M&M Inkasso OÜ – Violation Found (Estonia, 2022)

Violation Found
Andmekaitse Inspektsioon | 6 December 2022 | Estonia
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

An Estonian debt collection company was found to have violated privacy rules by posting debtors' personal information on social media. This matters because it shows that companies cannot use personal data as a form of retaliation. The decision emphasizes the need for a valid legal basis when sharing personal data publicly.

What happened

M&M Inkasso OÜ published debtors' personal information on social media without a valid legal basis.

Who was affected

Individuals whose debt information was shared publicly by the debt collection company.

What the authority found

The Estonian DPA determined that the company had no valid legal basis for publishing debtors' information, as it did not protect any vital interests, violating Article 6(1)(d) GDPR.

Why this matters

This decision highlights that companies must have a legitimate reason for sharing personal data and cannot use it for retaliatory purposes. It serves as a warning to businesses about the importance of respecting individuals' privacy rights.

GDPR Articles Cited

Art. 6(1)(d) GDPR

National Law Articles

§ 10 IKS (Personal Data Protection Act)

Full Legal Summary

M&M Inkasso OÜ (the controller) was a debt collection company, which published information about debtors (data subjects), including names and photographs, on its website and social media (Facebook, Instagram and TikTok) as a form of retaliation. After receiving a tip from the public about the social media activities of the controller, the Estonian DPA started an ex officio investigation.

During the proceedings, the controller explained that the publication was justified by "vital interests". Specifically, the posted content was supposed to prevent malicious exploitation of those who could get in contact with debtors. The controller also submitted that it had taken into consideration all other necessary legal considerations with a view to avoiding legal infringements and all information published on the company's website and social media was taken from the Internet and freely available.

In its decision, the DPA assessed whether the controller had a valid legal basis to publish debt default data of the data subjects on social media. Firstly, the DPA referred to Recital 46 GDPR and Article 6(1)(d) GDPR, under which processing of personal data is lawful when it is necessary to protect the "vital interests of the data subject or of another natural person". However, the DPA noted that for the protection of vital interests of another natural person (who is not the data subject), this legal basis should only be used when no other, more suitable, legal basis exists. The DPA held that in the case of payment defaults, the creditor must first and foremost use the legal remedies listed in §101 of the Estonian Law of Obligations Act to obtain payment of the debt. According to the DPA, it was illegal to disclose individuals' payment default data solely as a means of retaliation. Therefore, the social media publications by the controller could not be considered as protecting the vital interest of creditors or other natural persons.

Second, the DPA assessed whether the contro

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for M&M Inkasso OÜ in EE

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

6 December 2022

Authority

Andmekaitse Inspektsioon

GDPRhub ID

gdprhub-5629

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. M&M Inkasso OÜ - Estonia (2022). Retrieved from cookiefines.eu
