Dt: Created page with “{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=2.1.-4/25/1239-2660-6 |ECLI= |Original_Source_Name_1=AKI |Original_Source_Link_1=https://www.aki.ee/sites/default/files/documents/2026-01/Ettekirjutus-hoiatus%20isikuandmete%20kaitse%20asjas%20nr%202.1.-4%2025%201239-2660-6%20Zu%20Disain%20O%C3%9C.pdf |Original_Source_Language_1=Estonian |Original_Source_Language__Code_1=ET |…”
|Jurisdiction=Estonia
|DPA-BG-Color=
|DPAlogo=LogoEE.png
|DPA_Abbrevation=AKI
|DPA_With_Country=AKI (Estonia)
|Case_Number_Name=2.1.-4/25/1239-2660-6
|ECLI=
|Original_Source_Name_1=AKI
|Original_Source_Link_1=https://www.aki.ee/sites/default/files/documents/2026-01/Ettekirjutus-hoiatus%20isikuandmete%20kaitse%20asjas%20nr%202.1.-4%2025%201239-2660-6%20Zu%20Disain%20O%C3%9C.pdf
|Original_Source_Language_1=Estonian
|Original_Source_Language__Code_1=ET
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Investigation
|Outcome=Violation Found
|Date_Started=
|Date_Decided=06.10.2025
|Date_Published=
|Year=2025
|Fine=
|Currency=
|GDPR_Article_1=Article 5(1)(a) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1a
|GDPR_Article_2=Article 6(1) GDPR
|GDPR_Article_Link_2=Article 6 GDPR#1
|GDPR_Article_3=Article 6(1)(f) GDPR
|GDPR_Article_Link_3=Article 6 GDPR#1f
|GDPR_Article_4=
|GDPR_Article_Link_4=
|GDPR_Article_5=
|GDPR_Article_Link_5=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=Zu Disain OÜ
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Initial_Contributor=
|
}}
The DPA ordered a company to delete all personal data collected from the electronic land register or, in case of refusal, to provide the legal basis under which it continues to process the data.
== English Summary ==
=== Facts ===
The Estonian land register is publicly accessible and includes information about immovable property and its owners.
A company, Zu Disain OÜ (the controller), used an automated solution (i.e. a script) to perform mass queries from the electronic land register.
The Estonian DPA (AKI) launched an investigation into the controller for its processing of personal data from the electronic land register.
=== Holding ===
The DPA noted that the controller may primarily rely on legitimate interest (Article 6(1)(f) GDPR) for the processing of personal data through automated queries. However, the DPA found that the controller could not have a legitimate interest for processing the data from the electronic land register due to its main business activity being non-specialised wholesale trade.
Thus, the DPA concluded that the controller did not have a legal basis for the processing of personal data from the electronic land register. Furthermore, the controller did not provide an official explanation to the DPA’s inquiry during the investigation.
Therefore, the DPA ordered the erasure of all personal data processed by the controller form the electronic land register, or, refusing to do so, a justification regarding the legal basis the controller relies upon for the processing activities. A penalty of €2,000 may be imposed repeatedly if the controller failed to comply with the order.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
<pre>
PROTECTION OF PRIVACY AND STATE TRANSPARENCY
PRECAUTION-WARNING
in the case of personal data protection no. 2.1.-4/25/1239-2660-6
Precept maker: Kirsika Kuutma, lawyer of the Data Protection Inspectorate
Time of precept making 06.10.2025 in Tallinn
and place
Recipient of the precept – Zu Disain OÜ
personal data processor Registration code: 14090627
Email address: zu@zukker.eu
Personal data processor Member of the Management Board
responsible person
RESOLUTION
Based on § 56 (1) of the Personal Data Protection Act and Article 58 (2) (d) of the General Regulation on the Protection of Personal Data, the Data Protection Inspectorate issues a mandatory precept for the execution of:
1) Delete all personal data of natural persons that Zu Disain OÜ has collected from the electronic land register using an automated solution and that the company still retains,
and submit to the Data Protection Inspectorate a description of the process of deleting personal data
together with documents proving deletion;
2) If Zu Disain OÜ refuses to delete personal data collected from the electronic land register
about natural persons due to the existence of a legal basis (Article 6(1) of the Data Protection Act),
then justify to the Data Protection Inspectorate on which legal basis
Zu Disain OÜ continues to process their personal data and submit documents proving this,
also an analysis of legitimate interest based on Article 6(1)(f) of the Data Protection Act.
The Data Protection Inspectorate sets the deadline for compliance with the precept as 20.10.2025.
The compliance with the precept shall be notified to the Data Protection Inspectorate by this deadline at the e-mail address info@aki.ee.
CHALLENGE REFERENCE
This precept can be challenged within 30 days by submitting either:
– a challenge under the Administrative Procedure Act to the Director General of the Data Protection Inspectorate or
– a complaint under the Administrative Court Procedure Code to the administrative court (in this case, the challenge in the same matter can no longer be reviewed).
Challenging the precept does not suspend the obligation to comply with it or the implementation of the measures necessary for compliance.
PENALTY WARNING
If the precept is not complied with by the specified deadline, the Data Protection Inspectorate will impose on the addressee of the precept:
A penalty of 2,000 euros on the basis of § 60 of the Personal Data Protection Act.
A penalty may be imposed repeatedly until the precept is complied with. If the addressee does not pay the penalty,
it will be transferred to the bailiff to initiate enforcement proceedings. In this case, the penalty will be added to the bailiff’s fee and other enforcement costs.
WARNING OF MISLEADING PENALTIES
For failure to comply with the precept pursuant to Article 58(2) of the General Data Protection Regulation, misdemeanor proceedings may be initiated on the basis of §69 of the Personal Data Protection Act. For such an act, the person may be punished with a fine. The Data Protection Inspectorate is the extrajudicial investigator of the misdemeanor.
FACTS
On 15.08.2025, the Data Protection Inspectorate (hereinafter the Inspectorate) initiated ex officio proceedings against Zu Disain OÜ (hereinafter the data processor) and forwarded a proposal to the data processor to delete all data collected from the electronic land register about natural persons, for the collection of which an automated solution (script) was used and/or for the further processing of which there is no legal basis.
If the data processor refuses to comply with the proposal, the Inspectorate alternatively submitted a request, expecting clarifications from the data processor regarding the legal basis for data processing, etc.
On 15.08.2025, the data processor submitted informal responses to the Inspectorate’s proposal.
On 09.09.2025, the Inspectorate sent a reminder to the data processor that the data processor had not responded to the proposal by the deadline (i.e. 05.09.2025).
As of 06.10.2025, the data processor has not responded to the Inspectorate’s proposal and/or inquiry.
REASONS FOR THE DATA PROTECTION INSPECTORATE:
1
1. The requirements for the processing of personal data arise from the General Data Protection Regulation (GDPR) and, according to Article 4(1) thereof, personal data are any information relating to an identified or identifiable natural person (“data subject”); An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location information, an online identifier or to one or more physical, physiological, genetic, mental, economic, cultural or social characteristics of that natural person.
2. According to Article 26 of the GDPR, the principles of data protection should apply to any information relating to an identified or identifiable natural person, and the term personal data should therefore be interpreted broadly. Thus, in certain cases, information about objects (e.g. a car, a house, a property) may also provide information about a natural person if the object belongs to a specific person. The Working Party on Data Protection has cited the example that information about real estate may also be considered personal data under certain conditions.
3. General data of the immovable property corresponding to a specific personal identification code (e.g. immovable property number, immovable property type, cadastral identification number, cadastral unit address, cadastral unit area, special property number) are
in this case treated as personal data, because they can be linked to a specific person. This
1 Regulation (EU) 2016/679 of the European Parliament and of the Council.
2 Working Party on Data Protection established under Article 29. Opinion 4/2007 on the concept of personal data. WP 136, p. 9.
2 (5) This is so, among other reasons, because one of the mandatory data fields of the electronic land register is also
data on the owner(s) of the immovable property (Section 14 of the Land Register Act).
4. The controller of personal data is responsible for compliance with the requirements of the Personal Data Protection Act and must
be able to prove compliance with them (Article 5(2)).
5. The principle of public access to the land register applies in Estonia, which means that everyone has the right to receive
information about the data entered in the land register, including immovables and their owners
(Section 55(1) of the Law of Property Act, Section 74(1) of the Land Register Act). Since Zu Disain OÜ is
a legal person or a company that does not have a private life, it cannot rely on the personal purpose exception within the meaning of Article 2(2)(c) of the GDPR when processing data, i.e. making queries in the land register, and as a legal person data processor, it has an obligation to ensure compliance with the requirements of the GDPR.
6. According to Article 5(1)(a) of the GDPR, the processing of personal data must be lawful, fair and
transparent to the data subject. According to Article 6(1) of the GDPR, the processing of personal data is lawful
only if at least one of the conditions listed in points a to f is met. The controller must determine the valid legal basis for the processing of personal data before the data processing commences, not afterwards, in order to ensure that the planned data processing is lawful and lawful.
7. Since Zu Disain OÜ used an automated solution (script) to make queries, which made it possible to perform a mass query from the electronic land register, the person’s prior consent (Article 6(1)(a)) or the performance of a contract (Article 6(1)(b)) cannot be considered, for example. Therefore, in this case, the legal basis can primarily be legitimate interest (Article 6(1)(f)).
8. Legitimate interest may be the legal basis for processing provided that the interests or fundamental rights and freedoms of the data subject are not overridden, taking into account the reasonable expectations of the data subject based on his or her relationship with the controller. In any case, the existence of a legitimate interest should be carefully assessed, including whether the data subject could reasonably expect, at the time and in the context of the collection of the data, that the personal data might be processed for that purpose.
(IKÜM pp. 47).
9. The controller’s interest in processing some personal data does not automatically mean that it can
rely on the basis of legitimate interest. First, the controller must have a real and genuine legitimate interest in processing the data subjects’ data, second, the processing of personal data
must be necessary for the pursuit of that legitimate interest, and third, the interests or fundamental rights and freedoms of the data subject
must not override the legitimate interest of the controller. In addition, it must
be assessed whether the legitimate interest pursued by the data processing cannot reasonably be achieved in an equally
effective manner by other means which are less intrusive to the fundamental rights and freedoms of the data subjects.
10. Therefore, relying on legitimate interest presupposes that, before starting data processing, the data processor has analysed which measure is most appropriate to fulfil the purpose, considered the rights and freedoms of the data subjects and prepared a legitimate interest analysis. 4
11. Since the main activity of Zu Disain OÜ is, according to the data of the e-business register, non-specialised wholesale trade, it cannot be considered justified that the company has a legitimate interest in carrying out mass queries from the e-land register and thereby collecting (retaining) data on the real estate of natural persons for the purposes related to the field of activity. According to the data of the Centre of Registers and Information Systems (the administrator and developer of the e-land register), Zu Disain OÜ carried out 31,479 queries based on the personal identification code of natural persons in the period
31.10.2024-07.04.2025.
3European Court of Justice judgment C-252/21. P 106, 108.
4See more details in the Data Protection Inspectorate’s guide to legitimate interest analysis Legitimate interest | Data Protection Inspectorate
3 (5)12. Zu Disain OÜ has explained its vision of data processing in a telephone call with the processing officer on 15.08.2025 and in a subsequent e-mail, but since the data processor emphasized in both the telephone call and the e-mail that it does not want the issue to be treated as an official response, the AKI cannot treat the submitted
positions as legally binding, i.e. as an official response to the submitted proposal. Zu Disain OÜ
requested in a telephone call on 15.08.2025 that the AKI processing officer give a preliminary assessment of the submitted response (e-
letter), on the basis of which the data processor would formulate an official response. However, as the processing officer
repeatedly emphasized in the telephone call, the AKI cannot take the place of the data processor in finding a legal basis for its
activities. The proceeding officer also explained that, pursuant to § 40(1) of the Administrative Procedure Act, the data processor has the right to submit its opinion and objections to the AKI regarding the matter within the deadline specified in the proposal. The corresponding reference to the Administrative Procedure Act is also included in the proposal.
13. To date, Zu Disain OÜ has not responded to the AKI’s proposal and inquiry and
has therefore not provided any explanations as to the purpose and legal basis for the mass inquiries and
they are still being processed. Since the Inspectorate has not been provided with any justifications as to the legal basis for
the processing of data, there is no basis for their further retention and
the data must be deleted.
14. In accordance with §27lg2point3 of the Administrative Procedure Act, a document made or transmitted electronically
is deemed to have been delivered if the document or notice has been forwarded to the email address entered in the company’s commercial register. The Inspectorate has sent its
communications to the data processor to the email address appearing in the commercial register. Zu Disain OÜ called
and replied to the processing officer with a receipt on 15.08.2025, so the data processor
has received the Inspectorate’s proposal.
15. The Inspectorate has given Zu Disain OÜ a reasonable time to respond to the proposal, including the possibility for the recipient of the proposal to write to the Inspectorate in a timely manner and provide justification if the deadline for responding to the proposal is too short and submitting a comprehensive response would require a longer response time. In addition, the Inspectorate has sent a reminder to the data processor upon the expiration of the deadline for fulfilling the proposal (i.e.
05.09.2025). With the above, the Inspectorate has fulfilled its obligation under § 40(1) of the Administrative Procedure Act to give the participant in the proceedings an opportunity to submit their opinion and
objections on the matter before issuing an administrative act.
16. In accordance with § 58(1) of the Personal Data Protection Act and Article 58(2)(g) of the Personal Data Protection Act, the Inspectorate has the right to order the deletion of personal data.
17. Based on the above, the Inspectorate obliges Zu Disain OÜ to delete all personal data collected from the e-land register of natural persons
for which an automated solution has been used
and for which there is no legal basis for further processing (ICD Article
6, paragraph 1).
18. To prove compliance with the precept, Zu Disain OÜ must submit evidence confirming
the permanent deletion of the data, including a description of the data deletion process, screenshots,
log extracts, etc.
19. If Zu Disain OÜ refuses to delete personal data collected from the e-land register of natural persons
due to the existence of a legal basis (ICD Article 6, paragraph 1), then a justification must be provided as to the legal basis on which Zu Disain OÜ will continue to process their personal data
and documents proving this must be submitted, as well as an analysis of the legitimate interest based on Article 6, paragraph 1, point f of the ICD Article.
5The first sentence of the e-mail sent by the Data Processor on 15.08.2025 is “I am currently responding informally to the proposal submitted by AKI.”
4 (5)(digitally signed)
Kirsika Kuutma
Lawyer
Authorized by the Director General
5 (5)
</pre>