Nura OÜ – Complaint Upheld (Estonia, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Two patients (the data subjects) submitted access requests to Nura OÜ (the controller) on 12 May 2025 and 16 May 2025, respectively, in order to obtain copies of the final results of their treatment and the scans of their retainers. The same month, the data subjects filed complaints to the Estonian DPA (AKI) alleging that the controller did not disclose the medical information they requested. During the proceedings in front of the DPA, the controller claimed that it informed in August 2025 the two data subjects of the fact that it had not received the files from the manufacturer at that time. The DPA found that the controller did not provide the data subjects with the requested copies of medical data. Therefore, the DPA issued a warning to the controller, ordering it to provide the data subjects with a copy of the final results of their treatment and the scans of their retainers. The DPA specified that, if the controller failed to abide with the order, a fine of €2,000 may be imposed until the order was complied with.
GDPR Articles Cited
Two patients (the data subjects) submitted access requests to Nura OÜ (the controller) on 12 May 2025 and 16 May 2025, respectively, in order to obtain copies of the final results of their treatment and the scans of their retainers. The same month, the data subjects filed complaints to the Estonian DPA (AKI) alleging that the controller did not disclose the medical information they requested. During the proceedings in front of the DPA, the controller claimed that it informed in August 2025 the two data subjects of the fact that it had not received the files from the manufacturer at that time. The DPA found that the controller did not provide the data subjects with the requested copies of medical data. Therefore, the DPA issued a warning to the controller, ordering it to provide the data subjects with a copy of the final results of their treatment and the scans of their retainers. The DPA specified that, if the controller failed to abide with the order, a fine of €2,000 may be imposed until the order was complied with.
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Nura OÜ in EE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Nura OÜ - Estonia (2025). Retrieved from cookiefines.eu
Last updated: