Public databases and registers are owned by public institutions and administered on behalf of the State. The inclusion of your personal data in these databases is often compulsory and dictated by law, unlike private databases. The storage and use of personal data should be lawful in order not to violate your right to private life.
Has my personal data been processed lawfully?
To evaluate whether your data has been processed lawfully and whether your privacy has been sufficiently respected, see the questions below. If, in your situation, you answer negatively to one of these questions, your privacy may have been violated. In such a case, you have the right to complain. Read more about how to complain.
Data processing must be allowed by law. The General Data Protection Regulation lists most of the common situations when personal data is allowed to be stored. Additionally, there are also other laws which regulate the storage of data in specific situations. For example, the Population Register of Estonia provides that information on the citizens and non-citizens of Estonia, and other inhabitants of Estonia shall be included in the Register.
The law should also clarify safeguards on how to protect your rights against a potential violation. Read more about how to protect yourself.
If the processing of your personal data is not allowed by law, your privacy has been violated. There is no need to examine the other questions.
Data processing has to be aimed at the protection of other legitimate interests. These legitimate interests may, for example, be:
- the protection of your and other persons’ legitimate interests to access different kinds of information about important issues (such as the ownership of real estate or businesses, if a person is considering purchasing a particular property or is engaged in contracts with a particular business)
- public authorities’ need to identify and contact you
- the prevention of disorder and crime
- combating recidivism
- the protection of national security
- the protection of public health etc.
If the use of your personal data in public databases and registers does not have a legitimate aim, the action taken is not lawful and your right to privacy may have been be violated. There is no need to examine the necessity for and the proportionality of the data processing.
Data processing must be necessary and suitable for the protection of other legitimate interests. The required information has to be important and relevant.
To evaluate its necessity, the following questions should be asked:
a) Is the collected amount of data excessive in relation to the purposes for which it is being collected and stored?
Data users should not collect additional data which is not necessary for the achievement of the legitimate aim, and the data should not be processed further for other purposes than were initially determined. In such a case, your consent for subsequent actions is required.
b) What is the length of time for which the information is (being) kept?
When the data about you contained in a database or register is no longer necessary for the achievement of the legitimate aim, this information should be deleted. This is particularly the case when the data is of a sensitive or intimate nature, such as criminal or medical records.
c) Are there other alternative and less restrictive methods available to achieve the legitimate aim?
Both competing interests – your right to control the use of your personal data and the legitimate interests of the State or other persons - have to be balanced against each other and a fair balance must be found. There have to be sufficient arguments why the interests of others in the particular case outweighed your rights.
The following questions should be asked within the balancing process:
a) What is the nature and volume of the personal information contained in the particular database or register?
For example, cellular samples and DNA have a very highly personal nature. If the data about you included in the database is of a sensitive nature and/or of a large volume, your right to private life has been restricted to a greater extent.
b) What is the range of public authorities and private persons that have access to the stored data?
If the range is relatively broad, your right to private life has been restricted to a greater extent. This is especially the situation when the data is of a very sensitive and intimate nature, for example, criminal records or medical data.
c) Are there adequate and effective guarantees against abuse and misuse of your data by authorities?
Read more about how to protect yourself in such situations.
Applicable as of 25 May 2018
Articles 6, 9 and 10
16 February 2000
4 December 2008
17 December 2009
6 June 2006
4 June 2013
18 April 2013
26 March 1987
31 July 2012
Joint publication by the the EU Agency for Fundamental Rights and the Council of Europe