AKI (Estonia) - 2.1.-3/19/3971

From GDPRhub
AKI (Estonia) - 2.1.-1/19/126
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 15 GDPR
Type: Complaint
Outcome: Rejected
Decided: 01.11.2019
Published: 13.11.2019
Fine: None
Parties: anonymous
National Case Number/Name: 2.1.-1/19/126
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Estonian
Original Source: AKI (in ET)
Initial Contributor: n/a

13 November: The DPA re-examined complaint about financial service provider’s incomplete response to data subject’s access request after appeal

The DPA examined appeal against its decision, with which it had closed a case against the financial service provider Luminor Pank AS. The appellant complained that the company, in response to his access request, provided an incomplete dataset in English. The DPA found that much of the data that the complainant found as missing is data that the complainant is expected to possess. So, it concluded that the company is not obliged to provide data that the data subject already possesses under Articles 13(4) and 14(5) GDPR. Thus, the DPA found that the company has adequately fulfilled the obligation to inform the data subject of the data processing as required by Articles 13-15 GDPR. Finally, the DPA pointed out that the complainant had indicated in its customer profile a language preference to use English, which justifies the data export in English (Article 12(1) GDPR).

English Summary


The bank – the controller- notified its client that his account had been closed. The bank did not provide any reasons for the termination of the contract. The client –the data subject- asked for clarification and submitted a subject access request to the controller. The controller provided only for a “limited extract of personal data in English”. The representative of the data subject considered that the controller failed to comply with its obligations under GDPR and submitted a complaint before the DPA. The data subject’s representative claimed that the controller did not provide for an exhaustive copy of their personal data. The controller claimed that it should not be subject to the obligations set out in Articles 15 and 17 to 21 GDPR due to domestic legal obligations. Indeed, it claimed it would be contrary to the Money Laundering and Terrorist Financial Prevention Act to disclose complaint’s personal data to their representative.


Is the access right exercised before credit institutions limited by the Money Laundering and Terrorist Financial Prevention Act?


The AKI found that the data subject’s rights should not adversely affect the rights and freedom of the others, pursuant to Article 15(4) GDPR. Also, it found that the national law - Money Laundering and Terrorist Financial Prevention Act - could restrict the data subject’s rights. As a consequence, the controller’s answer was lawful and proportionate.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the original for more details.

To be completed ...