Nura OÜ – Complaint Upheld (Estonia, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Nura OÜ was warned by the Estonian DPA for not providing two patients with their requested medical information. This is important because it emphasizes the right of individuals to access their own health data. Companies in healthcare must ensure they comply with access requests to avoid penalties.
What happened
Nura OÜ did not provide two patients with copies of their medical data as requested.
Who was affected
Two patients who requested access to their medical treatment results and scans.
What the authority found
The Estonian DPA ordered Nura OÜ to provide the requested medical information, stating it failed to comply with Article 15 of the GDPR.
Why this matters
This ruling reinforces the obligation for healthcare providers to grant patients access to their medical records. It serves as a reminder for businesses to have clear processes for handling such requests.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Two patients (the data subjects) submitted access requests to Nura OÜ (the controller) on 12 May 2025 and 16 May 2025, respectively, in order to obtain copies of the final results of their treatment and the scans of their retainers. The same month, the data subjects filed complaints to the Estonian DPA (AKI) alleging that the controller did not disclose the medical information they requested. During the proceedings in front of the DPA, the controller claimed that it informed in August 2025 the two data subjects of the fact that it had not received the files from the manufacturer at that time. The DPA found that the controller did not provide the data subjects with the requested copies of medical data. Therefore, the DPA issued a warning to the controller, ordering it to provide the data subjects with a copy of the final results of their treatment and the scans of their retainers. The DPA specified that, if the controller failed to abide with the order, a fine of €2,000 may be imposed until the order was complied with.
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Nura OÜ in EE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Nura OÜ - Estonia (2025). Retrieved from cookiefines.eu
Last updated: