Estonian SA: Krediidiregister OÜ, legal basis for disclosure of non-payment data to third parties, shortcomings in privacy policy

20 January 2023

Background information

  • Date of final decision: 19 January 2022
  • National Case
  • Controller: Krediidiregister OÜ
  • Legal Reference: Principles relating to processing of personal data (Article 5 GDPR), Lawfulness of processing (Article 6 GDPR), Conditions for consent (Article 7 GDPR), Transparency and information obligations (Articles 12 and 14 GDPR)
  • Decision: Precept, Order to comply
  • Key words: Publication of personal data on a website, legal basis for disclosure to third parties, data minimization, data retention, accuracy


Summary of the Decision


Origin of the case

The Estonian SA conducted self-initiated monitoring to map the state of personal data processing in information portals. The purpose was to find out which personal data information portals collect and (re)disclose, on which legal basis they do so, and how people are informed about privacy-related aspects.

The Estonian SA checked whether the website complies with the requirements of the GDPR. It evaluated and analysed the documents submitted to it, as well as the actual data processing on the website.


Key Findings

It was found that a request made by a legal person's name or registry code displays a so-called company card, which includes the possibility to see the data of the legal representative (a private person), e.g. their non-payment information (tax debts, payment defaults). The non-payment information was shown only after the requester accepted that they had a legitimate interest in seeing the data. It was possible to download or print the data.

The Estonian SA also identified several shortcomings in the privacy policy. The SA also drew the controller's attention to the data minimization and retention principles and to the need to guarantee the accuracy of the processed data, and explained that the controller must assess whether to provide access to a requester and, if necessary, create technical and/or organizational measures for this.



The Estonian SA ordered the controller to:

  • stop the disclosure of all valid and invalid data of natural persons related to a legal entity (payment defaults, tax debts, but also properties, court decisions);
  • check whether each third party has a legitimate interest before disclosing the data to them;
  • limit the disclosed data in accordance with the interests of the third party;
  • stop the disclosure of data to unidentified persons (users not logged in);
  • stop the disclosure of invalid connections on the company/personal card;
  • check the documents proving indebtedness before disclosing the data;
  • provide the SA with a clear and comprehensive legitimate interest analysis;
  • bring the privacy policy in line with the GDPR;
  • stop using third-party cookies on the website until the person's consent is obtained;
  • confirm to the SA that, upon receiving the contact details of a data subject, the privacy policy is forwarded to that data subject.

The Estonian SA issued a precept with a penalty payment of 10 000 EUR for each unfulfilled point.

For further information: decision in national language

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.