Zu Disain OÜ – Violation Found (Estonia, 2025)

The Estonian land register is publicly accessible and includes information about immovable property and its owners. A company, Zu Disain OÜ (the controller), used an automated solution (i.e. a script) to perform mass queries from the electronic land register. The Estonian DPA (AKI) launched an investigation into the controller for its processing of personal data from the electronic land register. The DPA noted that the controller may primarily rely on legitimate interest (Article 6(1)(f) GDPR) for the processing of personal data through automated queries. However, the DPA found that the controller could not have a legitimate interest for processing the data from the electronic land register due to its main business activity being non-specialised wholesale trade. Thus, the DPA concluded that the controller did not have a legal basis for the processing of personal data from the electronic land register. Furthermore, the controller did not provide an official explanation to the DPA’s inquiry during the investigation. Therefore, the DPA ordered the erasure of all personal data processed by the controller form the electronic land register, or, refusing to do so, a justification regarding the legal basis the controller relies upon for the processing activities. A penalty of €2,000 may be imposed repeatedly if the controller failed to comply with the order.