Mydentist.ee – Complaint Upheld (Estonia, 2025)

Mydentist.ee (the controller), a website where users can book appointments with dentists and dental clinics, published personal data of dentists and other dental clinic employees with the aim of providing a booking service. The website allowed users to add a reason for booking the dental appointment and afterwards transmitted the information to the clinics. Three dentists (the data subjects) filed a complaint with the Estonian DPA because their personal data along with incorrect information about them were published on the controller's website without their consent. The DPA held that the controller may be in violation of the processing principles set out in Article 5(1)(a), (b) and (c) GDPR and issued a warning. Firstly, the DPA found that the controller may be in violation of Article 5(1)(a) GDPR (i.e. the principle of lawfulness, fairness and transparency) by collecting health-related data and transmitting it to clinics without providing clear information about the processing activities. In particular, no information regarding the processing of special categories of data was provided in the website’s privacy policy, contrary to the requirements in Article 13 and 14 GDPR. Furthermore, the DPA noted that the controller processed health-related data received from users when booking an appointment without taking into consideration that the data fall within a special category (Article 9(1) GDPR) and without providing an appropriate legal basis for the processing activities. In this sense, the DPA held that the controller could not rely on Article 6(1)(b) GDPR (i.e. performance of a contract) or Article 9(2)(h) GDPR (i.e. provision of health treatment) when collecting health-related data from users since the users did not conclude a contract with the controller. In addition, the DPA emphasised that the controller could not rely on Article 6(1)(f) GDPR (legitimate interest) for special categories of data. Moreover, the DPA noted that the controller could not r