Kiri

Hello

We`ll let You know, that Transport Administration is now closed Your request. It means that You have to submit new request if Your wish is to gain information form our traffic register. If You submit new request, then You have to present justified legitimate interest analysis as well. With out this analysis we can`t take an action with processing You request.

Best regards

Martin Tubalkain

Vehicle and Registry Service Manager

+372 598 17 141

www.transpordiamet.ee

Valge 4 / 11413 Tallinn / Transpordiamet

Hello

Please let us know, what is Your decision of proceeding the contract. We`ll wait Your answer till the end of the next week and after that we`ll close Your request. If we close the request then it means that You have to provide us new application.

If You want to preceed, then You have to consider that we can give out only data of the vehicles which have violated the parking terms. If there is some ohter violations like traffic violations, speed or red-light offences etc then in this case we do not give out car owners data.

Also if we proceed You need to present justified legitimate interest analysis according to our Data Protection Inspectorate. In attachment is questions in Estonian, that is translated in English down below.

In this analysis You have to answer next questions:

What does the processing operation involve? (Description) Why is processing based on legitimate interest necessary?

Identification of Legitimate Interest

What is the purpose of the processing operation?

Is the processing necessary to achieve one or more of the company’s objectives?

Is the processing necessary to achieve one or more objectives of a third party?

Does the GDPR, the ePrivacy Regulation, or any other legal act identify the processing operation as a legitimate activity through a positive outcome of a balancing test?

Is the interest behind the processing “legitimate”?

Necessity

Why is the processing operation necessary for the data controller?

Why is the processing operation important for other parties to whom the data may be disclosed (if relevant)?

Is there another way to achieve the purpose?

Balancing Test

Can the individual reasonably expect such processing?

Does the processing add value to the product or service used by the individual?

Is the processing operation likely to negatively affect the individual’s rights?

Could the processing operation result in unwarranted harm or distress to the individual?

Would not carrying out the processing operation result in harm to the data controller?

Would not carrying out the processing operation result in harm to a third party?

Is the processing operation carried out in the interest of the data subject?

Is the legitimate interest of the data subject balanced with the legitimate interest of the party relying on the legitimate interest exemption?

What is the relationship between the individual and the company?

What is the nature of the data being processed? Does it include special category data?

Does a bilateral relationship exist between the company and the individual whose data is being processed? If yes, how close is the relationship?

Does the processing restrict or infringe upon the individual’s rights?

Were the personal data obtained directly from the individual or indirectly?

Is there a relationship of subordination or power between the individual and the company?

Is it likely that the individual would expect their data to be processed for this purpose?

Can the processing be considered intrusive or inappropriate? Would it be seen as such by the individual or based on the context of the relationship?

Have privacy terms been disclosed to the individual? How?

Can the individual whose data is being processed easily control or object to the processing operation?

Can the scope of processing be adjusted to reduce significant privacy risks?

Safeguards and Compensating Controls

Safeguards include various compensating controls or measures that may be implemented to protect individuals or reduce the risks or potential negative effects associated with the processing. These are likely identified in data protection impact assessments (DPIAs), for example:

data minimisation, de-identification, technical and organisational measures, privacy by default, additional transparency, extra layers of encryption, multi-factor authentication, data retention controls, restricted Access, opt-out mechanisms, hashing and other data protection-related technical security methods

Have the necessary safeguards been implemented?

Best regards

Martin Tubalkain

Vehicle and Registry Service Manager

+372 598 17 141

www.transpordiamet.ee

Valge 4 / 11413 Tallinn / Transpordiamet

Hello

Like we mentioned eralier, then we can provide car owner data for the violations that is connected with parking.

Your request is not enough for giving out data for another violations (road traffic violations, including speed or red-light offences and non-compliance with Low Emission Zone (LEZ) regulation). You have to provide contracts with local authorities or state, where can be seen that You have rights to collect debt on the name of authotity.

Best regards

Martin Tubalkain

Vehicle and Registry Service Manager

+372 598 17 141

www.transpordiamet.ee

Valge 4 / 11413 Tallinn / Transpordiamet

Hello,

Thank you for your message and for the clarification regarding access to car owner data.

We confirm that our sole purpose for requesting access to restricted vehicle owner/user data is strictly related to processing of unpaid parking fines, road traffic violations (including speed or red-light offences), and non-compliance with Low Emission Zone (LEZ) regulations.

These violations are documented, and we act on behalf of relevant authorities or partners with proper mandates and legal grounds.

We fully understand and respect the limitation you mentioned and confirm that we are not requesting personal data for any other purpose outside the scope of traffic and parking enforcement.

Please let us know if any further documentation is required to support this.

Also, could you please clarify whether we are required to access the Traffic Register data specifically through X-Road, or is it also possible to use the standard DEP HTTPS service?

If X-Road is mandatory, could you provide guidance on registration and technical setup?

Looking forward to your confirmation.

Pagarbiai / Regards

Kristina Panačiova

Mob. tel.: +370 60168141

Hello

The fulfilled contract form, that was attached is not correct. We provide personal data only through x-road service.

But to proceed processing Your request, we have to point out that we do not provide car owners personal data to private companies, except when request is concerns the processing of parking fines. If Your wish ist o get car owners personal data froma another purpose, then we do not do the agreement.

Best regards

Martin Tubalkain

Vehicle and Registry Service Manager

+372 598 17 141

www.transpordiamet.ee

Valge 4 / 11413 Tallinn / Transpordiamet

Tere,

Saadame Teile meie poolt allkirjastatud lepingu ning allkirjastatud põhjenduse piiratud andmete kasutamiseks.

Kas Te saaksite palun kinnitada, kas need dokumendid on piisavad, või vajate täiendavaid andmeid ja lisadokumente (nt lepinguid võlausaldajatega, fotosid jms)?

_________________________________________________________________________________________________________________________________________

Hello,

Please find attached the signed agreement from our side, along with the signed justification for restricted data access.

Could you kindly confirm if these documents are sufficient, or if you require any additional details or supporting documentation (e.g., agreements with creditors, photos, etc.)?

Thank you in advance for your guidance.

Pagarbiai / Regards

Kristina Panačiova

Projektų vadovė / Project manager

Mob. tel.: +370 60168141

E-mail: [email protected]

Savanoriu pr. 123A,

LT-03150 Vilnius

Lithuania