AKI - 2.1-1/19/4627

From GDPRhub
Revision as of 12:04, 20 April 2020 by Sse
AKI - Nr. 2.1-1 / 19/4627
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 6 GDPR
Type: Complaint
Outcome: Other Outcome
Decided: 04.03.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: Nr. 2.1-1 / 19/4627
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Estonian
Original Source: AKI (in ET)

The Estonian Data Protection Authority (AKI) emphasized that the existence of a legal basis for publishing personal data does not entitle anyone to re-use and disclose the published information for any purpose.

English Summary

Facts

The complainant submitted a complaint to the DPA regarding the disclosure of data relating to the complainant in the public registers. The personal data concerned relate to the personal stories of board members. The central issue was the fact that the complainant had not given his consent to the processing of personal data for the commercial register.

Dispute

The DPA had to decide whether the publication of data relating to members of a management board was lawful.

Holding

According to the law, the data of the members of the company's management board are published in the commercial register. The DPA emphasized that this does not mean that these data may be re-used and disclosed for any purpose. Data that is disclosed in the open data portal can be reused without restriction for commercial or non-commercial purposes. For the board members' data published in the commercial register, there must also be a legal basis for re-use for other purposes. The Commercial Register, which discloses the data of the members of the management board on the basis of law, cannot guarantee that no one will use this data for other purposes without a legal basis. The Inspectorate has received several complaints regarding the disclosure of data in information portals and will decide this matter. If it turns out that there is no legal basis for processing the data, the Inspectorate will order that the illegal processing of personal data be stopped.


English Machine Translation of the Decision

The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.


CONTEST DECISION
personal data protection in case no. 2.1-3 / 20/287
Decision maker: Chief Inspector of the Data Protection Inspectorate Elve Adamson
Time and place of making the decision: 04.03.2020 in Tallinn
Time to file a challenge: 1/23/2020
The contested administrative act or operation: Procedure of the Data Protection Inspectorate 22.01.2020 Decision No 2.1-1 / 19/4627 not to initiate proceedings
Challenger: Private person
address: Xxxxxxxx xxx xx, xxxxx Xxxxxxx
e-mail address: xxxx@xxxxxxxx.ee
RESOLUTION:
Pursuant to clause 85 2) of the Administrative Procedure Act (HMS)
I decide:
Uphold the challenge and process the complaint
CONTEST REFERENCE:
The appellant may challenge this decision within 30 days by submitting
an appeal to an administrative court in accordance with the Code of Administrative Court Procedure.
FACTUAL FACTS:
On 19.12.2019, the appellant submitted the following address
Google your face and last name from the internet search environment www.google.com, throws
to the front page at the bottom of the page https://creditreports.ee xxxx-xxxxxxx
Clicking on this link will open my personal story as a private individual - titled ‘Private
personal story "
This website article is not about a company, but about me as a Private Person and me
activities. Among other things, it describes how and when I started a business /… .. Private person
started business 19 years ago, when he was 26 years old. Starting his business remains
to the year 2000, a time when fresh capital from its first mistakes proper
õpp. / and how I have managed companies / ni. All in all, he has over the years
managed 4 companies. Today, he is still on the board of 4 companies, 2 of which are active
economic activity, 2 have been left to disappear (incl. VAT payers… / there
characterize me /…. An individual has seen companies through the eyes of both a manager and an owner. Ta
continues to reach many and performs many roles, he is:… ../. It is clearly mine as
processing of personal data of a natural person. APPLICATION As far as I do not have my data
consent to the transfer of personal data to public registers, including the commercial register
processing in such a way that third parties can collect and use the data there
in turn, to create a database that characterizes me in my self, is done by them
processing such data in this form without my consent. Although from the commercial register various queries
it is possible to obtain certain information about the company by doing so, the commercial register does not have the right to publish information
together with the authorization to collect and compile data on natural persons such as
provide an opportunity to compile databases characterizing natural persons. Please check
the lawfulness of the processing of my Personal Data by the persons behind this website
and if they are in breach of my data processing, they will be penalized accordingly.
On 22 January 2020, the Data Protection Inspectorate did not initiate the proceedings on the following grounds:
On 19.12.2019, you submitted a complaint to the Data Protection Inspectorate on the basis of the Personal Data Protection Act in connection with the disclosure of data about you in public registers. You explain that you have not given consent to the commercial register to process your personal data in such a way that third parties can collect data there and use it to characterize you as a natural person in the ScoreStorybook register (Register OÜ and Storybook OÜ). You believe that although the commercial register is public, the commercial register does not have the right to disclose information by allowing other persons to collect and use it. You want the Data Protection Inspectorate to check the legality of the processing and to penalize registrars in a situation where your rights are violated.
With regard to the commercial register, we explain that it is a national database, the purpose of which is to collect, preserve and disclose information on self-employed enterprises located in Estonia, companies and branches of foreign companies (CC 1, § 22, 1). Pursuant to § 28 (1) of the CA, the entries in the commercial register are public, which gives everyone the right to inspect the registry card and the business file and to receive copies of the registry card and of the documents in the business file. Only the data prescribed by law are entered in the Commercial Register (§ 31 of the CA); provisions of the Commercial Code (Ref. 2). As the legal basis for the commercial register derives from Article 6 (1) of the CCIP even in this case, your consent to the processing of personal data cannot be obtained. Disclosure of the data of the members of the management board in the commercial register is necessary to ensure business turnover: it is necessary for the persons carrying out transactions with the company to check the right of representation of the company's representative.
However, the above does not apply to all kinds of private information portals, as they are not national and are not subject to the above disclosure provisions of the Commercial Code.
The Data Protection Inspectorate has started monitoring the processing of personal data in various information portals (including the disclosure of data of invalid representatives) in order to determine the legal basis for data processing. We have asked all information portal operators for an overview of the data processing and explanations of the legal basis for the disclosure of the data. In doing so we must take into account that similar information portals operate in other EU countries and that from 2018, the processing of personal data is regulated by the Pan-European General Data Protection Regulation, the aim of which is to harmonize the organization of personal data protection across Europe. So far, unfortunately, there is no pan-European position on information portals.
Monitoring has been extensive, but we are currently summarizing and making decisions. We will certainly also inform the media of the decisions taken as a result of the monitoring, because it is a problem that affects many people.
Based on the above, the Data Protection Inspectorate will not start a separate monitoring procedure with regard to your personal data.
1 In the computer network: https://www.riigiteataja.ee/akt/128022019010
CLAIMER'S CLAIM AND EXPLANATION:
On 19 December 2015, the applicant submitted to the Data Protection Inspectorate on the basis of the Personal Data Protection Act
a complaint regarding the disclosure of data about the Complainant in public registers. Complaint
The central issue was the fact that the applicant had not given his consent to the commercial register
the processing of personal data in such a way that third parties may collect such data, and
use in turn to characterize the Applicant as a natural person in the ScoreStorybook Registry
(Register OÜ and Storybook OÜ). In the complaint, the applicant considered that although the commercial register is
public, the commercial register shall not, however, have the right to publish information by allowing other persons to collect it, and
to use. The complainant requested that the Data Protection Inspectorate inspect the processing
legality and, in a situation where the rights of the complainant are violated, the registrars would be
1 complaint).
The Data Protection Inspectorate did not start with its letter No. 2.1.-1/19/4627 by its letter of 22.01.2020
described in respect of the act. The reasons of the Data Protection Inspectorate were summarized
the following:
a) The Commercial Register has the legal right to publish personal data
b) The right of publication of commercial registers shall not apply to all forms of private law information portals
c) The Data Protection Inspectorate has started monitoring the processing of personal data in various information portals in order to determine their legal basis. Monitoring is extensive.
d) There is currently no pan-European position on such information portals. (Annex 2 Data protection Inspection letter)
I received the letter from the Data Protection Inspectorate on 22.01.2020.
The failure of the Data Protection Inspectorate to initiate proceedings violates my rights insofar as I do
has not authorized the collection of its own data as a natural person, that they are in no private law
a legal person could display its revenue to the public through a website.
Me and only me have the right to control when, how and for what purpose mine
personal data are processed. The processing of personal data must be based on law. Referred to by me
there is no legal basis for the processing of personal data. Therefore, the proceeding should also have been initiated,
if the Data Protection Inspectorate itself admits in the same letter that they are already investigating (through monitoring),
whether or not such activities have a legal basis. None of the reasons given by the Inspectorate
give reason not to initiate proceedings.
In addition to the above, the letter of failure to initiate infringes my rights of defense in that it does not explain the act
my appeal.
I would like the Data Protection Inspectorate to initiate proceedings regarding the processing of the described personal data.
GROUNDS FOR THE DATA PROTECTION INSPECTORATE:
Disclosure of personal data in the commercial register
There must be a legal basis for any processing of personal data. The legal bases for the processing of personal data are set out in Article 6 of the European Union's General Regulation on the Protection of Personal Data (EDPS). Thus, the consent of a person alone is not the legal basis for the processing of personal data. If processing of personal data, including disclosure, takes place on the basis of law, the consent of the person is not required.
As, according to the law, the data of the members of the company's management board are public in the commercial register, the disclosure of the data of the members of the management board in the commercial register takes place on the basis of law. The fact that the data of board members are public in the commercial register by law does not mean that these data may be re-used and disclosed for any purpose. Data that can be reused without restriction for commercial or non-commercial purposes is disclosed in the open data portal. Regarding the data of the Commercial Register, only the data of companies have been disclosed on the open data portal, not details of the members of the management board. Therefore, there must also be a legal basis for re-using the data of the members of the management board disclosed in the commercial register for other purposes.
The Commercial Register, which discloses the data of the members of the management board on the basis of law, cannot guarantee that no one will use this data for other purposes without a legal basis.
Processing of personal data in StoryBook
Because Storybook uses the commercial register to disclose the personal stories of board members, there must be a legal basis for the processing and re-disclosure of personal data. Because the Inspectorate has received several complaints regarding both Storybook's disclosure of personal stories and the disclosure of data in other information portals, the Inspectorate started supervision regarding the processing of personal data in various information portals in order to find out the legal basis for data processing.
The aforementioned supervision also includes Storybook's activities in disclosing personal stories. If it turns out that there is no legal basis for processing the data, the Inspectorate also obliges Storybook to stop the illegal processing of personal data. In essence, the challenge also solves the above
the complainant's complaint, therefore the waiver did not initiate a separate procedure on the basis of the complainant's complaint.
In other words, a separate procedure was not initiated on the basis of the complaint, but the ongoing supervision was not carried out
the result would also have included the appellant's complaint, to which the substance of the complaint would have been joined
ongoing procedure.
The right of a person to lodge a complaint
The fact that the Inspectorate has initiated an infringement procedure in the same case is without prejudice to the right of the person to lodge a complaint. Pursuant to Article 77 paragraph 1 of the CCIP, any person shall have the right to appeal to the supervisory authority, in particular in the Member State of his habitual residence, place of employment or the place where the alleged infringement took place, if the person considers that the processing of personal data concerning him infringes the Regulation. Pursuant to § 61 (1) of the Personal Data Protection Act (IKS), the Data Protection Inspectorate shall resolve a complaint within 30 days after its submission, which may be extended by 60 days if necessary (§ 61 (2) of the IKS).
Due to the above, the Data Protection Inspectorate satisfies the challenge and accepts the complaint of the submitter of the challenge for processing.
with respect
/signed digitally/
Elve Adamson
Inspector General
under the authority of the Director General