AKI (Estonia) - 2.1-1/25/724-1566-19

Summary

The Estonian Data Protection Inspectorate (AKI) has ordered a bailiff to comply with a data subject's access request under Article 15 of the GDPR. The bailiff had initially refused to disclose information regarding the processing of personal data in enforcement proceedings, citing professional secrecy. However, the AKI ruled that this duty of confidentiality is not absolute and that bailiffs must disclose information to parties involved in proceedings, especially when it concerns data subject rights under GDPR.

Full text

Help AKI (Estonia) - 2.1-1/25/724-1566-19: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Latest revision as of 13:32, 18 June 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators89 edits Tag: submission [1.0] (No difference) Latest revision as of 13:32, 18 June 2026 AKI - 2.1-1/25/724-1566-19 Authority: AKI (Estonia) Jurisdiction: Estonia Relevant Law: Article 12(1) GDPR Article 15 GDPR Section 11(1) Estonian Bailiffs ActSection 23(2) IKÜM Type: Complaint Outcome: Upheld Started: 16.06.2025 Decided: 09.04.2026 Published: 17.06.2026 Fine: n/a Parties: Bailiff Rannar Liitmaa National Case Number/Name: 2.1-1/25/724-1566-19 European Case Law Identifier: n/a Appeal: Not appealed Original Language(s): Estonian Original Source: AKI (in ET) Initial Contributor: bms The DPA ordered a bailiff to respond to an Article 15 GDPR access request concerning personal data processed in enforcement proceedings. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts In May 2025, the DPA received a complaint from the data subject. The data subject had submitted several access requests under Article 15 GDPR to bailiff Rannar Liitmaa, the controller, concerning the processing of their personal data in enforcement proceedings. The data subject asked why their personal data had been collected, from which sources the controller had obtained information about a restricted Facebook group, and under what circumstances their personal data had been shared with third parties. The controller replied that the requested information was not subject to disclosure. In June 2025, the DPA forwarded the request to the controller and asked for a copy of the response. The controller relied on §11(1) of the Bailiffs Act, arguing that bailiffs are bound by professional secrecy and may not disclose information obtained in connection with official duties. The DPA initiated supervisory proceedings in August 2025. The controller provided explanations to the DPA, but did not answer the data subject’s questions and did not explain the legal basis or reasons for restricting their rights. The DPA sent several reminders and clarified that a blanket statement that the information was not subject to disclosure was insufficient. If the controller refused access in whole or in part, they had to provide the applicable legal basis and reasons. The controller did not comply with the recommendation or request an extension. Holding The DPA issued a mandatory order against the controller to ensure the exercise of the data subject’s rights. The DPA held that the controller had failed to properly respond to the access request under Article 15 GDPR. Providing explanations only to the DPA did not satisfy the controller’s obligations, as the response had to be addressed to the data subject. The DPA noted that the controller’s duty of confidentiality under §11(1) of the Bailiffs Act was not absolute. Under §11(3)(1) of the Bailiffs Act, a bailiff must disclose information obtained in the course of official duties to the parties to the proceedings. The DPA also stated that §11 of the Bailiffs Act, read together with Article 23 GDPR, may not be a sufficiently clear and precise basis for restricting data subject rights. In any event, restrictions must be assessed specifically. The controller had to determine which information was covered by professional secrecy and which information could still be disclosed. The DPA found that a blanket refusal was insufficient. The data subject had to be informed which data would be disclosed, which data would not be disclosed, how this assessment was carried out and, where access was refused, the legal basis for the restriction. The DPA ordered the controller to review the access request and provide the information required under Article 15(1) GDPR, unless valid grounds for restriction applied. If access was restricted in whole or in part, the controller had to provide the legal basis and a clear explanation. The controller also had to send a copy of the response to the DPA. No administrative fine was imposed. However, the DPA warned that failure to comply with the order would result in a €1,000 penalty payment, which could be imposed repeatedly until compliance. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details. FOR THE PROTECTION OF PRIVACY AND STATE TRANSPARENCY PRECAUTION-WARNING in personal data protection case no. 2.1-1/25/724-1566-19 Precept maker Mari-Liis Uprus, lawyer of the Data Protection Inspectorate Time of precept making 09.04.2026 in Tallinn and place Recipient of the precept – Bailiff Rannar Liitmaa e-mail address of the personal data processor: rannar.liitmaa@taitur.just.ee Person responsible for the personal data processor Bailiff Rannar Liitmaa (reg. code 11823160) RESOLUTION Based on §56 (1) of the Personal Data Protection Act and Article 58 (2) (c) of the General Regulation on the Protection of Personal Data, the Data Protection Inspectorate issues a mandatory precept to bailiff Rannar Liitmaa for compliance: 1) To review XXX 11.12.2024 request and provide information in accordance with IKÜMart 15 subsection 1 on the circumstances of the processing of his personal data, if there are no grounds for restricting the right to access personal data and send a response to the e-mail address XXX; 2) if there is a basis to fully or partially restrict the applicant's right to receive information about the processing of his personal data, provide XXX with the relevant legal basis and a clear justification why the information cannot be fully or partially released; 3) forward a copy of the response sent by XXX to the Data Protection Inspectorate to the e-mail address info@aki.ee. The Data Protection Inspectorate sets the deadline for compliance with the precept as 23.04.2026. The compliance with the precept shall be notified no later than this deadline to the Data Protection Inspectorate by e-mail at info@aki.ee. CHALLENGE REFERENCE This precept can be challenged within 30 days by submitting either: - a challenge under the Administrative Procedure Act to the Director General of the Data Protection Inspectorate or - a complaint under the Code of Administrative Court Procedure to the administrative court (in this case, the challenge in the same matter can no longer be reviewed). Challenging the precept does not suspend the obligation to comply with it or the implementation of the measures necessary for compliance. PENALTY WARNING If the precept is not complied with by the specified deadline, the Data Protection Inspectorate will impose a penalty of 1,000 euros on the addressee of the precept based on § 60 of the Personal Data Protection Act. A penalty may be imposed repeatedly until the precept is complied with. If the addressee does not pay the penalty, it will be transferred to the bailiff to initiate enforcement proceedings. In this case, the penalty will be added to the bailiff's fee and other enforcement costs. WARNING OF MISLEADING PUNISHMENT For failure to comply with the precept pursuant to Article 58(2) of the General Data Protection Regulation, misdemeanor proceedings may be initiated on the basis of §69 of the Personal Data Protection Act. A person may be fined for this act. The extrajudicial proceedings for the misdemeanor are conducted by the Data Protection Inspectorate. FACTUAL CIRCUMSTANCES On 16.05.2025, the Data Protection Inspectorate (AKI) received a complaint from XXX (hereinafter the complainant), according to which he applied several times, including on 11.12.2024, to the bailiff Rannar Liitmaa (hereinafter the data processor) with a request to obtain information abo

Entities