Answer to request

Hello

The Data Protection Inspectorate (DPI) has received your notification regarding the appointment of a data protection Officer (DPO) for the company. According to the Commercial Register, you have already appointed yourself as the DPO of your company since 25th of May 2026. Nevertheless, we find it necessary to clarify the following for your information.

DPI accepts appointment notifications when: 

1) the notification has been digitally or handwritten signed by a person who is registered in the Commercial Register as having the right of representation for the company/organisation, or

2) if the signatory acts on the basis of an authorisation, a power of attorney signed by the authorised representative of the company/organisation is attached to the notification. A representative of one company/organisation cannot, without authorisation, submit a notification on behalf of another company/organisation – even if they are a parent company or a higher-level institution.

The simplest way to notify the appointment of a data protection officer in Estonia is through the e-Business Register portal https://ariregister.rik.ee/eng. In that case, there is no need to send a separate notification to the Data Protection Inspectorate. The notification can be submitted by a person who is registered in the Commercial Register as having the right of representation.

The data protection officer becomes the contact person for the employer before the Inspectorate. Communication between the DPO, the DPI, and data subjects must be conducted in Estonian.

We also find it necessary to clarify that, regarding the duties of a data protection officer, a member of the management board generally cannot simultaneously serve as the organisation’s data protection officer, especially in situations where the company has only one board member or where joint representation applies in all matters. Being a board member is not merely an entry in the Register; the role carries specific tasks and responsibilities, including making business decisions, ensuring the functioning of the organisation, maintaining an effective financial management system, organising accounting, etc.

According to the General Data Protection Regulation, in order to ensure the independence of the data protection officer, controllers and processors must not: 

- give instructions regarding the performance of the data protection officer’s tasks;

- dismiss or penalise the data protection officer for performing their duties;

- place the data protection officer in a situation of conflict of interest with other possible tasks and responsibilities.

The role of data protection officer may indeed be fulfilled by an internal employee of the company (as a full-time role or an additional task) or by an external natural or legal person (e.g., under a service contract), but it is essential that no conflict of interest exists.

The absence of a conflict of interest is closely linked to the requirement that the data protection officer must be able to act independently. When a person is a member of the management board, this already provides an initial indication that a conflict may exist between the roles of board member and data protection officer.

A conflict of interest may arise in positions such as senior management roles (including CEO, production manager, CFO, head of medical services, marketing manager, HR manager, or IT manager), but also in lower-level positions within the organisational structure if they involve decision-making regarding the purposes and means of processing personal data. A conflict of interest may also arise if an external data protection officer is asked to represent the controller or processor in court in matters related to data protection.

For information on the processing of personal data, we recommend reviewing the information available on the Data Protection Inspectorate’s website www.aki.ee.  More information about DPO-s is available here  https://www.aki.ee/en/inspectorate-news-information-dpo-s/information-dpo-s (in English) and here https://www.aki.ee/isikuandmed/andmetootlejale/andmekaitsespetsialist (in Estonian).

We would like to clarify that the Etonian Data Protection Inspectorate does not offer such training courses. Every company should keep in mind, that It is important that the competence of a DPO meets the requirements set out in the GDPR. AKI does not certify DPOs. Such services and training are primarily provided by training institutions (for example University of Tallinn etc), while DPO services are often offered by law firms with specific training.

Best Regards

Andmekaitse Inspektsioon

ERAELU KAITSE JA RIIGI LÄBIPAISTVUSE EEST
Tatari 39 | 10134 Tallinn | Eesti
LinkedIn | YouTube 

-----Original Message-----

From: [email protected] <[email protected]>

Sent: Monday, May 25, 2026 11:12 AM

To: info - AKI <[email protected]>

Subject: DPO Designation Notification and Training Enquiry — ANBORELA CREATIVE FINTECH OÜ (14746683)

Tähelepanu! Tegemist on välisvõrgust saabunud kirjaga.

Tundmatu saatja korral palume linke ja faile mitte avada.

Subject: DPO Designation Notification and Training Enquiry — ANBORELA CREATIVE FINTECH OÜ (14746683)

Dear Andmekaitse Inspektsioon,

My name is Francisco Javier Moreno, founder and sole director of ANBORELA CREATIVE FINTECH OÜ, a private limited company registered in Estonia under e-Residency (registry code 14746683, address: Pärnu mnt 139c, Kesklinna linnaosa, Tallinn, 11317).

I am writing for two purposes:

1. DPO DESIGNATION NOTIFICATION

I wish to formally notify the designation of a Data Protection Officer for ANBORELA CREATIVE FINTECH OÜ, as follows:

— Name: Francisco Javier Moreno

— Role: Founder and Data Protection Officer — Professional email: [email protected] — Company: ANBORELA CREATIVE FINTECH OÜ — Registry code: 14746683

Could you please confirm the correct procedure and form to formalise this notification?

2. PROJECT DESCRIPTION

ANBORELA is an independent European research project developing a non-clinical conversational AI system to support people in addiction and behavioural recovery. The system is currently in a pre-deployment phase and has been voluntarily submitted to ethics review before any public access.

The project processes special category data (health-adjacent, anonymised at point of collection) and is designed in full compliance with GDPR and the EU AI Act. All data is stored on European infrastructure.

3. DPO TRAINING ENQUIRY

I understand that your Inspectorate offers online training courses for Data Protection Officers. Could you please provide information on upcoming courses, registration procedures, and any certification recognised under Estonian or EU law?

Thank you for your assistance. I am available to provide any additional documentation required.

Yours sincerely,

Francisco Javier Moreno

Founder & DPO — ANBORELA CREATIVE FINTECH OÜ [email protected] Pärnu mnt 139c, Tallinn, 11317 Estonia