Ida-Tallinna Keskhaigla – Court Ruling (Estonia, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 13 February 2023, the DPA imposed a fine of €200,000 on Ida-Tallinna Central Hospital (‘controller’) for the unlawful disclosure of health data within the meaning of Article 9(1) GDPR. A member of the management board threw the data into an open bin outside the hospital that was accessible to the public. With this conduct, the controller violated the requirement of Article 32(1)(b) GDPR to ensure the confidentiality of the services processing personal data. Pursuant to Article 62 PDPA, the controller committed a misdemeanour. The controller appealed the decision of the DPA.
On 31 August 2023, the Harju County Court (‘first instance court’) annulled the decision of the DPA and ruled that the controller could not be punished for committing a misdemeanour because the principle of derivative liability applied. According to this principle: 1) a legal person, such as a hospital, can only be liable for an offence if the conduct of its body, member, manager, or competent representative met all the elements of a tort or delict, and 2) if the act was committed in the interests of the legal person. In this case, the violation was attributed to a member of the management board, but the misconduct did not meet all the legal elements of an offence committed in the interest of the hospital. Since this was not the case, the hospital could not be held liable for the alleged infringement.
On 21 December 2023, an appeal against the decision of the first instance court was filed by an out of court proceeding by the data subject, which sought the annulment of the above decision. The controller argued in the appeal proceedings that the misdemeanour proceedings should be terminated because the offence is time-barred according to 29(1)(5) of the Code of Misdemeanour Procedure (‘VTMS’). The Supreme Court clarified that in Estonia, due to the unique structure of its legal system, fines for GDPR violations are imposed through misdemeanour procedures by a supervisory authority. The sam
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Ida-Tallinna Keskhaigla in EE
This is the only recorded case for this entity in this jurisdiction.
Cite as: Cookie Fines. Ida-Tallinna Keskhaigla - Estonia (2024). Retrieved from cookiefines.eu