| Document register | Transport Administration |
| Reference | 3.2-7/25/14218-3 |
| Registered | 27.10.2025 |
| Synchronised | 28.10.2025 |
| Type | Incoming letter |
| Function | 3.2 Contract management |
| Series | 3.2-7 Contract-related correspondence |
| File | 3.2-7/2025 |
| Access restriction | Public |
| Access restriction | |
| Addressee | UAB TRAFIPARK |
| Method of arrival/dispatch | UAB TRAFIPARK |
| Responsible person | Martin Tubalkain (Users, Traffic Service, Vehicles Register Department) |
AGREEMENT ON ACCESS TO TRAFFIC REGISTRY DATA No.
Estonian Transport Administration, registry code 70001490, address Valge 4, 11413
Tallinn, represented by authorised representative Märten Surva, Head of the Vehicles Register Department (hereinafter referred to as the Possessor)
and
UAB TRAFIPARK, registry code 306362443, address Savanorių pr. 123A-3, 03150 Vilnius, Lithuania (hereinafter referred to as the User), represented by Managing Director Audrius Astrauskas (hereinafter referred to separately as the Party or jointly as the Parties),
on the basis of, inter alia:
– the Road Traffic Act (hereinafter referred to as the RTA), in particular subsection 184 (12) thereof;
– Decree of the Government of the Republic No. 75 of 16 June 2011 Statutes of the Traffic Register (“Liiklusregistri pidamise põhimäärus”);
– Regulation of the Government of the Republic No. 105 of 23 September 2016 Data Exchange Layer for Information Systems (“Infosüsteemide andmevahetuskiht”);
– Regulation of the Minister of Economic Affairs and Communications No. 46 of 21 June 2011 Procedure for Accessing Electronic Data in the Traffic Register (“Liiklusregistri elektroonsetele andmetele juurdepääsu kord”), particularly subsection 3 (3) thereof;
– traffic register data exchange service specification (available on the Possessor’s website at https://transpordiamet.ee/liiklusregistrist-andmete-valjastamine),
have concluded this Agreement on access to traffic register data (hereinafter referred to as the
Agreement) under the following terms and conditions:
1. OBJECT OF AGREEMENT
1.1. The object of the Agreement is the provision of access to the Traffic Register data
(hereinafter referred to as the Data) to the User
via the data exchange platform (hereinafter referred to as the DEP) (hereinafter referred to as the Service).
1.2. The purpose of the agreement is to use the data for the identification and verification of vehicle-related information, including the owner/user details, in order to process and manage debt recovery, legal claims, or other lawful enforcement activities related to the
vehicles. The data will only be used for legitimate and proportionate purposes in compliance with applicable data protection laws.
1.3. The User has the right to process the Data only for legitimate purposes that are not in conflict with the provisions of laws and regulations.
1.4. The service is available 24 hours a day, with active working hours Mon-Fri 8:00-17:00.
1.5. The User confirms that they have thoroughly read and understood the Agreement and its Annexes and all of the laws and regulations, Possessor’s service descriptions and
instructions and other documents referred to in the Agreement.
1.6. By signing the Agreement, the User confirms that they are authorised to use the Service
and the data will be processed only for the purposes stated in the Agreement, for specified
and legitimate purposes and in accordance with laws and regulations.
2. TERMS AND DEFINITIONS
The definitions used in this Agreement and any annexes thereto shall have the following
meanings:
2.1. Data – the data entered in the Traffic Register referred to in Annex 1 to the Agreement.
2.2. Data Exchange Platform (DEP) – access in XML format provided to the User on the basis of the HTTPS protocol, according to the DEP package selected and the data group defined for the service.
2.3. DEP package – maximum number of requests allowed per month.
2.4. Incident – a failure or malfunction of the Service.
2.5. Request – return of Data on the basis of predefined inputs.
2.6. Service – the solution for the provision of and/or accessing the Traffic Register data
developed by the Possessor.
2.7. Active hours – the time when the Possessor resolves incidents.
2.8. Hours of operation – around the clock.
3. AGREEMENT VALUE
3.1. The price list for the service is published on the Possessor’s website
https://transpordiamet.ee/andmevahetusplatvorm.
3.2. The cost of the service consists of the selected DEP package and the number of selected
data groups.
3.3. The calculation of the monthly fee shall start from the moment the Agreement enters into
force. Payment shall be made once per month on the basis of the invoice submitted by the
Possessor and within the time limit indicated thereon. The invoice must be paid within seven days.
3.4. When paying the invoice, you must indicate, among other things, the reference number shown on the invoice.
4. OBLIGATIONS OF PARTIES
4.1. The Possessor shall:
4.1.1. ensure the forwarding of the data in Annex 1 to the Agreement to the User without any obligation on the part of the Possessor to resolve any incidents within a specified time;
4.1.2. resolve incidents within a reasonable time;
4.1.3. provide explanations to the User about the object of Agreement, if necessary.
4.2. The User undertakes to:
4.2.1. process data obtained under the Agreement only to the extent necessary for the
performance of their tasks under the Agreement and for purposes that are not in conflict
with the RTA and the laws and regulations adopted pursuant thereto or other laws and regulations;
4.2.2. not store the data, unless otherwise provided by law or the Agreement;
4.2.3. not transmit or otherwise disclose the Data to third parties, except in cases provided
by law or with the agreement of the Parties, or enter into agreements with third parties
for the processing, transfer or other disclosure of the Data to third parties;
4.2.4. ensure the lawful use of the service by means of organisational, physical and IT security
measures;
4.2.5. not exceed the maximum number of daily requests under the DEP package;
4.2.6. immediately notify the Possessor of any incidents using the following e-mail address:
[email protected];
4.2.7. process the usernames and passwords that enable using the Service in a manner that
ensures their confidentiality;
4.2.8. immediately inform the Possessor of any disclosure of the description of the use of data
or usernames/passwords to third parties or the public, theft of information technology or other circumstances that may lead to the use of data by unauthorised persons;
4.2.9. pay for the Service in accordance with the Agreement;
4.2.10. have a static IP address.
5. SUPERVISION AND LIABILITY
5.1. The Possessor has the right to verify at any time the lawfulness of the processing of the
Data and the User's compliance with the terms and conditions of the Agreement. To this end, the Possessor shall submit to the User an enquiry, at least in a form that can be reproduced in writing, to which the User must provide a substantial reply within five
working days by submitting photos or other relevant evidence at the request of the Possessor.
5.2. The User is aware that in the event of a breach, non-fulfilment or improper fulfilment of the obligations undertaken in the Agreement, including the data processing requirements and any statutory personal data processing requirements, the User is obligated to
compensate third parties or the Possessor for any damage caused by their acts or omissions. If the User breaches the data processing requirements under the law or the Agreement, they
will be liable for the breach in accordance with the procedures set out in the Agreement and the laws and regulations.
5.3. In addition to the obligation to compensate for damages, the User undertakes, at the request
of the Possessor, to pay the Possessor a contractual penalty of up to five thousand (5000) euros for each breach of the Agreement in the event of non-performance or improper
performance of the Agreement related to the breach of the data processing requirements. If the User exceeds the term set out in clause 7.1. of the Agreement, the Possessor is entitled to demand a contractual penalty of fifty (50) euros for each day of delay.
5.4. The Parties have agreed that the User undertakes to represent the Possessor, at the Possessor's request and at its own expense, in all disputes (including court actions) with
third parties in connection with the Agreement and to bear all costs of the proceedings.
6. AGREEMENT DOCUMENTS
6.1. The Agreement documents comprise the Agreement and any annexes thereto. Annexes to the Agreement form an integral part of the Agreement.
6.2. The description of the Service and the DEP Pricing Policy, which are available on the Possessor’s website at https://transpordiamet.ee/liiklusregistrist-juurdepaasupiiranguga-andmete-valjastamine, shall also be deemed to be Agreement
documents.
6.3. In addition to the Agreement and its Annexes, the Parties shall be guided in the
performance of the Agreement by the laws, regulations and standards in force in the Republic of Estonia and, if necessary, by other technical documents in the relevant field.
6.4. At the moment of signing of the Agreement it includes:
6.5. Annex 1 – List of Data
7. NOTICES BETWEEN THE PARTIES
7.1. All Agreement-related notices between the Parties must be given in writing unless such
notices are informative by nature and their communication to the other Party has no legal
consequences or in the cases set forth in the Agreement.
7.2. A notice is deemed to have been received by the other Party:
7.2.1. on the working day following the day on which the notification was forwarded, if the notification was forwarded to the other Party by e-mail;
7.2.2. within three working days of the date of posting, if the notice was sent by the postal
authority by a registered letter to the address indicated by the other Party.
7.3. Informative notices may be given by telephone.
8. CONFIDENTIALITY
8.1. The content of the Agreement is public information.
8.2. Facts relating to the performance of the Agreement, including the Data, are restricted information and may not be disclosed by the Parties to any third party without the other
Party's written consent.
9. AMENDMENTS TO AGREEMENT AND RESOLUTION OF DISPUTES
9.1. The Agreement may be amended by an agreement of the Parties. Amendments to the Agreement that are not in the same format as the Agreement are null and void unless
otherwise provided in the Agreement. Amendments to the Agreement must be prepared as annexes to the Agreement.
9.2. The Possessor may unilaterally amend the Agreement if this is necessary as a result of a
change in a provision of a law or a regulation or if it is necessary for amending the Service or the value of the Agreement. The Possessor undertakes to notify the User of any unilateral
amendments to the Agreement at least 30 days in advance. The User may terminate the Agreement within two weeks of receiving the said notice. If the User does not respond to the unilateral amendment of the Agreement submitted by the Possessor, they will be
deemed to have accepted the amendment of the Agreement. In such case, the amendment shall take effect two days after the notice referred to in this clause is sent by the Possessor
to the User.
9.3. Amendments to the Agreement will enter into force after signature by the Parties or on
another occasion specified in the Agreement.
9.4. The Parties agree to take all appropriate measures to resolve points of dispute arising from the Agreement by way of negotiations, thereby not harming the contractual and statutory
rights or interests of the Parties. If no agreement can be reached in this way, all disputes arising from the Agreement shall be settled in accordance with the laws and regulations of the Republic of Estonia in the court of the Possessor’s seat.
10. TERM OF AGREEMENT
10.1. The Agreement takes effect upon the signature thereof by the Parties.
10.2. The Agreement has been entered into for a term of one year. This period starts from the
entry into force of the Agreement.
10.3. In the absence of a request for termination by either Party at least 30 days prior to the expiry of the term referred to in clause 10.2, the Agreement shall be automatically
extended for a period of one year. There is no limit to the number of extensions.
10.4. A Party has the right to terminate the Agreement without notice for a good reason, in
particular if the other Party is in material breach of the Agreement. A material breach of
the Agreement shall be deemed to be, inter alia, but not limited to, a repeated breach of a term of the Agreement, as well as a breach by the User of their obligations under clauses
5.2. and 7.1. of the Agreement (incl. one-off violation of data processing requirements).
10.5. The Parties have the right to terminate the Agreement at any time by notifying the other
Party at least 30 days in advance.
10.6. If any provision of the Agreement is found to be invalid or unenforceable in full or in part in the future, the Agreement shall remain in force in all other respects.
10.7. The Agreement and the Annexes thereto shall be amended as necessary in the light of changes in the laws and regulations governing the Agreement.
10.8. The obligations of the User under the Agreement shall be fully applicable and to all
successors of the User and any obligations of the Possessor under the Agreement shall be fully applicable to any successor of the Possessor. In the event of legal succession, the
Agreement will be amended accordingly if the Party so requests.
10.9. The User has the right to request temporary suspension of the Service. During the period
of temporary suspension of the Service, the User's access to the Service will be blocked
by the Possessor. In order to terminate the temporary suspension of the Service, the User must submit a request to the Possessor. The Possessor shall restore the User's access to
the Service as soon as possible but not later than within five working days and the User shall pay the monthly fee of the Agreement as set out in clause 4.1 above. If the User has not requested continuation of the Service within one year of requesting temporary
suspension of the Service, the Agreement shall be deemed to be terminated.
11. CONTACT PERSONS
11.1. Contact person of the Estonian Transport Administration: Martin Tubalkain, tel.:
+372 5981 7141, e-mail: martin [email protected].
11.2. Contact person of the User: Kristina Panačiova, tel. +37060168141, e-mail: [email protected]
12. OTHER TERMS AND CONDITIONS
12.1. The Agreement has been entered into electronically. The Agreement is signed by the
Parties digitally.
12.2. The language of communication between the Parties shall be Estonian.
12.3. The Parties are guided by the laws and regulations of the Republic of Estonia in all matters not governed by the Agreement.
12.4. The representatives of the Parties represent and warrant that they have all the required
rights and authorisations to enter into the Agreement on behalf of the entities they represent and that they are not aware of any impediments to the performance of the
obligations undertaken and provided in the Agreement.
12.5. Disputes will be settled on the basis of the Estonian text.
_____________________ _____________________ /digitally signed/ /digitally signed/
Access to Traffic Register data Annex 1 to the Agreement
List of Data
The price list of DEP packages and returnable data groups are provided on the Estonian
Transport Administration website https://transpordiamet.ee/andmevahetusplatvorm.
1. The User uses DEP package Package 1.
2. The User will be granted access to the Traffic Register data based on the inputs:
☒ vehicle VIN code
☒ Vehicle registration plate
☐ Vehicle registration certificate number
☐ Periodic start date (dateTIME YYYY-MM-DDThh:mm:ss)
☐ Periodic end date (dateTIME YYYY-MM-DDThh:mm:ss)
3. The following data groups are opened to the user
☒ Basic data of vehicle
☒ Technical data of vehicle
☐ Technical inspection
☐ Legal constraints
☐ Registration history
☒ Selectable access to restricted data
☒ vehicle VIN code
☒ Vehicle registration plate
☒ Vehicle registration certificate number
☒ Date of issue of the vehicle registration certificate
☐ Vehicle information (operations)
JUSTIFIED LEGITIMATE INTEREST ANALYSIS
15th October 2025
| Data Controller | UAB TRAFIPARK, registry code 306362443, address Savanorių pr. 123A-3, 03150 Vilnius, Lithuania |
| The purpose of personal data processing | The data will be used strictly for the purpose of vehicle identification, ownership verification, and legal claim processing (e.g., debt collection, contract enforcement, or damage liability review) |
| Categories of personal data / Types of personal data | Vehicle owner and user information, as well as vehicle make, model, first registration date, and Euro emission standard |
A) Identification of Legitimate Interest
1. What is the purpose of the processing information?
The information is processed to identify vehicles, verify ownership, manage legal claims, and
notify drivers or owners about traffic violations or outstanding fines. Accurate data ensures legal
compliance and protects the company’s rights.
2. Is the processing necessary to achieve one or more of the Company’s objectives?
Yes. The processing of this information is necessary to achieve the Company’s objectives, as it
enables: (i) Accurate vehicle identification and ownership verification; (ii) Proper handling of
legal claims, such as debt collection, contract enforcement, and damage liability assessment;
(iii) Timely notification to drivers or owners regarding traffic violations, fines, or other legal
obligations; (iv) Ensuring compliance with legal requirements and protecting the Company.
3. Is the processing necessary to achieve one or more objectives of a third party?
Processing is necessary for a third party is required to: (i) Provide a service – e.g., sending an
invoice to a client using their data; (ii) Fulfill a contract – e.g., sharing delivery details with a
shipping company to complete an order; (iii) Meet legal obligations – e.g., reporting certain
information to tax authorities on behalf of a client.
4. Does the GDPR, the ePrivacy Regulation, or any other legal act identify the processing
operation as a legitimate activity through a positive outcome of a balancing test?
Yes. Under the GDPR, processing can be considered legitimate if a balancing test demonstrates
that the company’s legitimate interests outweigh the potential impact on individuals’ rights and
freedoms. The processing must be necessary for the purpose and proportionate, ensuring that
data subjects’ fundamental rights are not overridden.
5. Is the legitimate interest behind the processing “legitimate”?
Yes, it is. The legitimate interest behind the processing is lawful, genuine, and clearly defined,
such as improving services, ensuring security, or preventing fraud.
B) Necessity
6. Why is the processing operation necessary for the data controller?
The processing operation is necessary for the data controller because it enables the organization
to fulfill its contractual, legal, or operational obligations: (i) to perform a contract, such as
delivering goods or providing a service, the controller needs to process customer data (e.g.,
addresses, payment information); (ii) to comply with legal obligations, like reporting to tax
authorities or maintaining records for regulatory purposes; (iii) To protect legitimate business
interests, such as preventing fraud, ensuring IT security, or managing internal operations
efficiently. In all cases, the processing is essential for the data controller to achieve these
purposes, and no less intrusive method would suffice, making it necessary.
7. Why is the processing operation important for other parties to whom the data may be
disclosed (if relevant)?
The processing operation is important for other parties to whom the data may be disclosed
because it enables them to perform their roles or fulfill their obligations in relation to the data
subject or the data controller: (i) Service providers or contractors may need the data to deliver a
service, such as shipping companies needing customer addresses to complete deliveries; (ii)
Regulatory or legal authorities may require the data to ensure compliance with laws or to protect
public interests; (iii) Business partners may use the data to manage contracts, provide support,
or coordinate operations efficiently. In these cases, the processing is essential for these third
parties to carry out necessary activities, making it relevant and justified.
8. Is there another way to achieve the purpose?
No, there is no other way to achieve the purpose. The processing is necessary because it is the
only effective and proportionate method to fulfill the intended goal.
C) Balancing test
8. Can the individual reasonably expect such processing?
Yes. The individual can reasonably expect such processing, as the collection and processing of
personal data for debt recovery purposes are a common and foreseeable consequence of having
an unpaid financial obligation or fine. This expectation arises from the individual’s contractual
or legal relationship with the original creditor and from standard industry practices.
Furthermore, data subjects are typically informed of such processing through privacy notices
issued by the creditor or the debt collection agency, ensuring transparency and compliance with
data protection requirements.
9. Does the processing add value to the product or service used by the individual?
Indirectly, yes. While the primary purpose of the processing is to recover outstanding debts or
fines, it also contributes to maintaining the integrity and fairness of the service provided. By
ensuring that financial obligations are met, the company can continue to offer services on fair
terms to all customers and prevent misuse or financial loss. Therefore, the processing indirectly
supports the sustainability and reliability of the service.
10. Is the processing operation likely to negatively affect the individual’s rights?
The processing may have a limited negative impact on the individual’s rights, particularly
regarding privacy and reputation, as it involves handling personal and financial information.
However, these risks are minimized through strict compliance with data protection laws,
proportional data use, and secure handling of personal data. The processing is limited to what is
necessary for legitimate debt recovery purposes, and individuals are informed of their rights,
including the right to access, rectify, or object to the processing.
11. Could the processing operation result in unwarranted harm or distress to the
individual?
In general, the processing is not intended to cause harm or distress. However, there is a limited
risk that individuals may experience discomfort or stress when being contacted regarding unpaid
debts or fines. Such effects are considered proportionate to the legitimate purpose of debt
recovery and are mitigated by ensuring that all communications are respectful, necessary, and
compliant with legal and ethical standards. The company also limits data use to relevant
information and provides clear contact options for individuals to exercise their data protection
rights.
12. Would not carrying out the processing operation result in harm to the data controller?
Yes. If the processing were not carried out, the data controller would be unable to recover
outstanding debts or fines, resulting in financial loss and reduced operational efficiency.
This could also undermine the company’s ability to meet contractual or legal obligations
and affect its financial stability. Therefore, processing the data is necessary to protect the
legitimate business interests of the data controller.
13. Would not carrying out the processing operation result in harm to a third party?
Potentially, yes. If the debt collection process is not carried out, third parties—such as the
original creditor, suppliers, or other customers—could suffer financial or operational harm. For
example, unpaid debts may affect the creditor’s cash flow, ability to provide services, or fairness
in treating other customers. Processing the data is therefore necessary to protect the legitimate
interests of these third parties while remaining proportionate and compliant with data protection
principles.
14. Is the processing operation carried out in the interest of the data subject?
Not directly. The primary purpose of the processing is to recover outstanding debts or fines,
which serves the legitimate interests of the data controller and, in some cases, third parties.
While the processing may indirectly benefit the data subject by maintaining fair and sustainable
services, the operation is not primarily carried out for the individual’s personal interest.
Safeguards and transparency measures are implemented to minimize any negative impact on the
data subject.
15. Is the legitimate interest of the data subject balanced with the legitimate interest of the
party relying on the legitimate interest exemption?
Yes. The processing is conducted in a manner that balances the legitimate interests of the data
controller (recovering debts or fines) with the rights and interests of the data subject. The
company limits data collection and use to what is strictly necessary, ensures secure handling of
personal data, and provides clear information and rights to the individual. Measures such as
proportionality, transparency, and access to remedies are applied to ensure that the individual’s
interests are not overridden by the controller’s legitimate interest.
16. What is the relationship between the individual and the company?
The relationship is primarily a financial or contractual one. The individual owes a debt or has
an outstanding fine to the company's client, establishing a creditor-debtor relationship. The
company processes personal data in this context to recover amounts lawfully due, in line with
its legitimate interests and obligations under applicable law. There is no ongoing service
provision beyond managing the financial obligation unless otherwise specified by a separate
contract.
17. What is the nature of the data being processed? Does it include special category data?
The data being processed is primarily personal and financial in nature, including the individual’s
name, contact details, payment history, and information related to outstanding debts or fines. It
does not typically include special category data as defined under GDPR (e.g., health data, racial
or ethnic origin, political opinions, religious beliefs, or biometric data). The processing is strictly
limited to what is necessary for debt recovery and conducted in accordance with data protection
principles.
18. Does a bilateral relationship exist between the company and the individual whose data
is being processed? If yes, how close is the relationship?
Yes, a bilateral relationship exists, but it is limited in scope. The relationship is primarily
financial or contractual: the individual owes a debt or has an outstanding fine to the company
(or its client). The closeness of the relationship is minimal and transactional, focused solely on
the management and recovery of financial obligations. There is no ongoing personal or service-
based relationship beyond the debt or fine context.
19. Does the processing restrict or infringe upon the individual’s rights?
No, the processing is designed to comply with data protection laws and does not unduly restrict
or infringe upon the individual’s rights. Individuals retain their rights to access, rectify, object
to, or erase their data, and the company provides clear information on how these rights can be
exercised. Any impact on the individual is proportionate and limited to what is necessary for the
legitimate purpose of debt recovery.
20. Were the personal data obtained directly from the individual or indirectly?
The personal data may be obtained directly. Directly, the company may receive information
provided by the individual during initial transactions, registration, or communication with the
creditor. All data is processed in accordance with data protection principles.
21. Is there a relationship of subordination or power between the individual and the
company?
No, there is no formal relationship of subordination. The relationship is primarily financial or
contractual: the individual owes a debt or has an outstanding fine to the company (or its client).
While the company does have authority to pursue debt recovery, this authority is limited to the
legal and contractual obligations associated with the debt. There is no ongoing hierarchical or
employment-like power over the individual beyond what is necessary to enforce legitimate
financial obligations.
22. Is it likely that the individual would expect their data to be processed for this purpose?
Yes. Given the individual’s financial or contractual relationship with the company (or its client),
it is reasonable for the individual to expect that their personal data would be used to manage and
recover outstanding debts or fines. Such processing is standard practice in debt collection and is
typically communicated to the individual through privacy notices or contractual terms, making
the purpose foreseeable and aligned with the individual’s expectations.
23. Can the processing be considered intrusive or inappropriate? Would it be seen as such
by the individual or based on the context of the relationship?
Generally, the processing is not considered intrusive or inappropriate. The company processes
personal data solely for the legitimate purpose of recovering debts or fines, within legal and
contractual boundaries. While some individuals may feel discomfort when contacted about
outstanding obligations, this is proportionate and expected within the context of a creditor-
debtor relationship. Safeguards such as limited data use, respectful communication, and
transparency ensure the processing remains appropriate and lawful.
24. Have privacy terms been disclosed to the individual? How?
Yes. Privacy terms are typically disclosed to the individual through multiple channels, such as:
(i) Privacy notices provided by the original creditor at the time of entering into a contract or
financial agreement; (ii) Written communications or emails from the company explaining how
personal data will be used for debt recovery purposes; (iii) Publication on the company’s
website or in official contractual documentation. These disclosures ensure transparency and
compliance with data protection laws, allowing the individual to understand how their personal
data will be processed and to exercise their rights.
25. Can the individual whose data is being processed easily control or object to the
processing operation?
Yes. Individuals can exercise their rights under data protection law to control or object to the
processing of their personal data. The company provides clear information on how to submit
requests, including the right to access, rectify, restrict, or erase data, and the right to object to
debt recovery communications where applicable. These mechanisms ensure that the individual
retains control over their personal data while allowing the company to carry out its legitimate
debt recovery activities in compliance with legal requirements.
26. Can the scope of processing be adjusted to reduce significant privacy risks?
Yes. The company can limit the scope of processing to what is strictly necessary for debt
recovery, thereby reducing potential privacy risks. Measures include processing only relevant
personal and financial data, limiting access to authorized personnel, anonymizing or
pseudonymizing data where possible, and restricting communications to essential channels.
These adjustments help ensure proportionality and minimize the impact on the individual’s
privacy while still allowing the company to pursue legitimate debt recovery activities.
D) Safeguards and Compensating Controls
The company implements multiple safeguards and compensating controls to protect individuals
and reduce the risks or potential negative effects of processing personal data. These measures
include: (i) Data minimisation: Only collecting and processing data strictly necessary for debt
recovery; (ii) De-identification or pseudonymisation: Reducing the link between personal data
and the individual wherever possible; (iii) Technical and organisational measures: Ensuring
secure storage, access controls, and staff training; (iv) Privacy by default: Configuring systems
to process the minimum personal data needed for the purpose; (v) Transparency measures: Clear
communication to data subjects about the purpose and scope of processing; (vi) Encryption and
multi-factor authentication: Protecting data from unauthorised access; (vii) Data retention
controls: Retaining data only for as long as necessary to fulfill debt recovery purposes; (viii)
Restricted access: Limiting access to authorised personnel. These safeguards collectively
ensure that the processing is proportionate, secure, and compliant with applicable data protection
legislation, while mitigating potential negative impacts on the individual.
E) Conclusions
After assessing the legitimate interest balancing test, it can be concluded that the processing of
personal data by the company for the purpose of debt and fine recovery is lawful, proportionate,
and conducted in accordance with data protection principles. The processing serves a legitimate
interest of the company, and any potential impact on the rights and freedoms of the data subject
is mitigated by: (i) limiting data processing to what is necessary; (ii) implementing technical
and organizational safeguards; (iii) ensuring transparency through clear privacy notices; (iv)
providing mechanisms for individuals to exercise their rights; (v) applying measures to
minimize potential distress or harm.
Overall, the legitimate interest of the company is balanced against the rights and interests of the
individual, and the safeguards in place ensure that the processing is fair, secure, and
proportionate.
Conducted by:
_______________________________________________
(name, surname, job title, signature)
Hello,
Please find attached our legitimate interest analysis along with the signed agreement from our side.
Could you please let me know if any additional documents are required — for example, agreements with our clients, photos, or any other supporting materials?
Additionally, I would appreciate it if you could clarify how the access to the Traffic Register data via X-Road operates in practice.
Thank you very much in advance for your time and assistance.
Pagarbiai / Regards
Kristina Panačiova
Projektų vadovė / Project manager
Mob. tel.: +370 60168141
E-mail: [email protected]
Savanoriu pr. 123A,
LT-03150 Vilnius
Lithuania
CONFIDENTIALITY NOTICE
This e-mail is confidential and may contain legally privileged information. If you have received it by mistake, please inform us
by reply e-mail and then delete it (including any attachments) from your system. You should not copy it or in any other way
disclose its content to anyone. E-mail is susceptible to data corruption, interception, unauthorised amendment, tampering and
virus. We do not accept liability for any such actions or the consequences thereof. Thank you.
From: Martin Tubalkain <[email protected]>
Sent: Monday, October 6, 2025 9:34 AM
To: Trafipark <[email protected]>
Subject: RE: Regarding agreement and driver data
Hello
We'll let You know that the Transport Administration has now closed Your request. It means that You have to submit a new request if Your wish is to gain information from our traffic register. If You submit a new request, then You have to present a justified legitimate interest analysis as well. Without this analysis we can't take action on processing Your request.
Best regards
Martin Tubalkain
Vehicle and Registry Service Manager
+372 598 17 141
Valge 4 / 11413 Tallinn / Transpordiamet
From: Martin Tubalkain
Sent: Thursday, September 25, 2025 9:50 AM
To: 'Trafipark' <[email protected]>
Subject: RE: Regarding agreement and driver data
Hello
Please let us know what Your decision is on proceeding with the contract. We'll wait for Your answer till the end of next week and after that we'll close Your request. If we close the request, it means that You have to provide us a new application.
If You want to proceed, then You have to consider that we can give out only data of the vehicles which have violated the parking terms. If there are some other violations like traffic violations, speed or red-light offences etc., then in this case we do not give out car owners' data.
Also, if we proceed, You need to present a justified legitimate interest analysis according to our Data Protection Inspectorate. Attached are the questions in Estonian, which are translated into English below.
In this analysis You have to answer the following questions:
What does the processing operation involve? (Description) Why is processing based on legitimate interest necessary?
Identification of Legitimate Interest
What is the purpose of the processing operation?
Is the processing necessary to achieve one or more of the company’s objectives?
Is the processing necessary to achieve one or more objectives of a third party?
Does the GDPR, the ePrivacy Regulation, or any other legal act identify the processing operation as a legitimate activity through a positive outcome of a balancing test?
Is the interest behind the processing “legitimate”?
Necessity
Why is the processing operation necessary for the data controller?
Why is the processing operation important for other parties to whom the data may be disclosed (if relevant)?
Is there another way to achieve the purpose?
Balancing Test
Can the individual reasonably expect such processing?
Does the processing add value to the product or service used by the individual?
Is the processing operation likely to negatively affect the individual’s rights?
Could the processing operation result in unwarranted harm or distress to the individual?
Would not carrying out the processing operation result in harm to the data controller?
Would not carrying out the processing operation result in harm to a third party?
Is the processing operation carried out in the interest of the data subject?
Is the legitimate interest of the data subject balanced with the legitimate interest of the party relying on the legitimate interest exemption?
What is the relationship between the individual and the company?
What is the nature of the data being processed? Does it include special category data?
Does a bilateral relationship exist between the company and the individual whose data is being processed? If yes, how close is the relationship?
Does the processing restrict or infringe upon the individual’s rights?
Were the personal data obtained directly from the individual or indirectly?
Is there a relationship of subordination or power between the individual and the company?
Is it likely that the individual would expect their data to be processed for this purpose?
Can the processing be considered intrusive or inappropriate? Would it be seen as such by the individual or based on the context of the relationship?
Have privacy terms been disclosed to the individual? How?
Can the individual whose data is being processed easily control or object to the processing operation?
Can the scope of processing be adjusted to reduce significant privacy risks?
Safeguards and Compensating Controls
Safeguards include various compensating controls or measures that may be implemented to protect individuals or reduce the risks or potential negative effects associated with the processing. These are likely identified in data protection impact assessments (DPIAs), for example:
data minimisation, de-identification, technical and organisational measures, privacy by default, additional transparency, extra layers of encryption, multi-factor authentication, data retention controls, restricted access, opt-out mechanisms, hashing and other data protection-related technical security methods
Have the necessary safeguards been implemented?
Best regards
Martin Tubalkain
Vehicle and Registry Service Manager
+372 598 17 141
Valge 4 / 11413 Tallinn / Transpordiamet
From: Martin Tubalkain
Sent: Thursday, August 28, 2025 11:22 AM
To: 'Trafipark' <[email protected]>
Subject: RE: Regarding agreement and driver data
Hello
As we mentioned earlier, we can provide car owner data for the violations that are connected with parking.
Your request is not enough for giving out data for other violations (road traffic violations, including speed or red-light offences and non-compliance with Low Emission Zone (LEZ) regulation). You have to provide contracts with local authorities or the state, where it can be seen that You have rights to collect debt in the name of the authority.
Best regards
Martin Tubalkain
Vehicle and Registry Service Manager
+372 598 17 141
Valge 4 / 11413 Tallinn / Transpordiamet
Hello,
Thank you for your message and for the clarification regarding access to car owner data.
We confirm that our sole purpose for requesting access to restricted vehicle owner/user data is strictly related to processing of unpaid parking fines, road traffic violations (including speed or red-light offences), and non-compliance with Low Emission Zone (LEZ) regulations.
These violations are documented, and we act on behalf of relevant authorities or partners with proper mandates and legal grounds.
We fully understand and respect the limitation you mentioned and confirm that we are not requesting personal data for any other purpose outside the scope of traffic and parking enforcement.
Please let us know if any further documentation is required to support this.
Also, could you please clarify whether we are required to access the Traffic Register data specifically through X-Road, or is it also possible to use the standard DEP HTTPS service?
If X-Road is mandatory, could you provide guidance on registration and technical setup?
Looking forward to your confirmation.
Pagarbiai / Regards
Kristina Panačiova
Mob. tel.: +370 60168141
From: Martin Tubalkain
Sent: Wednesday, August 27, 2025 9:51 AM
To: 'Trafipark' <[email protected]>
Subject: RE: Regarding agreement and driver data
Hello
The fulfilled contract form that was attached is not correct. We provide personal data only through x-road service.
But to proceed with processing Your request, we have to point out that we do not provide car owners' personal data to private companies, except when the request concerns the processing of parking fines. If Your wish is to get car owners' personal data for another purpose, then we do not do the agreement.
Best regards
Martin Tubalkain
Vehicle and Registry Service Manager
+372 598 17 141
Valge 4 / 11413 Tallinn / Transpordiamet
From: Trafipark <[email protected]>
Sent: Tuesday, August 26, 2025 8:06 PM
To: [email protected]
Subject: Regarding agreement and driver data
Hello,
Please find attached the signed agreement from our side, along with the signed justification for restricted data access.
Could you kindly confirm if these documents are sufficient, or if you require any additional details or supporting documentation (e.g., agreements with creditors, photos, etc.)?
Thank you in advance for your guidance.
Pagarbiai / Regards
Kristina Panačiova
Projektų vadovė / Project manager
Mob. tel.: +370 60168141
E-mail: [email protected]
Savanoriu pr. 123A,
LT-03150 Vilnius
Lithuania
AGREEMENT ON ACCESS TO TRAFFIC REGISTRY DATA No.
Estonian Transport Administration, registry code 70001490, address Valge 4, 11413 Tallinn, represented by authorised representative Märten Surva, Head of the Vehicles Register Department (hereinafter referred to as the Possessor)
and
UAB TRAFIPARK, registry code 306362443, address Savanorių pr. 123A-3, 03150 Vilnius, Lithuania (hereinafter referred to as the User), represented by Managing Director Audrius Astrauskas (hereinafter referred to separately as the Party or jointly as the Parties),
on the basis of, inter alia,:
– the Road Traffic Act (hereinafter referred to as the RTA), in particular subsection 184 (12) thereof;
– Decree of the Government of the Republic No. 75 of 16 June 2011 Statutes of the Traffic Register (“Liiklusregistri pidamise põhimäärus”);
– Regulation of the Government of the Republic No. 105 of 23 September 2016 Data Exchange Layer for Information Systems (“Infosüsteemide andmevahetuskiht”);
– Regulation of the Minister of Economic Affairs and Communications No. 46 of 21 June 2011 Procedure for Accessing Electronic Data in the Traffic Register (“Liiklusregistri elektroonsetele andmetele juurdepääsu kord”), particularly subsection 3 (3) thereof;
– traffic register data exchange service specification (available on the Possessor’s website at https://transpordiamet.ee/liiklusregistrist-andmete-valjastamine).
have concluded this Agreement on access to traffic register data (hereinafter referred to as the Agreement) under the following terms and conditions:
1. OBJECT OF AGREEMENT
1.1. The object of the Agreement is the provision of access to the Traffic Register data (hereinafter referred to as the Data) to the User via the data exchange platform (hereinafter referred to as the DEP) (hereinafter referred to as the Service).
1.2. The purpose of the agreement is to use the data for the identification and verification of vehicle-related information, including the owner/user details, in order to process and manage debt recovery, legal claims, or other lawful enforcement activities related to the vehicles. The data will only be used for legitimate and proportionate purposes in compliance with applicable data protection laws.
1.3. The User has the right to process the Data only for legitimate purposes that are not in conflict with the provisions of laws and regulations.
1.4. The service is available 24 hours a day, with active working hours Mon-Fri 8:00-17:00.
1.5. The User confirms that they have thoroughly read and understood the Agreement and its Annexes and all of the laws and regulations, Possessor’s service descriptions and instructions and other documents referred to in the Agreement.
1.6. By signing the Agreement, the User confirms that they are authorised to use the Service and the data will be processed only for the purposes stated in the Agreement, for specified and legitimate purposes and in accordance with laws and regulations.
2. TERMS AND DEFINITIONS
The definitions used in this Agreement and any annexes thereto shall have the following meanings:
2.1. Data – the data entered in the Traffic Register referred to in Annex 1 to the Agreement.
2.2. Data Exchange Platform (DEP) – access in XML format provided to the User on the basis of the HTTPS protocol, according to the DEP package selected and the data group defined for the service.
2.3. DEP package – maximum number of requests allowed per month.
2.4. Incident – a failure or malfunction of the Service.
2.5. Request – return of Data on the basis of predefined inputs.
2.6. Service – the solution for the provision of and/or accessing the Traffic Register data developed by the Possessor.
2.7. Active hours – the time when the Possessor resolves incidents.
2.8. Hours of operation – around the clock.
3. AGREEMENT VALUE
3.1. The price list for the service is published on the Possessor’s website https://transpordiamet.ee/andmevahetusplatvorm.
3.2. The cost of the service consists of the selected DEP package and the number of selected data groups.
3.3. The calculation of the monthly fee shall start from the moment the Agreement enters into force. Payment shall be made once per month on the basis of the invoice submitted by the Possessor and within the time limit indicated thereon. The invoice must be paid within seven days.
3.4. When paying the invoice, you must indicate, among other things, the reference number shown on the invoice.
4. OBLIGATIONS OF PARTIES
4.1. The Possessor shall:
4.1.1. ensure the forwarding of the data in Annex 1 to the Agreement to the User without any obligation on the part of the Possessor to resolve any incidents within a specified time;
4.1.2. resolve incidents within a reasonable time;
4.1.3. provide explanations to the User about the object of Agreement, if necessary.
4.2. The User undertakes to:
4.2.1. process data obtained under the Agreement only to the extent necessary for the performance of their tasks under the Agreement and for purposes that are not in conflict with the RTA and the laws and regulations adopted pursuant thereto or other laws and regulations;
4.2.2. not store the data, unless otherwise provided by law or the Agreement;
4.2.3. not to transmit or otherwise disclose the Data to third parties, except in cases provided by law or with the agreement of the Parties, or enter into agreements with third parties for the processing, transfer or other disclosure of the Data to third parties;
4.2.4. ensure the lawful use of the service by means of organisational, physical and IT security measures;
4.2.5. not to exceed the maximum number of daily requests under the DEP package;
4.2.6. immediately notify the Possessor of any incidents using the following e-mail address: [email protected];
4.2.7. process the usernames and passwords that enable using the Service in a manner that ensures their confidentiality;
4.2.8. immediately inform the Possessor of any disclosure of the description of the use of data or usernames/passwords to third parties or the public, theft of information technology or other circumstances that may lead to the use of data by unauthorised persons;
4.2.9. pay for the Service in accordance with the Agreement;
4.2.10. have a static IP address.
5. SUPERVISION AND LIABILITY
5.1. The Possessor has the right to verify at any time the lawfulness of the processing of the Data and the User's compliance with the terms and conditions of the Agreement. To this end, the Possessor shall submit to the User an enquiry, at least in a form that can be reproduced in writing, to which the User must provide a substantial reply within five working days by submitting photos or other relevant evidence at the request of the Possessor.
5.2. The User is aware that in the event of a breach, non-fulfilment or improper fulfilment of the obligations undertaken in the Agreement, including the data processing requirements and any statutory personal data processing requirements, the User is obligated to compensate third parties or the Possessor for any damage caused by their acts or omissions. If the User breaches the data processing requirements under the law or the Agreement, they will be liable for the breach in accordance with the procedures set out in the Agreement and the laws and regulations.
5.3. In addition to the obligation to compensate for damages, the User undertakes, at the request of the Possessor, to pay the Possessor a contractual penalty of up to five thousand (5000) euros for each breach of the Agreement in the event of non-performance or improper performance of the Agreement related to the breach of the data processing requirements. If the User exceeds the term set out in clause 7.1. of the Agreement, the Possessor is entitled to demand a contractual penalty of fifty (50) euros for each day of delay.
5.4. The Parties have agreed that the User undertakes to represent the Possessor, at the Possessor's request and at its own expense, in all disputes (including court actions) with third parties in connection with the Agreement and to bear all costs of the proceedings.
6. AGREEMENT DOCUMENTS
6.1. The Agreement documents comprise the Agreement and any annexes thereto. Annexes to the Agreement form an integral part of the Agreement.
6.2. The description of the Service and the DEP Pricing Policy, which are available on the Possessor’s website at https://transpordiamet.ee/liiklusregistrist-juurdepaasupiiranguga-andmete-valjastamine, shall also be deemed to be Agreement documents.
6.3. In addition to the Agreement and its Annexes, the Parties shall be guided in the performance of the Agreement by the laws, regulations and standards in force in the Republic of Estonia and, if necessary, by other technical documents in the relevant field.
6.4. At the moment of signing of the Agreement it includes:
6.5. Annex 1 – List of Data
7. NOTICES BETWEEN THE PARTIES
7.1. All Agreement-related notices between the Parties must be given in writing unless such notices are informative by nature and their communication to the other Party has no legal consequences or in the cases set forth in the Agreement.
7.2. A notice is deemed to have been received by the other Party:
7.2.1. on the working day following the day on which the notification was forwarded, if the notification was forwarded to the other Party by e-mail;
7.2.2. within three working days of the date of posting, if the notice was sent by the postal authority by a registered letter to the address indicated by the other Party.
7.3. Informative notices may be given by telephone.
8. CONFIDENTIALITY
8.1. The content of the Agreement is public information.
8.2. Facts relating to the performance of the Agreement, including the Data, are restricted information and may not be disclosed by the Parties to any third party without the other Party's written consent.
9. AMENDMENTS TO AGREEMENT AND RESOLUTION OF DISPUTES
9.1. The Agreement may be amended by an agreement of the Parties. Amendments to the Agreement that are not in the same format as the Agreement are null and void unless otherwise provided in the Agreement. Amendments to the Agreement must be prepared as annexes to the Agreement.
9.2. The Possessor may unilaterally amend the Agreement if this is necessary as a result of a change in a provision of a law or a regulation or if it is necessary for amending the Service or the value of the Agreement. The Possessor undertakes to notify the User of any unilateral amendments to the Agreement at least 30 days in advance. The User may terminate the Agreement within two weeks of receiving the said notice. If the User does not respond to the unilateral amendment of the Agreement submitted by the Possessor, they will be deemed to have accepted the amendment of the Agreement. In such case, the amendment shall take effect two days after the notice referred to in this clause is sent by the Possessor to the User.
9.3. Amendments to the Agreement will enter into force after signature by the Parties or on another occasion specified in the Agreement.
9.4. The Parties agree to take all appropriate measures to resolve points of dispute arising from the Agreement by way of negotiations, thereby not harming the contractual and statutory rights or interests of the Parties. If no agreement can be reached in this way, all disputes arising from the Agreement shall be settled in accordance with the laws and regulations of the Republic of Estonia in the court of the Possessor’s seat.
10. TERM OF AGREEMENT
10.1. The Agreement takes effect upon the signature thereof by the Parties.
10.2. The Agreement has been entered into for a term of one year. This period starts from the entry into force of the Agreement.
10.3. In the absence of a request for termination by either Party at least 30 days prior to the expiry of the term referred to in clause 10.2, the Agreement shall be automatically extended for a period of one year. There is no limit to the number of extensions.
10.4. A Party has the right to terminate the Agreement without notice for a good reason, in particular if the other Party is in material breach of the Agreement. A material breach of the Agreement shall be deemed to be, inter alia, but not limited to, a repeated breach of a term of the Agreement, as well as a breach by the User of their obligations under clauses 5.2. and 7.1. of the Agreement (incl. one-off violation of data processing requirements).
10.5. The Parties have the right to terminate the Agreement at any time by notifying the other Party at least 30 days in advance.
10.6. If any provision of the Agreement is found to be invalid or unenforceable in full or in part in the future, the Agreement shall remain in force in all other respects.
10.7. The Agreement and the Annexes thereto shall be amended as necessary in the light of changes in the laws and regulations governing the Agreement.
10.8. The obligations of the User under the Agreement shall be fully applicable and to all successors of the User and any obligations of the Possessor under the Agreement shall be fully applicable to any successor of the Possessor. In the event of legal succession, the Agreement will be amended accordingly if the Party so requests.
10.9. The User has the right to request temporary suspension of the Service. During the period of temporary suspension of the Service, the User's access to the Service will be blocked by the Possessor. In order to terminate the temporary suspension of the Service, the User must submit a request to the Possessor. The Possessor shall restore the User's access to the Service as soon as possible but not later than within five working days and the User shall pay the monthly fee of the Agreement as set out in clause 4.1 above. If the User has not requested continuation of the Service within one year of requesting temporary suspension of the Service, the Agreement shall be deemed to be terminated.
11. CONTACT PERSONS
11.1. Contact person of the Estonian Transport Administration: Martin Tubalkain, tel.: +372 5981 7141, e-mail: martin [email protected].
11.2. Contact person of the User: Kristina Panačiova, tel. +37060168141, e-mail: [email protected]
12. OTHER TERMS AND CONDITIONS
12.1. The Agreement has been entered into electronically. The Agreement is signed by the Parties digitally.
12.2. The language of communication between the Parties shall be Estonian.
12.3. The Parties are guided by the laws and regulations of the Republic of Estonia in all matters not governed by the Agreement.
12.4. The representatives of the Parties represent and warrant that they have all the required rights and authorisations to enter into the Agreement on behalf of the entities they represent and that they are not aware of any impediments to the performance of the obligations undertaken and provided in the Agreement.
12.5. Disputes will be settled on the basis of the Estonian text.
_____________________ _____________________ /digitally signed/ /digitally signed/
Access to Traffic Register data Annex 1 to the Agreement
List of Data
The price list of DEP packages and returnable data groups are provided on the Estonian Transport Administration website https://transpordiamet.ee/andmevahetusplatvorm.
1. The User uses DEP package Package 1.
2. The User will be granted access to the Traffic Register data based on the inputs:
☒ vehicle VIN code
☒ Vehicle registration plate
☐ Vehicle registration certificate number
☐ Periodic start date (dateTIME YYYY-MM-DDThh:mm:ss)
☐ Periodic end date (dateTIME YYYY-MM-DDThh:mm:ss)
3. The following data groups are opened to the user
☒ Basic data of vehicle
☒ Technical data of vehicle
☐ Technical inspection
☐ Legal constraints
☐ Registration history
☒ Selectable access to restricted data
☒ vehicle VIN code
☒ Vehicle registration plate
☒ Vehicle registration certificate number
☒ Date of issue of the vehicle registration certificate
☐ Vehicle information (operations)
JUSTIFIED LEGITIMATE INTEREST ANALYSIS
15th, October 2025
| Data Controller | UAB TRAFIPARK, registry code 306362443, address Savanorių pr. 123A-3, 03150 Vilnius, Lithuania |
| The purpose of personal data processing | The data will be used strictly for the purpose of vehicle identification, ownership verification, and legal claim processing (e.g., debt collection, contract enforcement, or damage liability review) |
| Categories of personal data / Types of personal data | Vehicle owner and user information, as well as vehicle make, model, first registration date, and Euro emission standard |
A) Identification of Legitimate Interest
1. What is the purpose of the processing information?
The information is processed to identify vehicles, verify ownership, manage legal claims, and
notify drivers or owners about traffic violations or outstanding fines. Accurate data ensures legal
compliance and protects the company’s rights.
2. Is the processing necessary to achieve one or more of the Company’s objectives?
Yes. The processing of this information is necessary to achieve the Company’s objectives, as it
enables: (i) Accurate vehicle identification and ownership verification; (ii) Proper handling of
legal claims, such as debt collection, contract enforcement, and damage liability assessment;
(iii) Timely notification to drivers or owners regarding traffic violations, fines, or other legal
obligations; (iv) Ensuring compliance with legal requirements and protecting the Company.
3. Is the processing necessary to achieve one or more objectives of a third party?
Processing is necessary where a third party is required to: (i) Provide a service – e.g., sending an
invoice to a client using their data; (ii) Fulfill a contract – e.g., sharing delivery details with a
shipping company to complete an order; (iii) Meet legal obligations – e.g., reporting certain
information to tax authorities on behalf of a client.
4. Does the GDPR, the ePrivacy Regulation, or any other legal act identify the processing
operation as a legitimate activity through a positive outcome of a balancing test?
Yes. Under the GDPR, processing can be considered legitimate if a balancing test demonstrates
that the company’s legitimate interests outweigh the potential impact on individuals’ rights and
freedoms. The processing must be necessary for the purpose and proportionate, ensuring that
data subjects’ fundamental rights are not overridden.
5. Is the legitimate interest behind the processing “legitimate”?
Yes, it is. The legitimate interest behind the processing is lawful, genuine, and clearly defined,
such as improving services, ensuring security, or preventing fraud.
B) Necessity
6. Why is the processing operation necessary for the data controller?
The processing operation is necessary for the data controller because it enables the organization
to fulfill its contractual, legal, or operational obligations: (i) to perform a contract, such as
delivering goods or providing a service, the controller needs to process customer data (e.g.,
addresses, payment information); (ii) to comply with legal obligations, like reporting to tax
authorities or maintaining records for regulatory purposes; (iii) to protect legitimate business
interests, such as preventing fraud, ensuring IT security, or managing internal operations
efficiently. In all cases, the processing is essential for the data controller to achieve these
purposes, and no less intrusive method would suffice, making it necessary.
7. Why is the processing operation important for other parties to whom the data may be
disclosed (if relevant)?
The processing operation is important for other parties to whom the data may be disclosed
because it enables them to perform their roles or fulfill their obligations in relation to the data
subject or the data controller: (i) Service providers or contractors may need the data to deliver a
service, such as shipping companies needing customer addresses to complete deliveries; (ii)
Regulatory or legal authorities may require the data to ensure compliance with laws or to protect
public interests; (iii) Business partners may use the data to manage contracts, provide support,
or coordinate operations efficiently. In these cases, the processing is essential for these third
parties to carry out necessary activities, making it relevant and justified.
8. Is there another way to achieve the purpose?
No, there is no other way to achieve the purpose. The processing is necessary because it is the
only effective and proportionate method to fulfill the intended goal.
C) Balancing test
8. Can the individual reasonably expect such processing?
Yes. The individual can reasonably expect such processing, as the collection and processing of
personal data for debt recovery purposes are a common and foreseeable consequence of having
an unpaid financial obligation or fine. This expectation arises from the individual’s contractual
or legal relationship with the original creditor and from standard industry practices.
Furthermore, data subjects are typically informed of such processing through privacy notices
issued by the creditor or the debt collection agency, ensuring transparency and compliance with
data protection requirements.
9. Does the processing add value to the product or service used by the individual?
Indirectly, yes. While the primary purpose of the processing is to recover outstanding debts or
fines, it also contributes to maintaining the integrity and fairness of the service provided. By
ensuring that financial obligations are met, the company can continue to offer services on fair
terms to all customers and prevent misuse or financial loss. Therefore, the processing indirectly
supports the sustainability and reliability of the service.
10. Is the processing operation likely to negatively affect the individual’s rights?
The processing may have a limited negative impact on the individual’s rights, particularly
regarding privacy and reputation, as it involves handling personal and financial information.
However, these risks are minimized through strict compliance with data protection laws,
proportional data use, and secure handling of personal data. The processing is limited to what is
necessary for legitimate debt recovery purposes, and individuals are informed of their rights,
including the right to access, rectify, or object to the processing.
11. Could the processing operation result in unwarranted harm or distress to the
individual?
In general, the processing is not intended to cause harm or distress. However, there is a limited
risk that individuals may experience discomfort or stress when being contacted regarding unpaid
debts or fines. Such effects are considered proportionate to the legitimate purpose of debt
recovery and are mitigated by ensuring that all communications are respectful, necessary, and
compliant with legal and ethical standards. The company also limits data use to relevant
information and provides clear contact options for individuals to exercise their data protection
rights.
12. Would not carrying out the processing operation result in harm to the data controller?
Yes. If the processing were not carried out, the data controller would be unable to recover
outstanding debts or fines, resulting in financial loss and reduced operational efficiency.
This could also undermine the company’s ability to meet contractual or legal obligations
and affect its financial stability. Therefore, processing the data is necessary to protect the
legitimate business interests of the data controller.
13. Would not carrying out the processing operation result in harm to a third party?
Potentially, yes. If the debt collection process is not carried out, third parties—such as the
original creditor, suppliers, or other customers—could suffer financial or operational harm. For
example, unpaid debts may affect the creditor’s cash flow, ability to provide services, or fairness
in treating other customers. Processing the data is therefore necessary to protect the legitimate
interests of these third parties while remaining proportionate and compliant with data protection
principles.
14. Is the processing operation carried out in the interest of the data subject?
Not directly. The primary purpose of the processing is to recover outstanding debts or fines,
which serves the legitimate interests of the data controller and, in some cases, third parties.
While the processing may indirectly benefit the data subject by maintaining fair and sustainable
services, the operation is not primarily carried out for the individual’s personal interest.
Safeguards and transparency measures are implemented to minimize any negative impact on the
data subject.
15. Is the legitimate interest of the data subject balanced with the legitimate interest of the
party relying on the legitimate interest exemption?
Yes. The processing is conducted in a manner that balances the legitimate interests of the data
controller (recovering debts or fines) with the rights and interests of the data subject. The
company limits data collection and use to what is strictly necessary, ensures secure handling of
personal data, and provides clear information and rights to the individual. Measures such as
proportionality, transparency, and access to remedies are applied to ensure that the individual’s
interests are not overridden by the controller’s legitimate interest.
16. What is the relationship between the individual and the company?
The relationship is primarily a financial or contractual one. The individual owes a debt or has
an outstanding fine to the company's client, establishing a creditor-debtor relationship. The
company processes personal data in this context to recover amounts lawfully due, in line with
its legitimate interests and obligations under applicable law. There is no ongoing service
provision beyond managing the financial obligation unless otherwise specified by a separate
contract.
17. What is the nature of the data being processed? Does it include special category data?
The data being processed is primarily personal and financial in nature, including the individual’s
name, contact details, payment history, and information related to outstanding debts or fines. It
does not typically include special category data as defined under GDPR (e.g., health data, racial
or ethnic origin, political opinions, religious beliefs, or biometric data). The processing is strictly
limited to what is necessary for debt recovery and conducted in accordance with data protection
principles.
18. Does a bilateral relationship exist between the company and the individual whose data
is being processed? If yes, how close is the relationship?
Yes, a bilateral relationship exists, but it is limited in scope. The relationship is primarily
financial or contractual: the individual owes a debt or has an outstanding fine to the company
(or its client). The closeness of the relationship is minimal and transactional, focused solely on
the management and recovery of financial obligations. There is no ongoing personal or service-
based relationship beyond the debt or fine context.
19. Does the processing restrict or infringe upon the individual’s rights?
No, the processing is designed to comply with data protection laws and does not unduly restrict
or infringe upon the individual’s rights. Individuals retain their rights to access, rectify, object
to, or erase their data, and the company provides clear information on how these rights can be
exercised. Any impact on the individual is proportionate and limited to what is necessary for the
legitimate purpose of debt recovery.
20. Were the personal data obtained directly from the individual or indirectly?
The personal data may be obtained directly. Directly, the company may receive information
provided by the individual during initial transactions, registration, or communication with the
creditor. All data is processed in accordance with data protection principles.
21. Is there a relationship of subordination or power between the individual and the
company?
No, there is no formal relationship of subordination. The relationship is primarily financial or
contractual: the individual owes a debt or has an outstanding fine to the company (or its client).
While the company does have authority to pursue debt recovery, this authority is limited to the
legal and contractual obligations associated with the debt. There is no ongoing hierarchical or
employment-like power over the individual beyond what is necessary to enforce legitimate
financial obligations.
22. Is it likely that the individual would expect their data to be processed for this purpose?
Yes. Given the individual’s financial or contractual relationship with the company (or its client),
it is reasonable for the individual to expect that their personal data would be used to manage and
recover outstanding debts or fines. Such processing is standard practice in debt collection and is
typically communicated to the individual through privacy notices or contractual terms, making
the purpose foreseeable and aligned with the individual’s expectations.
23. Can the processing be considered intrusive or inappropriate? Would it be seen as such
by the individual or based on the context of the relationship?
Generally, the processing is not considered intrusive or inappropriate. The company processes
personal data solely for the legitimate purpose of recovering debts or fines, within legal and
contractual boundaries. While some individuals may feel discomfort when contacted about
outstanding obligations, this is proportionate and expected within the context of a creditor-
debtor relationship. Safeguards such as limited data use, respectful communication, and
transparency ensure the processing remains appropriate and lawful.
24. Have privacy terms been disclosed to the individual? How?
Yes. Privacy terms are typically disclosed to the individual through multiple channels, such as:
(i) Privacy notices provided by the original creditor at the time of entering into a contract or
financial agreement; (ii) Written communications or emails from the company explaining how
personal data will be used for debt recovery purposes; (iii) Publication on the company’s
website or in official contractual documentation. These disclosures ensure transparency and
compliance with data protection laws, allowing the individual to understand how their personal
data will be processed and to exercise their rights.
25. Can the individual whose data is being processed easily control or object to the
processing operation?
Yes. Individuals can exercise their rights under data protection law to control or object to the
processing of their personal data. The company provides clear information on how to submit
requests, including the right to access, rectify, restrict, or erase data, and the right to object to
debt recovery communications where applicable. These mechanisms ensure that the individual
retains control over their personal data while allowing the company to carry out its legitimate
debt recovery activities in compliance with legal requirements.
26. Can the scope of processing be adjusted to reduce significant privacy risks?
Yes. The company can limit the scope of processing to what is strictly necessary for debt
recovery, thereby reducing potential privacy risks. Measures include processing only relevant
personal and financial data, limiting access to authorized personnel, anonymizing or
pseudonymizing data where possible, and restricting communications to essential channels.
These adjustments help ensure proportionality and minimize the impact on the individual’s
privacy while still allowing the company to pursue legitimate debt recovery activities.
D) Safeguards and Compensating Controls
The company implements multiple safeguards and compensating controls to protect individuals
and reduce the risks or potential negative effects of processing personal data. These measures
include: (i) Data minimisation: Only collecting and processing data strictly necessary for debt
recovery; (ii) De-identification or pseudonymisation: Reducing the link between personal data
and the individual wherever possible; (iii) Technical and organisational measures: Ensuring
secure storage, access controls, and staff training; (iv) Privacy by default: Configuring systems
to process the minimum personal data needed for the purpose; (v) Transparency measures: Clear
communication to data subjects about the purpose and scope of processing; (vi) Encryption and
multi-factor authentication: Protecting data from unauthorised access; (vii) Data retention
controls: Retaining data only for as long as necessary to fulfill debt recovery purposes; (viii)
Restricted access: Limiting access to authorised personnel. These safeguards collectively
ensure that the processing is proportionate, secure, and compliant with applicable data protection
legislation, while mitigating potential negative impacts on the individual.
E) Conclusions
After assessing the legitimate interest balancing test, it can be concluded that the processing of
personal data by the company for the purpose of debt and fine recovery is lawful, proportionate,
and conducted in accordance with data protection principles. The processing serves a legitimate
interest of the company, and any potential impact on the rights and freedoms of the data subject
is mitigated by: (i) limiting data processing to what is necessary; (ii) implementing technical
and organizational safeguards; (iii) ensuring transparency through clear privacy notices; (iv)
providing mechanisms for individuals to exercise their rights; (v) applying measures to
minimize potential distress or harm.
Overall, the legitimate interest of the company is balanced against the rights and interests of the
individual, and the safeguards in place ensure that the processing is fair, secure, and
proportionate.
Conducted by:
_______________________________________________
(name, surname, job title, signature)
| Name | Date | Δ | Reference | Type | Org | Parties |
|---|---|---|---|---|---|---|
| Letter | 06.10.2025 | 1 | 3.2-7/25/14218-2 | Outgoing letter | transpordiamet | UAB TRAFIPARK |