Estonian SA: Private person, legal bases for disclosure of data to unidentified persons

20 January 2023

Background information

  • Date of final decision: 03 January 2022
  • National Case
  • Controller: private person
  • Legal Reference: Lawfulness of processing (Article 6(1) GDPR)
  • Decision: Precept, Order to comply. The decision is being challenged in the national court
  • Key words: Publication of personal data in the Facebook groups


Summary of the Decision


Origin of the case

The Estonian SA conducted self-initiated monitoring of Facebook groups that publish data of private persons in debt. These Facebook groups have the same private person as administrator, who is the controller of the published data.

According to the Personal Data Act (paragraph 10), transmission to third parties of personal data related to the violation of any obligation is permitted for the purpose of assessing the creditworthiness of the data subject and where there is a legal basis for the transmission of personal data. Therefore, the controller must assess the legal basis. Disclosure of the debt on the Internet to unidentified persons is contrary to paragraph 10 of the Act.

The controller objected to the initiation of the procedure on the grounds that data subjects can themselves contact the controller and, if necessary, initiate court proceedings directly against the controller. The controller also concluded that the data processing is carried out as a personal activity.


Key Findings

Estonian SA’s intervention is not precluded by the fact that the administrator has not prevented the data subjects from exercising their rights and that the District Court’s decision supports this position.

Each of the groups has 4600 – 14 800 members; therefore the data processing cannot be for personal purposes, and the purpose of these groups is to disclose the data to an unidentified circle of persons.

The group administrator argued that they are not the controller. Nevertheless, the administrator pointed out that, in the event of a dispute, the administrator can stop data processing or make amendments to the data.

The Estonian SA stated that the processing of non-payment data is not permitted if it would excessively damage the rights or freedoms of the data subject; the data controller does not have a legitimate interest; and publication of debts does not have a journalistic purpose. Therefore, the only legal basis is the national Act (paragraph 10).



The Estonian SA obliged the controller to stop disclosing other people's personal data in Facebook groups managed by the controller without consent in accordance with Article 6(1)(a) of the GDPR.

The Estonian SA issued a precept with a penalty payment of 5000 EUR to the controller.



The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.