Document register | Andmekaitse Inspektsioon |
Reference | 2.2-9/25/69-2 |
Registered | 21.01.2025 |
Synchronized | 22.01.2025 |
Type | Outgoing letter |
Function | 2.2 Authorization and notification procedures |
Series | 2.2-9 Requests for explanation |
File | 2.2-9/2025 |
Access restriction | Public |
Addressee | Privacy Data Partners SRL |
Method of receipt/dispatch | Privacy Data Partners SRL |
Responsible person | Grete-Liis Kalev (Andmekaitse Inspektsioon, Cooperation area, Training and prevention team) |
FOR THE PROTECTION OF PRIVACY AND THE TRANSPARENCY OF THE STATE
Tatari tn 39 / 10134 Tallinn / 627 4135 / [email protected] / www.aki.ee / registry code 70004235
Andrada Mateiciuc
Yours: 08.01.2025 No. Ours: 21.01.2025 No. 2.2-9/25/69-2
Answer to request

Estonian Data Protection Inspectorate (EDPI) received your letter regarding notifying us of your clients’ data protection officer (DPO). To answer your question, it is necessary to determine whether your client’s main establishment is in Estonia and if the activities conducted require a DPO.

Firstly, Article 4 (16) GDPR defines “main establishment”. In your request you mentioned that the company is registered in Romania. Romania might be the main establishment, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment.

Article 37 (1) GDPR stipulates that the controller and the processor shall designate a data protection officer in any case where:
a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Therefore, if the decisions on the purposes and means of the processing of personal data are taken in Estonia, the main establishment is in Estonia. If the main establishment is in Estonia pursuant to Article 4 (16) GDPR, then Estonian DPI is the Lead Supervisory Authority according to Article 56 GDPR. Hence, the controller or processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority (Article 37 (7) GDPR).

To conclude, if you determine that your clients’ main establishment is in Estonia and according to Article 37 GDPR you are required to designate a DPO, you shall notify us of the contacts of the designated DPO. Read more about it here.

Read more about data protection officers: Guidelines on Data Protection Officers.

Best regards
Grete-Liis Kalev
Lawyer
authorized by Director General