Estonian Public Broadcasting – Complaint Upheld (Estonia, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Estonian DPA ruled that the Estonian Public Broadcasting must remove a person's photos and pseudonymize their name from news articles. The DPA found that keeping the person's identity visible no longer served a public interest after many years. This case highlights the importance of protecting individuals' privacy, especially for non-public figures.
What happened
The DPA ordered the Estonian Public Broadcasting to remove a person's photos and change their name in articles.
Who was affected
A private individual whose photos and name were published in news articles was affected.
What the authority found
The DPA concluded that the broadcaster's continued display of the person's identity was excessive and not justified by public interest.
Why this matters
This decision emphasizes that the need for privacy increases over time, especially for individuals who are not public figures. Companies should regularly review how they handle personal data to avoid infringing on privacy rights.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The data subject filed a complained with the Estonian DPA (AKI) on 11 December 2023. They alleged a violation of Article 4 of the Estonian Personal Data Protection Act (as it implements the GDPR in national law) by the Estonian Public Broadcaster (the controller). The data subject requested an order against the controller to remove the data subject’s photos from articles and to pseudonymise their name. In its first decision on 28 June 2024, the DPA found no violation against the controller. The data subject appealed the DPA's decision. In the appeal, the court ordered the DPA to re-examine the data subject’s complaint. Subsequently, the DPA sent a proposal to the controller to remove the data subject’s photos and pseudonymise their name. The controller rejected the proposal and offered the alternative of de-indexing the articles concerning the data subject. The data subject rejected the option of de-indexing the articles. The DPA found that displaying the name of a data subject in a news article years after the original publishing no longer serves the purpose for which the data were processed. Specifically, the DPA found that there was no public interest in the data subject’s identity, since they were not a public figure. At the same time, it noted that fraud as a criminal offence is a matter of public interest. However, the DPA emphasised that reporting the offence can be done without publishing personal data. Finally, the DPA noted that public interest diminishes over time and 14 years had passed since the oldest articles were published. Additionally, the DPA found the infringement on the data subject’s rights to be excessive and an obstacle to their hiring prospects, amounting to a permanent infringement on the rights of a rehabilitated person. The DPA emphasised the vulnerability of the data subject due to the information being disclosed over the internet. Finally, the DPA found that de-indexing would reduce the availability of the articles, but would no
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Estonian Public Broadcasting in EE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Estonian Public Broadcasting - Estonia (2025). Retrieved from cookiefines.eu
Last updated: