[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNrwNDf1zQclhPN8AmWPhm60XYOE7CmS738tK2IFf-LI":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":21,"created_at":22,"published_at":23,"article":24,"tags":27},"1b96e041-5ae0-4b11-997e-eb7906ab75ee","estonian-bailiff-ordered-to-honor-gdpr-data-subject-access-rights-despite-confidentiality-claims","616d7efc-b5bc-4f6f-b7b2-7619b8c226c8","Estonian Bailiff Ordered to Honor GDPR Data Subject Access Rights Despite Confidentiality Claims","A bailiff in Estonia incorrectly used professional secrecy obligations as a blanket justification to deny a data subject's Article 15 GDPR access request, which the AKI ruled was unlawful. This case highlights a common misunderstanding where organizations conflate internal confidentiality duties with the right to withhold personal data from the individuals that data concerns. GDPR data subject rights are not automatically overridden by professional secrecy — controllers must carefully assess each exemption on a case-by-case basis. Failing to honor valid access requests exposes organizations to regulatory enforcement, reputational damage, and erosion of individual trust. \nThis ruling reinforces that all data controllers, regardless of sector, must embed GDPR compliance into their operational procedures.","**Immediate actions:**\n- Conduct a legal review of all existing confidentiality policies to identify where they may improperly conflict with GDPR data subject rights.\n- Establish a documented process for responding to Data Subject Access Requests (DSARs) within the statutory 30-day window.\n\n**Policy & Training improvements:**\n- Train all staff who handle personal data on the distinction between professional secrecy obligations and GDPR data subject rights.\n- Develop clear decision-tree guidelines for when confidentiality exemptions legally apply to DSARs versus when disclosure is mandatory.\n- Appoint or designate a Data Protection Officer (DPO) to review contested access requests before refusals are issued.\n\n**Long-term governance measures:**\n- Maintain a data processing register (Article 30 record) to enable prompt and accurate responses to access requests.\n- Schedule annual GDPR compliance audits to identify procedural gaps in handling data subject rights across all business units.",[12,13,14,15,16,17,18,19,20],"GDPR Article 15 (Right of Access by the Data Subject)","GDPR Article 12 (Transparent Information and Communication)","GDPR Article 23 (Restrictions on Data Subject Rights)","GDPR Article 37-39 (Data Protection Officer Requirements)","NIST SP 800-53 IP-1 (Individual Access)","NIST SP 800-53 AC-3 (Access Enforcement)","CIS Control 3 (Data Protection)","ISO\u002FIEC 27001 A.18.1 (Compliance with Legal and Contractual Requirements)","ITIL Service Design – Information Security Management","published","2026-06-18T14:20:47.022119+00:00","2026-06-18T14:20:46.922+00:00",{"id":7,"url":25,"title":26},"https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AKI_(Estonia)_-_2.1-1\u002F25\u002F724-1566-19&diff=51915&oldid=0","AKI (Estonia) - 2.1-1\u002F25\u002F724-1566-19",[28,34,40],{"id":29,"name":30,"slug":31,"description":32,"color":33},"1ec88fde-2d0f-4ed8-932a-33f5ccc0fdc7","Access Control","access-control","Excessive privileges, missing MFA, weak auth","#f97316",{"id":35,"name":36,"slug":37,"description":38,"color":39},"c0dcc566-3654-4d70-8ede-262a198e732f","Regulatory Compliance","regulatory-compliance","GDPR, NIS2, DORA, sector-specific violations","#ec4899",{"id":41,"name":42,"slug":43,"description":44,"color":45},"c8b843a5-d5a7-41d1-8d3b-cabded09d2ef","Data Protection","data-protection","Unencrypted data, missing DLP, poor classification","#3b82f6"]