| Document register | Andmekaitse Inspektsioon |
| Reference | 1.2.-3/25/3648-3 |
| Registered | 10.11.2025 |
| Synchronized | 11.11.2025 |
| Type | Outgoing letter |
| Function | 1.2 Records management |
| Series | 1.2.-3 Correspondence with the media (new name from 01.01.2023) |
| File | 1.2.-3/2025 |
| Access restriction | Public |
| Access restriction | |
| Addressee | GlobalData |
| Method of receipt/dispatch | GlobalData |
| Responsible person | Maire Iro (Andmekaitse Inspektsioon, Cooperation unit) |
Maire Iro - AKI
Subject: FW: Re: Media request - DPI/Aspe Biogene data breach
From: Maire Iro - AKI
Sent: Monday, November 10, 2025 4:24 PM
To: '[email protected]' <[email protected]>
Subject: RE: Re: Media request - DPI/Aspe Biogene data breach

Dear Ms Longworth,

Thank you for your interest in Estonia’s digital health ecosystem. Below you will find the comments of the Estonian Data Protection Inspectorate (EDPI) regarding the Asper Biogene OÜ data-breach case.

The Estonian Data Protection Inspectorate (EDPI) imposed a total fine of €85,000 on Asper Biogene OÜ. This consisted of two parts: €80,000 for insufficient security measures that led to a data breach involving sensitive genetic and health data, and €5,000 for appointing the company’s sole managing board member as data protection officer (DPO), which did not ensure the required independence of the role. The amount of the fine was determined based on the scope and seriousness of the infringement, the sensitivity of the leaked data, the number of affected individuals, and the company’s turnover, in accordance with the GDPR and European Data Protection Board guidelines.

However, it should be noted that subsequent court proceedings annulled the decision. From the EDPI's perspective, the court nevertheless confirmed that a violation occurred in the appointment of the DPO. The court found that a board member who directs the company’s activities and determines the purposes and means of data processing cannot simultaneously act as an independent DPO. While the court considered the violation negligent and took into account that the company later appointed a qualified DPO and enhanced its security measures, the EDPI maintains that the independence and competence of the DPO are essential obligations for all organisations, regardless of size.

This case has contributed to wider awareness within Estonia’s health-tech sector of the importance of robust cybersecurity, independent data-protection governance, and transparency in handling sensitive personal data.

Maintaining clear roles, effective safeguards, and open communication remain crucial for sustaining public trust in digital health.

Kind regards,

Maire Iro
Public Relations Advisor
[email protected]
+372 5385 4644, +372 627 4136
Tatari 39 | 10134 Tallinn | Estonia
www.aki.ee | LinkedIn | YouTube

| Name | Date | Δ | Reference | Type | Org | Parties |
|---|---|---|---|---|---|---|
| Repeat inquiry | 10.11.2025 | 1 | 1.2.-3/25/3648-2 | Incoming letter | aki | GlobalData |