Mydentist.ee – Complaint Upheld (Estonia, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Mydentist.ee published personal information about dentists without their permission, which led to complaints. The Estonian data protection authority warned the company for possibly breaking rules about handling personal data. This case highlights the importance of getting consent before sharing sensitive information.
What happened
Mydentist.ee published personal data of dentists and clinic employees without their consent.
Who was affected
Three dentists whose personal data was published on the Mydentist.ee website.
What the authority found
The Estonian data protection authority warned Mydentist.ee for potentially violating GDPR principles about lawfulness and transparency.
Why this matters
This warning shows that companies must be careful when handling personal data, especially health-related information. It serves as a reminder for website operators to ensure they have proper consent mechanisms in place.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Mydentist.ee (the controller), a website where users can book appointments with dentists and dental clinics, published personal data of dentists and other dental clinic employees with the aim of providing a booking service. The website allowed users to add a reason for booking the dental appointment and afterwards transmitted the information to the clinics. Three dentists (the data subjects) filed a complaint with the Estonian DPA because their personal data along with incorrect information about them were published on the controller's website without their consent. The DPA held that the controller may be in violation of the processing principles set out in Article 5(1)(a), (b) and (c) GDPR and issued a warning. Firstly, the DPA found that the controller may be in violation of Article 5(1)(a) GDPR (i.e. the principle of lawfulness, fairness and transparency) by collecting health-related data and transmitting it to clinics without providing clear information about the processing activities. In particular, no information regarding the processing of special categories of data was provided in the website’s privacy policy, contrary to the requirements in Article 13 and 14 GDPR. Furthermore, the DPA noted that the controller processed health-related data received from users when booking an appointment without taking into consideration that the data fall within a special category (Article 9(1) GDPR) and without providing an appropriate legal basis for the processing activities. In this sense, the DPA held that the controller could not rely on Article 6(1)(b) GDPR (i.e. performance of a contract) or Article 9(2)(h) GDPR (i.e. provision of health treatment) when collecting health-related data from users since the users did not conclude a contract with the controller. In addition, the DPA emphasised that the controller could not rely on Article 6(1)(f) GDPR (legitimate interest) for special categories of data. Moreover, the DPA noted that the controller could not r
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Mydentist.ee in EE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Mydentist.ee - Estonia (2025). Retrieved from cookiefines.eu
Last updated: