At the end of April, the Data Protection Inspectorate (AKI) launched a supervisory procedure prompted by questions surrounding the use of automatic license plate recognition (ALPR) cameras. As part of that process, the agency carried out a broader review of the Police and Border Guard Board's (PPA) data system. The aim was to determine how data is actually processed within the police database and whether that processing meets data protection requirements. The review included checks on data queries, logging, the archiving and deletion of personal data and access rights, AKI said.

"We visited the PPA repeatedly to understand how data processing functions in practice and to evaluate how data protection principles are actually being implemented," said AKI legal adviser Agnes Järvela.

"The agency has an effective internal control system in place, along with procedures for logging actions taken in the database and overseeing its use, which helps reduce the risk of data misuse," Järvela explained.

However, the inspectorate identified deficiencies in the archiving and deletion of data within the procedural information system that is part of POLIS. The system still contained data that had exceeded its legal retention period and should no longer have been stored.

Through its directive, the inspectorate ordered the PPA to archive and delete such data in accordance with prescribed deadlines.

The police must also implement both technical and organizational measures to ensure that data archiving and deletion occur regularly and on schedule moving forward.

AKI noted that the issue concerning ALPR cameras is moving toward resolution.

"Special attention was given to the use of ALPR cameras. In making our decision, we took into account that the most recent recordings and related data from these cameras will be deleted by August 14 in line with the retention period," the inspectorate said.

During its internal review, the PPA itself identified all key areas for improvement from a data protection perspective, and AKI took these findings into consideration during its own proceedings.

Nevertheless, AKI emphasized that if ALPR camera use is reinstated, the PPA must adopt additional measures to ensure that vehicles added to the monitoring system are promptly removed once there is no longer a valid reason for surveillance. The review revealed that in some cases, vehicles remained on the alert list even though the legal basis for monitoring them had expired.

The inspectorate also highlighted that several of the concerns raised about ALPR cameras are already being addressed through a draft bill currently under review in the Riigikogu. No further criticisms related to the cameras were included in the directive.

According to Järvela, protecting personal data requires more than just technical and procedural safeguards — it also depends on having a clear and transparent framework to support agencies in their day-to-day operations.

POLIS's governing statute and the PPA's own explanations indicate that the system's data is also used for analyzing police activity and for statistical purposes. In the inspectorate's view, these activities should be made even more transparent.

--

Follow ERR News on Facebook and X and never miss an update!