Vastuskiri

Suur-Ameerika 1 / 10122 Tallinn / +372 620 8100 [email protected]/ www.justdigi.ee/ Registrikood 70000898

Alan Trumeau [email protected] Response to your inquiry regarding the availability of personal data in the Estonian Commercial Register Dear Mr Trumeau, Thank you for your message and for raising important concerns about the protection of personal data in the digital age. We would like to clarify that, under Article 6 paragraph 1 point (e) of the General Data Protection Regulation (EU) 2016/6791 (hereinafter GDPR), personal data may be processed when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. According to paragraph 3 of the same Regulation, the legal basis for such processing shall be established by Union or Member State law. In Estonia, the collection, processing, and disclosure of data in the Estonian Commercial Register are regulated by the Commercial Register Act2. According to Section 2(1) of the Act, the Estonian Commercial Register is a state database established for the purpose of collecting, storing, and disclosing information about legal entities and other registered persons. Pursuant to Section 30, the Estonian Commercial Register is public, and everyone has the right to examine registry cards and public files. The Act provides for the disclosure of certain personal data, such as the names and personal identification codes of company representatives, as these are necessary to ensure legal certainty and protect the interests of third parties in commercial transactions. The processing and publication of such data are therefore based on legal obligations and justified by the public interest in maintaining a transparent and reliable business environment. You did not specify which categories of personal data you refer to (for example, addresses, emails, or dates of birth). Please note that only data prescribed by law are published in the Estonian Commercial Register, and all processing of such data is carried out in accordance with the GDPR and the Open Data Directive (EU) 2019/10243, which supports the principle of open and accessible public information. Nevertheless, the Ministry of Justice and Digital Affairs continuously review the operation of the Estonian Commercial Register to ensure an appropriate balance between transparency, legal certainty, and the protection of personal data. Measures have also been taken to limit the visibility of personal data in public search engines and to prevent the unnecessary indexing of registry information.

1 Regulation - 2016/679 - EN - gdpr - EUR-Lex 2 Commercial Register Act–Riigi Teataja 3 Directive - 2019/1024 - EN - psi directive - EUR-Lex

Teie 23.10.2025

Meie 06.11.2025 nr 2-6/25-8633-2

2

In addition, a data protection analysis concerning the Estonian Commercial Register is currently being carried out within the Ministry to assess whether further adjustments are needed. We thank you again for your thoughtful feedback and assure you that Estonia remains committed to both data protection and transparency in public administration. Yours sincerely, (allkirjastatud digitaalselt) Mai-Liis Kullama Advisor Civil Law Division /*Lisaadressaadid: Registrite ja Infosüsteemide Keskus Andmekaitse Inspektsioon Mai-Liis Kullama 53472954 [email protected]