributor: Norman Aasma

The DPA held that the disclosure of personal data of debtors in a public Facebook group was unlawful and ordered the controller to stop the processing. The administrator of the group cannot rely on any legitimate or public interest.

English Summary

The controller opened a Facebook group aimed at sharing information about debtors in order to warn people not to carry out commercial transactions with them and to pressure them to settle their debts.

This Facebook group was public and the personal data published therein were available to everyone without any restrictions. Upon learning that their data had been published in the group, a data subject filed a complaint with the Estonian DPA.

The DPA launched an investigation and asked the controller to cease the activity. The controller failed to comply with the proposal.

The DPA pointed out that Article 4(7) GDPR defines the controller as the one who determines the purposes and means of the processing operations. In the case at hand, it held that the controller was the group administrator, as they determined the group's purposes (name and rules) and means (choice of social media platform, public group). Therefore, the administrator was considered responsible for ensuring that the disclosure of data in the group was lawful.

The DPA also highlighted that personal data processing needs to be grounded on one of the legal bases of Article 6 GDPR. In view of this, the DPA proceeded to analyse whether there was a legal basis for the processing.

Firstly, the DPA noted that the controller did not provide any evidence that the data subjects had consented to the processing of their data. Thus, it was not possible to rely on Article 6(1)(a) GDPR.

Secondly, the DPA recalled that, according to Article 6(1)(f) GDPR, processing of personal data on the basis of a legitimate interest is only possible where that interest is not overridden by the rights and freedoms of the data subjects. In the case at hand, the DPA held that the processing of personal data for the sole purpose of warning the public about debtors is not legitimate. Furthermore, the controller failed to provide the DPA with a legitimate interest assessment.

Thirdly, the DPA stated that there was no public interest in the publication of such debt data and, even if there was, it would still be necessary to comply with the Code of Journalistic Ethics, which was not done in this case.

Finally, regarding the provision contained in Article 10 of the Estonian Personal Data Protection Act, according to which the disclosure of a debtor's personal data is permitted after they have breached their contractual obligation, the DPA clarified that the following requirements must be met: 1) the controller has verified that there is a legal basis for the disclosure; 2) the controller has verified the accuracy of the data; 3) the disclosure has been recorded (keeping a record of what data was disclosed to whom). The DPA considered that the controller did not check whether there was a legal basis for disclosing the data. As the debt data was published in the public domain, it was not possible to monitor who had access to the data, nor whether there was a legal basis for granting that access. Thus, it was not possible to rely on Article 10 of the Estonian Personal Data Protection Act.

For these reasons, the DPA held that the processing was unlawful and ordered the controller to stop it.

English Machine Translation of the Decision

The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.


                              INJUNCTION AND WARNING
                      personal data protection case no. 2.1.-1/23/2891-5

Issued by Alissa Hmelnitskaja, lawyer of the Data Protection Inspectorate

Time and place of the injunction: 10.03.2023, Tallinn

Addressee of the injunction: XXX
E-mail address of the data processor: XXX

On the basis of § 56(1), § 56(2) point 8, § 58(1) and § 10 of the Personal Data Protection Act (IKS) and Article 58(1)(d) and Article 58(2)(f) and (g) of the General Data Protection Regulation (IKÜM), and taking into account Article 6 of the IKÜM, the Data Protection Inspectorate issues the following mandatory injunction:
    1. Stop the disclosure, in the Facebook group "XXX" managed by XXX, of other people's personal data
       without consent within the meaning of Article 6(1)(a) of the IKÜM.

I set 24.03.2023 as the deadline for fulfilling the injunction. Report the fulfilment of the injunction by this deadline at the latest to the e-mail address of the Data Protection Inspectorate, info@aki.ee.

This injunction can be challenged within 30 days by submitting either:
- a challenge to the Data Protection Inspectorate under the Administrative Procedure Act, or
- a complaint to the administrative court under the Code of Administrative Court Procedure (in which case a challenge can no longer be filed with the Inspectorate in the same matter).

Challenging the injunction does not suspend the obligation to fulfil it or the measures necessary for its fulfilment.


If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will impose on the addressee of the injunction, on the basis of § 60 of the Personal Data Protection Act:
                                  a penalty payment (fine) of 1,500 euros.

A penalty payment may be imposed repeatedly, until the injunction is fulfilled. If the addressee does not pay the penalty payment, it is forwarded to a bailiff for enforcement proceedings. In that case the bailiff's fee and other enforcement costs are added to the amount to be enforced.

For failure to comply with an injunction issued under Article 58(2) of the General Data Protection Regulation, misdemeanour proceedings may be initiated on the basis of § 69 of the Personal Data Protection Act. For this act a natural person may be fined up to 20,000,000 euros, and a legal person may be fined up to 20,000,000 euros or up to 4 percent of its total worldwide annual turnover of the preceding financial year, whichever is higher. The extra-judicial body conducting the misdemeanour proceedings is the Data Protection Inspectorate.

The Data Protection Inspectorate (AKI) received a complaint from a person regarding the disclosure of private individuals' debt data in the Facebook group "XXX". AKI therefore initiated supervision proceedings.

As part of the supervision proceedings, on 26.01.2023 AKI made a proposal to XXX (hereinafter also the data processor or controller) in personal data protection case no. 2.1.-1/23/2891-2, the content of which was the following: "stop disclosing posts containing personal data in the Facebook group "XXX" that you manage". The deadline for responding to the proposal was 10.02.2023. In the proposal, AKI drew attention, among other things, to the possibility of issuing an injunction and imposing a penalty payment, and to the right, under § 40(1) of the Administrative Procedure Act, to submit an opinion and objections before the administrative act is issued.

The data processor received AKI's proposal and on 09.02.2023 expressed a wish to discuss it with the official. The conversation took place by telephone on 15.02.2023, during which the official gave further clarifications on the proposal. As of 10.03.2023, the data processor has not complied with AKI's proposal.

Pursuant to Article 4 point 1 of the IKÜM, personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, personal identification code or location data, or on the basis of one or more of that natural person's physical or physiological features. Personal data therefore also includes a person's name, image and other information that enables identification.

In this case, it is a public Facebook group in which posts containing other people's personal data are made. Some of the posts are warnings, i.e. the purpose of the post is to warn other people against entering into transactions with the persons whose personal data are disclosed. At the same time, posts are also made in this group whose purpose is to influence the debtor and pressure the debtor to pay off the debt. Examples:
    1) Post made on 19.02.2023 at 13:02. Available online at: XXX
    2) Post made on 19.02.2023 at 13:00. Available online at: XXX
    3) Post made on 19.02.2023 at 13:06. Available online at: XXX
    4) Post made on 19.02.2023 at 13:01. Available online at: XXX
    5) Post made on 19.02.2023 at 13:06. Available online at: XXX
    6) Cont

According to Article 4 point 2 of the IKÜM, processing of personal data means any operation or set of operations, whether automated or not, which is performed on personal data or on sets of personal data, including disseminating them or otherwise making them available to the public.

Article 4 point 7 of the IKÜM states that the controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Facebook has determined that the group administrator (i.e. the data processor) has full control over the Facebook group.[1] This means that the data processor can change the name of the group or its privacy settings and can delete posts and the comments written on them. It follows that, as the administrator of the contested Facebook group, the data processor is able to change the name of the group and to delete posts made in the group and the comments made on them.

In addition, the data processor, as administrator, has given this group the name "XXX" and has made the group public. This has clearly directed the discussion in the group (the group was created so that users could post on specific topics), and because the data processor made the group public, the personal data disclosed there are available to everyone without restriction.

Taking the above into account, AKI considers that the data processor is the controller within the meaning of Article 4 point 7 of the IKÜM, as it determines the purposes of the personal data processing (group name, rules) and its means (choice of social media platform, public group).[2] As group administrator, the data processor is responsible for ensuring that the disclosure of data is lawful.

The principles of personal data processing are set out in Article 5 of the IKÜM, which the controller must follow, including the principle of lawfulness. The processing of personal data is lawful if it corresponds to one of the legal bases set out in Article 6 of the IKÜM (consent, performance of a contract, legal obligation, protection of vital interests, performance of a task carried out in the public interest or in the exercise of official authority, legitimate interest).

    1. IKÜM Article 6(1)(a)

Article 6(1)(a) of the IKÜM states that the processing of personal data is lawful only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Article 4 point 11 of the IKÜM defines consent as "a voluntary, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of his or her personal data":

    a) The word "voluntary" means a genuinely free choice and control for the data subject.
       In general, the IKÜM stipulates that if the data subject has no real choice, feels
       compelled to consent, or would suffer negative consequences for not consenting, the
       consent is invalid. If consent is bundled into non-negotiable terms, it is not deemed
       to have been given voluntarily. Accordingly, consent is not considered to have been
       given voluntarily if the data subject cannot refuse or withdraw consent without
       adverse consequences.
    b) "Specific" means that the data subject's consent must be given "for one or more
       specific purposes". In accordance with Article 5(1)(b) of the IKÜM, obtaining valid
       consent is always preceded by determining a specific, explicit and lawful purpose of
       the processing. The requirement of specific consent, together with the purpose
       limitation under Article 5(1)(b), prevents the purposes of data processing from
       gradually expanding or becoming blurred after the data subject has given consent to
       the collection of the data.
    c) The IKÜM strengthens the requirement that consent must be informed. Under Article 5
       of the IKÜM, one of the basic principles is transparency, which is closely related to
       the principles of lawfulness and fairness. Providing information to data subjects
       before obtaining their consent is important so that data subjects can make an
       informed decision, understand what they are agreeing to and, for example, exercise
       their right to withdraw consent.
    d) The IKÜM clearly states that consent requires a statement or a clear affirmative
       action from the data subject, which means that consent must always be given by
       taking active steps or by providing confirmation. It must be obvious that the data
       subject has consented to the specific processing. The data subject's silence or
       inaction, or merely continuing to use a service, cannot be considered an active
       choice.

[1] Facebook Help Center: https://www.facebook.com/help/901690736606156
[2] Similarly, in case C-210/16 the Court of Justice of the European Union concluded that the administrator of a Facebook page is a controller within the meaning of Article 2(d) of Directive 95/46.

In addition, the controller must bear in mind that the burden of proving consent lies with the controller.

In light of the above, the controller cannot rely on Article 6(1)(a) of the IKÜM, because it has not provided AKI with proof that the personal data are disclosed with the data subjects' consent and that the consent is valid in accordance with Article 4 point 11 of the IKÜM.

    2. IKÜM Article 6(1)(f)

Under Article 6(1)(f) of the IKÜM, i.e. processing of personal data on the basis of legitimate interest, the data processor must be satisfied that the purpose of the processing is more compelling than the rights and freedoms of the data subject. Under Articles 21 (right to object) and 17 (right to erasure) of the IKÜM, the processing must be terminated if the data processor is unable to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.

Processing of personal data on the basis of legitimate interest must be preceded by an analysis, carried out by the data processor, of the legitimate interest of the data processor and of third parties and its importance, an analysis of the rights and interests of the data subject, and a subsequent balancing of the interests of the data processor against those of the data subject.[3]

AKI is of the opinion that processing personal data for the mere purpose of warning the public is not legitimate under the legitimate interest basis. In addition, the controller has not submitted a legitimate interest analysis to AKI.

    3. IKS § 10

In addition to the legal bases mentioned in Article 6 of the IKÜM, debtors' data may be disclosed on the basis of IKS § 10, which stipulates that the disclosure to a third party of personal data relating to a breach of a debt relationship, and the processing of the transmitted data by the third party, is permitted for the purpose of assessing the creditworthiness of the data subject or for another similar purpose, and only if all three conditions are met:
    1) the data processor has verified that there is a legal basis for transmitting the data;
    2) the data processor has verified the accuracy of the data;
    3) the transmission of the data is recorded (information is kept on what was transmitted and to whom).

In this case, AKI finds that the condition that the controller has verified the legal basis for transmitting the personal data is not met. On the contrary, the controller has disclosed the debt data in unrestricted public view, which means that the controller cannot check who can see the data and therefore cannot check whether the recipient of the data has a legal basis for receiving them.

In addition, under IKS § 10(2) point 3, processing of a person's debt data (including on Facebook) is not permitted if it would excessively harm the rights and freedoms of the data subject. The data processor must therefore assess, on the basis of the circumstances of each specific case, whether the right to process the data outweighs the interference with the person's privacy or not.

[3] AKI Guide to Legitimate Interest, page 6. Available online at: https://www.aki.ee/sites/default/files/dokumendid/oigudustu_huvi_juhend_aki_26.05.2020.pdf

AKI is of the opinion that in this case the disclosure of various people's personal data is large-scale, as it is carried out via the Internet (including Facebook). Disclosure of data on the Internet increases people's vulnerability, as that environment is to some extent uncontrollable and it is not possible to identify who has received the personal data and what they do with the information further.

Therefore, on the basis of § 10 of the IKS, the requirements for disclosure of personal data are not met.

    4. IKS § 4

In certain cases, there may be a journalistic justification for disclosing some people's data. According to IKS § 4, personal data may be processed without the data subject's consent for journalistic purposes, in particular for disclosure in the media, if there is a public interest in this and it is in accordance with the principles of journalistic ethics. The disclosure of personal data may not excessively harm the rights of the data subject.

In order to disclose personal data on the basis of § 4 of the IKS, three conditions must be met:
    1. there is a public interest in the disclosure of personal data;
    2. the disclosure is in accordance with the rules of journalistic ethics;
    3. the disclosure of personal data must not excessively harm the rights of the data subject.

According to AKI, the public interest criterion is not met in this case. Public interest can be affirmed if the topic raised and the personal data disclosed contribute to debate in a democratic society. That could be the case, for example, with a published opinion piece about why loans are taken so lightly, and conversely given so lightly, in Estonian Facebook groups; the disclosure of individual debtors' personal data, however, does not have such a discussion-driving force.

Furthermore, the data processor has not proven to AKI that the requirements of the code of journalistic ethics have been met, because the data subject is not heard before the debt data are published (point 4.2 of the Code) and is not given the opportunity to submit an objection (point 5 of the Code).

AKI is of the opinion that the data processing involves an obvious interference with the privacy of the data subjects which, in addition to lacking a legal basis, is also excessive considering the composition of the data. For example, it is not lawful to disclose photos of the debtor or of other people, complete extracts of conversations held with the person(s), etc.

Since the criteria for applying IKS § 4 are not met, personal data cannot be disclosed on the basis of IKS § 4.

AKI notes that in the case of payment defaults it must be borne in mind that, in order to obtain payment of the debt, the creditor can primarily use the legal remedies listed in § 101 of the Law of Obligations Act, one of which is to demand performance of the obligation. The publication of persons' payment default data is not only a pressure measure to achieve payment of the debt.

Taking the above into account, AKI is of the opinion that in this case there is no legal basis under Article 6(1) of the IKÜM for disclosing other people's personal data, and the data processor has not proven to AKI that a legal basis for the disclosure arises from IKS § 10. The personal data have been processed without any legal basis; therefore the controller must stop disclosing posts containing other people's personal data in the Facebook group "XXX".

Under IKS § 58(1) and Article 58(2)(f) and (g) of the IKÜM, the Inspectorate has the right to issue an order restricting the processing of personal data. Considering that in the present case the personal data of natural persons are disclosed unlawfully and that the controller has not complied with AKI's proposal of 26.01.2023, AKI considers that issuing a mandatory injunction in this matter is necessary in order to end the violation as soon as possible.

(signed digitally)
Alissa Khmelnitskaya

on the authority of the Director General