Register OÜ – Complaint Upheld (Estonia, 2025)

A user (the data subject) of the website inforegister.ee sent a request to access to the provider of the website, Register OÜ (the controller), asking for information regarding the users who followed their profile. On the website, users can monitor changes in a company’s board members, founders and shareholders. The controller refused to provide the data subject with the list of followers. Instead, the controller removed the followers and blocked the feature for the data subject for the future. Therefore, the data subject filed a complaint with the Estonian DPA against the controller. On 12 March 2025, the DPA requested the list of followers from the controller along with the legal basis under which the controller refused to provide the information to the data subject. The controller responded to the DPA’s request on 12 March 2025 without providing the list of followers, explaining that the controller had no legal basis to disclose the information. The controller claimed that the data subject’s right to access is limited by Article 15(4) GDPR (i.e. the protection of the rights and freedoms of others). The DPA followed up on 13 March 2025 with an explanation of its role in determining the limits of the data subject’s right to access and how it depends on receiving the list of followers from the controller. On 13 March 2025 the controller responded with a refusal to disclose the list to the DPA, explaining that it could not submit a list that no longer existed and, at the same time, that it could not determine with certainty the identity of the followers, which may lead to transferring inaccurate data. Moreover, the controller claimed it had no legal basis for transferring the list to the DPA and the transfer would go against Article 5(1)(a) and (c) GDPR (i.e. the principles of lawfulness, fairness and transparency, and data minimisation), being disproportionate and unjustified. The controller’s conclusion was that, while the DPA can make an assessment of