AKI (Estonia) - EDPBI:ee:OSS:d:2022:343

From GDPRhub
Revision as of 12:01, 28 November 2022 by Kv (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=EDPBI:ee:OSS:d:2022:343 |ECL...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AKI - EDPBI:ee:OSS:d:2022:343
LogoEE.png
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 5(1)(e) GDPR
Article 7(2) GDPR
Article 17(1)(c) GDPR
Article 58(2)(b) GDPR
Article 60 GDPR
Type: Complaint
Outcome: Upheld
Started: 02.01.2020
Decided: 09.03.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: EDPBI:ee:OSS:d:2022:343
European Case Law Identifier: EDPBI:ee:OSS:d:2022:343
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In an Article 60 procedure, the Estoanian DPA warned a controller pursuant of Article 58(2)(b) GDPR. The data subject was not able to create a user account without consenting to direct marketing,The controller also stored

English Summary

Facts

The data subject was unable to register as a user of the controller’s website without giving consent to direct marketing. The controller was a provider of consumer credit. The data subject was also not able to determine to which third parties his contact data was transferred to, how the data was used, and how long the data was stored. The third parties themselves had also not been specifically identified on the controller’s website. The data subject also stated that the controller had not appointed a DPO. The data subject filed a complaint at a German DPA (Not clear which German DPA) on 2 January 2020, which transferred the complaint on 7 May 2020 to the Estonian DPA (DPA), which was the lead supervisory authority in this Article 60 GDPR procedure. The DPA sent several inquiries to the controller. The controller clarified that the way it’s consent procedure for direct marketing was designed was the result of a ‘technical error’ and that it was now possible to register as a user without giving consent to direct marketing. The controller also specified that the maximum storage period for contact data of clients was 15 years, pursuant of national legislation. However, Paragraph 47 of the German Money laundering act (GwG) provides that the controller must retain personal data for only 5 years after the termination of a business relationship. This period can be extended to 10 years with permission from the competent supervisory authority. This personal data was amongst other sources collected by requesting a copy of an ID – card, which included categories of data such as name, time of birth, origin and citizenship, but also biometric data, such as eye colour and height. The DPA consulted the German DPA, which explained that pursuant of the German Money laundering act (GwG), the controller had to collect certain personal information for providing its service such as names and dates of birth, but that there were no legal grounds for processing other personal data, such as biometric data The controller also admitted that it had not yet appointed a DPO and was willing to reduce the storage period if the DPA deemed this period too long.

Holding

The DPA determined that the controller violated Article 7(2) GDPR, which required the controller to ask consent clearly in a distinguishable manner. The data subject could not refuse to give consent for electronic direct marketing when opening an account. The DPA also determined that the controller violated Article 5(1)(e) GDPR by applying an unreasonable long data storage period of 15 years. The DPA stated that storing personal data for ten years abstractly for claims under civil law is acceptable. If the data subject would object to storage of personal data for ten years, the controller would have to re-assess its legitimate interest of retaining the personal data of the data subject, looking at the concrete circumstances of the case (Article 21 GDPR). If it was determined that the need for defence of legal claims does not justify storage of the data subject’s personal data, then the data subject must be deleted immediately in accordance with 17(1)(c) GDPR. The DPA also stated that the controller violated the principle of data transparency, without citing any GDPR provision, because it was not clear to whom and to which third party personal data were transferred. The DPA confirmed that the controller had changed the procedure for asking consent for direct marketing and had therefore eliminated the violation. The DPA also stated that the controller had been given explanations regarding data storage periods which the controller had to take into account in the future. The DPA concluded by warning the controller pursuant of Article 58(2)(b) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

registration, itis possible to use the respective user accountafter confirming of having
       become acquaintedwith the privacy policy and risk review. Itis possible to skip giving
       consent to direct marketing and opting out of direct marketing does not restrict
       registering or using a user account.’

       2.2.                       explained that they ask a copy of the ID card and store the

       following personal data included therein: name, time of birth, origin, citizenship, place
       of birth, biometric data such as eye colour and height, bank account number, bank, user
       name, and contact data such as e-mail address, telephone number, and address.

       2.3.                       explained that they store contact data of clients in an archive
       with limited access for a term corresponding to the maximum limitation period of
       offences, which, pursuant to current legislation, is up to 15 years. In the opinion of

              , this term is not unreasonably long, as the widespread practice is to link the data
       storage period (10 years) to the limitation period (which in the case of civil transactions
       is up to 10 years).        confirmed that no other processing operations are undertaken
       with the contact data of users and the threat of harm to the rights and interests of users
       is minimal.


       2.4. Controller’s responses to the second inquery of the Inspectorate
       The Inspectorate made a follow-up query on 21 April 2020 in which it asked how
       consent to direct marketing was obtained earlier, before 20 April 2020.

       2.4.1.         answeredon 4 May2020 that asat20April 2020, a technical failure which
       prevented activating the ‘Confirm’ button (in Estonian ‘Kinnita’) if only the first two
       choices weremarked has been fixed. ‘Regrettably,            hadfailedtonoticethatthere

       was a technical faultrelated to the activation of the ‘Confirm’button and notone user
       of the portal, includingthe complainant, had drawnourattentionto this faultbefore the
       currentproceedings.Wefixedthetechnicalfaultimmediatelyafterreceivingtherelevant
       inquiry from the Data Protection Inspectorate and we confirmed that as at 20 April
       2020, the technical failure concerning the ‘Confirm’button hadbeen eliminated.’

       2.4.2. The controller gave the following explanation regarding biometrics:

       The biometric data (eye colour and height)originate from the complainant’s German
       ID card, which is differentfromthe Estonian ID card in that italso includes a person’s
       biometric data.          asks theusers to presenttheir identity documentforthe purpose
       of identifying the person in accordance with law (subsection 20 (1) of the Money
       Laundering and TerroristFinancing PreventionAct). For               the biometric data of
       German clients exist only on the ID document submitted by the user and              does

       notin any way use themseparately.

       2.4.3. In regard of data storage, the controller statedthe following:
       The referred storage period of15 years is derived fromthe maximum limitation period
       ofoffences(subsection18(8)ofthePenalCode).Theoffences,inconnectionwithwhich
                may needto submitcontactdatato the competentsupervisionauthority,include

       fraud (section 201 of the PenalCode) (separately computer-related fraud (section213   1
       of the PenalCode)), offences relating to money laundering (sections 394 and 394 of
       the PenalCode),orotheroffencesthatmaybecommitted bymisusing                    ’sservice.
       The example of the 10-year term was given as a reference to market practice. As it is
       impossible to preclude situations where            ’s service is also misused to commit
       offencesinadditiontoabreachof obligationsarisingfromcivillaw,                 appliesthe

       maximum limitation period of offences.



2(11)        2.5. Inspectorate’s consultation with the Germandata protection authority
        2.5.1.The Inspectorate asked the opinion of Germany regarding biometrics on 7 May
        2020. The German data protection authority explained that pursuant to the German
        Money Laundering Act (GwG) the controller has to establish the person’s first name,
        family name, place of birth, nationality, address and document number when identifying

        a person. The controller does not have any legal grounds to process other data included
        in the ID document.

        2.6. Forwarding the opinion of the Germanauthority and Estonian Inspectorate to
        the controller
        2.6.1.The Inspectorate forwarded a brief summary of the German authority’s opinion to

        the controller on 3 November 2020, presented new questions to             , and sharedits
        opinions  regarding storage periods. The Inspectorate also asked explanations
        concerning the appointment of a data protection specialist.

        2.6.2.In relation to retention of data, the Inspectorate gave the controller the following
        explanations:
        Section 47 of the Money Laundering and Terrorist Financing Prevention Act refers to

        retention of data for five years after termination of the business relationship. Pursuant
        to the Act, for the purpose of identification of persons and verification of submitted
        information, the obliged entity must retain the originals or copies of the documents
        specified in subsection 20 (2 ) and sections 21, 22, and 46 of the Act, information
        registered in accordance with section 46, and the documents serving as the basis for the
        establishment of a business relationship for five years after the termination of the
        business relationship.


        2.6.3.Pursuant to subsection 12 (2)of the Accounting Act,accounting source documents
        shall be preservedfor sevenyearsafterthe expiry oftheir termofvalidity. This provision
        is solely concerned with accounting source documents, including invoices and other
        documents, not contact data and clients' eye colour.


        2.6.4.Subsection 146 (1) of the General Part of the Civil Code Act enables retain data
        after termination of a contract for three years. Subsection 4 of the same section sets
        down that the limitation period for the claims specified in subsections (1)–(3) shall be
        ten years if the obligated person intentionally violated the person's obligations.

        2.6.5.The Inspectorate pointed out thatstorage of data for 15 years is not reasonable and
        that the limitation period of ten years requires a special ground and therefore it is not

        possible to retain data of all persons for ten years as a general practice relaying on this
        ground. The controller can store data for ten years under subsection 146 (4) of the
        General Partof the Civil Code Act solely if it is proven that the person whose data are
        stored for this long has intentionally violated the person’s obligations before the
        controller.


        2.6.6.The Inspectorate explained that therefore, it must be assessed on a case by case
        basis whether a person has intentionally violated their obligations. If such situation has
        not emerged, data cannot be stored for ten years.

        2.6.7.Based on the above, the Inspectorate found that the reasons given in support ofthe
        15-year storage period in reference to the Penal Code are not sufficient or
        understandable and consequently, the Inspectorate did not agree to the data storage

        period of 15 years. The Inspectorate found that even 10 years is not a reasonable period
        for storing data in exceptional cases and is conditional on intentional violation. The
        Inspectorate also mentioned that the data storage period does not comply with the

3(11)       principles set out in points (b) and (e) of Article 5 (1) of the General Data Protection
       Regulation.

       2.7. Controller's third response to the Inspectorate
       2.7.1.The controller answeredthe Inspectorate on 17 November 2020 as follows:
       As attoday,         hasnotyetappointedadataprotectionspecialist;however,weplan

       to appoint a data protection specialist and currently negotiations are being held. As
       soon as           has appointed a data protection specialist, we will notify the Data
       Protection Inspectorate thereofthroughthe Company Registration Portal(in Estonian
       ‘Ettevõtjaportaal’).

       2.7.2.IftheDataProtectionInspectorateisconvincedthatthe storageperiodof15years

       regarding strictly contactdata is unreasonable despite our explanations, we are ready
       to reduce the storage period of contact data to ten years based on the maximum
       limitation period of claims under civillaw. Although the limitation period of ten years
       applies only in case the obligated person violated his or her obligations intentionally,
       we have no means to determine whether the person violated his or her obligations
       intentionally before the actualsituation emerges. This could happen even after seven
       years.


       2.7.3.In our fieldof activity, disputes are likely to arise and therefore we have a clearly
       understandable interestto be able to protect our rights. Besides, taking into account
       that a person’s contact data are not deemed personal data of a special category or
       personaldata thatwould be sensitive in any other way, we do notconsider in this case
       the storage period often yearsto protectour rights and interestunreasonable.Thereby

       theprinciplesoflimitation ofprocessingofpersonaldataandretentionofpersonaldata
       have been complied with. In regard of storage of other data (taking into accountthe
       specific data category) thatthe Data Protection Inspectorate points out in their query
       of 3 November 2020, we willtake into accountthe specifiedtermlimits as presented by
       the Data Protection Inspectorate and prescribed by law.

       2.7.4.We note thatthe opinion of the German data protection authority is based on the

       German Money LaunderingActthatdoes notapply in the currentcase because
       as an Estonian company operates in compliance with Estonian legislation. Hence, we
       do notconsider the opinion ofthe German data protection authority relevant.

       2.7.5.Secondly, accordingto subsection 47 (1)of the Money Launderingand Terrorist
       Financing PreventionAct, retentionofcopies of the documents which serve as thebasis
       for identification and verification of personsis mandatory, meaning that nationallaw

       of Estonia has taken a differentapproachthan Germany. Although all the data shown
       on a German ID card are not necessary for us, we do not consider covering up the
       specific data on an identification document possible as it makes impossible to verify
       documentauthenticity.

       2.7.6.We maintain thatwe do notgather or process a person’s eye colour shownon his

       or her German ID card in any other way or for any other purpose than as partof the
       copy of the ID card. We also assure that only a very limited number of persons have
       access to the copies of identification documents andthey are used after they havebeen
       gathered.

       2.8. The Inspectorate’s explanations and questions of 28 January 2021 to the

       controller
       2.8.1.The Inspectorate forwarded one additional query to                             in
       relation to sharing information with third persons and explained the matter of storage

4(11)       periods.

       2.8.2.The Inspectorate stressedthat the controller has to assess separately in respect of
       eachperson whether the person has intentionally violated his or herobligations. If such
       situation has not occurred, data cannot be stored for ten years. In addition, the
       Inspectorate explained that ten years is abstractly acceptable in case of claims under

       civil law; however, if a data subject submits an objection concerning storage of data for
       ten years, then the processor has to re-assess its legitimate interest according to Article
       21 of the General Data Protection Regulation.

       2.8.3.The Inspectorate found that for that purpose, a legitimate interest analysis in
       respect of the specific person must be conducted, or the interests of parties concerning
       the storage of data must be considered that should give an answer to the question

       whether there is a need to store data of the data subject for ten years. The Inspectorate
       compiled legitimate interest instructions providing an overview of and explanations on
       how the rights of both parties should be considered andhow a legitimate interest analysis
       should be conducted in case of an objection. The instructions are made available here
       https://www.aki.ee/sites/default/files/dokumendid/oigustatud huvi juhend aki 26.05.
       2020.pdf.


       2.8.4. In addition, the complainant asked about sharing contact data with third persons.
                              wrote on 20 April 2020 that they do not transfer their clients’
       personal data to third persons. However, according to the privacy conditions of
                    , contact data are transferred to third persons for different reasons (the
       chapter on data sharing and chapter 7.5), for example, upon assigning a claim, etc.
       Consequently, inconsistency between the answergiven to the Inspectorate and the data

       protection conditions published on the home page is observed. The Inspectorate
       requested                       toshow in detail to which companies and basedon which
       legal grounds clients’ personal data/contact data are shared.

       2.9. Controller’s fourth response to the Inspectorate
       2.91.The controller answered on 4 February 2021 as follows:

       We agree that in our answer of 20 April 2020 it was mentioned that data are not
       transferred to third persons. We clarify and explain our response below. We share
       clients’ personaldata with third persons only:
       1) if it is specified in the privacy notice;or
       2) ifit is requiredunderapplicablelaw(e.g.whenweareobligedtosharepersonaldata
       with public authorities);or

       3) upon the client's consentor under the client’s order.

       2.9.2.In our response of 20 April 2020 we meant the concrete complainant, i.e. the
       complainant had not given us a separate order to transfer data to third persons. We
       admit thatthe generalwordingofour answermay have given anerroneous impression.
       We apologise for ambiguity of the answer and provide additional information about

       transfer of data below. When processing clients' personaldata we may transfer their
       personaldata to            s processors or third persons. Such transfer takes place only
       under the followingconditions:

       2.9.3.Processors
       We use carefully selected serviceproviders (processors)for processing clients’ personal

       data. Even so, we will remain completely responsible for clients' personal data. For
       example, we use following processors:
       1) service providers that organise marketing and conduct surveys, and providers of


5(11)       tools;
       2) service providers that performsearches in order to manage money launderingand
       terroristfinancing related risks;
       3) identification of persons serviceproviders;
       4) customer supportservice providers;
       5) accounting services providers;

       6) server administration and server hostingserviceproviders;
       7) IT services providers;
       8) other companies belonging to the same group as us thatprovide us services.

       2.9.4.Third persons
       As mentioned above, we share clients' personal data with third persons only if it is

       specified in the privacy notice, required under applicable law (e.g. we are obliged to
       share personaldata with public authorities), or upon the client’s consentor under the
       client’s order.

       2.9.5.We may share clients’ personaldata with the followingthird persons:
       1) for making transactions chosen by the client with other users through the portal. In

       such case, the legalbasis for transfer of personaldata is the conclusionor performance
       of a contract (point(b) of Article 6 (1)of the GDPR);
       2) for the performance ofthe contractwith intermediary paymentservice.In such case,
       the legalbasis for transfer ofpersonaldata is the performance of a contractconcluded
       between us (point(b) of Article 6 (1) of the GDPR);
       3) forthepurposesofourinternaladministrationwithcompaniesbelongingtothesame

       group as us. In such case, the legalbasis for transfer of personaldatais our legitimate
       interestto share data with companies belonging to thesame groupas usfor the purpose
       of internaladministration (point(f)of Article 6 (1)of the GDPR);
       4) for the purpose of directmarketing with the companies belonging to the same group
       as us. In such case, the legal basis for transfer of personaldata is the client’s consent
       (point(a) of Article 6 (1) of the GDPR);
       5) for the purpose of compliance with our legal obligations to which we are subject

       before public authorities andlawenforcement authorities. In such case, the legalbasis
       for transfer of personaldata is compliance with our obligations arising fromlaw (point
       (c) of Article 6 (1) of the GDPR);
       6) for the purpose of protecting our rights and interests with debt collectors, lawyers,
       bailiffs,andotherrelevantpersons.Insuchcase,thelegalbasisfortransferof personal
       data is our legitimate interest to protect our rights and interests (point(f) of Article 6

       (1) of the GDPR). We transfer clients’ personaldata only if we are convinced thatour
       legitimate interest does not override the client’s interest or fundamental rights and
       freedoms which require protection ofpersonaldata. As we generally transfer data only
       if it is actually necessary for the protectionof our rights and interests (or a clientis at
       faultor there is a suspicion of breach), itis legitimate in our opinion;
       7) for the purpose of compliance with our obligations to which we are subjectbefore

       auditors arising fromlaw. In such case, the legalbasis for transfer of personaldata is
       compliancewithourobligationsarisingfromlaw (point(c)of Article 6 (1)ofthe GDPR
       and Auditors Activities Act);
       8) for the purpose of compliance with our legal obligations or pursuing our or our
       transaction partner’s legitimate interests if such transfer is necessary as a result of a
       transaction concerningthe transfer of our activity or assets or in order to assess how
       perspective such transaction would be. In such case, the legal basis for transfer of

       personaldata is compliance with our obligations arising fromlaw (point(c)of Article
       6 (1) of the GDPR and the Law of the Obligations Act) or pursuing our or our
       transactionpartner’slegitimateinteresttomakeatransactionorassess howperspective


6(11)       it would be (point(f) of Article 6 (1) of the GDPR). We transfer a client’s personaldata
       solely if we are convincedthatour or our transaction partner’slegitimate interestdoes
       not override the client’s interests or fundamental rights and freedoms which require
       protection of personaldata.


       2.9.6.If the legalbasis for processingofclient’spersonaldatais pursuing our or a third
       person’s legitimate interest, the client has the right to receive additionalinformation
       and atany time objectsuch processing.

       2.10. SAPoland’s objection about the draftdecision
       2.10.1. Poland asked whether                    has a money laundering law

       in terms of the entity, ie the institution with which                       has money
       laundering and terrorism within the meaning of § 6 of the Prevention Act. The
       inspectorate asked the data controller on 09.08.2021 about the
       entity, whether they apply the money laundering actor not.

       2.10.2.                       replied that as of today,         is not yet an obligated

       person within the meaning of § 6 of the Money Laundering and Terrorist Financing
       Prevention Act. Nevertheless, there is money laundering the application of prevention
       measures is essentialgiven the nature of our activities. Among other things, such need
       is based on § 15 (application ofanti-money laundering measures within the Group)and
       § 24 (reliance on third party data). Not knowing exactly the question in the inquiry
       guarantees, we provide some explanations belowthat should help us understand our
       purposes forpersonalinformation

       anti-money launderingmeasures.

       2.10.3. For the sake of clarity, we must first clarify the relationship between
           and          and the                 .             is an obligated person within the
       meaning of § 6 (1) 2) of the Money Act and the Financial Supervision Authority a
       supervised creditor providing small loans to consumers.            is not the Financial
       Supervision Authority a supervised creditor (or other licensed entity) but acquires

                 Loan claims from AS. In addition,                  and
       belong to the same group.

       2.10.4. As an obligated person,              mustmake sure that the assets used in the
       business relationship are legitimate § 20 (3) and (4). After concluding the loan
       agreement,                assigns the claim to          so that              remains to
       continue to administer the claims as a creditor, butthe financialclaimis transferred to

               .        in turn assigns claims to its investors. In a very generalway, therefore,
       the money to be borrowed also comes outatthe end of the chain justfrominvestors as
       follows:
       1) investors investin         products;
       2)         transfers the money for the claimto              ;
       3)              becomes the owner of the money and transfers itto a specific consume

       asown funds.Becauseofthischainandbusiness,itis extremelyimportantthat
           can ensure that the business relationship is used the legitimacy of the origin of the
       assets and to be sure thatthey are notmoney laundering assets, so itis importantthat
                would also apply the requirements arisingfromthe Money LaunderingAct.

       2.10.5. In addition to the above,           has the right and obligation to apply the
       measures of RahaPTS pursuantto § 24 of Money LaunderingActactingas a third party

       on whose data the obligated person(eg the bank)relies. In practice, this is notpossible
                would be able to do business withoutanti-money launderingmeasures, as this
       would notbe possible.           mustalso have a bank accountthrough whichinvestors

7(11)       can make financialtransactions. The reason is that banks, as obligated entities, must
       also implement anti - money laundering measures;and In order for             to have a
       bank accountfor its business, the banks haveimposed an obligation on us apply anti-
       money laundering measures in full, as they are based onthe verification oftransaction
       data including our data.


       2.10.6. To this end, itgrants banks the right,inter alia, § 20 (1)4)and (6)ofthe Money
       Laundering Act and § 23 (2) of Money Laundering Act. In the application of due
       diligence measures, obligated parties have a wide discretion, including obligated
       persons customers (eg          ) to provide information on their customers (ie
       investors)sothatthebank canassesstheriskstoyourclientandtakeotherduediligence
       measures. The obligated person does not have to own collect data about customers
       themselves, but may rely on another person (ie their customer, in this case

       collected in accordance with § 24 of the Money Laundering Act. If             does not
       submit to the bank within the required terminformation aboutits customers (ie
       would not allow the bank to exercise due diligence), the bank would be entitled. To
       cancel the current account agreement entered into with            (§ 42 (4) of Money
       Laundering Act.

       2.10.7. On a similar basis,         also requires            to controlthe activities of

       investors because of them. The assets originally arising from the transactions will be
       used by              to grantcredit. Please also note EurLex-2 en In order to rely on
       the data collected by         pursuantto § 24 of the Money Laundering Act,
       doesnotneedtobeinthesenseoftheMoneyLaunderingActobligatedperson.Pursuant
       to § 24 of the Money Laundering Act, measures may be taken to prevent money
       laundering and terrorist financing other persons to collect and process the data

       necessary for its application. Under thatprovision, collect data are also available, for
       example,to companiesspecializingintheapplicationofduediligence(egVeriff),which
       are notthemselves.

       2.10.8. Money under the Actfor obligated persons, butwho process datafor obligated
       services to provide. This rightandobligationhas also been recognizedby theFATF: “A
       third party usually has a client an existing business relationship thatis separate from

       the relationship betweenthe clientand therelying institution, andapply its own rules of
       procedure when implementing due diligencemeasures.”              operates bylaw
       on a prescribed basis andin accordance with officialrecommendations.

       2.10.9. Pursuant to § 64 (1) of the Money Laundering Act, the State supervises the
       operation ofMoney Laundering DataOffice. Pleasenote that             has alsoreported
       on severaloccasions in the application of due diligence measures Money Laundering

       DataOfficesandhasnotreceivedanyfeedbackorotherinstructionsthat                  should
       not launder money prevent due diligence measures should perhaps not identify your
       customers in a business relationship unmonitored, without proving the origin of the
       assets used in the transaction,withoutcheckingthe sanctions,etc.

       2.10.10.Inaddition,weconfirmthattheapplicationof              'santi-moneylaundering
       measures is also monitored by sworn auditors. The last inspection was carried outby

       theauditfirm                  inMay2021,theresultsof whichwerepositive,ie
       has the right to apply anti-money laundering measures and they apply properly in
       accordancewith the regulations in force.

       2.10.11. As it seems from the above,                       belongs to the same group
                    (registry code:        ), which is anobligated person within the meaning

       of §6 (1) 2) of the Money Laundering Actand a creditor operating under the supervision

8(11)        of the Estonian Financial Supervision Authority, which provides small loans to
        consumers.                has also been issued a corresponding activity license by the
        Estonian Financial Supervision Authority.           is not a creditor (or other legal entity
        subject to an activity license obligation) under the supervision of the Financial
        Supervision Authority, but acquires loan claims from


        2.10.12. As an obligated person,               must make sure that the assets used in the
        business relationship are legitimate (§ 20 (3) and (4) of the Money Laundering Act).
        After concluding the loan agreement,                 assigns the claim to          so that
                     will continue to administer the claims as a creditor, and the financial claim
        will be transferredto        .        , in turn, assigns claims to its investors. Due to this
        chain and business activities, it is extremely important that              can ensure the
        legitimacy of the origin of the assets used in the business relationship and be sure that

        they are not money laundering assets, therefore it is important that          also applies
        the requirements arising from the Money Laundering Act.

        2.10.13. Pursuant to § 47 (7) of the Money Laundering Act, the stored data must be
        deleted after the expiry of the term, unless otherwise provided by the legislation
        regulating the relevant field. Data relevant to the prevention, detection or investigation
        of money laundering or terrorist financing may be kept for a longer period, but not more

        than five years after the expiry of the initial period, by order of the competent
        supervisory authority. Thus, the maximum retention period for personal data is 10 years.

3. Breaches identifiedduring supervisionproceedings

        3.1. In the course of the supervision proceedings, the Inspectorate found the following

        breaches of the General Data Protection Regulation: when opening an account the
        complainant could not refuse to give consent to electronic direct marketing, meaning
        that the complainant had to agree to direct marketing, although Article 7 (2) of the
        General Data Protection Regulation requires asking it clearly in a distinguishable
        manner.

        3.2. The Inspectorate found that the controller breached point (e) of Article 5 of the

        General Data Protection Regulation by applying an unreasonably long data storage
        period of 15 years. Storing data for ten years abstractly for claims under civil law is
        acceptable;however, if the data subject objects tostorage of data fortenyears,according
        to Article 21 of the General Data Protection Regulation the controller has to re-assess
        its legitimate interest of retaining the data of the specific person based on the concrete
        circumstances related to the person (including also whether claims exist and whether
        the data subject violated his or her obligations intentionally). If it is determined that the

        need for defence of legal claims does not justify storage of the particular person’s data,
        the data must be immediately deleted in accordance with point (c)of Article 17 (1).

        3.3. The controller gave the Inspectorate unclear answers regarding transfer of data to
        third persons which caused us to request more details several times and determine the
        actual situation. The controller breached the principle of data transparency, i.e. it was

        not clear to whom and which third persons data are transferred.

        3.4. The initial complaint related to the fact that the applicant did not have to agree to
        all the conditions for registering an account, including receiving direct marketing. This
        has been fixed by the data controller, where it was explained that it was atechnical error.

        3.5. The complaint stated that there was no retention period, as the complainant could

        not understand for how long the data will be restored. The data controller has explained

9(11)        that different legal grounds must be used, which are also regulated by law. If there is
        consent, there areno retention periods, if the consent to senddirect mail is revoked, then
        no more can be kept and sent.

        3.6. The period of retention of data is regulated by § 47 of the Money Laundering Act.
        Act§ 47 paragraph 1, 2, 3, 5, 6 states thatthe data controller must retain data for 5 years

        after after the termination of the business relationship. By order of the competent
        supervisory authority, the maximum retention period for personal data is 10 years.

        3.7. Thus, it must be assessedseparatelyfor each person whether a particular person has
        intentionally breachedhis or her obligations. The inspectorate further explained that 10
        years in the abstract for civil claims is acceptable, but if the data subject objects to 10
        years of data retention, the data subject must be reassessedin accordance with Article

        21 of the General Data Protection Regulation. The data controller did not argue further
        in this regard.

        4. Reprimand and termination of proceedings

        4.1. During the proceedings, the controller changed the procedure of asking consent to
        direct marketing and thereby eliminated the breach. The controller has been given

        explanations regarding data storage period that the controller has to take into account in
        future.

        4.2. Basedon the above, the Inspectorate terminates the supervisionproceedings
        and issues a reprimand to                              in accordance with point (b) of
        Article 58(2) of the GeneralData ProtectionRegulationand draws attentionto the

        requirements set out inthe GDPR:

        4.3. Article 7 (2): If the data subject’s consent is given in the context of a written
        declaration which also concerns other matters, the requestfor consent shall be presented
        in a manner which is clearly distinguishable from other matters, in an intelligible and
        easily accessible form, using clear and plain language. Any part of such a declaration
        which constitutes an infringement of this Regulation shall not be binding.


        4.4. Point (e) of Article 5 specifies storage limitation requirement: personal data arekept
        in a form which permits identification of data subjects for no longer than is necessary
        for the purposes for which the personal data are processed.

        4.5. Article 21 (1): The data subject shall have the right to object, on grounds relating to
        his or her particular situation, atany time to processing of personal data concerning him

        or her which is based on point (e) or (f) of Article 6 (1), including profiling based on
        those provisions. The controller shall no longer process the personal data unless the
        controller demonstrates compelling legitimate grounds for the processing which
        override the interests, rights and freedoms of the data subject or for the establishment,
        exercise or defence of legal claims.


        4.6. Article 12 (1): The controller shall provide any information referredto in Articles
        13 and 14 to the data subject in a concise, transparent, intelligible and easily accessible
        form, using clear and plain language.


         In view of the above, we shall terminate the supervisory proceeding.


         This decision may be challenged within 30 days by submitting one of the two:

10 (11)      -   A challenge to the Director General of the Estonian Data Protection Inspectorate
                                                               1
          pursuant to the Administrative Procedure Act , or
      -   An appeal to an administrative court under the Code of Administrative Court
          Procedure (in this case, the challenge in the same matter can no longer be reviewed).



Respectfully



Lawyer
Authorised by the Director General























































1https://www.riigiteataja.ee/en/eli/527032019002/consolide
2
 https://www.riigiteataja.ee/en/eli/512122019007/consolide
11 (11)