- Date of final decision: 19 January 2022
- National Case
- Controller: Krediidiregister OÜ
- Legal Reference: Principles relating to processing of personal data (Article 5 GDPR), Lawfulness of processing (Article 6 GDPR), Conditions for consent (Article 7 GDPR), Transparency and information obligations (Articles 12 and 14 GDPR)
- Decision: Precept, Order to comply
- Key words: Publication of personal data on a website, legal basis for disclosure to third parties, data minimization, data retention, accuracy
Summary of the Decision
Origin of the case
The Estonian SA conducted self-initiated monitoring to map the state of personal data processing in information portals. The purpose was to find out which personal data information portals collect and (re)disclose, on which legal basis they do so, and how people are informed about privacy-related aspects.
The Estonian SA checked whether the website www.taust.ee complies with the requirements of the GDPR. The Estonian SA evaluated and analysed the documents submitted to it, as well as the actual data processing on the website.
It was found that when a query is made by a legal person's name or registry code, a so-called company card is displayed, including the possibility to see the data of the legal representative (a private person), e.g. their non-payment information (tax debts, payment defaults). The non-payment information was shown only after the requester confirmed that they had a legitimate interest in seeing the data. It was possible to download or print the data.
The Estonian SA ordered the controller to:
- stop the disclosure of all valid and invalid data of natural persons related to a legal entity (payment defaults, tax debts, but also properties, court decisions);
- check whether each third party has a legitimate interest before disclosing the data to them;
- limit the disclosed data in accordance with the interests of the third party;
- stop the disclosure of data to unidentified persons (users not logged in);
- stop the disclosure of invalid connections on the company/personal card;
- check the documents proving indebtedness before disclosing the data;
- provide the SA with clear and comprehensive legitimate interest analysis;
- terminate the use of third-party cookies on the website until the person's consent has been obtained.
The Estonian SA issued a precept with a penalty payment of 10 000 EUR for each unfulfilled point.
For further information: decision in the national language
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.