COBALT successfully represented its clients in a dispute with Estonian Data Protection Inspectorate regarding settlement of a complaint lodged under the GDPR

Senior Associate Kadri Matteus successfully represented individual clients regarding a complaint lodged with the Estonian Data Protection Inspectorate for commencement of monitoring and issue of a precept on the basis of the GDPR. As AKI refused to hear the complaint, the applicants lodged an appeal with the administrative court. The court found that the administrative practice of the Data Protection Inspectorate was incompatible with the valid law and required the Data Protection Inspectorate to review the complaint before acceptance (administrative case no. 3-20-375).

The dispute concerned the complaint lodged by the data subjects under Article 77 (1) of the GDPR, whereunder every data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. The Data Protection Inspectorate refused to accept the complaint, and made a reference to subsection 4 (2) of the Law Enforcement Act, and the civil dispute between the data subjects and the data processor, and the opportunity of the data subjects to take their claim to a civil court, referring to the previous administrative practice of the Data Protection Inspectorate.

The court agreed with the complainants that the administrative practice of the Data Protection Inspectorate was incorrect and the Data Protection Inspectorate had formed its position only on the basis of its practice before the entry into force of the GDPR and had not taken into account of the rights of the complainants set forth in the GDPR. The national laws of Estonia shall be interpreted in alignment with the EU law, and the GDPR does not permit to refuse to accept a complaint lodged pursuant to the GDPR solely for the reason that the data subject can assert its claims in a civil court. The Data Protection Inspectorate would be able to refuse to hear the request if the request was manifestly unfounded or excessive within the meaning of Article 57 (4) of the GDPR due to its non-compliance with the prerequisites set forth in national laws, but the Data Protection Inspectorate did not refer to such circumstances while refusing to accept the complaint of the data subjects.

The dispute was supported by COBALT`s Intellectual Property and Infotechnology team members Specialist Counsel Aleksander Tsuiman and Associate Stella Raudsepp.