| Dokumendiregister | Andmekaitse Inspektsioon |
| Viit | 2.2-9/25/252-2 |
| Registreeritud | 31.01.2025 |
| Sünkroonitud | 03.02.2025 |
| Liik | Väljaminev kiri |
| Funktsioon | 2.2 Loa- ja teavitamismenetlused |
| Sari | 2.2-9 Selgitustaotlused |
| Toimik | 2.2-9/2025 |
| Juurdepääsupiirang | Avalik |
| Juurdepääsupiirang | |
| Adressaat | Live Nation Entertainment |
| Saabumis/saatmisviis | Live Nation Entertainment |
| Vastutaja | Grete-Liis Kalev (Andmekaitse Inspektsioon, Koostöö valdkond, Koolitus- ja ennetustiim) |
| Originaal | Ava uues aknas |
ERAELU KAITSE JA RIIGI LÄBIPAISTVUSE EEST
Tatari tn 39 / 10134 Tallinn / 627 4135 / [email protected] / www.aki.ee / registrikood 70004235
Yours: 23.01.2025 Ours: 31.01.2025 nr 2.2-9/25/252-2
Answer to request Estonian Data Protection Inspectorate (EDPI) received your question regarding registering a data protection officer (DPO) in Estonia. In your request you have not further explained where the decisions on the purposes and means of the processing of personal data are taken and if the company is registered in Estonia. Firstly, Working Party 28 Guidelines on DPOs note that the controller or the processor is required to communicate the contact details of the DPO to the relevant supervisiory authorities. If the main establishment is located in Estonia (Article 4 (16) GDPR), the controller is required to notify EDPI the contact details of the DPO. Therefore, it is necessary to determine if you carry out activities in Estonia which require to designate a DPO. The easiest way to notify the DPO’s contacts to EDPI is through the e-Business register portal, if the company is registered in Estonia. Notification to the register can be made by a person who is legally entitled to represent the company (e.g. a member of the Management Board). It is not necessary to notify EDPI separately if you enter the notification through e-Business register portal. If it is not possible to enter the notification through e-Business portal, you can send us the notification by post or digitally (if the said digital signature is valid in accordance with the eIDAS Regulation (Regulation (EU) No 910/2014 of the European Parliament and of the Council). Secondly, where Article 3(2) GDPR applies, the controller or the processor shall designate in writing a representative in the Union according to Article 27 (1) GDPR. Article 27 (3) GDPR specifies that the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are. If a significant proportion of data subjects whose personal data are processed are located in one particular Member State, the EDPB recommends, as a good practice that the representative is established in that same Member State.1 Therefore, if a significant proportion of data subjects whose personal data are processed are located in Estonia, it is recommended to establish the representative in Estonia. To summarize, you may notify the contacts of your DPO through e-Business register portal if the company is registered in Estonia. If the company is not established in Estonia or in any other Member State, you are required to designate a representative. I hope this answers your question. Best regards Grete-Liis Kalev
Lawyer
authorized by Director General
1 European Data Protection Board, “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)”,
12 November 2019.
| Nimi | K.p. | Δ | Viit | Tüüp | Org | Osapooled |
|---|