Document register | Andmekaitse Inspektsioon |
Reference | 2.2-9/25/1291-2 |
Registered | 12.05.2025 |
Synchronised | 13.05.2025 |
Type | Outgoing letter |
Function | 2.2 Authorisation and notification procedures |
Series | 2.2-9 Requests for clarification |
File | 2.2-9/2025 |
Access restriction | Public |
Addressee | DNAlyse |
Method of receipt/dispatch | DNAlyse |
Person responsible | Grete-Liis Kalev (Andmekaitse Inspektsioon, Cooperation area, Training and Prevention Team) |
FOR THE PROTECTION OF PRIVATE LIFE AND THE TRANSPARENCY OF THE STATE
Tatari tn 39 / 10134 Tallinn / 627 4135 / [email protected] / www.aki.ee
Registry code 70004235
Branko Trajkovski
DNAlyse
Yours: 24.04.2025 / Ours: 12.05.2025 No. 2.2-9/25/1291-2
Answer to request

The Estonian Data Protection Inspectorate (EDPI) received your inquiry. In your inquiry you have not further explained your exact questions. Therefore, we will explain the requirements for assigning a data protection officer (DPO). You have explained that DNAlyse will be re-selling the DNA testing kits and hosting the reports.

Firstly, Article 37 GDPR applies to both controllers and processors. The Working Party 29 guidelines on DPOs specify that it is good practice for the processor to also assign a DPO even if the controller fulfils the criteria for mandatory designation of a DPO.[1] Therefore, the first step is to determine your roles with the distributors (controller, processor or joint processor) regarding the processing of personal data and to maintain a record of processing (Article 30 GDPR). Even if you are a processor, it is recommended that you assign a DPO because you would be hosting reports that contain special categories of data. Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection, as the context of their processing could create significant risks to the fundamental rights and freedoms (Recital 51 GDPR). With that in mind, it might be necessary to conduct a data protection impact assessment pursuant to Article 35 GDPR. We recommend you read more about the concepts of controller and processor in the EDPB guidelines.[2]

Secondly, the Working Party 29 Guidelines on DPOs explain that the controller or the processor is required to communicate the contact details of the DPO to the relevant supervisory authorities.[3] If the main establishment is in Estonia (Article 4(16) GDPR), the controller is required to notify EDPI of the contact details of the DPO. Therefore, it is necessary to determine whether you carry out activities in Estonia which require you to designate a DPO.

The easiest way to notify the DPO's contacts to EDPI is through the e-Business register portal, if the company is registered in Estonia. The notification to the register can be made by a person who is legally entitled to represent the company (e.g. a member of the Management Board). It is not necessary to notify EDPI separately if you enter the notification through the e-Business register portal. If it is not possible to enter the notification through the e-Business portal, you can send us the notification by post or digitally (if the digital signature used is valid in accordance with the eIDAS Regulation (Regulation (EU) No 910/2014 of the European Parliament and of the Council)).

Thirdly, where Article 3(2) GDPR applies, the controller or the processor shall designate in writing a representative in the Union according to Article 27(1) GDPR. Article 27(3) GDPR specifies that the representative shall be established in one of the Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are. If a significant proportion of the data subjects whose personal data are processed are located in one particular Member State, the EDPB recommends, as good practice, that the representative is established in that same Member State.[4] Therefore, if a significant proportion of the data subjects whose personal data are processed are located in Estonia, it is recommended to establish the representative in Estonia.

To summarize, it is imperative to establish clear roles and responsibilities and to define the specific personal data that is being processed. Furthermore, ensure that all processing activities are in accordance with the GDPR. You may notify the contacts of your DPO through the e-Business register portal if the company is registered in Estonia. If the company is not established in Estonia or in any other Member State, you are required to designate a representative.

Respectfully,
Grete-Liis Kalev
lawyer
authorized by the Director General

[1] Article 29 Data Protection Working Party, "Guidelines on Data Protection Officers ('DPOs')", adopted on 13 December 2016, as last revised and adopted on 5 April 2017.
[2] European Data Protection Board, "Guidelines 07/2020 on the concepts of controller and processor in the GDPR", Version 2.1, adopted on 07 July 2021.
[3] Article 29 Data Protection Working Party, "Guidelines on Data Protection Officers ('DPOs')", adopted on 13 December 2016, as last revised and adopted on 5 April 2017.
[4] European Data Protection Board, "Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)", 12 November 2019.