Estonian court upholds data authority's right to demand written evaluations

Estonian Court Reinforces GDPR Enforcement on CCTV Surveillance

In a landmark ruling issued on June 19, 2025, the Tallinn Circuit Court upheld an enforcement order requiring a property owner to submit a written assessment of legitimate interest for CCTV surveillance. This decision, which originated in Estonia involving surveillance of private property and public roads in Pärnu, has significant implications for the marketing industry's use of surveillance and monitoring technologies.

The dispute centered on determining whether individuals could be identified from the camera footage. The court determined that individuals remained identifiable at distances covering both the neighboring property and public road areas. This ruling mirrors enforcement patterns where authorities examine actual system capabilities rather than accept compliance claims at face value.

The controller attempted to invoke GDPR's household exemption, but this defense was rejected based on the European Court of Justice's Ryneš ruling. The court characterized written assessment requirements as reasonable accountability measures rather than excessive regulatory burdens.

The ruling establishes that while GDPR contains no general obligation to prepare written legitimate interest analyses, supervisory authorities can order such documentation during enforcement proceedings. This confirms that enforcement orders need not identify specific legal provisions mandating written documentation, but rather can require such measures as appropriate means of achieving GDPR compliance in particular circumstances.

The Tallinn Circuit Court's decision provides crucial judicial backing for supervisory authorities' enforcement approach under Article 58(2)(d) GDPR. Companies across industries should prepare comprehensive documentation supporting their data processing activities before regulatory contact occurs, as the ruling signals that supervisory authorities possess broad discretion in selecting compliance measures during enforcement proceedings.

The case emerged after a neighbor filed a complaint with Estonia's Data Protection Inspectorate regarding CCTV cameras that captured both private property and public road areas. Broader European trends toward stricter data protection enforcement were reflected in the Estonian decision, with privacy advocacy groups challenging major platforms' legitimate interest claims and recent enforcement actions demonstrating coordination among European data protection authorities.

The ruling also confirms that European standard EVS-EN 62676-4:2015 sets pixel resolution requirements for different identification levels in video surveillance systems under GDPR. Marketing companies deploying surveillance or analytical technologies must align technical implementations with legal justifications, as systems capable of individual identification require appropriate legal bases and compliance documentation.

The court's most significant holding addressed whether data protection authorities can order written documentation of legitimate interest assessments, and it was affirmed that they can. The Estonian ruling carries implications for the marketing industry, as companies deploying CCTV systems for customer behavior analysis or security purposes must now prepare for potential written assessment requirements.

The Estonian Data Protection Inspectorate issued an enforcement order on February 2, 2023, requiring the controller to either halt all filming outside their property boundaries or submit a written legitimate interest assessment for continued surveillance of public areas. The dispute was concluded after a series of administrative and appeals court proceedings under European Union data protection law.

However, there is no information available in the search results about which person or institution made an inventory of the valid interests for CCTV recordings in Estonia in 2025. The ruling indicates that authorities will increasingly rely on technical standards and expert analysis when evaluating surveillance systems, as companies cannot rely solely on vendor claims or internal assessments when demonstrating GDPR compliance to supervisory authorities.

In conclusion, the Tallinn Circuit Court's ruling reinforces trends toward enhanced accountability documentation across data protection enforcement. Companies must now be more vigilant in preparing comprehensive documentation supporting their data processing activities to avoid potential enforcement actions and maintain GDPR compliance.