14.08.2025

Preliminary questions referred to the CJEU by a court in Estonia may be useful in interpreting

Poland should take part in the proceedings before the CJEU in the Estonian case of data processing by the financial analytics unit. This case may help clarify the Polish provisions of the Act on anti-money laundering and countering the financing of terrorism, as well as what data protection provisions apply here.

The President of the Personal Data Protection Office, Mirosław Wróblewski, presented this position in response to an inquiry from Ignacy Niemczycki, Secretary of State in the Prime Minister's Office. The case concerns proceedings C-222/25 Rahapesu Andmebüroo and the questions referred by the Estonian court for a preliminary ruling on the application of the GDPR and of the Law Enforcement Directive 2016/680 to the activities of financial intelligence entities.

Proceedings in Estonia

The proceedings before the CJEU were brought in relation to questions referred by the Estonian court. The case was initiated by an Estonian national whom the Financial Intelligence Unit of Rahapesu Andmebüroo (RAB) refused to tell whether it had provided information relating to him to Estonian or foreign credit institutions or foreign authorities concerning suspected money laundering. The applicant also asked the RAB whether it had created audit documentation relating to him between 2012 and 2015 and whether requests concerning him had been made to the United States. The RAB also declined to answer that question. The Estonian national then turned to the Estonian supervisory authority Andmekaitse Inspektsioon (AKI).

The AKI upheld the administrative complaint and ordered the RAB to re-examine the request for information. The RAB again rejected the request, after which the applicant lodged an administrative complaint with the AKI for the second time. The supervisory authority issued a decision and adopted an interim measure requiring the RAB to provide the citizen with the requested information. The AKI based its decision on the fact that the rights of the data subject enshrined in the GDPR were at issue. However, the RAB did not disclose the information, explaining that in the fight against money laundering and terrorist financing it is crucial to keep secret all data transmitted and collected by the RAB.

The case was heard by the administrative courts, the Supreme Court of Estonia, as well as by the Estonian supervisory authority AKI. As a result, the Estonian court referred questions to the CJEU for a preliminary ruling on how Estonian law should be interpreted in the light of European data protection law: the GDPR and the Law Enforcement Directive.

Position of President of the Personal Data Protection Office

The President of the Personal Data Protection Office points out that Poland should take part in this case, because its resolution is also important for Polish legislation and the protection of personal data in Poland. It should be assumed that the activities of financial intelligence entities cannot be entirely regulated by the provisions of the Law Enforcement Directive, which allows States, in certain cases, to restrict certain rights on the grounds of the need to ensure security. These institutions may be fully subject to the GDPR provisions.

Pursuant to Article 15 GDPR, a data subject is entitled to obtain confirmation from a controller as to whether or not personal data concerning him or her are being processed and, if so, to access these data. A similar right is guaranteed to the data subject in Art. 2 of the EU Charter of Fundamental Rights.

Article 23 GDPR allows this right to be restricted if the restriction serves certain public interests. One such public interest is an important economic or financial interest of the Union or of a Member State. According to recital 41 of the GDPR, it is possible to interpret the provisions of the Regulation in such a way that the words ‘legal basis’ or ‘act’ used therein do not necessarily imply the adoption of a legal act by Parliament. In this case, the implementation of the legal act must be governed by the relevant provisions, which should specify who may process which data, how and for what period, without informing the data subject about it.

Following the opinion of the President of the Personal Data Protection Office, it should be concluded that Poland's participation in Case C-222/25 may be considered in the context of the unchanged wording of the provisions of the Act of 1 March 2018 on counteracting money laundering and terrorist financing (Journal of Laws of 2025, item 644). It is not clear from those provisions whether a person whose personal data has been processed (including made available) by a financial institution is entitled to obtain information about the circumstances of such processing under the GDPR or under the law implementing Law Enforcement Directive 2016/680.