Estonian Public Broadcasting – Complaint Upheld (Estonia, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject filed a complained with the Estonian DPA (AKI) on 11 December 2023. They alleged a violation of Article 4 of the Estonian Personal Data Protection Act (as it implements the GDPR in national law) by the Estonian Public Broadcaster (the controller). The data subject requested an order against the controller to remove the data subject’s photos from articles and to pseudonymise their name. In its first decision on 28 June 2024, the DPA found no violation against the controller. The data subject appealed the DPA's decision. In the appeal, the court ordered the DPA to re-examine the data subject’s complaint. Subsequently, the DPA sent a proposal to the controller to remove the data subject’s photos and pseudonymise their name. The controller rejected the proposal and offered the alternative of de-indexing the articles concerning the data subject. The data subject rejected the option of de-indexing the articles. The DPA found that displaying the name of a data subject in a news article years after the original publishing no longer serves the purpose for which the data were processed. Specifically, the DPA found that there was no public interest in the data subject’s identity, since they were not a public figure. At the same time, it noted that fraud as a criminal offence is a matter of public interest. However, the DPA emphasised that reporting the offence can be done without publishing personal data. Finally, the DPA noted that public interest diminishes over time and 14 years had passed since the oldest articles were published. Additionally, the DPA found the infringement on the data subject’s rights to be excessive and an obstacle to their hiring prospects, amounting to a permanent infringement on the rights of a rehabilitated person. The DPA emphasised the vulnerability of the data subject due to the information being disclosed over the internet. Finally, the DPA found that de-indexing would reduce the availability of the articles, but would no
GDPR Articles Cited
National Law Articles
The data subject filed a complained with the Estonian DPA (AKI) on 11 December 2023. They alleged a violation of Article 4 of the Estonian Personal Data Protection Act (as it implements the GDPR in national law) by the Estonian Public Broadcaster (the controller). The data subject requested an order against the controller to remove the data subject’s photos from articles and to pseudonymise their name. In its first decision on 28 June 2024, the DPA found no violation against the controller. The data subject appealed the DPA's decision. In the appeal, the court ordered the DPA to re-examine the data subject’s complaint. Subsequently, the DPA sent a proposal to the controller to remove the data subject’s photos and pseudonymise their name. The controller rejected the proposal and offered the alternative of de-indexing the articles concerning the data subject. The data subject rejected the option of de-indexing the articles. The DPA found that displaying the name of a data subject in a news article years after the original publishing no longer serves the purpose for which the data were processed. Specifically, the DPA found that there was no public interest in the data subject’s identity, since they were not a public figure. At the same time, it noted that fraud as a criminal offence is a matter of public interest. However, the DPA emphasised that reporting the offence can be done without publishing personal data. Finally, the DPA noted that public interest diminishes over time and 14 years had passed since the oldest articles were published. Additionally, the DPA found the infringement on the data subject’s rights to be excessive and an obstacle to their hiring prospects, amounting to a permanent infringement on the rights of a rehabilitated person. The DPA emphasised the vulnerability of the data subject due to the information being disclosed over the internet. Finally, the DPA found that de-indexing would reduce the availability of the articles, but would no
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Estonian Public Broadcasting in EE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Estonian Public Broadcasting - Estonia (2025). Retrieved from cookiefines.eu
Last updated: