DirectMarketing OÜ – Complaint Upheld (Estonia, 2025)

The data subject contacted DirectMarketing OÜ (the controller) via email on 2 June 2025 requesting a copy of all their personal data processed by the controller. The data subject sent a second email to the controller on 10 June 2025. The controller did not reply to any of the data subject's requests. The data subject filed a complaint with the Estonian DPA on 29 June 2025 requesting help in receiving a copy of all their personal data processed by the controller and asking for those data to be deleted afterwards. The DPA forwarded the data subject’s request to the controller and initiated a supervisory procedure on 21 July 2025 due to a lack of response on the part of the controller. The controller confirmed over the phone on 11 August 2025 that it had received the DPA’s requests but did not submit a response to them by the time the DPA issued a decision on 05 September 2025. The DPA held that the controller must respond to the data subject’s request to access based on Article 15(3) GDPR, providing the data subject with a copy of their personal data or informing them of the grounds for refusal. Moreover, the controller must comply with the data subject’s request for erasure of personal data based on Article 17(1)(c) GDPR or inform them of the reasons for refusal. The DPA issued a warning and ordered the controller to respond to the data subject’s requests, or, failing to do so, receive a fine of €2,000 that may be imposed repeatedly until the controller complies with the order.