https://gdprhub.eu/api.php?action=feedcontributions&user=Hk&feedformat=atom
GDPRhub - User contributions [en]
2024-03-29T10:00:50Z
User contributions
MediaWiki 1.39.6
https://gdprhub.eu/index.php?title=-_1/2021&diff=15688
- 1/2021
2021-05-05T23:37:01Z
<p>Hk: Hk moved page - 1/2021 to EDPB - 1/2021: submission bug</p>
<hr />
<div>#REDIRECT [[EDPB - 1/2021]]</div>
Hk
https://gdprhub.eu/index.php?title=EDPB_-_Binding_Decision_1/2020_-_%27Twitter%27&diff=15687
EDPB - Binding Decision 1/2020 - 'Twitter'
2021-05-05T23:37:01Z
<p>Hk: Hk moved page - 1/2021 to EDPB - 1/2021: submission bug</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=European Union<br />
|DPA-BG-Color=<br />
|DPAlogo=logoEDPB.png<br />
|DPA_Abbrevation=<br />
|DPA_With_Country=EDPB<br />
<br />
|Case_Number_Name=1/2021<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=EDPB website<br />
|Original_Source_Link_1=https://edpb.europa.eu/<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Decided=09.11.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(24) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#24<br />
|GDPR_Article_2=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1f<br />
|GDPR_Article_3=Article 28 GDPR<br />
|GDPR_Article_Link_3=Article 28 GDPR<br />
|GDPR_Article_4=Article 33(1) GDPR<br />
|GDPR_Article_Link_4=Article 33 GDPR#1<br />
|GDPR_Article_5=Article 33(5) GDPR<br />
|GDPR_Article_Link_5=Article 33 GDPR#5<br />
|GDPR_Article_6=Article 60(4) GDPR<br />
|GDPR_Article_Link_6=Article 60 GDPR#4<br />
|GDPR_Article_7=Article 65(1)(a) GDPR<br />
|GDPR_Article_Link_7=Article 65 GDPR#1a<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
}}<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After a data breach at Twitter, the IE SA (DPC) issued a draft decision to the other SAs. Several of these SAs (FR, DE, DK, IT, NL, ES, HU) raised relevant and reasoned objections under Article 60 GDPR and maintained them.<br />
<br />
The EDPB therefore issued its first decision under Article 65(1)(a) GDPR, addressing all the objections raised by the SAs.<br />
<br />
=== Dispute ===<br />
<br />
* Are Twitter Inc and TIC (Twitter Ireland) controller, processor, or joint controllers?<br />
* Where is the main establishment of Twitter, and does the DPC therefore have jurisdiction?<br />
* When is a relevant and reasoned objection admissible under Article 4(24) GDPR?<br />
* Can infringements of GDPR provisions other than Article 33(1) and (5) be established?<br />
<br />
=== Holding ===<br />
'''1. On the admissibility of an objection, the jurisdiction of the DPC, the controller-processor relationship'''<br />
<br />
In essence, the objections raised addressed the fact that the Draft Decision does not contain enough evidence to legally and factually establish the roles of the entities concerned.<br />
<br />
The EDPB considers that an objection concerning the role, or designation, of the parties can fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24) GDPR, as this can affect the determination as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation. <br />
<br />
However, the EDPB considers that an objection on the competence of the supervisory authority acting as LSA should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR.<br />
<br />
Moreover, the EDPB considers that the aforementioned objections do not meet the requirements set out in Article 4(24) GDPR.<br />
<br />
'''2. On the violation of Article 33(1) GDPR: the obligation to notify in due time'''<br />
<br />
According to the Draft Decision, TIC actually became aware of the Breach on 7 January 2019 but should have been aware of it by 3 January 2019 at the latest, since on that date Twitter, Inc., as processor, first assessed the incident as a potential data breach and the Twitter, Inc. legal team instructed that the incident be opened. The Draft Decision stated that where the processor does not follow the procedure, or the procedure otherwise fails, the controller cannot excuse its own delayed notification on the basis of the processor’s fault, as the performance by a controller of its obligation to notify cannot be contingent upon the compliance by its processor with its obligations under Article 33(2) GDPR. This led to the infringement of Article 33(1) GDPR even though less than 72 hours elapsed between the moment at which TIC actually became aware of the Breach (7 January 2019) and the notification (8 January 2019).<br />
<br />
The FR SA raised an objection stating that the findings do not correspond to an infringement of Article 33(1) GDPR, but rather of Article 28 or Article 32 GDPR, which set out the obligations of the controller when it decides to have recourse to a processor.<br />
<br />
The DE SA argued in its objection that the issue of the allocation of roles affects the determination of the moment of awareness of the Breach, as the knowledge of a breach must be equally attributed to both joint controllers.<br />
<br />
The IE SA considers that this objection requests consideration of alternative provisions of the GDPR and that such a request by the CSAs would essentially seek to re-scope the Inquiry conducted; the IE SA therefore concluded that the objection does not fall within the definition of “relevant and reasoned objection” for the purposes of Article 4(24) GDPR.<br />
<br />
Again, the EDPB considered that the raised objections do not clearly demonstrate the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects.<br />
<br />
'''3. On the violation of Article 33(5) GDPR'''<br />
<br />
The Draft Decision of the DPC found that TIC did not comply with its obligations under Article 33(5) GDPR to document the Breach, since the documentation furnished by TIC in the course of the inquiry was not considered to contain sufficient information and was not considered to contain a record or document of, specifically, a “personal data breach”, as they amounted to “documentation of a more generalised nature”.<br />
<br />
According to the IT SA, the finding in the Draft Decision that TIC provided full cooperation during the investigative phase should be reviewed as such full cooperation can only be considered to exist if adequate, exhaustive documentation is made available by the controller in a straightforward manner.<br />
<br />
The EDPB does not take a position on the merit of the substantial issues raised by this objection “because it fails to clearly demonstrate the significance of the risks posed by the Draft Decision as it does not show the implications the alleged mistake in the Draft Decision would have for the protected values”.<br />
<br />
'''4. On potential alternative or further violations of the GDPR identified by the CSAs (concerned supervisory authorities)'''<br />
<br />
In order to determine whether TIC complies with its obligations under Article 33(1) GDPR, the IE SA considered them in the context of a controller's broader obligations, including those of accountability (Article 5(2) GDPR), of engagement of a processor (Article 28 GDPR), and in respect of the security of processing of personal data (Article 32 GDPR). However, the DPC did not consider whether or not TIC complied with any or each of these obligations other than for the purpose of assessing TIC’s compliance with its obligations under Article 33(1) and Article 33(5) GDPR.<br />
<br />
The DE, FR, HU, and IT SAs raised objections that TIC infringed other provisions of the GDPR in addition to, or instead of, Article 33(1) and Article 33(5) GDPR.<br />
<br />
The LSA (DPC) recalls that it informed TIC at the beginning of the inquiry that its purpose was to verify TIC’s compliance with Article 33(1) and Article 33(5) GDPR in respect of its notification of the Breach to the LSA on 8 January 2019. Therefore, the LSA maintains that if it were to follow the CSAs’ objections and include other infringements in its final decision “on the basis of only the material contained in the Draft Decision”, this would result in jeopardising “the entirety of the Inquiry and Article 60 process by exposing it to the risk of claims of procedural unfairness”.<br />
<br />
The other provisions being addressed by the objections of the SAs are the following: <br />
<br />
* '''Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality'''<br />
** The EDPB considers the objection raised by the DE SA in relation to the potential additional infringement of Article 5(1)(f) GDPR to be relevant and reasoned for the purposes of Article 4(24) GDPR, but considers that the HU SA’s objection on the same topic does not meet the requirements of Article 4(24) GDPR.<br />
* '''Infringement of Article 5(2) GDPR on the principle of accountability'''<br />
** The EDPB considered that the IT SA’s objection on Article 5(2) GDPR meets the requirements set out in Article 4(24) GDPR. The EDPB will therefore analyse the merits of the substantial issues raised by this objection.<br />
* '''Infringement of Article 24 GDPR on the responsibility of the controller'''<br />
** The EDPB accepts that an objection may challenge the conclusion of the LSA by considering that the LSA’s findings actually lead to the conclusion that another provision of the GDPR has been infringed, in addition to or instead of the provision identified by the LSA. The EDPB considers that this is precisely the essence of the DE SA’s objection, which therefore does not prevent it from being relevant and reasoned. The EDPB accordingly assesses the merits of the substantial issues raised by this objection.<br />
* '''Infringement of Article 28 GDPR on the relationship with processors'''<br />
** According to the EDPB, the objections of the FR and IT SAs do not clearly demonstrate the significance of the risks posed by the Draft Decision for the fundamental rights and freedoms of data subjects with specific regard to the failure to conclude on the infringement of this provision.<br />
* '''Infringement of Article 32 GDPR on the security of the processing'''<br />
** According to the EDPB, the DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft Decision for the rights and freedoms of data subjects, in particular by highlighting that the facts amount to a “significant” and “substantial” breach of the confidentiality of personal data and that a large number of persons were concerned for a substantial period of time. However, the objections of the FR and HU SAs do not meet the requirements of Article 4(24) GDPR.<br />
* '''Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach on security of processing'''<br />
** According to the EDPB, the DE SA does not clearly demonstrate the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects. As a consequence, the DE SA’s objection on Article 33(3) GDPR fails to meet the requirements set out in Article 4(24) GDPR.<br />
* '''Infringement of Article 34 GDPR on the communication of a personal data breach to the data subject'''<br />
** The HU SA considers that, if changed, the Draft Decision would lead to the conclusion of additional infringements of the GDPR. However, the EDPB concludes that the HU SA does not clearly demonstrate the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects.<br />
<br />
The Board analyses the objections found to be relevant and reasoned - in particular the DE SA’s objections on Article 5(1)(f), Article 24 and Article 32 GDPR, as well as the IT SA’s objection on Article 5(2) GDPR - together with the LSA’s response to those objections and the TIC submissions. The Board considers that the factual elements available in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of further (or alternative) infringements of Article 5(1)(f), 5(2), 24 and 32 GDPR. Even in the case of an own-volition inquiry, the Guidelines on relevant and reasoned objections state that the LSA “should seek consensus regarding the scope of the procedure (i.e. the aspects of data processing under scrutiny) prior to initiating the procedure formally”, including in the context of a possible new proceeding. The EDPB also recalls the existence of the full range of cooperation tools provided for by the GDPR (including Articles 61 and 62 GDPR), bearing in mind the goal of reaching consensus within the cooperation mechanism and the need to exchange all relevant information, with a view to ensuring protection of the fundamental rights and freedoms of data subjects. The EDPB considers that in determining the scope of the inquiry, whilst it can be limited, an LSA should frame it in such a way that it permits the CSAs to effectively fulfil their role, alongside the LSA, when determining whether there has been an infringement of the GDPR.<br />
<br />
'''5. On the lack of reprimand in the draft decision''' <br />
<br />
The corrective powers originally proposed were both a reprimand, pursuant to Article 58(2)(b) GDPR, and an administrative fine, pursuant to Article 58(2)(i) GDPR; the final Draft Decision, however, imposes only an administrative fine on TIC as the controller.<br />
<br />
The LSA decided, having regard to the scope of the inquiry that focussed on the controller’s obligations in relation to the Breach notification, that its inquiry “did not involve a finding that the underlying ‘processing operations’ relating to the Breach infringed [...] the GDPR”. Therefore, the LSA considered that there was no reason to review its decision to not issue a reprimand in light of the DE SA’s objection.<br />
<br />
The EDPB nonetheless considered that the objection by the DE SA did not meet the requirements of Article 4(24) GDPR, since it does not explain how the failure to impose a reprimand in this specific case - where a fine is also imposed - may trigger risks for data subjects’ fundamental rights and freedoms.<br />
<br />
'''6. On the calculation of the fine'''<br />
<br />
Considering all the factors of Article 83(2) GDPR, the IE SA proposed to impose an administrative fine within the range of 150,000-300,000 USD, i.e. between 0.005% and 0.01% of the undertaking’s annual turnover or between 0.25% and 0.5% of the maximum amount of the fine which may be applied in respect of these infringements. This equates to a fine in Euro of between 135,000 and 275,000.<br />
<br />
* '''AT SA''' considers the range of fine proposed by the IE SA neither effective, nor dissuasive, nor proportionate.<br />
* '''DE SA''' raised an objection arguing that the fine proposed by the LSA is “too low” and “does not comply with the provisions of Article 83(1) GDPR”. As Twitter’s business model is based on processing data, and as Twitter generates turnover mainly through data processing, the DE SA considers that a dissuasive fine in this specific case would have to be so high that it would render the illegal data processing unprofitable. On the basis of the fine concept applicable to the DE SAs, the fine for the infringement described in the Draft Decision would range from approximately EUR 7,348,035.00 to EUR 22,044,105.00.<br />
* '''HU SA''' argued that, although “fines are justified for the committed infringements”, “the fine set out in the draft is unreasonably low, disproportionate and thus not dissuasive in view of the gravity of the committed infringement and the Controller’s worldwide market power”.<br />
* '''IT SA''' asked the LSA to “review the draft decision as also related to quantification of the administrative fine, taking also account of specific aggravating elements of the case with regard to the nature of the data controller and the severity and duration of the data breach”.<br />
<br />
'''Decision of the EDPB''' on the above:<br />
<br />
- The EDPB agrees with the IE SA’s assessment according to which the controller cannot be expected to have become aware at the moment its processor realised that a security incident had occurred.<br />
<br />
- The EDPB considers that a company for which the processing of personal data is at the core of its business activities should have in place sufficient procedures for the documentation of personal data breaches, including remedial actions, which will also enable it to comply with the duty of notification under Article 33(1) GDPR. This constitutes an additional element to take into consideration in the analysis of the gravity of the infringement.<br />
<br />
- While the LSA in its Draft Decision made reference to the requirement that the fine must be dissuasive and proportionate, the EDPB considers that the LSA did not sufficiently substantiate how the proposed fine addresses these requirements. In particular, the EDPB notes that the LSA moves from calculating the maximum amount of the fine (set at $60 million) to stating the proposed fining range (set between $150,000 and $300,000), without further explanation as to which particular elements led the LSA to identify this specific range. Beyond the general reference to the relevant factors of Article 83(2) GDPR, there is no clear motivation for the choice of the proposed percentage (between 0.25% and 0.5%) of the maximum applicable fine under Article 83(4) GDPR.<br />
<br />
- In this regard, the EDPB has elaborated above the reasons why the LSA in its Draft Decision should have given greater weight to the nature, scope and negligent character of the infringement, and therefore considers that the proposed fine range should be adjusted accordingly.<br />
<br />
- The EDPB considers that the fine proposed in the Draft Decision is too low and therefore does not fulfil its purpose as a corrective measure; in particular, it does not meet the requirements of Article 83(1) GDPR of being effective, dissuasive and proportionate.<br />
<br />
- The EDPB requests the IE SA to re-assess the elements it relies upon to calculate the amount of the fixed fine to be imposed on TIC so as to ensure it is appropriate to the facts of the case.<br />
<br />
'''7. Summary of the decision'''<br />
<br />
'''On the objections concerning the qualification of controller and processor and the competence of the LSA:''' <br />
<br />
The EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised, as they do not meet the requirements of Article 4(24) GDPR. <br />
<br />
'''On the objections concerning the infringements of Article 33(1) and 33(5) GDPR found by the LSA:''' <br />
<br />
In relation to the objection of the FR SA on the absence of an infringement of Article 33(1) GDPR, the objection of the DE SA on the determination of the dies a quo for the infringement of Article 33(1) GDPR, and the objection of the IT SA relating to the infringement of Article 33(5) GDPR, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised as they do not meet the requirements of Article 4(24) GDPR. <br />
<br />
'''On the objections relating to the possible further (or alternative) infringements of the GDPR identified by the CSAs:''' <br />
<br />
* In relation to the objection of the DE SA on the possible infringements of Article 5(1)(f), Article 24, and Article 32 GDPR, and to the objection of the IT SA on the possible infringement of Article 5(2) GDPR, the EDPB decides that, while they meet the requirements of Article 4(24) GDPR, the IE SA is not required to amend its Draft Decision because the available factual elements included in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of infringements of Articles 5(1)(f), Article 5(2), Article 24, and Article 32 GDPR. <br />
* In relation to the objection of the DE SA relating to the possible infringement of Article 33(3) GDPR, the objection of the FR SA relating to the possible infringement of Article 28 and Article 32 GDPR, the objection of the HU SA relating to the possible infringement of Article 5(1)(f), Article 32, and Article 34 GDPR, and the objection of the IT SA relating to the possible infringement of Article 28 GDPR, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised as they do not meet the requirements of Article 4(24) GDPR. <br />
<br />
'''On the objection concerning the decision of the LSA to not issue a reprimand'''<br />
<br />
In relation to the objection of the DE SA concerning the decision of the IE SA not to issue a reprimand, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised as it does not meet the requirements of Article 4(24) GDPR.<br />
<br />
'''On the objection concerning the calculation of the fine suggested by the LSA:''' <br />
<br />
* In relation to the objection of the HU SA on the insufficiently dissuasive nature of the fine, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised as it does not meet the requirements of Article 4(24) GDPR.<br />
* In relation to the objection of the AT SA, the objection of the DE SA, and the objection of the IT SA on the insufficiently dissuasive nature of the fine, the EDPB decides that they meet the requirements of Article 4(24) GDPR and that the IE SA is required to re-assess the elements it relies upon to calculate the amount of the fixed fine to be imposed on TIC, and to amend its Draft Decision by increasing the level of the fine in order to ensure it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality established by Article 83(1) GDPR and taking into account the criteria of Article 83(2) GDPR.<br />
<br />
== Comment ==<br />
This decision is the first decision of the EDPB under Article 65(1) GDPR.<br />
<br />
It is interesting to note that the EDPB considered in its decision that Twitter’s right to be heard had been satisfactorily exercised, since all relevant documents and draft decisions communicated to the EDPB were sent together with Twitter's submissions and observations. It seems, however, that Twitter was not heard directly by the EDPB.<br />
<br />
== Further Resources ==<br />
The final decision of the DPC is available [https://edpb.europa.eu/sites/default/files/decisions/final_decision_-_in-19-1-1_9.12.2020.pdf here]<br />
<br />
== English Machine Translation of the Decision ==<br />
The text below reproduces the English original of the decision. Please refer to the original document for more details.<br />
<br />
<pre><br />
Adopted 1<br />
Decision 01/2020 on the dispute arisen on the draft decision<br />
of the Irish Supervisory Authority regarding Twitter<br />
International Company under Article 65(1)(a) GDPR<br />
Adopted on 09 November 2020<br />
Table of contents<br />
1 Summary of the dispute (p. 5)<br />
2 Conditions for adopting a binding decision (p. 8)<br />
2.1 Objection(s) expressed by CSA(s) in relation to a draft decision (p. 8)<br />
2.2 The LSA does not follow the relevant and reasoned objections to the draft decision or is of the opinion that the objections are not relevant or reasoned (p. 8)<br />
2.3 Conclusion (p. 9)<br />
3 The Right to good administration (p. 9)<br />
4 On the qualification of controller and processor and the competence of the LSA (p. 9)<br />
4.1 Analysis by the LSA in the Draft Decision (p. 9)<br />
4.2 Summary of the objections raised by the CSAs (p. 10)<br />
4.3 Position of the LSA on the objections (p. 11)<br />
4.4 Analysis of the EDPB (p. 13)<br />
4.4.1 Assessment of whether the objections were relevant and reasoned (p. 13)<br />
4.4.2 Conclusion (p. 16)<br />
5 On the infringements of the GDPR found by the LSA (p. 17)<br />
5.1 On the findings of an infringement of Article 33(1) GDPR (p. 17)<br />
5.1.1 Analysis by the LSA in the Draft Decision (p. 17)<br />
5.1.2 Summary of the objections raised by the CSAs (p. 18)<br />
5.1.3 Position of the LSA on the objections (p. 19)<br />
5.1.4 Analysis of the EDPB (p. 19)<br />
5.2 On the findings of an infringement of Article 33(5) GDPR (p. 20)<br />
5.2.1 Analysis by the LSA in the Draft Decision (p. 20)<br />
5.2.2 Summary of the objections raised by the CSAs (p. 20)<br />
5.2.3 Position of the LSA on the objections (p. 21)<br />
5.2.4 Analysis of the EDPB (p. 21)<br />
6 On potential further (or alternative) infringements of the GDPR identified by the CSAs (p. 22)<br />
6.1 Analysis by the LSA in the Draft Decision (p. 22)<br />
6.2 Summary of the objections raised by the CSAs (p. 22)<br />
6.2.1 Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality (p. 22)<br />
6.2.2 Infringement of Article 5(2) GDPR on the principle of accountability (p. 22)<br />
6.2.3 Infringement of Article 24 GDPR on the responsibility of the controller (p. 23)<br />
6.2.4 Infringement of Article 28 GDPR on the relationship with processors (p. 23)<br />
6.2.5 Infringement of Article 32 GDPR on the security of the processing (p. 23)<br />
6.2.6 Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach on security of processing (p. 24)<br />
6.2.7 Infringement of Article 34 GDPR on the communication of a personal data breach to the data subject (p. 24)<br />
6.3 Position of the LSA on the objections (p. 24)<br />
6.4 Analysis of the EDPB (p. 25)<br />
6.4.1 Assessment of whether the objections were relevant and reasoned (p. 25)<br />
6.4.2 Assessment of the merits of the substantial issue(s) raised by the relevant and reasoned objections and conclusion (p. 31)<br />
7 On the corrective measures decided by the LSA - in particular, the imposition of a reprimand (p. 32)<br />
7.1 Analysis by the LSA in the Draft Decision (p. 32)<br />
7.2 Summary of the objections raised by the CSAs (p. 33)<br />
7.3 Position of the LSA on the objections (p. 33)<br />
7.4 Analysis of the EDPB (p. 34)<br />
7.4.1 Assessment of whether the objections were relevant and reasoned (p. 34)<br />
7.4.2 Conclusion (p. 34)<br />
8 On the corrective measures - in particular, the calculation of the administrative fine (p. 34)<br />
8.1 Analysis by the LSA in the Draft Decision (p. 34)<br />
8.2 Summary of the objections raised by the CSAs (p. 38)<br />
8.3 Position of the LSA on the objections (p. 39)<br />
8.4 Analysis of the EDPB (p. 40)<br />
8.4.1 Assessment of whether the objections were relevant and reasoned (p. 40)<br />
8.4.2 Assessment of the merits of the substantial issue(s) raised by the relevant and reasoned objections (p. 42)<br />
8.4.3 Conclusion (p. 45)<br />
9 Binding Decision (p. 45)<br />
10 Final remarks (p. 47)<br />
The European Data Protection Board<br />
Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European<br />
Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the<br />
processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC<br />
(General Data Protection Regulation) (hereinafter “GDPR”),<br />
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended<br />
by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,<br />
Having regard to Article 11 and Article 22 of its Rules of Procedure,<br />
Whereas:<br />
(1) The main role of the European Data Protection Board (hereinafter the “EDPB” or the “Board”) is to<br />
ensure the consistent application of the GDPR throughout the EEA. To this effect, it follows from Article<br />
60 GDPR that the lead supervisory authority (hereinafter “LSA”) shall cooperate with the other<br />
supervisory authorities concerned (hereinafter “CSAs”) in an endeavour to reach consensus, that the<br />
LSA and CSAs shall exchange all relevant information with each other, and that the LSA shall, without<br />
delay, communicate the relevant information on the matter to the other supervisory authorities<br />
concerned. The LSA shall without delay submit a draft decision to the other CSAs for their opinion and<br />
take due account of their views.<br />
(2) Where any of the CSAs expressed a reasoned and relevant objection (“RRO”) on the draft decision<br />
in accordance with Article 4(24) and Article 60(4) GDPR and the LSA does not intend to follow the RRO<br />
or considers that the objection is not reasoned and relevant, the LSA shall submit this matter to the<br />
consistency mechanism referred to in Article 63 GDPR.<br />
(3) Pursuant to Article 65(1)(a) GDPR, the EDPB shall issue a binding decision concerning all the matters<br />
which are the subject of the RROs, in particular whether there is an infringement of the GDPR.<br />
(4) The binding decision of the EDPB shall be adopted by a two-thirds majority of the members of the<br />
EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) of the EDPB Rules of Procedure,<br />
within one month after the Chair and the competent supervisory authority have decided that the file<br />
is complete. The deadline may be extended by a further month, taking into account the complexity of<br />
the subject-matter upon decision of the Chair on its own initiative or at the request of at least one<br />
third of the members of the EDPB.<br />
(5) In accordance with Article 65(3) GDPR, if, in spite of such an extension, the EDPB has not been able<br />
to adopt a decision within the timeframe, it shall do so within two weeks following the expiration of<br />
the extension by a simple majority of its members.<br />
[1] OJ L 119, 4.5.2016, p. 1.<br />
[2] References to “Member States” made throughout this decision should be understood as references to “EEA Member States”. References to “EU” should be understood, where relevant, as references to “EEA”.<br />
[3] EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020.<br />
1 SUMMARY OF THE DISPUTE<br />
1. This document contains a binding decision adopted by the EDPB in accordance with Article 65(1)(a)<br />
GDPR. The decision concerns the dispute that arose following a draft decision (hereinafter “Draft<br />
Decision”) issued by the Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE<br />
SA”, also referred to in this context as the “LSA”) and the subsequent objections expressed by a<br />
number of CSAs (“Österreichische Datenschutzbehörde”, hereinafter the “AT SA”; “Der Hamburgische<br />
Beauftragte für Datenschutz und Informationsfreiheit”[4], hereinafter the “DE SA”; “Datatilsynet”,<br />
hereinafter the “DK SA”; “Agencia Española de Protección de Datos”, hereinafter the “ES SA”;<br />
“Commission Nationale de l'Informatique et des Libertés”, hereinafter the “FR SA”; “Nemzeti<br />
Adatvédelmi és Információszabadság Hatóság”, hereinafter the “HU SA”; “Garante per la protezione<br />
dei dati personali”, hereinafter the “IT SA”; “Autoriteit Persoonsgegevens”, hereinafter the “NL SA”).<br />
The draft decision at issue relates to an “own-volition inquiry” which was commenced by the IE SA<br />
following the notification of a personal data breach on 8 January 2019 (the “Breach”) by Twitter<br />
International Company, a company established in Dublin, Ireland (hereinafter “TIC”)[5].<br />
2. The data breach arose from a bug in Twitter's design, due to which, if a user on an Android device<br />
changed the email address associated with their Twitter account, the protected tweets became<br />
unprotected and therefore accessible to a wider public (and not just the user's followers), without the<br />
user's knowledge[6]. The bug was discovered on 26 December 2018 by the external contractor managing<br />
the company’s “bug bounty programme”, which is a programme whereby anyone may submit a bug<br />
report[7].<br />
3. During its investigation, Twitter discovered additional user actions that would also lead to the same<br />
unintentional result. The bug in the code was traced back to a code change made on 4 November<br />
2014[8].<br />
4. TIC informed the IE SA that, as far as it can identify, between 5 September 2017 and 11 January<br />
2019, 88,726 EU and EEA users were affected by this bug. Twitter has confirmed that it dates the bug<br />
to 4 November 2014, but it has also confirmed that it can only identify users affected from 5 September<br />
2017 due to a retention policy applicable to the logs[9]. As a result, TIC acknowledged the possibility that<br />
more users were impacted by the breach[10].<br />
5. The decision of the IE SA to commence the inquiry was taken in circumstances where TIC had, in its<br />
breach notification form, identified the potential impact for affected individuals as being<br />
“significant”[11].<br />
[4] The objection by the Hamburg SA was submitted representing also “Der Landesbeauftragte für den Datenschutz<br />
und die Informationsfreiheit Baden-Württemberg”, “Berliner Beauftragte für Datenschutz und<br />
Informationsfreiheit”, “Der Landesbeauftragte für Datenschutz und Informationsfreiheit Mecklenburg-Vorpommern”, “Die Landesbeauftragte für den Datenschutz Niedersachsen”. The objection has also been<br />
coordinated with other SAs in Germany.<br />
[5] Draft Decision, paragraphs 1.1-1.2.<br />
[6] Draft Decision, paragraph 1.9.<br />
[7] Draft Decision, paragraphs 2.7 and 4.7.<br />
[8] Draft Decision, paragraph 2.10.<br />
[9] Draft Decision, paragraph 2.10.<br />
[10] Draft Decision, paragraphs 1.10, 2.10, 14.2 and 14.3.<br />
[11] Draft Decision, paragraph 2.8.<br />
6. The IE SA stated in its Draft Decision that it was satisfied that the IE SA is the LSA, within the meaning<br />
of the GDPR, for TIC, as controller in respect of the cross-border processing of personal data carried<br />
out by TIC that was the subject of the breach[12].<br />
7. The following table presents a summary timeline of the events forming part of the procedure leading to the<br />
submission of the matter to the consistency mechanism:<br />
26.12.2018: Twitter, Inc., a company incorporated in the USA, receives a bug report through its bug bounty programme. The report was sent by a third party contractor managing the bug bounty programme (Contractor 1) to the third party contractor engaged by Twitter, Inc. to search for and assess bugs (Contractor 2).<br />
29.12.2018: Contractor 2 shares the result with Twitter, Inc. via a JIRA ticket.<br />
02.01.2019: Twitter, Inc.'s Information Security Team reviews the JIRA ticket and decides it was not a security issue but that it might be a data protection issue.<br />
02.01.2019: Twitter, Inc.'s Legal Team is notified.<br />
03.01.2019: Twitter, Inc.'s Legal Team decides that the issue should be treated as an incident.<br />
04.01.2019: Twitter, Inc. triggers the incident response process, but due to a mistake in applying the internal procedure, the Global DPO is not added as ‘watcher’ to the ticket and is therefore not notified.<br />
07.01.2019: The Global DPO is notified of the Data Breach during a meeting.<br />
08.01.2019: TIC notifies the Breach to the IE SA using the IE SA's cross-border breach notification form.<br />
22.01.2019: The IE SA commences the inquiry and requests information from TIC. The scope and legal basis of the inquiry were set out in the notice of commencement of inquiry that was sent to TIC on 22 January 2019.<br />
28.05.2019 to 21.10.2019: Inquiry Report stage: the IE SA prepares a draft inquiry report and issues it to TIC to allow TIC to make submissions in relation to the draft inquiry report; TIC provides its submissions in relation to the draft inquiry report; the IE SA requests clarifications in relation to the submissions made by TIC; the IE SA issues its final inquiry report.<br />
21.10.2019: The IE SA commences the decision-making stage.<br />
11 and 28.11.2019: The IE SA corresponds with TIC and invites TIC to make further written submissions.<br />
2.12.2019: TIC makes further submissions to the IE SA in response to the IE SA’s correspondence of 11 and 28 November 2019.<br />
[12] The IE SA has confirmed that its assessment in this regard was based both on its determination that (1) TIC, as<br />
the provider of the Twitter service in the EU/EEA, is the relevant controller and (2) that TIC’s main establishment<br />
in the EU is located in Dublin, Ireland, where decisions on the purposes and means of processing of personal data<br />
of Twitter users in the EU/EEA are taken by TIC, in accordance with Article 4(16) GDPR. Draft Decision, paragraphs<br />
2.2-2.3.<br />
14.03.2020: The IE SA issues a Preliminary Draft Decision (hereinafter “the Preliminary Draft Decision”) to TIC, concluding that TIC infringed Articles 33(1) and 33(5) GDPR; hence it intends to issue a reprimand in accordance with Article 52(2) GDPR and an administrative fine in accordance with Article 58(2)(i) and Article 83(2) GDPR.<br />
27.04.2020: TIC provides submissions on the Preliminary Draft Decision to the IE SA.<br />
27.04.2020 - 22.05.2020: The IE SA takes account of TIC’s submissions in relation to the Preliminary Draft Decision and prepares its draft decision for submission to the CSAs in accordance with Article 60 GDPR.<br />
22.05.2020 - 20.06.2020: The IE SA shares its Draft Decision with the CSAs in accordance with Article 60(3) GDPR. Several CSAs (AT SA, DE SA (represented by the DE-Hamburg SA), DK SA, ES SA, FR SA, HU SA, IT SA and NL SA) raise objections in accordance with Article 60(4) GDPR.<br />
15.07.2020: The IE SA issues a Composite Memorandum setting out its replies to such objections and shares it with the CSAs (hereinafter, “Composite Memorandum”). The IE SA requests the relevant CSAs to confirm whether, having considered the IE SA’s position in relation to the objections as set out in the Composite Memorandum, the CSAs intend to maintain their objections.<br />
27 and 28.07.2020: In light of the arguments put forward by the IE SA in the Composite Memorandum, the DK SA informs the IE SA that it does not maintain its objection, and the ES SA informs the IE SA that it withdraws its objection in part. The other CSAs (i.e., the AT, DE, ES, FR, HU, IT and NL SAs) confirm to the IE SA that they maintain their remaining objections.<br />
19.08.2020: The IE SA refers the matter to the EDPB in accordance with Article 60(4) GDPR, thereby initiating the dispute resolution procedure under Article 65(1)(a).<br />
8. The IE SA triggered the dispute resolution process on the IMI on 19 August 2020. Following the<br />
submission by the LSA of this matter to the EDPB in accordance with Article 60(4) GDPR, the EDPB<br />
Secretariat assessed the completeness of the file on behalf of the Chair in line with Article 11(2) of the<br />
EDPB Rules of Procedure. The EDPB Secretariat contacted the IE SA for the first time on 20 August<br />
2020, asking for additional documents and information to be submitted in IMI and requesting the IE<br />
SA to confirm the completeness of the file. The IE SA provided the documents and information and<br />
confirmed the completeness of the file on 21 August 2020. A matter of particular importance that was<br />
scrutinized by the EDPB Secretariat was the right to be heard, as required by Article 41(2)(a) of the<br />
Charter of Fundamental Rights. On 4 September 2020, the Secretariat contacted the IE SA with<br />
additional questions in order to confirm whether TIC had been given the opportunity to exercise its<br />
right to be heard regarding all the documents that were submitted to the Board for making its decision.<br />
On 8 September 2020, the IE SA confirmed that this was the case and provided the documents to prove<br />
it[13].<br />
9. On 8 September 2020, the decision on the completeness of the file was taken, and it was circulated by<br />
the EDPB Secretariat to all the members of the EDPB.<br />
[13] Amongst the documents sent by the IE SA, there were emails from the Global DPO acknowledging receipt of the<br />
relevant documents.<br />
10. The Chair decided, in compliance with Article 65(3) GDPR in conjunction with Article 11(4) of the EDPB<br />
Rules of Procedure, to extend the default timeline for adoption of one month by a further month on<br />
account of the complexity of the subject-matter.<br />
2 CONDITIONS FOR ADOPTING A BINDING DECISION<br />
11. The general conditions for the adoption of a binding decision by the Board are set forth in Article 60(4)<br />
and Article 65(1)(a) GDPR[14].<br />
2.1 Objection(s) expressed by CSA(s) in relation to a draft decision<br />
12. The EDPB notes that CSAs raised objections to the Draft Decision via the information and<br />
communication system mentioned in Article 17 of the EDPB Rules of Procedure, namely the Internal<br />
Market Information System. The objections were raised pursuant to Article 60(4) GDPR.<br />
13. More specifically, objections were raised by CSAs in relation to the following matters: the competence of the LSA; the qualification of the roles of TIC and Twitter, Inc., respectively; the infringements of the GDPR identified by the LSA; the existence of possible additional (or alternative) infringements of the GDPR; the lack of a reprimand; the calculation of the proposed fine.<br />
14. Each of these objections was submitted within the deadline provided by Article 60(4) GDPR.<br />
2.2 The LSA does not follow the relevant and reasoned objections to the draft<br />
decision or is of the opinion that the objections are not relevant or reasoned<br />
15. On 15 July 2020, the IE SA provided to the CSAs a detailed analysis of the objections raised by the CSAs in<br />
the Composite Memorandum, where it outlined whether it considered the objections to be “relevant<br />
and reasoned” in accordance with Article 4(24) GDPR, and whether it decided to follow any of the<br />
objections[15].<br />
16. More specifically, the IE SA considered that only the objections raised by CSAs in relation to the<br />
calculation of the fine meet the threshold put forward by Article 4(24) GDPR in so far as they relate to<br />
the compliance with the GDPR of the envisaged action in relation to the controller or processor and<br />
also set out the risks posed as regards the fundamental rights and freedoms of data subjects[16].<br />
However, the IE SA concluded that it would not follow the objections, for the reasons set out in the<br />
Composite Memorandum and below.<br />
17. The IE SA considered that the other objections expressed by CSAs were not “relevant and reasoned”<br />
within the meaning of Article 4(24) GDPR.<br />
[14] According to Article 65(1)(a) of the GDPR, the Board will issue a binding decision when a supervisory authority<br />
has raised a relevant and reasoned objection to a draft decision of the LSA or the LSA has rejected such an<br />
objection as being not relevant or reasoned.<br />
[15] The purpose of the document, as stated by the IE SA, was to facilitate further cooperation with the CSAs in<br />
relation to the Draft Decision and to comply with the requirement in Article 60(1) GDPR that the LSA shall<br />
cooperate with the other CSAs in an endeavour to reach consensus.<br />
[16] Composite Memorandum, paragraph 5.59.<br />
2.3 Conclusion<br />
18. The case at issue fulfils all the elements listed by Article 65(1)(a) GDPR, since several CSAs raised<br />
objections to a draft decision of the LSA within the deadline provided by Article 60(4) GDPR, and the<br />
LSA has not followed objections or rejected them as not relevant or reasoned.<br />
19. The EDPB is therefore competent to adopt a binding decision, which shall concern all the matters which<br />
are the subject of the relevant and reasoned objection(s), in particular whether there is an<br />
infringement of the GDPR[17].<br />
20. All results in this decision are without any prejudice to any assessment or binding decision made in<br />
other cases by the EDPB, including with the same parties, depending on further and/or new findings.<br />
3 THE RIGHT TO GOOD ADMINISTRATION<br />
21. The EDPB is subject to Article 41 of the EU Charter of Fundamental Rights, in particular Article 41 (right<br />
to good administration). This is also reflected in Article 11(1) EDPB Rules of Procedure[18].<br />
22. The EDPB decision “shall be reasoned and addressed to the lead supervisory authority and all the<br />
supervisory authorities concerned and binding on them” (Article 65(2) GDPR). It is not aiming to address<br />
directly any third party. However, as a precautionary measure to address the possibility that TIC might<br />
be affected by the EDPB decision, the EDPB assessed if TIC was offered the opportunity to exercise its<br />
right to be heard in relation to the procedure led by the LSA and in particular if all the documents<br />
received in this procedure and used by the EDPB to take its decision had already been shared<br />
previously with TIC and if TIC had been heard on them.<br />
23. Considering that TIC has already been heard by the IE SA on all the information received by the EDPB<br />
and used to take its decision[19] and the LSA has shared with the EDPB the written observations of TIC, in<br />
line with Article 11(2) EDPB Rules of Procedure[20], in relation to the issues raised in this specific Draft<br />
Decision, the EDPB is satisfied that Article 41 of the EU Charter of Fundamental Rights has been<br />
respected.<br />
4 ON THE QUALIFICATION OF CONTROLLER AND PROCESSOR AND THE<br />
COMPETENCE OF THE LSA<br />
4.1 Analysis by the LSA in the Draft Decision<br />
24. The Draft Decision states that “[i]n commencing the Inquiry, the appointed investigator within the [IE<br />
SA] [...] was satisfied that TIC is the controller, within the meaning of Article 4(7) of the GDPR, in respect<br />
of the personal data that was the subject of the Breach”, and that “[i]n this regard, TIC confirmed that<br />
it was the controller” in the data breach notification form and in the correspondence with the IE SA[21].<br />
The Draft Decision further states that “TIC also confirmed that the Breach had arisen in the context of<br />
processing carried out on its behalf by Twitter Inc., its processor”[22] and “TIC is the data controller for<br />
the personal data which is the subject of the Inquiry. TIC has an agreement in place with Twitter Inc. (its processor) to provide data processing services”[23].<br />
25. Additionally, the Draft Decision specifies that the IE SA was further satisfied that it was competent to<br />
act as LSA in respect of cross-border processing carried out by TIC, in relation to the personal data that<br />
was the subject of the Breach[24].<br />
26. In this regard, the Draft Decision further states that TIC confirmed to the IE SA in notifying the Breach<br />
that it was “an Irish company”, and the “provider of the Twitter services in Europe”, and that TIC’s<br />
Privacy Policy (updated in January 2016) informed users of the Twitter service in the EU that they had the<br />
right to raise concerns either with their local supervisory authority or with TIC’s LSA, the IE SA[25].<br />
27. The IE SA further included in the Draft Decision an excerpt from TIC’s Annual Report and Financial<br />
Statements relating to the Financial Year ended 31 December 2018 specifying that the “ultimate<br />
controlling party and the largest group of undertakings for which group financial statements are drawn<br />
up, and of which the company is a member, is Twitter, Inc., a company incorporated in the United States<br />
of America and listed on the New York Stock Exchange”[26].<br />
28. The IE SA initially faced uncertainty arising from the use of the terms “we” and “our” in the data breach<br />
notification form to refer interchangeably to TIC and Twitter, Inc. The IE SA sought clarifications in this<br />
regard and TIC indicated that employees of TIC and Twitter, Inc. habitually use “we” and “our” loosely<br />
to refer to the group by its name. In addition, TIC indicated that whilst TIC is the controller and makes<br />
decisions with respect to the purposes and means of data processing, it does not operate alone: “TIC,<br />
and its employees, are part of [...] the Twitter Group [....]. All employees of the Twitter Group use the<br />
same computer systems, they adhere to the same general policies…and work together to ensure the<br />
global round-the-clock support required to keep the Twitter platform operational”[27].<br />
4.2 Summary of the objections raised by the CSAs<br />
29. In its objection, the ES SA states that the Draft Decision does not sufficiently justify the role of TIC as<br />
controller. The ES SA stresses that an assessment of which entity really decides on the purposes and<br />
means should be carried out, alongside a critical analysis of all the facts which took place.<br />
According to the ES SA, the elements underlying the Draft Decision seem to suggest a conclusion that<br />
is different from the one reached by the IE SA. In particular, the ES SA considers that the decisions on<br />
the essential purposes of the data processing are actually taken by Twitter, Inc. The ES SA supported<br />
its reasoning by listing some factors that, in its view, could suggest that TIC does not decide on the<br />
purposes and means. First, the ES SA recalled that TIC is a subsidiary of Twitter, Inc. and highlighted<br />
that it would therefore be hard to understand how TIC could “issue orders” to Twitter, Inc. relating to<br />
processing of personal data of EEA users. According to the ES SA, TIC was never in the position to<br />
independently choose Twitter, Inc. as its processor and would not be able to replace it. Secondly,<br />
the ES SA argued that Twitter, Inc. does not seem to act as processor due to the “absence of a direct<br />
channel” between the two companies in the management of data breach cases other than the sending<br />
of an email with the Global DPO in copy. Thirdly, the ES SA stated that it was not clear how TIC could<br />
have independently adopted or influenced the decisions leading to the correction of the IT bug in the<br />
system managed and controlled by Twitter, Inc., and that it was rather Twitter, Inc. who undertook<br />
decisions relating to the solution of the Breach, whose effects were not limited only to European users.<br />
[17] Article 65(1)(a) in fine GDPR. Some CSAs raised comments and not per se objections, which were, therefore,<br />
not taken into account by the EDPB.<br />
[18] EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020.<br />
[19] IE SA Preliminary Draft Decision (14 March 2020); IE SA Draft Decision (22 May 2020); Objections and<br />
comments raised by CSAs (18-20 June 2020); Composite Memorandum prepared by the IE SA (15 July 2020); and<br />
the remaining comments and objections from the CSAs (27-28 July 2020).<br />
[20] EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020.<br />
[21] Draft Decision, paragraph 2.2.<br />
[22] Draft Decision, paragraph 4.2.<br />
[23] Draft Decision, paragraph 4.6.<br />
[24] Draft Decision, paragraph 2.3.<br />
[25] Draft Decision, paragraph 2.3.<br />
[26] Draft Decision, paragraph 2.4.<br />
[27] Draft Decision, paragraph 4.5.<br />
30. The NL SA also raised an objection regarding the legal qualification of TIC and Twitter, Inc. as<br />
respectively controller and processor. Specifically, the objection relates to the way the IE SA has argued<br />
that TIC is the sole controller in this case and that Twitter, Inc. is a processor acting on its behalf. The<br />
NL SA considers that the assessment of controllership is a fundamental aspect of this case and therefore<br />
any conclusion regarding the role of controller, processor or joint controllers should be supported by<br />
legal and factual evidence. In its objection, the NL SA essentially submits that the Draft Decision does<br />
not contain enough evidence to legally and factually establish the roles of the entities concerned, in<br />
particular to support the conclusion (i) that TIC is the (sole) controller and (ii) that Twitter, Inc. is merely<br />
a processor acting under instruction of TIC for the operation of the global Twitter service and/or the<br />
purposes that are relevant in this case. According to the NL SA, the LSA should verify whether the legal<br />
statements of the organisation and/or their privacy policy correspond with their actual activities.<br />
The NL SA requested the IE SA to include more information on and/or a description of the factors that<br />
lead to the determination of roles in the Draft Decision document itself. The NL SA also mentions, as<br />
examples of factors to take into account: instructions from TIC to Twitter, Inc., or other objective<br />
evidence or practical clues from daily operations as well as examples from written records such as a<br />
data processing agreement.<br />
31. In its objection, the DE SA argues that the relationship between Twitter, Inc. and TIC is not a<br />
controller-processor relationship, but rather a joint-controllers relationship. The objection in the first<br />
instance relies on the fact that Twitter, Inc. and TIC do not operate separate data processing systems.<br />
According to the DE SA, the basic system operated by Twitter, Inc. is modified for EEA users on the basis<br />
of decisions made by TIC, whereas the main processing system stays the same. The DE SA also<br />
highlighted that all the employees of the group use the same computer system and adhere to the same<br />
general policies.<br />
32. Finally, the FR SA raised an objection regarding the competence of the IE SA, stating that it seemed<br />
that the IE SA came to the conclusion that the decision-making power on the purposes and means of<br />
the processing at stake was exercised by TIC. According to the FR SA, the Draft Decision does not<br />
clearly indicate that other elements than the company TIC’s statements were taken into account by<br />
the authority to consider that this company had a decision-making power on the processing. The FR<br />
SA also specified that the Draft Decision does not clearly indicate if the competence of the authority is<br />
based either on the fact that the company TIC should be considered as the controller, or because TIC<br />
should be regarded as the main establishment as defined by Article 4(16) GDPR. The FR SA concluded<br />
that in its current state the Draft Decision does not prevent the risk of forum shopping, which the one-stop-shop mechanism is meant to avoid. The FR SA invited the IE SA to provide more elements allowing<br />
to prove that the company TIC has a decision-making power regarding the purposes and means of the<br />
processing for the social network Twitter.<br />
4.3 Position of the LSA on the objections<br />
33. In its Composite Memorandum, the IE SA considered that an objection based on the role or designation<br />
of the parties as controller and processor and/or on the competence of the IE SA “neither disputes the<br />
finding of an infringement nor the envisaged action and, therefore, does not satisfy the definition at<br />
Article 4(24)” and that it “does not fall within the meaning of the definition of ‘relevant and reasoned’<br />
objection under Article 4(24)”<br />
28. The IE SA nevertheless analysed such objections and, in doing so, set<br />
out the factors which it had considered in determining TIC’s status as controller and as main<br />
establishment. In this regard, the IE SA outlined (by way of summary29) the facts and legal analysis<br />
leading to its conclusion in respect of TIC’s status as controller, in essence: Twitter’s previous confirmation in 2015 that it proposed to make TIC in Ireland the controller for<br />
personal data of Twitter users in the EU30; TIC’s confirmation that it was controller for the personal data affected by the Breach both in<br />
notifying the Breach to the IE SA and during the course of the inquiry; TIC’s confirmation that a data processing agreement is in place between it and Twitter, Inc. as its<br />
processor, which includes the provisions required by Article 28 GDPR; the interactions between TIC and Twitter, Inc. following 7 January 2019, when TIC (through its<br />
DPO) was actually made aware of the Breach, demonstrating according to the IE SA that TIC<br />
exercised control and decision-making authority over Twitter, Inc. concerning the remediation<br />
activities and notification of the Breach and in relation to the underlying processing of personal<br />
data affected by the Breach; and<br />
the actions of Twitter, Inc. when it was notified of the incident by Contactor 2, which according to<br />
the IE SA also support the status of the relationship between the two entities as one in which TIC<br />
exercised authority and bore responsibilities as the controller.<br />
34. The IE SA then set out, by way of summary31, the facts and legal analysis leading to its conclusion that TIC’s main establishment is in Ireland, in essence (beyond the points above): TIC’s designation and declaration of itself as main establishment; TIC’s confirmation in its Privacy Policy of its status as the relevant controller for personal data of Twitter users in the EU; TIC’s place of central administration is in Dublin, where it has approximately 170 employees; TIC’s direct employment of a global DPO for the purposes of the GDPR, the reporting line for the Global DPO within TIC and the Global DPO’s representation of TIC on a range of privacy and data processing related activities, including the ability to veto data processing; and the historical and ongoing supervision of TIC by the IE SA, during which it has been apparent that TIC determines the purposes and means for which personal data are processed within the EU. The IE SA reiterated that, notwithstanding its response to the substance of the objections raised on the matters of competence and/or the designation of the parties, it did not consider that the objections in relation to these issues satisfied the definition of a “relevant and reasoned objection” under Article 4(24) GDPR. The IE SA stated that, in light of both its assessment that these matters did not satisfy the definition under Article 4(24) GDPR, and in light of its demonstration that it had adequately addressed the questions of main establishment, its competence, and the controller and processor designation in its Draft Decision, it did not intend to follow the objections on these matters32.<br />
28 Composite Memorandum, paragraph 5.39.<br />
29 Composite Memorandum, paragraph 5.35.<br />
30 In this regard, the Composite Memorandum explains that TIC informed the IE SA on 8 April 2015 that it proposed to make TIC in Ireland the controller for the personal data of its users outside of the USA and that TIC notified this fact to other EU supervisory authorities in May 2015 (paragraph 5.15).<br />
31 Composite Memorandum, paragraph 5.36.<br />
Adopted 13<br />
4.4 Analysis of the EDPB<br />
4.4.1 Assessment of whether the objections were relevant and reasoned<br />
35. The EDPB will begin its analysis of the objections raised by assessing whether the aforementioned objections are to be considered as a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR.<br />
36. Article 4(24) of the GDPR defines “relevant and reasoned objection” as an “objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union”33.<br />
37. As clarified in the Guidelines on the concept of a relevant and reasoned objection, an objection needs to be both “relevant” and “reasoned”. In order for the objection to be “relevant”, there must be a direct connection between the objection and the draft decision and it needs to concern either whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR34.<br />
38. According to the same Guidelines, an objection is “reasoned” when it is coherent, clear, precise and detailed in providing clarifications and arguments as to why an amendment of the decision is proposed and how the change would lead to a different conclusion35, and when it clearly demonstrates the significance of the risks posed by the draft decision for fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the European Union. The CSA should thus “show the implications the draft decision would have for the protected values”, by “advancing sufficient arguments to show that such risks are substantial and plausible”36. The evaluation of the risks posed to the rights and freedoms of data subjects37 can rely, inter alia, on the appropriateness, necessity, and proportionality of the measures envisaged38 and on the possible reduction of future infringements of the GDPR39.<br />
32 Composite Memorandum, paragraph 5.40.<br />
33 GDPR, Article 4(24).<br />
34 See also the EDPB Guidelines 9/2020 on the concept of relevant and reasoned objection, version for public consultation (hereinafter, “Guidelines on RRO”), paragraph 12, currently subject to public consultation, https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-092020-relevant-and-reasoned-objection_en. The Guidelines were adopted on 8 October 2020, after the commencement of the inquiry by the IE SA relating to this particular case.<br />
35 Guidelines on RRO, paragraphs 17 and 20.<br />
36 Guidelines on RRO, paragraph 37.<br />
37 The “data subjects” whose rights and freedoms may be impacted may be both those whose personal data are being processed by the controller/processor and those whose personal data may be processed in the future. Guidelines on RRO, paragraph 43.<br />
38 Guidelines on RRO, paragraph 42.<br />
39 Guidelines on RRO, paragraph 43.<br />
39. In terms of content, the objection can, as a first alternative, concern the existence of an infringement of the GDPR. In this case, it should explain why the CSA disagrees as to whether the activities carried out by the controller or processor led to the infringement of a given provision of the GDPR, and to which infringement(s) specifically40. This objection may also include a disagreement as to the conclusions to be drawn from the findings of the investigation (e.g. by stating that the findings amount to an infringement other than / in addition to those already analysed)41 or could go as far as identifying gaps in the draft decision justifying the need for further investigation by the LSA42. However, this is less likely to happen when the obligation for the LSA to cooperate with the CSAs and exchange all relevant information has been duly complied with in the time preceding the issuance of the draft decision43. Alternatively, the content of the objection can refer to the compliance of the action in relation to the controller or processor (corrective measure or other) envisaged in the draft decision with the GDPR, by explaining why the action foreseen is not in line with the GDPR44.<br />
40. The EDPB considers it possible for an objection concerning the existence of an infringement of the GDPR to concern the absence or insufficiency of assessment or reasoning (with the consequence that the conclusion in the draft decision is not adequately supported by the assessment carried out and the evidence presented, as required in Article 58 GDPR), as long as the whole threshold set forth by Article 4(24) GDPR is met and provided there is a link between the allegedly insufficient analysis and whether there is an infringement of the GDPR or whether envisaged action complies with the GDPR45.<br />
41. The EDPB considers that an objection concerning the role, or designation, of the parties can fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24) GDPR, as this can affect the determination as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation. However, the EDPB considers that an objection on the competence of the supervisory authority acting as LSA should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR46.<br />
a) Assessment of the objection raised by the NL SA<br />
42. The objection raised by the NL SA in the first instance relates to an “absence or insufficiency of assessment or reasoning”47 leading to the conclusions drawn by the IE SA as to the legal qualification of TIC and Twitter, Inc. As the NL SA points out, the assessment of controllership is indeed a fundamental aspect of the case. A different conclusion as to the legal qualification of TIC and Twitter, Inc. would affect the conclusions of the supervisory authority, both in relation to the determination of an infringement of Article 33 GDPR, as well as the decision on the corrective measures resulting from the investigation.<br />
40 Guidelines on RRO, paragraph 25.<br />
41 Guidelines on RRO, paragraph 27.<br />
42 Guidelines on RRO, paragraph 28 (which also specifies that “In this regard, a distinction must be made between, on one hand, own-volition inquiries and, on the other hand, investigations triggered by complaints or by reports on potential infringements shared by concerned supervisory authorities”).<br />
43 Guidelines on RRO, paragraph 27.<br />
44 Guidelines on RRO, paragraph 33. This means that the objection may, inter alia, challenge the elements relied upon to calculate the amount of the fine (Guidelines on RRO, paragraph 34).<br />
45 Guidelines on RRO, paragraph 29.<br />
46 The procedure pursuant to Article 65(1)(b) GDPR is applicable in this case and can be launched at any stage, Guidelines on RRO, paragraph 31.<br />
47 Guidelines on RRO, paragraph 29. A relevant and reasoned objection concerning whether there is an infringement of the GDPR can concern “insufficient factual information or description of the case at stake”, a “disagreement as to the conclusions to be drawn from the findings of the investigation” (Guidelines on RRO, paragraph 27) or refer to an “absence or insufficiency of assessment or reasoning (with the consequence that the conclusion in the draft decision is not adequately supported by the assessment carried out and the evidence presented, as required in Article 58 GDPR)” (Guidelines on RRO, paragraph 29).<br />
43. The EDPB recalls that each legally binding measure adopted by a supervisory authority must give the reasons for the measure48. The determination as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, hinges on the correct identification of the roles of the parties who shall be the subject of the measure. Therefore, a draft decision must contain sufficient legal and factual elements to support the proposed decision49. As a result, the EDPB considers that the objection raised by the NL SA concerns both “whether there is an infringement of the GDPR” and “whether or not the envisaged action complies with the GDPR”.<br />
44. While the EDPB considers that the objection of the NL SA is therefore relevant and includes legal arguments supporting its position, it does not put forward arguments as to how such consequences would pose significant risks for the rights and freedoms of data subjects and/or the free flow of data50. The EDPB recalls that the obligation to clearly demonstrate the significance of the risk posed by the draft decision, established by the GDPR, lies with the CSA51. While the possibility for CSAs to provide such demonstration may also depend on the degree of detail of the draft decision itself and on the previous exchanges of information52, such a circumstance, where applicable, cannot completely absolve the CSA from the obligation to clearly set out why it considers that the draft decision, if left unchanged, results in significant risks for the rights and freedoms of individuals.<br />
45. The EDPB finds that the objection raised by the NL SA does not clearly demonstrate the risks for the rights and freedoms of individuals as such. On this basis, the EDPB considers that the objection raised by the NL SA does not meet the requirements of Article 4(24) GDPR.<br />
b) Assessment of the objection raised by the ES SA<br />
46. The objection raised by the ES SA also challenges the sufficiency of the assessment or reasoning in relation to the conclusions drawn by the IE SA as to the legal qualification of TIC and Twitter, Inc. respectively. The objection also makes clear that the correct qualification of TIC and Twitter, Inc. is key for determining their respective responsibilities, as well as for the competence of the IE SA. As a result, the EDPB also considers that the objection raised by the ES SA concerns both “whether there is an infringement of the GDPR” and “whether or not the envisaged action complies with the GDPR”. The objection of the ES SA also sets out why it considers that a change to the Draft Decision is necessary and how the change would lead to a different conclusion.<br />
47. While the EDPB considers that the objection of the ES SA is therefore relevant and includes legal arguments supporting its position, it does not clearly articulate why the decision, if left unchanged in this respect, would pose significant risks for the rights and freedoms of data subjects and, where applicable, the free flow of personal data. On this basis, the EDPB considers that the objection raised by the ES SA does not meet the requirements set out in Article 4(24) GDPR.<br />
48 Recital (129) GDPR.<br />
49 Such information is also necessary to ensure the effectiveness of the cooperation and consistency mechanism, so as to allow CSAs to make an informed decision on whether or not to agree or express a relevant and reasoned objection.<br />
50 Guidelines on RRO, paragraph 19.<br />
51 Guidelines on RRO, paragraph 36 and Article 4(24) GDPR.<br />
52 Guidelines on RRO, paragraph 36.<br />
c) Assessment of the objection raised by the DE SA<br />
48. While the objections expressed by the NL and ES SA primarily relate to an “absence of reasoning” justifying the conclusion that TIC acts as (sole) controller, the DE SA disagrees as to the conclusions to be drawn from the findings of the investigation53. In particular, the DE SA considers that the factual elements included in the file are sufficient to justify the conclusion that Twitter, Inc. does not qualify as a processor, but rather as a joint controller, together with TIC.<br />
49. In its objection, the DE SA also sets out why the qualification of the parties is relevant to the determination of “whether there is an infringement”. In particular, the DE SA argues that the legal assessment of the relationship between Twitter, Inc. and TIC affects the determination of the moment of becoming aware of the Breach. According to the DE SA, knowledge must be equally attributed to both (joint) controllers in light of Article 26(1) GDPR. Taking this into account, the DE SA argues that the relevant date when TIC as joint controller obtained knowledge (or rather should have obtained knowledge) needs to be reconsidered by the IE SA.<br />
50. The EDPB considers that the objection raised by the DE SA clearly sets out why changing the Draft Decision is considered necessary and how the objection, if followed, would lead to a different conclusion. That being said, the EDPB does not find that the objection raised by the DE SA includes a clear statement regarding the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects in relation to the qualification of the parties as such. On this basis, the EDPB considers that the objection raised by the DE SA does not meet the requirements set out in Article 4(24) GDPR.<br />
d) Assessment of the objection raised by the FR SA<br />
51. The FR SA in essence also considers that the Draft Decision suffers from “an absence or insufficiency of assessment or reasoning”, in that it does not clearly indicate that elements other than TIC’s own statements were taken into account by the IE SA to consider that TIC exercised decision-making power over the processing. Similar to the NL SA and ES SA, the FR SA also stresses the importance that the decision of the LSA is sufficiently reasoned. Different from the NL SA and ES SA, however, the FR SA focuses in its objection primarily on the importance of including such reasoning in establishing the competence of an authority as LSA, in particular with a view to preventing forum shopping.<br />
52. The EDPB recalls that a disagreement on the competence of the supervisory authority acting as LSA to issue a decision in the specific case should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR54. The EDPB considers that the objection raised by the FR SA does not advance sufficient arguments to clearly demonstrate the significance of the risk for the rights and freedoms of data subjects posed by the Draft Decision. As a result, the EDPB considers that the objection raised by the FR SA does not amount to a relevant and reasoned objection within the meaning of Article 4(24) GDPR.<br />
4.4.2 Conclusion<br />
53. The EDPB considers that the aforementioned objections satisfy several of the criteria of Article 4(24) GDPR. Contrary to the conclusion reached by the IE SA, the EDPB considers that each of those objections satisfied the condition of referring alternatively to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation. In addition, the EDPB considers that an objection based on the role, or designation, of the parties can in principle fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24) GDPR.<br />
54. However, as stated above, the aforementioned objections do not meet the threshold of providing a clear demonstration as to the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the European Union.<br />
53 Guidelines on RRO, paragraph 27.<br />
54 Guidelines on RRO, paragraph 31. The Guidelines go on to state that unlike the objection pursuant to Article 60(4) GDPR, the procedure pursuant to Article 65(1)(b) GDPR is applicable at any stage.<br />
55. In addition, as regards the aforementioned objection raised by the FR SA, in addition to not advancing sufficient arguments to clearly demonstrate the significance of the risk for the rights and freedoms of data subjects posed by the Draft Decision, the objection concerns a disagreement on the competence of the supervisory authority acting as LSA. The EDPB recalls that such disagreement should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR55.<br />
56. As a result, the EDPB considers that the aforementioned objections do not meet the requirements set out in Article 4(24) GDPR.<br />
57. As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.<br />
5 ON THE INFRINGEMENTS OF THE GDPR FOUND BY THE LSA<br />
5.1 On the findings of an infringement of Article 33(1) GDPR<br />
5.1.1 Analysis by the LSA in the Draft Decision<br />
58. The IE SA concluded that TIC did not meet its obligations as a controller under Article 33(1) GDPR, which "cannot be viewed in isolation and must be understood within the context of the broader obligations on controllers under the GDPR, in particular, the obligation of accountability under Article 5(2), the relationship between controllers and processors (Article 28), and the obligation to implement appropriate (and effective) technical and organisational measures"56.<br />
59. With regard to the moment at which the controller became aware of the Breach, the Draft Decision concluded that in case the Breach is suffered by the processor, the controller becomes aware when it is notified of the Breach by the processor57, but the controller must ensure that it has sufficient measures in place to facilitate this awareness58. Because TIC as controller was responsible for overseeing the processing operations carried out by its processor Twitter, Inc.59, the Draft Decision stated that where the processor does not follow the procedure or the procedure fails otherwise, the controller cannot excuse its own delayed notification on the basis of the processor’s fault60, as the performance by a controller of its obligation to notify cannot be contingent upon the compliance by its processor with its obligations under Article 33(2) GDPR61. The IE SA found that in these circumstances the controller must be considered as having constructive awareness of the Breach through its processor62, and that such an interpretation reflects the responsibility and accountability of the controller in the GDPR63.<br />
60. According to the Draft Decision, therefore, TIC became actually aware of the Breach on 7 January 201964 but should have been aware of the Breach at the latest by 3 January 2019, since on that date Twitter, Inc. as processor first assessed the incident as being a potential data breach and the Twitter, Inc. legal team instructed that the incident be opened65. The Draft Decision also stated that even in the particular circumstances of this situation (where earlier delays had also arisen66), any arrangements in place with Twitter, Inc. should have enabled this67. Instead, due to the “ineffectiveness of the process” in the “particular circumstances” of the case at stake and/or “a failure by [the processor’s] staff to follow its incident management process” there was a delay leading to the controller being notified only on 7 January 201968. This led to the infringement of Article 33(1) GDPR even if less than 72 hours elapsed between the moment at which TIC became actually aware of the Breach (7 January 2019) and the notification (8 January 2019).<br />
55 Guidelines on RRO, paragraph 31.<br />
56 Draft Decision, paragraph 6.20. See also Draft Decision, paragraphs 6.5, 6.7, and 6.13. The Draft Decision (paragraph 7.129 (i)) also states that the “requirement under Article 33(1) [...] is predicated upon the controller ensuring that it has internal systems and procedures (and where applicable, systems and procedures in place with any external parties including processors) that are configured, and followed, so as to facilitate prompt awareness, and timely notification, of breaches”.<br />
57 Draft Decision, paragraph 7.129 (iii).<br />
58 Draft Decision, paragraph 7.98.<br />
59 Draft Decision, paragraph 7.129 (iv).<br />
60 Draft Decision, paragraph 7.129 (iv).<br />
61 Draft Decision, paragraph 7.129 (x).<br />
62 Draft Decision, paragraph 7.129 (v).<br />
63 Draft Decision, paragraph 7.98. According to the Draft Decision, an alternative interpretation leading to consider that a controller is only “aware” when informed by its processor leaves a significant lacuna in the protection provided by the GDPR, as it could result in the controller avoiding responsibilities even in case of major delays if it showed it satisfied its obligations in choosing a processor and having proper systems in place, but such systems were disregarded by the processor (Draft Decision, paragraph 7.99). The IE SA further outlined in the Draft Decision that “the alternative application of Article 33(1), and that which was suggested by TIC, whereby the performance by a controller of its obligation to notify is, essentially, contingent upon the compliance by its processor with its obligations under Article 33(2), would undermine the effectiveness of the Article 33 obligations on a controller [and that] [s]uch an approach would be at odds with the overall purpose of the GDPR and the intention of the EU legislator”.<br />
64 Draft Decision, paragraph 7.129 (vi).<br />
65 Draft Decision, paragraph 7.129 (vi).<br />
66 In identifying 3 January 2019 as the date on which TIC ought to have been aware of the breach, the IE SA also took into account that an earlier delay had arisen during the period from when the incident was first notified by the External Contractor (Contractor 2) to Twitter, Inc. on 29 December 2018 to when Twitter, Inc. commenced its review of same, on 2 January 2019. TIC confirmed, during the course of the inquiry, that this was “due to the winter holiday schedule”.<br />
67 Draft Decision, paragraph 7.129 (ix).<br />
68 Draft Decision, paragraph 7.129 (vi).<br />
5.1.2 Summary of the objections raised by the CSAs<br />
61. The FR SA raised an objection stating that the findings do not correspond to an infringement of Article 33(1) GDPR, but rather of Article 28 or Article 32 GDPR, which set out the obligations of the controller when it decides to have recourse to a processor. This argument relies on the fact that the finding of the infringement of Article 33(1) is mainly based on the failures in the application of the procedure established between TIC and its processor in case of a data breach, whereas Article 33(1) GDPR refers only to the obligation of the controller to notify data breaches to the competent authority.<br />
62. The objections of the DE SA, instead, focused on the reasoning leading to the conclusion that Article 33(1) GDPR was infringed, without challenging such conclusion per se, and referred more specifically to the determination of the dies a quo of the 72-hour deadline.<br />
63. The DE SA argued in its objection that the issue of the allocation of roles affects the determination of the moment of awareness of the Breach, as the knowledge of a breach must be equally attributed to both joint controllers. According to the DE SA, this may lead to considering 26 December 2018 as the date when TIC as joint controller got knowledge/should have got knowledge of the Breach.<br />
5.1.3 Position of the LSA on the objections<br />
64. With regard to the objection raised by the FR SA, the IE SA considers that it requests consideration of alternative provisions of the GDPR and that the request by CSAs to consider alternate provisions of the GDPR would essentially seek to re-scope the Inquiry conducted69: the IE SA concluded that such an objection does not fall within the definition of “relevant and reasoned objection” for the purposes of Article 4(24) GDPR70. The IE SA also stressed its view that an infringement of Article 33(1) GDPR has occurred and did not propose to consider infringements of any other provisions of the GDPR as an alternative to Article 33(1)71, underlining that expanding the range of the infringements to other GDPR obligations at the request of CSAs would “jeopardise the entirety of the Inquiry and Article 60 process by exposing it to the risk of claims of procedural unfairness”72. The IE SA also pointed out that it is examining TIC’s compliance with its broader obligations under the GDPR in the context of another ongoing inquiry73.<br />
65. Concerning the objection raised by the DE SA, with specific regard to the determination of the moment of awareness of the breach, the IE SA submitted that even if a relationship of joint controllership did exist (a view that, as outlined above in Section 4.3, the IE SA did not share) it would not necessarily mean that awareness of the Breach could be equally attributed to both joint controllers74.<br />
5.1.4 Analysis of the EDPB<br />
5.1.4.1 Assessment of whether the objections were relevant and reasoned<br />
66. As recalled above (see Section 4.4.1), it is necessary to assess whether the objections raised by the CSAs meet the threshold set by Article 4(24) GDPR.<br />
67. Although the objection of the FR SA is relevant, since it outlines a disagreement on whether a particular infringement of the GDPR has taken place in the specific case, and it includes legal arguments supporting the objection, it fails to meet the Article 4(24) GDPR standard because it does not include justifications concerning the consequences of issuing a decision without the changes proposed in the objection, and how such consequences would pose significant risks to the rights and freedoms of data subjects75. Thus, the objection cannot be said to “clearly demonstrate” the significance of the risks posed by the issuance of the Draft Decision (if it were to be issued as final) since it does not provide sufficient arguments as to why such risks to the rights and freedoms of data subjects, with specific regard to the finding of an infringement of Article 33(1) (instead of Article 32 / 28) GDPR, are substantial and plausible76. Therefore, the EDPB concludes that the objection of the FR SA is not relevant and reasoned due to the lack of a clear demonstration of the risks as specifically required by Article 4(24) GDPR.<br />
68. Additionally, with regard to the DE SA’s objection specifically in relation to the determination of the dies a quo for the infringement of Article 33(1) GDPR as depending on the qualification of the parties, the EDPB would like to recall the analysis performed above in Section 4.4 and finds that the objection does not show the implications the Draft Decision with its current content, specifically concerning the reasoning underlying the finding of a breach of Article 33(1) GDPR, would have for the protected values77 (rights and freedoms of data subjects or, where applicable, free flow of personal data).<br />
69 Composite Memorandum, paragraph 5.45.<br />
70 Composite Memorandum, paragraph 5.45.<br />
71 Composite Memorandum, paragraph 5.47.<br />
72 Composite Memorandum, paragraph 5.44(c).<br />
73 Composite Memorandum, paragraph 5.44(d).<br />
74 Composite Memorandum, paragraph 5.34 (also referring to the CJEU judgment in Wirtschaftsakademie, C-210/16, paragraph 43).<br />
5.1.4.2 Conclusion<br />
69. The EDPB considers that the aforementioned objections satisfied the condition of referring alternatively as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, but they do not clearly demonstrate the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the European Union.<br />
70. Therefore, the FR and DE SA’s objections do not meet the requirements in Article 4(24) GDPR78.<br />
5.2 On the findings of an infringement of Article 33(5) GDPR<br />
5.2.1 Analysis by the LSA in the Draft Decision<br />
71. In the Draft Decision, the IE SA found that TIC did not comply with its obligations under Article 33(5) GDPR to document the Breach, since the documentation furnished by TIC in the course of the inquiry was not considered to contain sufficient information and was not considered to contain a record or document of, specifically, a “personal data breach”, as they amounted to “documentation of a more generalised nature”79.<br />
72. On a different note, the IE SA acknowledged that TIC fully cooperated during the inquiry (although this was not considered as a mitigating factor)80.<br />
5.2.2 Summary of the objections raised by the CSAs<br />
73. The EDPB takes the opportunity to highlight, for the sake of clarity, that none of the objections raised challenged the conclusion that TIC infringed Article 33(5) GDPR.<br />
75 Guidelines on RRO, paragraph 19.<br />
76 Guidelines on RRO, paragraph 37.<br />
77 Guidelines on RRO, paragraph 37.<br />
78 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.<br />
79 Draft Decision, paragraph 10.46.<br />
80 Draft Decision, paragraph 14.50.<br />
74. However, the IT SA raised an objection arguing that the finding related to the violation of Article 33(5)<br />
GDPR does not appear consistent with the reasoning and elaborations put forward by the LSA as the<br />
inadequacy of the documentation that was produced during such an extensive investigation, as based<br />
upon multiple interactions between the LSA and the controller, allegedly points to the controller’s poor<br />
cooperation with the DPA. According to the IT SA, the finding in the Draft Decision that TIC provided<br />
full cooperation during the investigative phase should be reviewed as such full cooperation can only<br />
be considered to exist if adequate, exhaustive documentation is made available by the controller in a<br />
straightforward manner.<br />
5.2.3 Position of the LSA on the objections<br />
75. The IE SA is of the opinion that the obligation under Article 33(5) GDPR applies independently of the<br />
obligation under Article 31 GDPR to co-operate with the supervisory authority and of how TIC behaved<br />
towards, and interacted with, the LSA at the time that the latter initiated its regulatory activities<br />
regarding TIC’s Breach81. The IE SA argued that the deficiencies in how TIC documented the Breach do not<br />
necessarily correlate with a lack of cooperation on TIC’s part82. In addition, the IE SA highlighted that<br />
TIC cooperated with the IE SA during the inquiry by responding to all requests for information and by<br />
providing all the requested documents, without seeking to disrupt or obstruct the inquiry in any way83.<br />
In any case, the IE SA did not consider TIC’s cooperation as a mitigating factor84. For the<br />
above-mentioned reasons, the IE SA considered that it was “questionable” as to whether the objection raised<br />
by the IT SA is reasoned and relevant, since while it relates to an infringement of the GDPR it does not<br />
demonstrate how the IE SA’s position on TIC’s degree of cooperation results in risks posed by the draft<br />
decision regarding fundamental rights and freedoms of data subjects85. The IE SA concluded it would<br />
not follow said objection86.<br />
5.2.4 Analysis of the EDPB<br />
5.2.4.1 Assessment of whether the objections were relevant and reasoned<br />
76. The IT SA in its objection does not dispute that an infringement of Article 33(5) GDPR has occurred. A<br />
relevant and reasoned objection may question the reasoning underlying the conclusions reached by<br />
the LSA in the draft decision only insofar as such reasoning has a link with such conclusions and the<br />
objection is adequately reasoned. In this case, the objection does not clearly argue how following it<br />
could entail a change in the Draft Decision. Additionally, the objection does not meet the criteria<br />
outlined in Article 4(24) GDPR because it fails to clearly demonstrate the significance of the risks posed<br />
by the Draft Decision, as it does not show the implications the alleged mistake in the Draft Decision<br />
would have for the protected values.<br />
5.2.4.2 Conclusion<br />
77. As the IT SA’s objection does not meet the requirements of the Article 4(24) GDPR, the Board does not<br />
take a position on the merit of the substantial issues raised by this objection. The EDPB reiterates that<br />
its current decision is without any prejudice to any assessments the EDPB may be called upon to make<br />
81 Composite Memorandum, paragraph 5.87.<br />
82 Composite Memorandum, paragraph 5.87.<br />
83 Composite Memorandum, paragraph 5.87.<br />
84 Composite Memorandum, paragraph 5.87.<br />
85 Composite Memorandum, paragraph 5.88.<br />
86 Composite Memorandum, paragraph 5.88.<br />
in other cases, including with the same parties, taking into account the contents of the relevant draft<br />
decision and the objections raised by the CSAs.<br />
6 ON POTENTIAL FURTHER (OR ALTERNATIVE) INFRINGEMENTS OF<br />
THE GDPR IDENTIFIED BY THE CSAS<br />
6.1 Analysis by the LSA in the Draft Decision<br />
78. Based on the information provided by TIC when it notified the Breach to the IE SA, the IE SA noticed<br />
that it appeared from the breach notification form that a period of in excess of 72 hours had elapsed<br />
from when TIC (as controller) became aware of the Breach87. For this reason, the IE SA decided to<br />
commence, on its own volition, an inquiry to examine whether TIC had complied with its obligations<br />
under Article 33(1) and Article 33(5) GDPR88.<br />
79. In order to determine whether TIC complied with its obligations under Article 33(1) GDPR, the IE SA<br />
considered them in the context of a controller's broader obligations, including those of accountability<br />
(Article 5(2) GDPR), of engagement of a processor (Article 28 GDPR), and in respect of the security of<br />
processing of personal data (Article 32 GDPR)89. However, while the IE SA considered the factors and factual<br />
matters that led to TIC's delay in being made aware of the Breach by its processor and ultimately in<br />
notifying the Breach, the IE SA did not consider whether or not TIC complied with any or each of these<br />
obligations other than for the purpose of assessing TIC’s compliance with its obligations under Article<br />
33(1) and Article 33(5) GDPR90.<br />
6.2 Summary of the objections raised by the CSAs<br />
80. The DE, FR, HU, and IT SAs raised objections that TIC infringed other provisions of the GDPR in addition<br />
to, or instead of, Article 33(1) and Article 33(5) GDPR.<br />
6.2.1 Infringement of Article 5(1)(f) GDPR on the principle of integrity and<br />
confidentiality<br />
81. The DE SA raised an objection stating that the "underlying bug" in TIC's application that resulted in the<br />
Breach notified to the IE SA should have been considered by the IE SA in its Draft Decision, so as to<br />
determine whether this bug actually constituted a significant violation of the confidentiality of<br />
personal data, ultimately infringing Article 5(1)(f) GDPR, in addition to Article 33(1) and Article 33(5)<br />
GDPR.<br />
82. The HU SA raised an objection stating that given the “bug” in TIC’s application over the years and its<br />
serious nature affecting data security, the IE SA should investigate whether TIC also infringed Article<br />
5(1)(f) GDPR on the principle of integrity and confidentiality.<br />
6.2.2 Infringement of Article 5(2) GDPR on the principle of accountability<br />
83. The IT SA raised an objection stating that the infringement of Article 33(1) GDPR highlights a much<br />
more severe violation of the accountability principle (under Article 5(2) GDPR), since the lack of<br />
87 Draft Decision, paragraph 2.11.<br />
88 Draft Decision, paragraph 2.11.<br />
89 Draft Decision, paragraphs 6.13-6.20, 7.111-7.112, 7.122-7.124.<br />
90 Draft Decision, paragraphs 6.13, 7.111, 7.122-7.124.<br />
corporate policies to handle security incidents or the failure to comply with them shows that the<br />
measures implemented by the controller are inadequate to ensure compliance and to document it.<br />
The IT SA argued that these procedural shortcomings are highlighted by the Draft Decision, but the<br />
Draft Decision fails to make this the subject of a specific analysis. As this may affect the handling of<br />
future data breaches, too, the findings on whether TIC complied with Article 5(2) GDPR should also be<br />
part of the IE SA's final decision according to the IT SA. The IT SA also considered that the infringement<br />
of Article 5(2) GDPR is confirmed by the controller's inability to state the exact number and nature of<br />
the personal data affected, or the total number of data subjects involved.<br />
6.2.3 Infringement of Article 24 GDPR on the responsibility of the controller<br />
84. The DE SA raised an objection stating that the Draft Decision is not clear on why the IE SA did not assess<br />
if the significant violation of the confidentiality of personal data caused by an "underlying bug" is due<br />
to an infringement of the requirements of Article 24 GDPR.<br />
6.2.4 Infringement of Article 28 GDPR on the relationship with processors<br />
85. The FR SA expressed an objection stating that TIC did not respect the obligation of the controller to<br />
verify the validity of the procedures set up by its processor. Therefore, the FR SA considers that there<br />
is no infringement of Article 33(1) GDPR, but of Article 28 GDPR instead (or Article 32 GDPR - see below<br />
Section 6.2.5). The FR SA argued that if TIC's processor is its parent company, “it was all the more easy<br />
for TIC to verify the validity of the procedures set out by the parent company and to demand a<br />
correction if necessary”.<br />
86. The IT SA expressed an objection stating that TIC’s failure to involve the Global DPO in the Detection<br />
and Response Team of the processor (Twitter, Inc.), in spite of the fact that this practice was envisaged<br />
in TIC's internal policies, shows that the safeguards provided by the processor in terms of implementing<br />
the appropriate organisational measures under Article 28(1) GDPR are not extensive enough. In<br />
addition, the IT SA argued in its objections that the processor infringed its obligation to assist the<br />
controller, according to Article 28(3)(f) GDPR.<br />
6.2.5 Infringement of Article 32 GDPR on the security of the processing<br />
87. The DE SA raised objections stating that the IE SA should have examined if all appropriate technical<br />
and organisational measures (according to Article 32 GDPR) were complied with in this case, and<br />
whether infringements in this area should have been made the subject of these proceedings. The DE<br />
SA also argues that the Draft Decision is not clear on why the IE SA did not assess if the significant<br />
violation of the confidentiality of personal data caused by an "underlying bug" is due to an<br />
infringement of the requirements of Article 32 GDPR.<br />
88. The FR SA expressed an objection concerning the legal characterisation of the facts carried out by the<br />
IE SA and stated that the TIC’s failure to respect the obligation of the controller to verify the validity of<br />
the procedures set up by its processor corresponds to an infringement of Article 32 GDPR (or Article<br />
28 GDPR - see above Section 6.2.4), rather than of Article 33(1) GDPR. The FR SA argued that if TIC's<br />
processor is its parent company, “it was all the more easy for TIC to verify the validity of the procedures<br />
set out by its parent company and to demand a correction if necessary”.<br />
89. The HU SA raised objections stating that given the “bug” in TIC’s application over the years and its<br />
serious nature affecting data security, the IE SA should investigate whether TIC infringed also Article<br />
32 GDPR on TIC’s obligations of security of the processing.<br />
6.2.6 Infringement of Article 33(3) GDPR on the content of the notification of a<br />
personal data breach on security of processing<br />
90. The DE SA expressed objections stating that the IE SA’s examination is lacking, with regard to the scope<br />
of the information to be provided in the case of a notification, which is stipulated as binding in Article<br />
33(3) GDPR. Based on TIC’s comments on the Breach they provided pursuant to Article 33(5) GDPR and<br />
on the description of the investigation of the facts of the case, TIC obviously did not fully comply with<br />
its documentation obligation when it first reported the Breach on 8 January 2019. The DE SA<br />
considered that there are therefore numerous indications that the result could also be an infringement<br />
of Article 33(3) GDPR.<br />
6.2.7 Infringement of Article 34 GDPR on the communication of a personal data<br />
breach to the data subject<br />
91. The HU SA raised objections stating that given the “bug” in TIC’s application over the years and its<br />
serious nature affecting data security, the IE SA had to investigate whether TIC infringed also Article<br />
34 GDPR on TIC’s obligations of informing the data subjects about the Breach.<br />
6.3 Position of the LSA on the objections<br />
92. The LSA provided its response in respect of the objections concerning potential further (or alternative)<br />
infringements of the GDPR collectively in its Composite Memorandum shared with the CSAs. The LSA<br />
explained that it “exercised its discretion [...] to confine the scope of the Inquiry to the consideration of<br />
two discrete issues, being whether TIC had complied with its obligations as a controller under Article<br />
33(1) in respect of the notification of the Breach, and whether it had complied with its obligations under<br />
Article 33(5) to document the Breach”91. The LSA relied on Section 110(1) of the Irish Data Protection<br />
Act 2018, which provides that the IE SA may “cause such inquiry as it thinks fit to be conducted”92. The<br />
purpose of the inquiry as described by the IE SA was thus “solely to examine the circumstances<br />
surrounding TIC’s apparent delayed notification of the Breach [...] and its documenting of the Breach”,<br />
an issue considered by the IE SA as “of considerable importance given that, with close to 200,000<br />
breaches notified in two years across the EU, there is a need for clarity on what is required under the<br />
breach notification and documentation requirements of the GDPR”93.<br />
93. Within its Composite Memorandum94, the IE SA maintains that objections raised in the context of<br />
Article 60(4) GDPR cannot have the effect of challenging the scope of an inquiry. In the case at hand,<br />
the LSA recalls that it informed TIC at the beginning of the inquiry that its purpose was to verify TIC’s<br />
compliance with Article 33(1) and Article 33(5) GDPR in respect of its notification of a Breach to the<br />
LSA on 8 January 2019. The whole inquiry process was therefore conducted within that scope, as well as<br />
the drafting of the Draft Decision, and TIC was afforded its right to be heard in that regard at each step<br />
of the procedure. Therefore, the LSA maintains that if it were to follow the CSAs’ objections and include<br />
other infringements in its final decision “on the basis of only the material contained in the Draft<br />
Decision”, this would result in jeopardising “the entirety of the Inquiry and Article 60 process by<br />
exposing it to the risk of claims of procedural unfairness”95.<br />
91 Composite Memorandum, paragraph 1.7.<br />
92 Composite Memorandum, paragraph 1.5.<br />
93 Composite Memorandum, paragraph 1.9.<br />
94 Composite Memorandum, paragraph 5.44.<br />
95 Composite Memorandum, paragraph 5.44(c).<br />
94. Furthermore, the LSA explains that it has another ongoing inquiry in relation to other data breaches<br />
notified to the LSA by TIC prior to the notification that concerns the case at hand. In that other inquiry,<br />
initiated before the one at hand, the LSA highlights that the scope of investigation concerns possible<br />
non-compliance with “inter alia, Articles 5, 24, 25, 28, 29 and 32” GDPR96. The LSA considers that this<br />
parallel inquiry is indeed assessing TIC’s compliance with its broader obligations under GDPR to<br />
determine if compliance insufficiencies caused the data breaches. Consequently, the LSA is of the<br />
position that the CSAs will have the possibility to consider such possible infringements in the context<br />
of that other inquiry, as they will be consulted on its Draft Decision, in accordance with Article 60(4)<br />
GDPR97.<br />
95. TIC submitted that, since the Draft Decision states that “a detailed examination of the technical and<br />
organisational measures is beyond the scope of the inquiry”98, it “would not be reasonable or<br />
appropriate, and would offend well-established principles of natural justice, if the Decision were to<br />
make findings or impose sanctions on TIC in respect of obligations and principles which did not form<br />
part of the DPC’s investigation, since TIC has not had an opportunity to address any concerns which the<br />
DPC or CSAs may have about TIC’s processes in these areas”99.<br />
6.4 Analysis of the EDPB<br />
6.4.1 Assessment of whether the objections were relevant and reasoned<br />
6.4.1.1 Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality<br />
96. The EDPB notes that the DE SA’s objection on Article 5(1)(f) GDPR is referring to whether there is an<br />
infringement of the GDPR by expressing a disagreement as to the conclusions to be drawn from the<br />
findings of the investigation. The objection also put forward arguments to support the conclusion that<br />
compliance with Article 5(1)(f) GDPR should be assessed. The DE SA’s objection clearly demonstrates<br />
the significance of the risks posed by the Draft Decision for the rights and freedoms of data subjects,<br />
in particular by highlighting that the facts amount to a “significant” and “substantial” breach of the<br />
confidentiality of personal data and that a large number of persons were concerned for a substantial<br />
period of time. Furthermore, the DE SA also argued that there were indications to consider the<br />
existence of a “systemic error”, which would have required a deeper scrutiny beyond the single specific<br />
bug involved.<br />
97. The HU SA’s objection can also be considered as relevant as it concerns whether there is an<br />
infringement of the GDPR. Additionally it (only) briefly makes reference to factual arguments<br />
supporting the need to assess this additional provision (the duration of the bug and its serious nature<br />
affecting data security), but does not “clearly demonstrate” the significance of the risks posed by the<br />
Draft Decision for the rights and freedoms of individuals as it does not put forward arguments<br />
96 Composite Memorandum, paragraph 1.10.<br />
97 Composite Memorandum, paragraph 5.44(d).<br />
98 Draft Decision, paragraph 7.19.<br />
99 “Representations in response to objections and comments from CSAs” submitted by TIC (14 August 2020),<br />
paragraph 4.1. The EDPB wishes to highlight that the objections raised by the CSAs were brought to TIC’s<br />
attention by the IE SA, and TIC issued the aforementioned representations on the objections, which were taken<br />
into account by the IE SA prior to the initiation of the Article 65 procedure and are part of the file under<br />
consideration of the EDPB in the context of this procedure. See also footnote 19.<br />
or justifications concerning the consequences of issuing a decision without the changes proposed in<br />
the objection100.<br />
98. As a consequence, the EDPB considers the objection raised by the DE SA in relation to the potential<br />
additional infringement of Article 5(1)(f) GDPR to be relevant and reasoned for the purposes of Article<br />
4(24) GDPR, but considers that the HU SA’s objection in relation to the same topic does not meet the<br />
requirements of Article 4(24) GDPR101.<br />
99. The EDPB will assess the merits of the substantial issues raised by the DE SA objection in relation to<br />
the potential additional infringement of Article 5(1)(f) GDPR (see section 6.4.2 below).<br />
6.4.1.2 Infringement of Article 5(2) GDPR on the principle of accountability<br />
100. The objection raised by the IT SA is to be considered “relevant” since if followed, it would lead to a<br />
different conclusion as to whether there is an infringement of the GDPR102. More specifically, it<br />
includes a “disagreement as to the conclusions to be drawn from the findings of the investigation”,<br />
since it states that the “findings amount to the infringement of a provision of the GDPR [...] in addition<br />
to [...] those already analysed by the draft decision”103.<br />
101. Additionally, the objection is “reasoned” as it includes clarifications as to why the amendment of the<br />
decision is proposed104: the proposed change relies on the “lack of formalised corporate policies to<br />
handle security incidents [...] or the failure to comply with said policies”, on the fact that such<br />
“procedural shortcomings are highlighted by the [IE SA] repeatedly” in the Draft Decision, and on the<br />
controller’s inability to state the exact number and nature of the personal data / data subjects affected.<br />
102. The IT SA clearly demonstrated the significance of the risks posed by the Draft Decision for<br />
fundamental rights and freedoms of data subjects, by showing the “implications the draft decision<br />
would have for the protected values”105 and more specifically the “impact on the rights and freedoms<br />
of data subjects whose personal data might be processed in the future”106: the objection did so by<br />
arguing that the aspects mentioned are “structural in nature as regards the controller’s organization”<br />
and “bound to produce effects not simply on the case at issue, but also on the handling of any personal<br />
data breach that may occur in the future”.<br />
103. As a consequence, the IT SA’s objection on Article 5(2) GDPR meets the requirements set out in Article<br />
4(24) GDPR. The EDPB will therefore analyse the merits of the substantial issues raised by this<br />
objection107.<br />
100 Guidelines on RRO, paragraph 19.<br />
101 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by the<br />
HU SA’s objection. The EDPB reiterates that its current decision is without any prejudice to any assessments the<br />
EDPB may be called upon to make in other cases, including with the same parties, taking into account the<br />
contents of the relevant draft decision and the objections raised by the CSAs.<br />
102 Guidelines on RRO, paragraph 13.<br />
103 Guidelines on RRO, paragraph 27.<br />
104 Guidelines on RRO, paragraph 17.<br />
105 Guidelines on RRO, paragraph 37.<br />
106 Guidelines on RRO, paragraph 43.<br />
107 See section 6.4.2 below.<br />
6.4.1.3 Infringement of Article 24 GDPR on the responsibility of the controller<br />
104. The DE SA’s objection specifically refers to Chapter 5 "Issues for determination" of the Draft<br />
Decision108, and objects to the Draft Decision as to whether Article 24 GDPR was also infringed by<br />
TIC109. It relies on the facts110 set out in the Draft Decision that “if a Twitter user with a protected<br />
account, using Twitter for Android, changed their email address the bug would result in their account<br />
being unprotected”111 and their protected tweets were made publicly available via the service. More<br />
precisely, the DE SA is questioning why the IE SA did not examine, in the Draft Decision, the causes of<br />
the Breach, in particular in light of Article 24 GDPR, and why the IE SA did not explain in the Draft<br />
Decision why it did not perform such examination.<br />
105. The DE SA argues that given that the Breach notification revealed “deficiencies in compliance with the<br />
GDPR, ... [a] company that is not capable by own means and resources, by inspections of internal or<br />
external security teams to find a bug of that prominence and scope should be subject to a deeper<br />
scrutiny regarding its security and data processing setup, beyond the single specific bug involved".<br />
106. According to the DE SA, a higher scrutiny into TIC's data processing setup "could result, as the case may<br />
be, in an order to the controller to bring processing operations into compliance with the provisions of<br />
the GDPR. The case at hand fails to reflect this task. This makes it all the more urgent to examine the<br />
corrective powers under Article 58(2) GDPR in this context".<br />
107. Therefore, the DE SA pointed out what it considered as an absence of assessment, with the<br />
consequences that the conclusions drawn from the findings of the investigation by the LSA could be<br />
different112.<br />
108. The DE SA’s objection states that “According to Art. 83 (1) GDPR, fines must be “effective, proportionate and<br />
dissuasive” in each individual case. A sanction is effective and dissuasive if, on the one hand, it is suitable<br />
as a general preventive measure to deter the general public from committing infringements and to<br />
affirm the general public’s confidence in the validity of Union law, but, on the other hand, it is also<br />
suitable as a preventive measure to deter the offender from committing further infringements”.<br />
Consequently, the DE SA demonstrates how not changing the Draft Decision to include an assessment<br />
of compliance with Article 24 GDPR would pose significant risks for the fundamental rights and<br />
freedoms of data subjects113.<br />
109. In its Guidelines on RRO, the EDPB accepts that an objection may challenge the conclusion of the LSA,<br />
by considering that the LSA’s findings actually lead to the conclusion that another provision of the<br />
GDPR has been infringed in addition to or instead of the provision identified by the LSA114. The EDPB<br />
considers that this is precisely the essence of the DE SA’s objection, hence not preventing it from being<br />
relevant and reasoned.<br />
110. Additionally, the DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft<br />
Decision for the rights and freedoms of data subjects, including by highlighting that a large number of<br />
persons were concerned for an equally substantial period of time, reflecting a systemic error that calls<br />
108 Guidelines on RRO, paragraph 20.<br />
109 Guidelines on RRO, paragraph 12.<br />
110 Guidelines on RRO, paragraph 14.<br />
111 Draft Decision, paragraph 2.7.<br />
112 Guidelines on RRO, paragraph 29.<br />
113 Guidelines on RRO, paragraph 19.<br />
114 Guidelines on RRO, paragraph 27.<br />
for deeper scrutiny, looking beyond the single specific bug involved. As a consequence, the DE SA’s<br />
objection on Article 24 GDPR meets the threshold set out in Article 4(24) GDPR.<br />
111. In light of the assessment above, the EDPB considers that the DE SA’s objection relating to a possible<br />
infringement of Article 24 GDPR is relevant and reasoned in accordance with Article 4(24) GDPR. As a<br />
consequence, the EDPB is assessing the merit of the substantial issues raised by this objection (see<br />
section 6.4.2 below).<br />
6.4.1.4 Infringement of Article 28 GDPR on the relationship with processors<br />
112. The FR SA’s objection specifically refers to paragraphs 7.129 iii), iv) and v) of the Draft Decision115, and<br />
objects to the Draft Decision as to whether Article 28 GDPR was infringed by TIC instead of Article 33(1)<br />
GDPR116. It relies on the facts117 set out in the Draft Decision and on the findings by the LSA that “TIC<br />
did not respect the obligation of the controller to verify the validity of the procedures set up by its<br />
processor”.<br />
113. According to the FR SA, since Article 28(3)(h) GDPR sets forth the controller’s duties when it uses a<br />
processor, the findings should have led the LSA to the conclusion that Article 28(3)(h) GDPR was<br />
infringed, instead of Article 33(1) GDPR. Ultimately, it means, for the FR SA, that the sanction issued in<br />
fine should address different infringements.<br />
114. In its Guidelines on RRO, the EDPB accepts that an objection may challenge the conclusion of the LSA,<br />
by considering that the LSA’s findings actually lead to the conclusion that another provision of the<br />
GDPR has been infringed in addition to or instead of the provision identified by the LSA118. The EDPB<br />
considers that this is precisely the essence of the FR SA’s objection, hence not preventing it from being<br />
relevant. The objection also adequately puts forward arguments supporting the conclusion proposed.<br />
At the same time, the EDPB notes that the FR SA’s objection does not clearly demonstrate the<br />
significant risks posed by the Draft Decision for the fundamental rights and freedoms of data subjects<br />
with specific regard to the failure to conclude on the infringement of this specific provision119. In light<br />
of this assessment, the EDPB considers that the FR SA’s objection relating to a possible infringement<br />
of Article 28 GDPR instead of Article 33(1) GDPR is not relevant and reasoned in accordance with Article<br />
4(24) GDPR120.<br />
115. The IT SA objects to the Draft Decision as to whether Article 28 GDPR, inter alia, was infringed by TIC<br />
in addition to Article 33(1) GDPR121.<br />
116. The IT SA relies on the facts set out in the Draft Decision and on the findings by the LSA that whilst the<br />
involvement of the Global DPO in the Detection and Response Team of its processor, Twitter, Inc., is<br />
envisaged in TIC’s internal policies, in practice, the Global DPO was not involved. The IT SA also notes<br />
that Twitter, Inc., as the processor, failed to assist TIC.<br />
115 Guidelines on RRO, paragraph 20.<br />
116 Guidelines on RRO, paragraph 12.<br />
117 Guidelines on RRO, paragraph 14.<br />
118 Guidelines on RRO, paragraph 27.<br />
119 Guidelines on RRO, paragraph 29.<br />
120 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these<br />
objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB<br />
may be called upon to make in other cases, including with the same parties, taking into account the contents of<br />
the relevant draft decision and the objections raised by the CSAs.<br />
121 Guidelines on RRO, paragraph 12.<br />
117. According to the IT SA, with Article 28(1) GDPR requiring controllers to only use processors providing<br />
sufficient guarantees to implement appropriate technical and organisational measures, and Article<br />
28(3)(f) GDPR requiring the contract between the controller and the processor to stipulate that the<br />
processor assist “the controller in ensuring compliance with the obligations pursuant to Articles 32 to<br />
36 taking into account the nature of the processing and the information available to the processor”,<br />
the findings should have led the LSA to the conclusion that Article 28(1) and Article 28(3)(f) GDPR were<br />
also infringed.<br />
118. The EDPB considers that the IT SA’s objection in relation to Article 28(1) and Article 28(3)(f) GDPR is to be<br />
considered “relevant” since if followed, it would lead to a different conclusion as to whether there is<br />
an infringement of the GDPR122. More specifically, it includes a “disagreement as to the conclusions to<br />
be drawn from the findings of the investigation”, since it states that the “findings amount to the<br />
infringement of a provision of the GDPR [...] in addition to [...] those already analysed by the draft<br />
decision”123.<br />
119. Additionally, according to the EDPB, the objection is “reasoned” as it includes clarifications as to why<br />
the amendment of the decision is proposed124: the proposed change relies on the fact that the<br />
controller did not comply with its internal policies according to which TIC’s DPO should be involved.<br />
Besides, the objection raises the point that the processor failed to comply with its contractual<br />
obligation to assist the controller, in accordance with Article 28(3)(f) GDPR.<br />
120. However, the EDPB notes that the IT SA’s objection relating to Article 28(1) and Article 28(3)(f) GDPR<br />
does not clearly demonstrate significant risks posed by the Draft Decision for the fundamental rights<br />
and freedoms of data subjects125. As a consequence this objection raised by the IT SA does not meet<br />
the requirements set out in Article 4(24) GDPR126.<br />
6.4.1.5 Infringement of Article 32 GDPR on the security of the processing<br />
121. The DE SA’s objection, if followed, would entail a change leading to a different conclusion as to<br />
whether there is an infringement of the GDPR, since it identified a “disagreement as to the conclusions<br />
to be drawn from the findings of the investigation”127 by pointing out that the findings may indicate an<br />
infringement also of Article 32 GDPR. The EDPB therefore considers that there is a link between<br />
the content of the objection and the potential different conclusion128. In addition, this objection is<br />
related to specific legal and factual content of the Draft Decision129.<br />
122. Additionally, the DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft<br />
Decision for the rights and freedoms of data subjects, in particular by highlighting that the facts amount<br />
to a “significant” and “substantial” breach of the confidentiality of personal data and that a large<br />
number of persons were concerned for a substantial period of time. Furthermore the DE SA also argued<br />
122 Guidelines on RRO, paragraph 13. 123 Guidelines on RRO, paragraph 27. 124 Guidelines on RRO, paragraph 17. 125 Guidelines on RRO, paragraph 29. 126 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these<br />
objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB<br />
may be called upon to make in other cases, including with the same parties, taking into account the contents of<br />
the relevant draft decision and the objections raised by the CSAs. 127 Guidelines on RRO, paragraph 28. 128 Guidelines on RRO, paragraph 13. 129 Guidelines on RRO, paragraph 14.<br />
Adopted 30<br />
that there were indications to consider the existence of a “systemic error”, which would have required<br />
a deeper scrutiny beyond the single specific bug involved.<br />
123. In light of the assessment above, the EDPB considers that the DE SA’s objection relating to a possible<br />
infringement of Article 32 GDPR is relevant and reasoned in accordance with Article 4(24) GDPR. As a<br />
consequence, the EDPB is assessing the merit of the substantial issues raised by this objection (see<br />
point 6.4.2 below).<br />
124. As regards the FR SA’s objection, the EDPB considers it as meeting the criterion of “relevant” because, if the LSA had followed it, there would be a different conclusion as to whether there is an infringement of the GDPR[130]. The FR SA’s objection is based on the reasoning provided by the IE SA in its Draft Decision and this reasoning is linked with the conclusion as to whether an infringement of the GDPR has been correctly identified[131]. The EDPB recalls that the CSA has to present the facts allegedly leading to a different conclusion[132] and notes that in the case at stake the objection analyses the facts that would lead to the violation of Article 32(1)(d) GDPR, instead of a violation of Article 33(1) GDPR, and does so in a coherent, clear and precise way, by clearly indicating which parts of the decision of the IE SA it disagrees with. The FR SA’s objection is clearly relevant by outlining a disagreement on whether an infringement of the GDPR has taken place. However, the FR SA’s objection only succinctly explains the reasons for its proposed change and does not clearly demonstrate the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects in relation to the failure to find an infringement of Article 32 GDPR. As a consequence, this objection raised by the FR SA does not meet the requirements set out in Article 4(24) GDPR[133].<br />
125. The HU SA’s objection also referred to whether there is an infringement of the GDPR, arguing that the possible infringement of the principle of integrity and confidentiality should also be investigated. The HU SA’s objection is clearly relevant by outlining that an additional provision of the GDPR (i.e. Article 32 GDPR) should have been investigated. However, the HU SA does not explain how the Draft Decision would pose such risks, nor does it fully explain why specific aspects of the decision are deficient in its point of view[134]. The HU SA’s objection fails to meet the criterion of providing sound reasoning for its objection, by referring to legal or factual arguments. On the contrary, it just recommends that the IE SA would also need to investigate the controller’s compliance with Article 32 GDPR. As a consequence, this objection raised by the HU SA does not meet the requirements set by Article 4(24) GDPR[135].<br />
6.4.1.6 Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach on security of processing<br />
126. The DE SA considers that the Draft Decision indicates that Article 33(3) GDPR could be infringed in addition to other provisions of the GDPR. In that sense, it is about “whether there is an infringement” of the GDPR, and that it has not been examined and addressed by the Draft Decision. Hence, the DE SA considers that, if changed, the Draft Decision would lead to the conclusion of additional infringements of the GDPR.<br />
[130] Guidelines on RRO, paragraph 13.<br />
[131] Guidelines on RRO, paragraph 16.<br />
[132] Guidelines on RRO, paragraph 18.<br />
[133] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.<br />
[134] Guidelines on RRO, paragraph 18.<br />
[135] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.<br />
127. However, the DE SA does not clearly demonstrate the significant risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects. As a consequence, the DE SA’s objection on Article 33(3) GDPR fails to meet the requirements set out in Article 4(24) GDPR[136].<br />
6.4.1.7 Infringement of Article 34 GDPR on the communication of a personal data breach to the data subject<br />
128. The HU SA considers that the Draft Decision indicates that Article 34 GDPR could be infringed in addition to other provisions of the GDPR, especially in light of the fact that the bug lasted over the years, and given the serious nature affecting the controller’s security. In that sense, it is about “whether there is an infringement” of the GDPR, and that it has not been examined and addressed by the Draft Decision. Hence, the HU SA considers that, if changed, the Draft Decision would lead to the conclusion of additional infringements of the GDPR.<br />
129. However, the HU SA does not clearly demonstrate the significant risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects. As a consequence, the HU SA’s objection on Article 34 GDPR does not meet the requirements set out in Article 4(24) GDPR[137].<br />
6.4.2 Assessment of the merits of the substantial issue(s) raised by the relevant and reasoned objections and conclusion<br />
130. The Board now analyses the objections found to be relevant and reasoned - in particular the DE SA’s objections on Article 5(1)(f), Article 24 and 32 GDPR, as well as the IT SA’s objection on Article 5(2) GDPR - as well as the LSA’s response to those objections and the TIC submissions.<br />
131. In accordance with Article 65(1)(a) GDPR, in the context of a dispute resolution procedure the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR. The EDPB can (and must) make a binding decision which shall, whenever possible, taking into account the elements of the file and the respondent’s right to be heard, provide a final conclusion on the application of the GDPR in relation to the case at hand. The LSA will then be obliged to implement the changes in its final decision.<br />
132. The Board considers that the available factual elements included in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of further (or alternative) infringements of Article 5(1)(f), 5(2), 24 and 32 GDPR.<br />
133. The Board considers that, as a general matter, the limited scope of the inquiry by the IE SA - focused since the outset only on whether there were infringements by TIC of Article 33(1) and 33(5) GDPR - directly affects the remit of the investigation and further fact finding, as well as the ability for CSAs to put forward sufficient elements for the EDPB to sustain the objections.<br />
134. The EDPB recalls the duty for the LSA to “endeavour to reach consensus” with the CSAs (Article 60(1) GDPR) and to provide, without delay, the CSAs with “the relevant information” on the matter (Article 60(3) GDPR). Even in case of an own-volition inquiry, the Guidelines on reasoned and relevant objections state that the LSA “should seek consensus regarding the scope of the procedure (i.e. the aspects of data processing under scrutiny) prior to initiating the procedure formally”[138], including in the context of a possible new proceeding.<br />
[136] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.<br />
[137] As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.<br />
135. Whilst the EDPB considers that SAs enjoy certain degree of discretion to decide how to frame the scope<br />
of their inquiries, the EDPB recalls that one of the main objectives of the GDPR is to ensure consistency<br />
throughout the European Union, and the cooperation between the LSA and CSAs is one of the means<br />
to achieve this. The EDPB also recalls the existence of a full range of the cooperation tools provided<br />
for by the GDPR (including Articles 61 and 62 GDPR), bearing in mind the goal of reaching consensus<br />
within the cooperation mechanism and the need to exchange all relevant information, with a view to<br />
ensuring protection of the fundamental rights and freedoms of data subjects.<br />
136. The EDPB considers that in determining the scope of the inquiry, whilst it can be limited, a LSA should<br />
frame it in such a way that it permits the CSAs to effectively fulfil their role, alongside the LSA, when<br />
determining whether there has been an infringement of the GDPR.<br />
7 ON THE CORRECTIVE MEASURES DECIDED BY THE LSA - IN PARTICULAR, THE IMPOSITION OF A REPRIMAND<br />
7.1 Analysis by the LSA in the Draft Decision<br />
137. The Draft Decision explains that, while in the Preliminary Draft Decision the proposed corrective powers to be imposed were both a reprimand, pursuant to Article 58(2)(b) GDPR, and an administrative fine, pursuant to Article 58(2)(i) GDPR, the final Draft Decision consists of the imposition only of an administrative fine on TIC as the controller[139].<br />
138. In its submissions in relation to the Preliminary Draft Decision, TIC objected to the decision to issue a reprimand, contending that the infringements of Article 33(1) and Article 33(5) GDPR do not comprise “processing operations”, while Article 58(2)(b) GDPR provides supervisory authorities with the power to issue reprimands where processing operations have infringed provisions of the GDPR[140]. TIC’s argument mainly relied on the fact that neither the delay in notifying the SA nor the failure to keep appropriate records amounts to a processing operation in itself[141].<br />
139. In its Draft Decision, the IE SA explained its decision not to issue a reprimand by recalling the argument put forward by TIC in its submissions in relation to the Preliminary Draft Decision, contending that the infringements of Article 33(1) and Article 33(5) GDPR do not comprise “processing operations”, while Article 58(2)(b) GDPR provides supervisory authorities with the power to issue reprimands where processing operations have infringed provisions of the GDPR[142]. The IE SA considered that the term ‘processing operation(s)’ appears 50 times in the GDPR and seems to be used to denote the treatment or use of, in other words things that are done to, personal data controlled by a controller, but that at the same time the definition of “processing” provided by the GDPR is very broad, which makes it arguable that given that a breach is something affecting or done to, personal data, it follows that the notification obligation (insofar as it inherently must entail an examination of what has happened to personal data or how it has been affected) is intrinsically connected to one or more processing operations[143]. The IE SA did not consider it necessary to definitely conclude on the meaning and effect of the term “processing operations” in the Draft Decision, but “on balance” considered that TIC’s legal argument was “a stateable one”, deciding not to proceed with the issuing of a reprimand to TIC[144].<br />
7.2 Summary of the objections raised by the CSAs<br />
140. The DE SA raised an objection concerning the fact that while in the Preliminary Draft Decision both a reprimand and a fine were envisaged, only a fine was included in the Draft Decision. The DE SA disagreed with the reasoning put forward by the IE SA concerning the decision to not impose a reprimand. According to the DE SA, the legal reasoning accepted by the LSA as “stateable” is not convincing as the legal interpretation requires not only an examination of the wording of the provision, but also of its meaning and purpose, the history of its development and its systematic integration into the entire regulatory complex.<br />
7.3 Position of the LSA on the objections<br />
141. In its Composite Memorandum, the IE SA considered that whereas the DE SA’s objection does relate to “whether envisaged action in relation to a controller or processor complies with [the GDPR]”, it does not demonstrate how not issuing a reprimand to TIC could lead to significant risks for data subjects[145] on the decision to not issue a reprimand was not relevant and reasoned in accordance with Article 4(24) GDPR.<br />
142. Nonetheless, addressing the merits of the substantial issue(s) raised by the objections, the LSA explained that it considered the term “processing operations” in accordance with its meaning and application throughout the whole GDPR, noticing that this term is only used for SAs’ powers under Article 58 GDPR. Following TIC’s submissions in its response to the CSAs’ objections on that point, the LSA decided, having regard to the scope of the inquiry that focussed on the controller’s obligations in relation to the Breach notification, that its inquiry “did not involve a finding that the underlying ‘processing operations’ relating to the Breach infringed [...] the GDPR”[146]. Therefore, the LSA considered that there was no reason to review its decision to not issue a reprimand in light of the DE SA’s objection.<br />
143. The LSA noted that its position in the Draft Decision to not issue a reprimand is only applicable to the specific circumstances of this case; hence it is without any prejudice for future decisions on reprimands that could be made by the LSA or any other CSA[147].<br />
[138] Guidelines on RRO, paragraph 28.<br />
[139] Draft Decision, paragraph 12.1.<br />
[140] TIC’s submissions in relation to the Preliminary Draft Decision, paragraph 11.1.<br />
[141] Draft Decision, paragraph 12.4.<br />
[142] TIC’s submissions in relation to the Preliminary Draft Decision, paragraph 11.1.<br />
[143] Draft Decision, paragraph 12.5.<br />
[144] Draft Decision, paragraph 12.5. The other separate arguments made by TIC concerning reasons why the imposition of a reprimand was not considered appropriate (TIC’s submissions in relation to the Preliminary Draft Decision, paragraphs 11.2-11.4) were not considered separately, in light of the aforementioned decision (Draft Decision, paragraph 12.6).<br />
[145] Composite Memorandum, paragraph 5.79.<br />
[146] Composite Memorandum, paragraph 5.78.<br />
[147] Composite Memorandum, paragraph 5.78.<br />
7.4 Analysis of the EDPB<br />
7.4.1 Assessment of whether the objections were relevant and reasoned<br />
144. The DE SA objection refers to the compliance of the envisaged action with the GDPR, as it indicates what corrective action would, in its view, be appropriate for the LSA to include in the final decision: it is therefore a relevant objection, which adequately shows the different conclusion proposed. Furthermore, it includes legal reasoning supporting its view and proposes an alternative legal interpretation. Nevertheless, the objection does not clearly demonstrate the significance of the risk posed by the Draft Decision for the rights and freedoms of data subjects and/or the free flow of personal data. In particular, it does not provide motivation on how the failure to impose a reprimand in this specific case - where a fine is also imposed - may trigger risks for data subjects’ fundamental rights and freedoms.<br />
7.4.2 Conclusion<br />
145. The EDPB considers that this objection does not meet the requirements of Article 4(24) GDPR.<br />
146. The EDPB notes the LSA’s position that its decision to not issue a reprimand is only applicable to the specific circumstances of this case; hence it is without any prejudice for future decisions on reprimands that could be made by the LSA or any other CSA[148].<br />
147. As previously indicated, the decision of the EDPB not to assess the merits of the substance of the objection raised is without prejudice to future EDPB decisions on the same or on similar issues.<br />
8 ON THE CORRECTIVE MEASURES - IN PARTICULAR, THE CALCULATION OF THE ADMINISTRATIVE FINE<br />
8.1 Analysis by the LSA in the Draft Decision<br />
148. The Draft Decision explains how the IE SA considered the criteria in Article 83(2) GDPR in deciding whether to impose an administrative fine and how to determine its amount[149].<br />
149. As regards the calculation of the fine, the Draft Decision analysed, first, the nature, gravity and duration of the infringement, as per Article 83(2)(a) GDPR[150]. The Draft Decision took into account the “nature, scope or purpose of the processing” by referring to the nature of the processing operations carried on by Twitter (a “microblogging” and social media platform on which users have the opportunity to document their thoughts in “tweets”), to the nature of the processing that gave rise to the Breach (arising from a bug leading to previously ‘protected’ tweets becoming ‘unprotected’ and publicly accessible - in cases where Android users changed the email address), and to the scope of the processing (the bug affected at least 88,726 EU/EEA users, as additional people were affected between the date of the bug on 4 November 2014 and its full remediation on 14 January 2019 but it was not possible for them all to be identified)[151].<br />
150. The Draft Decision also took into account the number of data subjects affected and the level of damage suffered by them[152] by concluding that the number of data subjects who could have been potentially affected by the delayed notification and the potential for damage to data subjects arising from the consequent delayed assessment by the SA were relevant factors to take into consideration[153]. It was recalled that the impact on individual users and the possibility of damage arising therefrom will depend on the level and nature of the personal data made public and that there was at least a potential for damage to data subjects linked to the delaying of remedial actions[154]. The position of the IE SA in the Preliminary Draft was that “whilst TIC had not confirmed the precise nature of the data made public in the Breach, it was reasonable to deduce that, given the scale of the affected users and the nature of the service offered by TIC, some of the personal data released in relation to, at least, some of the users will have included sensitive categories of data and other particularly private material”[155]. This position was further nuanced in the Draft Decision in light of TIC’s submissions, as the IE SA decided that “less weight should be attributed to this factor”, on the basis of the fact that “while it cannot be definitively said that no users affected by the Breach were affected by the delayed notification, there was no direct evidence of damage to them arising from the delayed notification”[156].<br />
151. With respect to the nature of the infringement, the Draft Decision highlighted that the infringements of Articles 33(1) and 33(5) GDPR do not relate to the substantive matter of the Breach[157]. The IE SA also considered that the nature of the obligations under Articles 33(1) and 33(5) GDPR is such that compliance is central to the overall functioning of the supervision and enforcement regime performed by supervisory authorities in relation to both the specific issue of personal data breaches and the identification and assessment of wider issues of non-compliance by controllers, and that non-compliance with such obligations has serious consequences in that it risks undermining the effective exercise by SAs of their functions under the GDPR[158].<br />
152. With regard to the gravity of the infringement of Article 33(1) GDPR, the Draft Decision took account of how it interfered with the overall purpose of notifying a personal data breach to the supervisory authority, of the fact that no material damage to data subjects was shown, of the fact that the remedial measures by TIC were limited to forward looking action to close down the bug (and did not amount to a backward looking analysis to identify the risks to data subjects arising from the Breach) and of TIC’s apparent failure to carry out any formal risk assessment[159]. The Draft Decision did not consider TIC’s contention that the Breach was due to an isolated failure (which led to the delay in notifying the DPO) to be of sufficient weight as to lessen the gravity of the infringement (but did take into account the isolated nature of the incident, departing from the provisional view in the Preliminary Draft that the Breach was indicative of a broader, more systemic issue)[160]. Concerning the gravity of the infringement of Article 33(5) GDPR, the Draft Decision highlighted that proper documentation of breaches is required in order to enable a supervisory authority to verify the controller’s compliance with Article 33 GDPR[161] and that the IE SA was required to raise multiple queries in order to gain clarity concerning the facts surrounding the notification of the Breach[162], but acknowledged that the deficiencies in the documentation arose from a good faith misunderstanding of the requirements (which are, however, clear from the wording of the provision)[163]. The Draft Decision concluded that each infringement was at the “low to moderate end of the scale of gravity”[164].<br />
[148] Composite Memorandum, paragraph 5.78.<br />
[149] Draft Decision, paragraphs 14.1-14.62.<br />
[150] Article 83(2)(a) GDPR refers to “the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them”.<br />
[151] Draft Decision, paragraph 14.2.<br />
[152] Draft Decision, paragraphs 14.3-14.5.<br />
[153] Draft Decision, paragraph 14.5.<br />
[154] Draft Decision, paragraph 14.5 (the Draft Decision notes that “Clearly, the impact on individual users, and the possibility of damage arising therefrom, will depend on the level of personal data made public and, also, the nature of that personal data”).<br />
[155] Draft Decision, paragraph 14.5.<br />
[156] Draft Decision, paragraph 14.5.<br />
[157] Draft Decision, paragraph 14.6.<br />
[158] Draft Decision, paragraph 14.11.<br />
[159] Draft Decision, paragraphs 14.16-14.18.<br />
. 153. With regard to the duration of the infringement of Article 33(1) GDPR, the Draft Decision considered<br />
that it was a period of two days and evaluated it in light of the overall timeframe generally permitted<br />
for breach notifications (72 hours), noting that it was not a trivial or inconsequential one165<br />
. Concerning the duration of the infringement of Article 33(5) GDPR, the Draft Decision concluded that<br />
it was ongoing166<br />
. 154. In relation to Article 83(2)(b) GDPR (the intentional or negligent character of the infringement), the IE<br />
SA concluded in its Draft Decision that there was a negligent character to TIC’s infringement of Article<br />
33(1) GDPR167, outlining that the delay in the notification of the Global DPO occurred because part of<br />
the internal protocol of the Twitter Group was not completed as prescribed and the protocol was not<br />
as clear as it could have been168. This led to the conclusion that the delay arose as a result of a<br />
negligence on the part of the controller, but TIC’s submission that the delayed notification was not<br />
indicative of a broader systemic issue and amounted to an isolated occurrence was accepted169. The IE<br />
SA did not identify any evidence of intentional conduct with regard to the infringement of Article 33(1)<br />
GDPR170<br />
. The Draft Decision also identified that there was a negligent character to TIC’s infringement<br />
of Article 33(5) GDPR171, since there was no knowledge and wilfulness to cause the infringement (which<br />
would have amounted to intent) but the documentation was not sufficient to enable compliance with<br />
Article 33 to be verified172<br />
. 155. As regards Article 83(2)(c) GDPR, i.e. action taken by the controller to mitigate the damage suffered<br />
by data subjects, the Draft Decision considered that remedial measures were taken to avoid repetition<br />
of the issue and to rectify the bug, which were considered as the sole mitigating factor in assessing the<br />
amount of the fine to be imposed173<br />
. 156. The Draft Decision considered Article 83(2)(d) GDPR, i.e. the degree of responsibility for the controller<br />
or processor, by noting the existing and subsequently enhanced technical and organisational measures<br />
160 Draft Decision, paragraph 14.19. 161 Draft Decision, paragraph 14.20. 162 Draft Decision, paragraph 14.21. 163 Draft Decision, paragraph 14.24. 164 Draft Decision, paragraph 14.24. 165 Draft Decision, paragraph 14.26 (it commenced on the expiration of the 72 hours from 3 January 2019 (i.e.<br />
on 6 January 2019) and ended at the time of TIC’s notification of the Breach on 8 January 2019). 166 Draft Decision, paragraph 14.29. 167 Draft Decision, paragraph 14.34. 168 Draft Decision, paragraphs 14.33-14.34. 169 Draft Decision, paragraph 14.34. 170 Draft Decision, paragraph 14.35. 171 Draft Decision, paragraph 14.38. 172 Draft Decision, paragraphs 14.36, 14.38. 173 Draft Decision, paragraphs 14.39-14.42.<br />
Adopted 37<br />
implemented by TIC as controller, including the amendment of the internal protocol of the Twitter<br />
Group (which the IE SA found was not as clear as it could have been) and the staff training measures<br />
taken afterwards by Twitter, Inc.(additional training was provided internally highlighting the<br />
importance of mentioning the DPO team - and therefore TIC as controller - in the internal ticket<br />
system), as well as the existence of internal structures and safeguards concerning responsibility for<br />
information security issues and the existence of a recurring external third party expert audit of Twitter,<br />
Inc.’s Information Security Programme174<br />
. Although the issues that arose were not found to be<br />
indicative of a broader systemic issue175 and TIC demonstrated a generally responsible and accountable<br />
approach towards data security176<br />
, it was considered that there was a moderate to high level of<br />
responsibility demonstrated by the controller as a lack of clarity in the protocol was shown also by its<br />
subsequent amendment177<br />
. 157. The degree of cooperation with the supervisory authority was evaluated, in line with Article 83(2)(f)<br />
GDPR, and was found to not amount to a mitigating factor178. The IE SA acknowledged that TIC<br />
cooperated fully but noted that this was a statutory obligation and TIC did not go beyond such duty179<br />
. 158. In relation to Article 83(2)(g) GDPR concerning the categories of personal data affected, the Draft<br />
Decision concluded that any category of personal data could have been affected by the delayed<br />
notification and that it cannot be definitively said that there was no damage to data subjects or no<br />
affected categories of personal data180<br />
. 159. The manner in which infringement became known to the IE SA was considered to be a relevant factor<br />
in the determination of the amount of the fine (in line with Article 83(2)(h) GDPR), since while TIC was<br />
forthcoming in furnishing all available documentation the records did not allow the IE SA to verify<br />
compliance with Article 33 GDPR and the information originally provided in the notification made to<br />
the IE SA was of an imprecise nature181<br />
. 160. The criteria in Article 83(2)(e), (i) and (j) GDPR were found to be not applicable, and no further<br />
elements were identified in relation to Article 83(2)(k) GDPR182<br />
. 161. The IE SA underlined in its Draft Decision that in the absence of specific EU-level guidelines on the<br />
calculation of fines, it was not bound to apply any particular methodology or use a fixed financial<br />
starting point183 and that the expression “due regard” provides SAs with a broad discretion as to how<br />
to weigh the factors in Article 83(2) GDPR184<br />
. 162. As regards the identification of the relevant undertaking to calculate the fining cap established by<br />
Article 83(4) GDPR, the IE SA underlined that the fact that TIC enjoys autonomy in its control over data<br />
processing does not mean that it ceases to be part of a single economic entity with its parent company<br />
and noted that, in addition to the ownership of TIC by Twitter, Inc., the General Counsel of Twitter,<br />
Inc. appears to be one of the three directors of TIC185.<br />
174 Draft Decision, paragraphs 14.43-14.47.<br />
175 Draft Decision, paragraph 14.45.<br />
176 Draft Decision, paragraph 14.47.<br />
177 Draft Decision, paragraph 14.47.<br />
178 Draft Decision, paragraph 14.50.<br />
179 Draft Decision, paragraph 14.49.<br />
180 Draft Decision, paragraph 14.54.<br />
181 Draft Decision, paragraph 14.58.<br />
182 Draft Decision, paragraphs 14.48, 14.59, 14.60, 14.61.<br />
183 Draft Decision, paragraph 15.2.<br />
184 Draft Decision, paragraph 15.1.<br />
163. For these reasons, the cap for the value of any fine imposed was calculated by the LSA with reference to<br />
Twitter, Inc.’s turnover186. As the annual turnover of Twitter, Inc., in 2018, amounted to 3 billion USD, the cap was considered to be 60 million USD (2% of 3 billion USD)187.<br />
164. In applying the principles of effectiveness, proportionality and dissuasiveness (Article 83(1) GDPR), the Draft Decision considered that a fine cannot be effective if it does not have significance relative to<br />
the revenue of the controller, that the infringement needs to not be considered in the abstract,<br />
regardless of the impact on the controller, and that future infringements need to be deterred188.<br />
165. The IE SA proposed to impose an administrative fine within the range of 150,000-300,000 USD, i.e.<br />
between 0.005% and 0.01% of the undertaking’s annual turnover or between 0.25% and 0.5% of the<br />
maximum amount of the fine which may be applied in respect of these infringements. This equates to<br />
a fine in Euro of between 135,000 and 275,000189.<br />
8.2 Summary of the objections raised by the CSAs<br />
166. The AT SA raised an objection concerning the amount of the proposed fine and the fact that the LSA<br />
proposed a range of amounts instead of a fixed sum. With regard to Article 83(2)(a) GDPR, the AT SA<br />
highlighted that at least 88,726 people (but probably more) were affected by the Breach and “it is very<br />
likely that sensitive data were disclosed to the broader public”.<br />
167. The objection raised by the AT SA expressed a disagreement as to how the time at which the controller<br />
should be deemed to be aware of a data breach was analysed in the Draft Decision. More specifically,<br />
the AT SA argued in its objection that TIC should have made a data breach notification within 72 hours<br />
after the processor received the bug report and thus became aware of the Breach. The AT SA<br />
highlighted that TIC is responsible for overseeing the processing operations carried out by its<br />
processor, and that a controller should not seek to hide the failure of its processor with whom it has a<br />
contractual relationship and which was selected by the controller itself. This contributes to the<br />
assessment of the infringement of Article 33(1) GDPR by the AT SA as “grave”.<br />
168. With regard to the “intentional or negligent character of the infringement” (Article 83(2)(b) GDPR), the<br />
AT SA argued that the behaviour of TIC should be labelled as “intentional”, on the basis of the criteria<br />
of knowledge and wilfulness established in the Guidelines on the application and setting of<br />
administrative fines (“WP253”) of the Article 29 Working Party, endorsed by the EDPB190. As to the<br />
criterion referring to actions taken to mitigate the damage suffered by data subjects (Article 83(2)(c)<br />
GDPR), the AT SA highlighted that “initially it was not TIC’s intention to notify users who were affected<br />
by the breach” and “the steps taken by Twitter Inc. to rectify the bug are the sole mitigating factor”.<br />
Finally, the AT SA considers the range of fine proposed by the IE SA neither effective, nor proportionate,<br />
nor dissuasive having regard to the criteria listed in Article 83(2)(a) – (k) GDPR. As a conclusion, the AT<br />
SA proposed the imposition of a higher administrative fine, which could meet the requirement of<br />
effectiveness, proportionality and dissuasiveness (namely “a minimum amount of 1 % of the<br />
undertaking’s annual turnover”).<br />
185 Draft Decision, paragraph 15.13.<br />
186 Draft Decision, paragraph 15.14.<br />
187 Draft Decision, paragraph 15.19.<br />
188 Draft Decision, paragraph 15.18.<br />
189 Draft Decision, paragraph 15.20 (The higher end of the range proposed in the Draft Decision is lower than in the Preliminary Draft Decision, in order to reflect changes in the views in relation to gravity, the degree of responsibility of the controller and whether the infringements were systemic). In paragraph 15.21, the Draft Decision underlined that in order to protect TIC’s procedural rights a range of a fine was proposed as opposed to a fixed figure, and acknowledged the possibility that CSAs would comment on where in that range the penalty should lie.<br />
190 https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611237.<br />
169. The DE SA raised an objection arguing that the fine proposed by the LSA is “too low” and “does not<br />
comply with the provisions of Article 83(1) GDPR”. More specifically, the DE SA argued that the fine is<br />
not dissuasive. The objection recalled that a sanction can be deemed effective and dissuasive if it is<br />
suitable both as a general preventive measure - to deter the general public from committing<br />
infringements and to affirm the general public's confidence in the validity of Union law - and as a<br />
special preventive measure - to deter the offender from committing further infringements. The DE SA<br />
goes on to argue that the financial capacity of an undertaking (in terms of turnover) can provide an<br />
important indication of the amounts required to achieve dissuasiveness: this may entail taking into<br />
account the part of the turnover generated by the products in respect of which the infringement has<br />
been committed, which may provide an indication of the scale of the infringements. The DE SA also<br />
argues that the dissuasive effect of high fines can only be achieved if the amounts imposed cannot be<br />
easily paid because of large assets or high income, highlighting that the fine must have a dissuasive<br />
effect, particularly in relation to specific data processing. As a consequence, the threatened fine must<br />
be high enough to make data processing uneconomic and objectively inefficient. As Twitter’s business<br />
model is based on processing data, and as Twitter generates turnover mainly through data processing,<br />
the DE SA considers that a dissuasive fine in this specific case would therefore have to be so high that<br />
it would render the illegal data processing unprofitable. On the basis of the fine concept applicable to<br />
the DE SAs, the fine for the infringement described in the Draft Decision would range from<br />
approximately EUR 7,348,035.00 to EUR 22,044,105.00.<br />
170. The HU SA argued that, although “fines are justified for the committed infringements”, “the fine set<br />
out in the draft is unreasonably low, disproportionate and thus not dissuasive in view of the gravity of<br />
the committed infringement and the Controller’s worldwide market power”.<br />
171. The IT SA asked the LSA to “review the draft decision as also related to quantification of the<br />
administrative fine, taking also account of specific aggravating elements of the case with regard to the<br />
nature of the data controller and the severity and duration of the data breach”.<br />
8.3 Position of the LSA on the objections<br />
172. The IE SA assessed that the objections raised by the AT SA, DE SA and HU SA in relation to the<br />
administrative fine to be ‘relevant and reasoned’ within the meaning of Article 4(24) GDPR. At the<br />
same time, the IE SA did not follow these objections for the reasons set out in the Composite<br />
Memorandum191.<br />
173. In particular, as regards the AT and DE SA's objections, the IE SA considers that its assessment and<br />
application of the factors at Articles 83(2)(a) and (b) GDPR, as elaborated in its Draft Decision, is<br />
appropriate. Regarding the AT SA's objection, the IE SA argues that TIC's infringement of Article 33(1)<br />
and Article 33(5) GDPR was the result of TIC's negligence rather than an intentional omission192.<br />
Therefore, the IE SA believes that the fine as proposed by the AT SA is not proportionate193. In addition,<br />
the IE SA argues that the concern of the AT SA regarding the fining range proposed in the Draft<br />
Decision, as opposed to a fixed sum, was not well elaborated and clarified by this CSA194. With regard<br />
to the DE SA's objection, the IE SA took note of the objection of the DE SA regarding the need for the<br />
fine to meet the requirement of dissuasiveness, but is of the opinion that the level of the fine proposed<br />
by the DE SA is not proportionate in this case195. For the above-mentioned reasons, the IE SA considers<br />
these objections are reasoned and relevant, but proposes not to follow them196.<br />
191 Composite Memorandum, paragraphs 5.60-5.72.<br />
192 Composite Memorandum, paragraph 5.62.<br />
193 Composite Memorandum, paragraph 5.63.<br />
174. The IE SA has taken due account of the AT SA’s view in relation to the timing of TIC’s awareness and<br />
notification of the Breach but concluded that notwithstanding TIC’s actual ‘awareness’ of the Breach<br />
on 7 January 2019, TIC ought to have been aware of the Breach at the latest by 3 January 2019197. In<br />
identifying 3 January 2019 as the date on which TIC ought to have been aware of the breach, the IE SA<br />
took into account that an earlier delay had arisen during the period from when the incident was first<br />
notified by a contractor to Twitter, Inc. to when Twitter, Inc. commenced its review198. Further, the IE<br />
SA clarifies that it is not suggesting that, "as a matter of generality, data controllers ought to<br />
automatically be considered to have awareness of data breaches at the same time at which their<br />
processor becomes aware of the breach"199. Also, the IE SA states that "it will usually be the case that<br />
a processor which experiences a breach will be aware of the incident at an earlier point in time than its<br />
controller, and that, provided the process agreed between the controller and the processor is effective<br />
and / or is followed, the controller will be made ‘aware’ of the breach [...] in a manner that enables it<br />
to comply with its obligation to notify same"200.<br />
8.4 Analysis of the EDPB<br />
8.4.1 Assessment of whether the objections were relevant and reasoned<br />
175. Concerning the possibility for relevant and reasoned objections on whether envisaged action in<br />
relation to the controller or processor complies with the GDPR201 to challenge the amount of proposed<br />
fines, the EDPB recently clarified that “it is possible that the objection challenges the elements relied<br />
upon to calculate the amount of the fine”202. This can amount to an example of objection concerning<br />
whether the envisaged action in relation to the controller or processor complies with the GDPR.<br />
176. In the case at stake, the AT SA’s objection challenges the elements relied upon by the IE SA in<br />
calculating the amount of the fine and thus concerns the compliance of the proposed action vis-a-vis<br />
the controller with the GDPR. The AT SA clarified the connection between its objection and the Draft<br />
Decision and demonstrated how the proposed changes would lead to a different conclusion.<br />
Additionally, it provided arguments on why the amendment of the decision is proposed, by providing<br />
an alternative interpretation of three of the criteria listed by Article 83 GDPR and by making reference<br />
to factual and legal arguments. The AT SA clearly demonstrates the significance of the risks posed by<br />
the Draft Decision, first of all, by arguing that the proposed fine is not adequately effective and<br />
dissuasive and by recalling that to this end it needs to be likely to deter the general public from<br />
committing a similar infringement and confirm the public’s confidence in the application of Union law,<br />
as well as to deter the controller from committing further infringements. Additionally, in the<br />
assessment of the gravity of the infringement the objection also refers to the extent to which data<br />
subjects (in a number likely to be higher than the one identified) were affected by the Breach (e.g. by<br />
having their previously protected tweets, likely to include sensitive data, exposed to the wider public).<br />
The alleged intentionality of the infringement, according to the AT SA, implies a far greater impact on<br />
the ability to know right from wrong than a negligent infringement. In light of the assessment above,<br />
the EDPB considers that the AT SA’s objection is relevant and reasoned in accordance with Article 4(24)<br />
GDPR. As a consequence, the EDPB will assess the merit of the substantial issues raised by this<br />
objection (see section 8.4.2 below).<br />
194 Composite Memorandum, paragraph 5.64.<br />
195 Composite Memorandum, paragraph 5.68.<br />
196 Composite Memorandum, paragraphs 5.65, 5.68.<br />
197 Composite Memorandum, paragraph 5.48.<br />
198 Composite Memorandum, paragraph 5.50.<br />
199 Composite Memorandum, paragraph 5.50.<br />
200 Composite Memorandum, paragraph 5.50.<br />
201 GDPR, Article 4(24).<br />
202 Guidelines on RRO, paragraph 34.<br />
177. The DE SA’s objection is also to be considered relevant as it concerns the compliance of the envisaged<br />
action with the GDPR, by challenging the elements relied upon to calculate the amount of the fine.<br />
More specifically, it argues that the fine imposed by the IE SA is not dissuasive and thus the calculation<br />
performed does not comply with Article 83(1) GDPR. The DE SA clarified that a sanction is to be<br />
considered effective and dissuasive when it serves as a general preventive measure to deter the general<br />
public from committing infringements as well as to affirm its trust in the validity of Union law, but<br />
also when it deters the offender from committing additional infringements. In addition, the DE SA<br />
clearly demonstrates the significance of the risks that the Draft Decision poses to the rights and<br />
freedoms of the data subjects as the failure to impose a dissuasive and effective sanction may not be<br />
able to deter the controller from committing further infringements.<br />
178. Another argument provided by the DE SA to demonstrate the significance of the risks is that the failure<br />
to appropriately handle the Breach suggests a “systemic error”, which would have required submitting<br />
the controller to a deeper scrutiny, beyond the single specific incident. The DE SA also recalled that a<br />
large number of persons was concerned and the period of time was equally substantial and concluded<br />
that the corrective powers imposed on the basis of Article 58(2) GDPR need to be examined in light of<br />
these elements. To conclude, the EDPB considers that the DE SA’s objection is reasoned and relevant<br />
within the definition of Article 4(24) GDPR. As a consequence, the EDPB will assess the merit of the<br />
substantial issues raised by this objection (see section 8.4.2 below).<br />
179. The HU SA’s objection is relevant as it also concerns the compliance of the envisaged action with the<br />
GDPR, by stating that the proposed fine is “unreasonably low, disproportionate and thus not<br />
dissuasive”. However, while the objection refers to “the “bug” in the controller’s application over the<br />
years” and to “its serious nature affecting data security”, as well as to the “gravity of the committed<br />
infringement” and to the “controller’s worldwide market power”, it does not clearly demonstrate the<br />
significance of the risks for rights and freedoms of data subjects posed by the amount of the fine as<br />
proposed by the IE SA. As a consequence, the EDPB considers this objection does not meet the<br />
requirements of Article 4(24) GDPR203.<br />
180. Last, the relevance of the objection raised by the IT SA is also shown by its reference to whether the<br />
proposed action complies with the GDPR, as it argues that the IE SA should review the Draft Decision<br />
in relation to the quantification of the administrative fine. By referring to the “foregoing objections” and thus to the fact that the aspects mentioned are “structural in nature as regards the controller's<br />
organisation” and “bound to produce effects not simply on the case at issue, but also on any data<br />
breach that may occur in the future”, the IT SA’s objection clearly demonstrates the significance of the<br />
risks for the rights and freedoms of data subjects with respect to the quantification of the fine.<br />
181. Therefore, the EDPB considers that the IT SA’s objection is reasoned and relevant, meeting the<br />
requirements of Article 4(24) GDPR. As a consequence, the EDPB will assess the merit of the substantial<br />
issues raised by this objection.<br />
203 As a consequence, the EDPB does not take any position on the merit of any substantial issues raised by these<br />
objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB<br />
may be called upon to make in other cases, including with the same parties, taking into account the contents of<br />
the relevant draft decision and the objections raised by the CSAs.<br />
8.4.2 Assessment of the merits of the substantial issue(s) raised by the relevant and<br />
reasoned objections<br />
182. The EDPB considers that the objections found to be relevant and reasoned in this subsection204 require<br />
the assessment of whether the Draft Decision proposes a fine in line with the criteria established by<br />
Article 83 GDPR and the Article 29 Working Party Guidelines on the application and setting of<br />
administrative fines for the purposes of the Regulation 2016/679 (“WP253”) (endorsed by the<br />
EDPB)205.<br />
183. Indeed, the consistency mechanism may also be used to promote a consistent application of<br />
administrative fines206: where a relevant and reasoned objection challenges the elements relied upon<br />
by the LSA to calculate the amount of the fine, the EDPB can instruct the LSA to engage in a new<br />
calculation of the proposed fine by eliminating the shortcomings in the establishment of causal links<br />
between the facts at issue and the way the proposed fine was calculated on the basis of the criteria in<br />
Article 83 GDPR and of the common standards established by the EDPB207. A fine should be effective,<br />
proportionate or dissuasive, as required by Article 83(1) GDPR, taking account of the facts of the<br />
case208. In addition, when deciding on the amount of the fine the LSA shall take into consideration the<br />
criteria listed in Article 83(2) GDPR.<br />
184. As regards the nature, gravity and duration of the infringement found in Articles 33(1) and 33(5) GDPR,<br />
Article 83(2)(a) GDPR requires to take into consideration inter alia the nature, scope and purpose of<br />
the processing concerned as well as the number of data subjects affected and the level of damage<br />
suffered by them.<br />
185. The EDPB agrees with the IE SA that the infringement to consider is not the Breach as such but the<br />
compliance with Articles 33(1) and 33(5) GDPR to notify that breach to the competent SA and to<br />
document that breach.<br />
186. The EDPB notes that the IE SA takes into account the nature of the processing as well as the number<br />
of data subjects affected. As regards the nature of the processing, the IE SA describes as a<br />
“microblogging” and social media platform on which users have the opportunity to document their<br />
thoughts in “tweets”. The EDPB considers that when assessing the nature of the processing, one must<br />
also take into consideration the fact the “processing concerned” involved communications by data<br />
subjects who deliberately chose to restrict the audience of those communications. The EDPB takes<br />
note that the IE SA Draft Decision considered that: “the impact on individual users, and the possibility<br />
of damage arising therefrom, will depend on the level of personal data made public and, also, the<br />
nature of that personal data. In this regard, I indicated in the Preliminary Draft that whilst TIC had not<br />
confirmed the precise nature of the data made public in the Breach, it was reasonable to deduce that,<br />
given the scale of the affected users and the nature of the service offered by TIC, some of the personal<br />
data released in relation to, at least, some of the users will have included sensitive categories of data<br />
and other particularly private material”209. However, the IE SA, based on TIC submissions, gave less<br />
weight to this factor than it did in the Preliminary Draft, as there was no direct evidence of damage210.<br />
The EDPB considers, however, that the IE SA should still have given significant weight to the fact that<br />
the “processing concerned” involves communications by data subjects who deliberately chose to<br />
restrict the audience of those communications, when evaluating the nature of the processing<br />
concerned. In particular, the IE SA should have given significant weight to this fact given that it was<br />
recalled by the IE SA in the Draft Decision, where the IE SA considered that "the large scale of the<br />
affected user segment gives rise to the possibility of a much broader spectrum of damage arising from<br />
the Breach, particularly given the nature of the service being offered by TIC" and "the likelihood that<br />
many users will have relied on the function of keeping “tweets” private to share information or views<br />
(in the comfort of what they believe to be a private and controlled environment) that they would not<br />
ordinarily release into the public domain"211.<br />
204 These objections are those of the AT SA, DE SA, and IT SA.<br />
205 Article 29 Working Party Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP253 adopted on 3 October 2017 (endorsed by the EDPB on 25 May 2020).<br />
206 GDPR, Recital 150.<br />
207 Guidelines on RRO, paragraph 34.<br />
208 EDPB Guidelines on administrative fines, p. 7.<br />
187. Moreover, when it comes to the scope of the processing concerned as such, the IE SA appears to<br />
substitute the scope of the processing with the number of the data subjects affected. The EDPB<br />
considers that the nature and the scope of the “processing” to take into consideration in the<br />
determination of the fine is not the processing operation consisting in the (accidental) disclosure<br />
(personal data breach), or the cause thereof, but rather the scope of the underlying processing carried<br />
out by TIC, as described in the previous paragraph.<br />
188. According to the AT SA, the timing when the controller became aware of the breach impacts on the<br />
gravity of the infringement of Article 33(1) GDPR. The objection raised by the AT SA expressed a<br />
disagreement as to how the time at which the controller should be deemed to be aware of a data<br />
breach should be determined or assessed. More specifically, the AT SA argued in its objection that TIC<br />
should have made a data breach notification within 72 hours after the processor became aware of the<br />
bug. This contributes to the assessment of the infringement of Article 33(1) GDPR by the AT SA as<br />
“grave”.<br />
189. In this respect, the EDPB recalls that the Guidelines on personal data breach notification under<br />
Regulation 2016/679 (“WP250”)212, which were endorsed by the EDPB, state that the "focus of any<br />
breach response plan should be on protecting individuals and their personal data. Consequently, breach<br />
notification should be seen as a tool enhancing compliance in relation to the protection of personal<br />
data"213.<br />
190. According to the Guidelines on personal data breach notification, a controller should be regarded as<br />
having become “aware” when that controller has a reasonable degree of certainty that a security<br />
incident has occurred that has led to personal data being compromised214. Since the controller uses<br />
the processor to achieve its purposes, in principle, the controller should be considered as “aware” once<br />
the processor has informed it of the breach215. However, the GDPR puts an obligation on the controller<br />
"to ensure that they will be “aware” of any breaches in a timely manner so that they can take<br />
appropriate action"216 and explains that "the controller may undertake a short period of investigation in<br />
order to establish whether or not a breach has in fact occurred. During this period of investigation the<br />
controller may not be regarded as being “aware”"217. However, the Guidelines clarify that this initial<br />
investigation should begin as soon as possible and that a more detailed investigation can then<br />
follow218.<br />
209 Draft Decision, paragraph 14.51.<br />
210 See paragraph 150 above.<br />
211 Draft Decision, paragraph 14.51.<br />
212 Article 29 Working Party Guidelines on personal data breach notification under Regulation 2016/679, WP250 rev.01, endorsed by the EDPB (hereinafter, “Guidelines on personal data breach notification”).<br />
213 Guidelines on personal data breach notification, p. 5.<br />
214 Guidelines on personal data breach notification, p. 10-11.<br />
191. The Guidelines thus make it clear that the controller, and by extension, the processor, are to act swiftly.<br />
"In most cases these preliminary actions should be completed soon after the initial alert (i.e. when the<br />
controller or processor suspects there has been a security incident which may involve personal data) –<br />
it should take longer than this only in exceptional cases"219.<br />
192. Having regard to the above, the EDPB agrees with the IE SA’s assessment according to<br />
which the controller cannot be expected to have become aware at the moment its processor has<br />
realised that a security incident has occurred. As provided in the WP29 Guidelines on data breach<br />
notifications, which were endorsed by the EDPB, there needs to be a degree of certainty that a<br />
personal data breach has occurred before awareness can be stipulated. It is not clear from the facts at<br />
issue as reflected in the Draft Decision that this was the case before the 3 January 2019. In this case, AT SA did not prove that TIC reached the necessary degree of certainty as to the fact that a data breach<br />
had occurred earlier than when the IE SA found TIC to be “aware” of the breach. As a consequence,<br />
the EDPB considers that the assessment of the gravity of the infringement does not need to be adjusted<br />
in light of a different determination of when the controller became aware of the data breach.<br />
193. Moreover, as regards the gravity of the infringement, the EDPB agrees with the IE SA that compliance<br />
with Articles 33(1) and 33(5) GDPR is central to the overall functioning of the supervision and<br />
enforcement regime.<br />
194. As regards the objection raised by the AT SA regarding the intentional nature of the infringement, the<br />
EDPB considers that the objection did not sufficiently demonstrate that from the moment the<br />
controller gained knowledge it intentionally disregarded its duty of care.<br />
195. However, as regards the negligent nature of the infringement, the EDPB considers that a company for<br />
whom the processing of personal data is at the core of its business activities should have in place<br />
sufficient procedures for the documentation of personal data breaches, including remedial actions,<br />
which will enable it to also comply with the duty of notification under Article 33(1) GDPR. This element<br />
implies an additional element to take into consideration in the analysis of the gravity of the<br />
infringement.<br />
196. The EDPB recalls that the CJEU has consistently held that a dissuasive penalty is one that has a genuine<br />
deterrent effect220. In that respect, a distinction can be made between general deterrence<br />
(discouraging others from committing the same infringement in the future) and specific deterrence<br />
(discouraging the addressee of the fine from committing the same infringement again)221. Moreover,<br />
the severity of penalties must be commensurate with the seriousness of the infringements for which<br />
they are imposed222. It follows that fines must not be disproportionate to the aims pursued, that is to<br />
say, to compliance with the data protection rules and that the amount of the fine imposed on an<br />
undertaking must be proportionate to the infringement viewed as a whole, account being taken in<br />
particular of the gravity of the infringement223.<br />
215 Guidelines on personal data breach notification, p. 13.<br />
216 Guidelines on personal data breach notification, p. 11.<br />
217 Guidelines on personal data breach notification, p. 11 (emphasis added).<br />
218 Guidelines on personal data breach notification, p. 11.<br />
219 Guidelines on personal data breach notification, p. 12 (emphasis added).<br />
220 See Opinion of Advocate General Geelhoed of 29 April 2004 in Judgment of 12 July 2005, Commission / France, C-304/02, EU:C:2005:444, par. 39.<br />
197. While the LSA in its Draft Decision made reference to the requirement that the fine must be dissuasive<br />
and proportionate, the EDPB considers that the LSA did not sufficiently substantiate how the fine<br />
proposed addresses these requirements. In particular, the EDPB notes that the LSA moves from<br />
calculating the maximum amount of the fine (set at $60 million) to stating the proposed fining range<br />
(set between $150.000,- and $300.000,-), without further explanation as to which particular elements<br />
led the LSA to identify this specific range224. Beyond the general reference to the relevant factors of<br />
Article 83 (2) GDPR, there is not a clear motivation for the choice of the proposed percentage (between<br />
0.25% and 0.5%) of the maximum applicable fine under Article 83(4) GDPR.<br />
198. In this regard, the EDPB has elaborated above the reasons why the LSA in its Draft Decision should<br />
have given greater weight to the element relating to the nature, scope and negligent character of the<br />
infringement and therefore considers that the proposed fine range should be adjusted accordingly.<br />
8.4.3 Conclusion<br />
199. Following this, the EDPB considers that the fine proposed in the Draft Decision is too low and therefore<br />
does not fulfil its purpose as a corrective measure, in particular it does not meet the requirements of<br />
Article 83(1) GDPR of being effective, dissuasive and proportionate.<br />
200. Thus, the EDPB requests the IE SA to re-assess the elements it relies upon to calculate the amount of<br />
the fixed fine225 to be imposed on TIC so as to ensure it is appropriate to the facts of the case.<br />
201. The EDPB notes that the analysis of the objections is limited to the substance of the objections to be<br />
considered as relevant and reasoned. The scope of the EDPB’s analysis concerning the calculation of<br />
the fine is therefore limited to an analysis of the method of the calculation of the fines as such. It does<br />
not constitute an implicit or explicit validation by the EDPB, of the analysis carried out by the LSA<br />
regarding the infringement of Article 33(1) or Article 33(5) GDPR or the legal qualification of the Twitter<br />
Inc. and TIC respectively. The EDPB reiterates that its current decision is without any prejudice to any<br />
assessments the EDPB may be called upon to make in other cases, including with the same parties,<br />
taking into account the contents of the relevant draft decision and the objections raised by the CSAs.<br />
9 BINDING DECISION<br />
202. In light of the above and in accordance with the task of the EDPB under Article 70(1)(t) GDPR to issue<br />
binding decisions pursuant to Article 65 GDPR, the Board issues the following binding decision in<br />
accordance with Article 65(1)(a) GDPR:<br />
221 See inter alia Judgment of 13 June 2013, Versalis Spa / Commission, C-511/11, ECLI:EU:C:2013:386, para. 94.<br />
222 CJEU Judgment of 25 April 2013, Asociaţia Accept, C-81/12.<br />
223 Marine Harvest, EU General Court, T-704/14, 26 October 2017.<br />
224 Draft Decision 15.19 and 15.20.<br />
225 This should preferably already be provided in the Art 60 GDPR draft decision.<br />
Adopted 46<br />
203. On the objections concerning the qualification of controller and processor and the competence of the LSA:<br />
The EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised, as they do not meet the requirements of Article 4(24) GDPR.<br />
204. On the objections concerning the infringements of Article 33(1) and 33(5) GDPR found by the LSA:<br />
In relation to the objection of the FR SA on the absence of an infringement of Article 33(1) GDPR, the objection of the DE SA on the determination of the dies a quo for the infringement of Article 33(1) GDPR, and the objection of the IT SA relating to the infringement of Article 33(5) GDPR, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised as they do not meet the requirements of Article 4(24) GDPR.<br />
205. On the objections relating to the possible further (or alternative) infringements of the GDPR identified by the CSAs:<br />
In relation to the objection of the DE SA on the possible infringements of Article 5(1)(f), Article 24, and Article 32 GDPR, and to the objection of the IT SA on the possible infringement of Article 5(2) GDPR, the EDPB decides that, while they meet the requirements of Article 4(24) GDPR, the IE SA is not required to amend its Draft Decision because the available factual elements included in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of infringements of Articles 5(1)(f), Article 5(2), Article 24, and Article 32 GDPR.<br />
In relation to the objection of the DE SA relating to the possible infringement of Article 33(3) GDPR, the objection of the FR SA relating to the possible infringement of Article 28 and Article 32 GDPR, the objection of the HU SA relating to the possible infringement of Article 5(1)(f), Article 32, and Article 34 GDPR, and the objection of the IT SA relating to the possible infringement of Article 28 GDPR, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objections raised as they do not meet the requirements of Article 4(24) GDPR.<br />
206. On the objection concerning the decision of the LSA to not issue a reprimand:<br />
In relation to the objection of the DE SA concerning the decision of the IE SA not to issue a reprimand, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised as it does not meet the requirements of Article 4(24) GDPR.<br />
207. On the objection concerning the calculation of the fine suggested by the LSA:<br />
In relation to the objection of the HU on the insufficiently dissuasive nature of the fine, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised as it does not meet the requirements of Article 4(24) GDPR.<br />
In relation to the objection of the AT SA, the objection of the DE SA, and the objection of the IT SA on the insufficiently dissuasive nature of the fine, the EDPB decides that they meet the requirements of Article 4(24) GDPR and that the IE SA is required to re-assess the elements it relies upon to calculate the amount of the fixed fine to be imposed on TIC, and to amend its Draft Decision by increasing the level of the fine in order to ensure it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality established by Article 83(1) GDPR and taking into account the criteria of Article 83(2) GDPR.<br />
10 FINAL REMARKS<br />
208. This binding decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision on<br />
the basis of this binding decision pursuant to Article 65(6) GDPR.<br />
209. Regarding the objections deemed not to meet the requirements stipulated by Art 4(24) GDPR, the<br />
EDPB does not take any position on the merit of any substantial issues raised by these objections. The<br />
EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be<br />
called upon to make in other cases, including with the same parties, taking into account the contents<br />
of the relevant draft decision and the objections raised by the CSAs.<br />
210. According to Article 65(6) GDPR, the IE SA shall communicate its final decision to the Chair within one<br />
month after receiving the binding decision.<br />
211. Once such communication is done by the IE SA, the binding decision will be made public pursuant to<br />
Article 65(5) GDPR.<br />
212. Pursuant to Article 70(1)(y) GDPR, the IE SA’s final decision communicated to the EDPB will be included<br />
in the register of decisions which have been subject to the consistency mechanism.<br />
For the European Data Protection Board<br />
The Chair<br />
(Andrea Jelinek)<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Article_4_GDPR&diff=15437
Article 4 GDPR
2021-04-29T13:49:21Z
<p>Hk: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
'''Article 4 - Definitions'''<br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span><br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data<ref>European Commission: [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en <!--http://web.archive.org/web/20200221090911/https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en-->What is personal data?]</ref> ===<br />
{{Recital/14 GDPR}}<br />
{{Recital/15 GDPR}}<br />
{{Recital/26 GDPR}}<br />
{{Recital/27 GDPR}}<br />
{{Recital/29 GDPR}}<br />
{{Recital/30 GDPR}}<br />
<br />
''You can help us fill this section!''<br />
<br />
==Commentary==<br />
Article 4 contains the definitions of terms used throughout the Regulation. While some definitions are carried over from [[Directive 95/46/EC]], others are modified, supplemented with additional elements, or newly introduced.<br />
<br />
In addition to the definitions provided in Article 4 GDPR, legal definitions are provided in<br />
* [[Article 5 GDPR]]: ‘lawfulness, fairness and transparency’, ‘purpose limitation’, ‘data minimisation’, ‘accuracy’, ‘storage limitation’, ‘integrity and confidentiality’, ‘accountability’<br />
* [[Article 8 GDPR]]: ‘child’<br />
* [[Article 9 GDPR]]: ‘special categories of personal data’<br />
* [[Article 51 GDPR]]: ‘Supervisory authority’<br />
* [[Article 68 GDPR]]: ‘European Data Protection Board’<br />
<br />
Due to the similarity in content of the definitions to those of the [[Directive 95/46/EC]], it is possible to build on the existing understanding of the terms to some extent. In the case of new definitions, on the other hand, there is scope for new interpretations. <br />
<br />
Because the Regulation is equally binding in every official language of the EU, linguistic inconsistencies in the interpretation of a definition can lead to differing understandings of a term and, in turn, to inconsistent application of the law. Whenever in doubt, the other language versions should therefore be consulted, and discrepancies resolved with the usual methods of interpretation.<br />
<br />
===Personal Data===<br />
The central concept of the GDPR is that of ‘personal data’. Its counterpart, non-personal data, is defined in Article 3(1) of Regulation (EU) 2018/1807.<ref>Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (OJ L 303, 28.11.2018, p. 59–68) [http://data.europa.eu/eli/reg/2018/1807/oj]</ref><br />
<br />
The definition of personal data used in the Regulation extends the definition of personal data in [[Article 2 Directive 95/46/EC#(a)|Article 2 (a) Directive 95/46/EC]].<ref name="com-2012-11-p9">COM(2012) 11 final - 2012/12 (COD), 27 January 2012, [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 p. 9].</ref><br />
<br />
The definition in the Directive was in turn derived from the definition of personal data laid down in [[Article 2 Convention 108#a|Article 2 (a) Convention 108]]<ref name="com-90-314-p19">COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref>: ‘<cite>“personal data” means any information relating to an identified or identifiable individual (“data subject”)</cite>’<ref>Article 2 (a) European Council [https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108 Convention No. 108]</ref>. The Commission stated that:<br />
:<cite> a broad definition is adopted in order to cover all information which may be linked to an individual. Depending on the use to which it is put, any item of data relating to an individual, harmless though it may seem, may be sensitive (e.g. a mere postal address). In order to avoid a situation in which means of indirect identification make it possible to circumvent this definition, it is stated that an identifiable individual is an individual who can be identified by reference to a number or a similar identifying particular.</cite><br />
<br />
The Commission’s modified proposal noted that ‘the amended proposal meets Parliament’s wish that the definition of “personal data” should be as general as possible, so as to include all information concerning an identifiable individual’<ref>COM (92) 422 final, 28.10.1992, p. 10, cited in Art. 29 Working Party. Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=4 p. 4]</ref>, a wish that the Council also took into account in the common position.<ref>Common position (EC) No 1/95, adopted by the Council on 20 February 1995, [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.1995.093.01.0001.01.ENG OJ C 93, 13.4.1995, p. 1–24] ([https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51995AG0413(01)#page=20 20])</ref><br />
<br />
The definition in the Regulation contains four main building blocks:<br />
* ‘any information’<br />
* ‘relating to’<br />
* ‘an identified or identifiable’<br />
* ‘natural person’<br />
<br />
====Any Information====<br />
With the expression ‘any information’ in the directive, the legislator sent a clear signal of its intention that the term ‘personal data’ be understood as broadly as possible. This wording calls for a broad interpretation.<br />
<br />
In 1983 the German Constitutional Court stated: <br />
: <cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite><ref>''Bundesverfassungsgericht''. Judgment of the First Senate of 15 December 1983 – 1 BvR 209, 269, 362, 420, 440, 484/83 –, [http://www.bverfg.de/e/rs19831215_1bvr020983.html Fulltext in de], [https://www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/EN/1983/12/rs19831215_1bvr020983en.html Abstract in EN] [https://e-justice.europa.eu/ecli/ECLI:DE:BVerfG:1983:rs19831215.1bvr020983 ECLI:DE:BVerfG:1983:rs19831215.1bvr020983]:<br />
:<cite>The nature of the information alone cannot be the decisive factor. What is decisive is its usability and the possibilities for its use. These depend, on the one hand, on the purpose for which the data is collected and, on the other hand, on the processing and linking possibilities inherent in information technology. This can give a datum that is in itself meaningless a new significance; in this respect, under the conditions of automatic data processing there is no longer any ‘meaningless’ datum.<br>''Dabei kann nicht allein auf die Art der Angaben abgestellt werden. Entscheidend sind ihre Nutzbarkeit und Verwendungsmöglichkeit. Diese hängen einerseits von dem Zweck, dem die Erhebung dient, und andererseits von den der Informationstechnologie eigenen Verarbeitungsmöglichkeiten und Verknüpfungsmöglichkeiten ab. Dadurch kann ein für sich gesehen belangloses Datum einen neuen Stellenwert bekommen; insoweit gibt es unter den Bedingungen der automatischen Datenverarbeitung kein „belangloses“ Datum mehr.''</cite></ref><br />
<br />
''Personal data'' relates directly to the data subject or to their interaction with their environment. Thus ‘personal data’ includes all kinds of statements about an individual. It can be ‘objective’ information such as a blood characteristic of a data subject, as well as ‘subjective’ information in the form of opinions or assessments. The latter type of information constitutes a significant part of the processing of personal data in sectors such as banking, for the assessment of the reliability of borrowers (‘An individual is a reliable borrower’), insurance (‘An individual should not die in the near future’) or employment (‘An individual is a good worker and deserves promotion’).<ref>Art. 29 Working Party. Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]</ref><br />
<br />
For information to be considered ‘personal data’, it is not necessary for the information to be true, proven or complete. In fact, the GDPR provides for the possibility that the information is incorrect and gives the data subject the right to access this information ([[Article 15 GDPR|Article 15]]) and to rectify it ([[Article 16 GDPR|Article 16]]).<ref>Art. 29 Working Party. Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]</ref><br />
<br />
With regard to the content of the information, ‘personal data’ includes any data which provides any kind of information. This of course includes special categories of personal data ([[Article 9 GDPR|Article 9]]) because of their special nature, but also more general types of information. The term ‘personal data’ includes information touching the individual’s private and family life ''sensu stricto'', but also information regarding whatever type of activity is undertaken by the individual, such as information concerning working relations or the economic or social behaviour of the individual. It therefore includes information on individuals regardless of the position or capacity of those persons (as consumer, patient, employee, customer, etc.).<ref>Art. 29 Working Party. Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6f]</ref><br />
<br />
This interpretation is corroborated by the wording of the Regulation itself.<br />
<br />
On the one hand, the concept of private and family life should be regarded as broad, as the European Court of Human Rights has made clear:<br />
<br />
: <cite>[The] term “private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings; furthermore, there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life” (see the Niemietz v. Germany judgment<ref>European Court of Human Rights. ''Niemietz v. Germany'', no. [http://hudoc.echr.coe.int/eng?i=001-57887 13710/88])</ref> [...], and the Halford judgment<ref>European Court of Human Rights. ''Halford v. the United Kingdom'', no. [http://hudoc.echr.coe.int/eng?i=001-58039 20605/92]</ref> [...]). That broad interpretation corresponds with that of the Council of Europe’s Convention [108].</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
On the other hand, the rules on the protection of personal data go beyond the protection of the broad concept of ‘right to respect for private and family life’ laid down in Convention 108.<br />
<br />
It should be noted that the Charter of Fundamental Rights of the European Union lays down the protection of personal data in Article 8 as an autonomous right, separate and different from the respect for private life referred to in Article 7 of the Charter, as is the case at national level in some Member States.<br />
<br />
With regard to the format or medium of the information, the term ‘personal data’ includes data in alphabetical, numerical, graphic, photographic, acoustic or any other form of information. This includes information on paper as well as information stored on a computer in binary form or, for example, on a video tape. This inevitably follows from the inclusion of automated processing of personal data in the scope of the Regulation.<br />
<br />
{{Collapse<br />
|2 = Example: Professional habits and practices<ref>Article 29 Data Protection Working Party. Opinion 4/2007 on the concept of personal data. 20 June 2007 [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf WP 136 p. 7]</ref><br />
|1 = Drug prescription information (e.g. drug identification number, drug name, drug strength, manufacturer, selling price, new or refill, reasons for use, reasons for no substitution order, prescriber's first and last name, phone number, etc.), whether in the form of an individual prescription or in the form of patterns discerned from a number of prescriptions, can be considered as personal data about the physician who prescribes this drug, even if the patient is anonymous. Thus, providing information about prescriptions written by identified or identifiable doctors to producers of prescription drugs constitutes a communication of personal data to third party recipients in the meaning of the Directive. <br />
}}<br />
<br />
{{Collapse<br />
|2 = Example: Telephone banking<ref>Article 29 Data Protection Working Party. Opinion 4/2007 on the concept of personal data. 20 June 2007 [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf WP 136 p. 8]</ref><br />
|1 = In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data.<br />
}}<br />
<br />
{{Collapse<br />
|2 = Example: Video surveillance<ref>Article 29 Data Protection Working Party. Opinion 4/2007 on the concept of personal data. 20 June 2007 [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf WP 136 p. 8]</ref><br />
|1 = Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable. <br />
}}<br />
<br />
{{Collapse<br />
|2 = Example: A child's drawing<ref>Article 29 Data Protection Working Party. Opinion 4/2007 on the concept of personal data. 20 June 2007 [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf WP 136 p. 8]</ref><br />
|1 = As a result of a neuro-psychiatric test conducted on a girl in the context of a court proceeding about her custody, a drawing made by her representing her family is submitted. The drawing provides information about the girl's mood and what she feels about different members of her family. As such, it could be considered as being “personal data”. The drawing will indeed reveal information relating to the child (her state of health from a psychiatric point of view) and also about e.g. her father's or mother’s behaviour. As a result, the parents in that case may be able to exert their right of access on this specific piece of information. <br />
}}<br />
<br />
====Relating to====<br />
<br />
====Identified or Identifiable====<br />
<br />
====Natural Person====<br />
<br />
====Examples====<br />
* name, municipality of residence, information concerning the earned and unearned income and assets of that person<ref>Judgment of the Court, Case [http://curia.europa.eu/juris/document/document.jsf?docid=76075&doclang=EN C-73/07], 16 December 2008, [https://e-justice.europa.eu/ecli/ECLI:EU:C:2008:727 ECLI:EU:C:2008:727], CELEX:[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62007CJ0073 62007CJ0073]</ref><br />
<br />
* data which relate both to the monies paid by certain bodies and to the recipients<ref>Judgment of the Court, Joined Cases [http://curia.europa.eu/juris/document/document.jsf?text=&docid=48330 C-465/00, C-138/01 and C-139/01], 20 May 2003, [https://e-justice.europa.eu/ecli/ECLI:EU:C:2003:294 ECLI:EU:C:2003:294] CELEX:[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62000CJ0465 62000CJ0465] </ref><br />
<br />
* name, date of birth, nationality, gender, ethnicity, religion and language<ref>Judgment of the Court, Joined Cases [http://curia.europa.eu/juris/document/document.jsf?text=&docid=155114 C‑141/12 and C‑372/12], 17 July 2014, [https://e-justice.europa.eu/ecli/ECLI:EU:C:2014:2081 ECLI:EU:C:2014:2081] CELEX:[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62012CJ0141 62012CJ0141], CELEX:[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62006CA0524 62006CA0524]</ref><br />
<br />
* name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies<ref>Judgment of the Court, Case [http://curia.europa.eu/juris/document/document.jsf?text=&docid=48382 C-101/01], 6 November 2003, [https://e-justice.europa.eu/ecli/ECLI:EU:C:2003:596 ECLI:EU:C:2003:596], CELEX:[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62001CJ0101 62001CJ0101]</ref><br />
<br />
* name, given name, date and place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>Judgment of the Court, Case [http://curia.europa.eu/juris/document/document.jsf?text=&docid=76077 C-524/06], 16 December 2008, [https://e-justice.europa.eu/ecli/ECLI:EU:C:2008:724 ECLI:EU:C:2008:724], CELEX:[https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:62006CJ0524 62006CJ0524]</ref><br />
<br />
* fingerprints<ref>Judgment of the Court, Case [http://curia.europa.eu/juris/document/document.jsf?text=&docid=143189 C‑291/12], 17 October 2013, [https://e-justice.europa.eu/ecli/ECLI:EU:C:2013:670 ECLI:EU:C:2013:670], CELEX:[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62012CJ0291 62012CJ0291]</ref><br />
<br />
* the times when working hours begin and end, as well as the corresponding breaks and intervals<ref>Judgment of the Court, Case [http://curia.europa.eu/juris/document/document.jsf?text=&docid=137824&doclang=EN C-342/12], 30 May 2013, [https://e-justice.europa.eu/ecli/ECLI:EU:C:2013:355 ECLI:EU:C:2013:355], CELEX:[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62012CJ0342 62012CJ0342]</ref><br />
<br />
* dynamic [https://en.wikipedia.org/wiki/IP_address IP address]<ref>Judgment of the Court, Case [http://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN C-582/14], 19 October 2014, [https://e-justice.europa.eu/ecli/ECLI:EU:C:2016:779 ECLI:EU:C:2016:779], CELEX:[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62014CJ0582 62014CJ0582]</ref><br />
<br />
* written exams<ref>Judgment of the Court, Case [http://curia.europa.eu/juris/document/document.jsf?docid=198059&doclang=EN C‑434/16], 20 December 2017, [https://e-justice.europa.eu/ecli/ECLI:EU:C:2017:994 ECLI:EU:C:2017:994], CELEX:[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62016CJ0434 62016CJ0434]</ref><br />
<br />
===processing===<br />
You can help us fill this section!<br />
===restriction of processing===<br />
You can help us fill this section!<br />
===profiling===<br />
You can help us fill this section!<br />
===pseudonymisation===<br />
You can help us fill this section!<br />
===filing system===<br />
You can help us fill this section!<br />
===controller===<br />
The definition of ‘controller’ is taken over from [[Article 2 Directive 95/46/EC#(d)|Article 2 (d) Directive 95/46/EC]]<ref>COM(2012) 11 final - 2012/12 (COD), 27 January 2012, [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 p. 9].</ref>, which itself is borrowed from [[Article 2 Convention 108#d|Article 2 (d) Convention 108]]<ref>[https://aei.pitt.edu/id/eprint/10375 COM (92) 422 final - SYN 287], p. 10</ref>. <br />
<br />
The Commission stated:<br />
<br />
:<cite>The controller is the person ultimately responsible for the choices governing the design and operation of the processing carried out (usually a chief executive of the company), rather than anyone who carries out processing in accordance with the controller’s instructions. That is why the definition stipulates that the controller decides the ‘objective’ of the processing. [...] The controller may process data himself, or have them processed by members of his staff or by an outside processor, a legally separate person acting on his behalf.</cite><ref>[https://aei.pitt.edu/id/eprint/10375 COM (92) 422 final - SYN 287], p. 10</ref><br />
<br />
The concept of controller must be defined broadly in order to meet the objective of effective and complete protection pursued.<ref>Opinion of the Advocate General, [http://curia.europa.eu/juris/document/document.jsf?docid=198949 Case C-25/17], 1 February 2018, [https://e-justice.europa.eu/ecli/ECLI:EU:C:2018:57 ECLI:EU:C:2018:57], CELEX:[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62017CC0025 62017CC0025], paragraph 63</ref><br />
<br />
An entity can be the controller of personal data even if it does not itself have access to that data.<ref>Judgment of the Court, Case [http://curia.europa.eu/juris/document/document.jsf?docid=203822 C-25/17], 10 July 2018, [https://e-justice.europa.eu/ecli/ECLI:EU:C:2018:551 ECLI:EU:C:2018:551], CELEX:[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62017CJ0025 62017CJ0025], paragraph 69</ref><ref>Judgment of the Court, [http://curia.europa.eu/juris/document/document.jsf?text=&docid=202543 C‑210/16], 5 June 2018, [https://e-justice.europa.eu/ecli/EU:C:2018:388 EU:C:2018:388], CELEX:[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62016CJ0210 62016CJ0210], paragraph 38</ref><br />
<br />
===processor===<br />
You can help us fill this section!<br />
===recipient===<br />
You can help us fill this section!<br />
===third party===<br />
You can help us fill this section!<br />
===consent===<br />
You can help us fill this section!<br />
===personal data breach===<br />
You can help us fill this section!<br />
===genetic data===<br />
You can help us fill this section!<br />
===biometric data===<br />
You can help us fill this section!<br />
===data concerning health===<br />
You can help us fill this section!<br />
===main establishment===<br />
You can help us fill this section!<br />
===representative===<br />
You can help us fill this section!<br />
===enterprise===<br />
===group of undertakings===<br />
You can help us fill this section!<br />
===binding corporate rules===<br />
===supervisory authority===<br />
You can help us fill this section!<br />
===supervisory authority concerned===<br />
You can help us fill this section!<br />
===cross-border processing===<br />
You can help us fill this section!<br />
===relevant and reasoned objection===<br />
You can help us fill this section!<br />
===information society service===<br />
The definition of ‘information society service’ is borrowed from Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services, which states:<br />
<br />
: ‘service’ means any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.<br />
: For the purposes of this definition:<br />
:: (i) ‘at a distance’ means that the service is provided without the parties being simultaneously present;<br />
:: (ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;<br />
:: (iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.<br />
: An indicative list of services not covered by this definition is set out in Annex I;<br />
<br />
The indicative list of services not covered by the second subparagraph of point (b) of Article 1(1) excludes the following services from being information society services:<br />
<br />
: 1. Services not provided ‘at a distance’<br />
: Services provided in the physical presence of the provider and the recipient, even if they involve the use of electronic devices:<br />
:: (a) medical examinations or treatment at a doctor's surgery using electronic equipment where the patient is physically present;<br />
:: (b) consultation of an electronic catalogue in a shop with the customer on site;<br />
:: (c) plane ticket reservation at a travel agency in the physical presence of the customer by means of a network of computers;<br />
:: (d) electronic games made available in a video arcade where the customer is physically present.<br />
: 2. Services not provided ‘by electronic means’<br />
:: — services having material content even though provided via electronic devices:<br />
::: (a) automatic cash or ticket dispensing machines (banknotes, rail tickets);<br />
::: (b) access to road networks, car parks, etc., charging for use, even if there are electronic devices at the entrance/exit controlling access and/or ensuring correct payment is made,<br />
:: — offline services: distribution of CD-ROMs or software on diskettes,<br />
:: — services which are not provided via electronic processing/inventory systems:<br />
::: (a) voice telephony services;<br />
::: (b) telefax/telex services;<br />
::: (c) services provided via voice telephony or fax;<br />
::: (d) telephone/telefax consultation of a doctor;<br />
::: (e) telephone/telefax consultation of a lawyer;<br />
::: (f) telephone/telefax direct marketing.<br />
: 3. Services not supplied ‘at the individual request of a recipient of services’<br />
: Services provided by transmitting data without individual demand for simultaneous reception by an unlimited number of individual receivers (point to multipoint transmission):<br />
:: (a) television broadcasting services (including near-video on-demand services), covered by point (e) of Article 1(1) of Directive 2010/13/EU<ref>point (e) of Article 1(1) of Directive 2010/13/EU:<br>1. For the purposes of this Directive, the following definitions shall apply:<br>[...]<br>(e) ‘television broadcasting’ or ‘television broadcast’ (i.e. a linear audiovisual media service) means an audiovisual media service provided by a media service provider for simultaneous viewing of programmes on the basis of a programme schedule [...].<br />
</ref>;<br />
:: (b) radio broadcasting services;<br />
:: (c) (televised) teletext.<br />
<br />
===international organisation===<br />
You can help us fill this section!<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
Hk
https://gdprhub.eu/index.php?title=Court_of_Appeal_-_(2021)_IECA_53&diff=15436
Court of Appeal - (2021) IECA 53
2021-04-29T13:47:04Z
<p>Hk: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Ireland<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Court of Appeal<br />
|Court_With_Country=Court of Appeal (Ireland)<br />
<br />
|Case_Number_Name=(2021) IECA 53<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=The Court Services of Ireland<br />
|Original_Source_Link_1=https://www.courts.ie/view/judgments/173edc3e-f251-4a5c-bbdb-37ccdbf64524/3c5b5e41-085e-4de8-9b20-d98b0c5504e7/2021_IECA_53 (Unapproved).pdf/pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Date_Decided=<br />
|Date_Published=19.02.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=Shawl Property Investments Limited<br />
|Party_Link_1=<br />
|Party_Name_2=A. and B.<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Panayotis Yannakas<br />
|<br />
}}<br />
<br />
The Irish Court of Appeal held that the submission to a court of confidential data from a prior proceeding that had been conducted in-camera does not constitute a breach of GDPR.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The EBS Building Society (EBS), as lender, offered to advance to "A." a loan of up to € 8 million over 25 years to acquire eight residential properties in Dublin, including the two contested houses (referred to as the "Blackacre" and "Whiteacre" buildings) which formed the subject matter of the core series of proceedings. In December 2005, a term of the agreement between EBS and "A." established that the lender would hold a first legal mortgage over each of the properties. <br />
<br />
The borrower "A." subsequently failed to meet his obligations to the lender and failed to make any repayments under the mortgages. On 4 April 2017, "A." was adjudicated bankrupt. <br />
<br />
"B." is a former life partner of "A.", but they were never married and, in consequence, she was never a party to any of the relevant agreements and mortgages. <br />
<br />
In 2018, following an assignment of the loan and security to Beltany Property Finance DAC (Beltany), the "Blackacre" and "Whiteacre" buildings were sold by Beltany to the plaintiff, Shawl Property Investments Limited (Shawl). Shortly before that transaction, "A." was discharged from bankruptcy. At the same time, "B." insisted that, arising from the outcome of the family law proceedings, she had a beneficial interest in these properties. As Donnelly J. observed, "B." claimed that the family settlement agreement directly attacked the validity of the mortgages, as well as the claim of entitlement to possession. <br />
<br />
In December 2018, a group of five men and one woman broke into the "Blackacre" building and changed the locks. At about the same time, a group of men led by "A." broke into the Whiteacre building. In both cases, the intruders were removed by the police. A few days later, "A.", again accompanied by a group of men, broke into the Blackacre house once more and changed the locks. Later, "B." arrived with their daughters. The police were called for a second time, but on this occasion "A." argued that "B." was the owner of the building and refused to leave. "B." insisted that she was the owner of the building by virtue of a purported transfer to her by their family trust, for the benefit of "A."'s teenage daughters. <br />
<br />
Lastly, it should also be noted that at some point "A." made it clear through his conduct that he did not wish to engage in any legal proceedings. This is why only submissions and other legal activity by "B." and by the other party, but none by "A.", can be observed.<br />
<br />
===Dispute===<br />
The judgment under review is an appeal from the order declaring that "A." and "B." have no estate, right, title or interest in these two properties. "B.", among many other arguments, asserted that an unredacted version of the 2015 judgment had been used as legal material by the lender when the latter was seeking interim injunctions against the couple. <br />
<br />
To a large extent the case is also relevant to property and banking law. For the purpose of this privacy review, both of those topics are mentioned only where absolutely necessary for understanding the salient elements of the actions and pleadings between the parties. It should also be noted that on preliminary review it was decided that "B." had not in any other substantive or meaningful way engaged with the orders of the trial judge. <br />
<br />
As to the alleged data breach, "B." placed emphasis on the fact that Shawl had delivered into open court private data containing details of prior family law proceedings which had been conducted in in-camera hearings. She asserted that these were disclosed by the plaintiff without any regard for their in-camera status, in breach of the strict liability rule of law, by way of a data breach, and in breach of the constitutional rights of her family. <br />
<br />
In "B."'s eyes, that disclosure constituted an outright breach of their rights under the GDPR, the national Data Protection Act and the in-camera rule, as well as of their fundamental rights. In order to prove these allegations, she relied upon Recitals 1, 4 and 7 together with Article 4(11) GDPR.<br />
<br />
===Holding===<br />
Whelan J. stated that the evidence indicates that the disclosure of the personal data of "A." and "B." via the unredacted judgment may have been made to the court only to the degree absolutely necessary to support the interim and interlocutory injunctions. <br />
<br />
Furthermore, Whelan J. observed that even if it were accepted that there was a prohibition on presenting that judgment in a manner identifying the parties outside the enforcement of the order, she was still not convinced that there was evidence capable of establishing such identifiability.<br />
<br />
"B."'s legal argument focused on whether the alleged breaches of her privacy pleaded by her disclosed a reasonable cause of action sufficient to entitle her to pursue the counterclaim and to reverse its dismissal by the High Court. But that is a matter for the judge to determine where the respondent establishes that it held the data solely for a legitimate purpose within the meaning of the GDPR. In this case, the respondent required the information to properly assert its legal rights, including its right to obtain an emergency injunction. The judge also observed that "''the material was wholly, exclusively and necessarily procured and deployed for the purposes of establishment of the respondent’s clear title to the properties, defending the baseless claims of B. as well as A''". Recital 111 GDPR provides that provision should be made for transfers that are occasional and necessary in relation to a legal claim.<br />
<br />
It is accepted that a court may, in certain circumstances, lift the in camera rule where it is absolutely necessary. According to the case "''J.D. v. S.D. [2013] IEHC 648, [2014] 3 I.R. 483''", "''[t]here is, almost invariably, a further restriction on the lifting order insofar as non-essential private material should be redacted, and where the lifting of the in camera rule relates to information and documentation pertaining to just one of the parties, then the privacy and business of the other party should be preserved by even more rigorous redaction, with costs orders providing that the burden of such redaction does not fall on an innocent, or less blameworthy, party''". So it is clear that where the interests of justice require it, it is open to a court to relax the in-camera rule subject to conditions, including a requirement of redaction. That is the main reason behind the final decision that the alleged privacy breach claim is frivolous, vexatious and bound to fail, and so must be struck out.<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
THE COURT OF APPEAL <br />
<br />
UNAPPROVED <br />
REDACTED <br />
Neutral Citation Number [2021] IECA 53 <br />
Appeal Number: 2019/475 <br />
<br />
Whelan J. <br />
Faherty J. <br />
Collins J. <br />
<br />
<br />
<br />
BETWEEN/ <br />
<br />
SHAWL PROPERTY INVESTMENTS LIMITED <br />
<br />
RESPONDENT <br />
<br />
- AND – <br />
<br />
<br />
A. AND B. <br />
<br />
APPELLANTS <br />
<br />
<br />
<br />
JUDGMENT of Ms. Justice Máire Whelan delivered on the 19th day of February 2021 <br />
<br />
1. This is an appeal from an order of Allen J. made on 16 October 2019 and perfected on 25 October 2019 granting summary judgment in plenary proceedings and, inter alia, declaring that the appellants had no estate, right, title or interest in two properties and further dismissing the counterclaim pursuant to O. 19, r. 28 of the Rules of the Superior Courts (“RSC”). The reasoned judgment was delivered on 1 October 2019. Before considering the said judgment and orders, it is necessary to briefly review the salient background facts. <br />
<br />
<br />
Key material facts <br />
2. By letter of loan offer dated 20 October 2005 EBS Building Society (“EBS”) offered to advance to A. a loan of up to €8,318,000 over 25 years for the purposes of the acquisition by him of eight investment properties. The proceedings concern two of the said properties. On 16 November 2005 A. accepted the said offer and drew down the entire sum of the funds on 13 December 2005. An express term of the agreement between EBS and A. confirmed that EBS would hold a first legal mortgage over each of the eight properties. Consequently on 6 January 2006 A. executed a deed of mortgage and charge over, inter alia, a property referred to hereinafter as “Blackacre”. On 10 January 2006 A. executed a further deed of mortgage and charge over, inter alia, a property hereinafter referred to as “Whiteacre”. <br />
<br />
3. A. failed to discharge his liabilities on foot of the said respective mortgages. <br />
<br />
4. On 29 October 2009 EBS obtained an order in the High Court against A. for possession of, inter alia, Blackacre and Whiteacre. <br />
<br />
5. EBS did not proceed to execute the order for possession but instead on 26 May 2010 appointed a receiver over the said properties including Blackacre and Whiteacre. <br />
<br />
6. Meanwhile, on 9 September 2013, EBS marked judgment in the Central Office of the High Court against A. in the sum of €9,433,173.79. <br />
<br />
7. From the date of his appointment on or about 26 May 2010, the receiver took possession of the properties, managed same and collected the rents and profits in accordance with the tenor of his appointment and of the said respective security instruments. He put the properties on the market in or about the month of March 2014. There was significant litigation as between the receiver and the appellants between 2014 and 2018, as hereinafter set out. <br />
<br />
8. On 4 April 2017 A. was adjudicated a bankrupt. On 29 April 2017 A. brought an application to show cause against his adjudication which application was dismissed by order of the High Court (Costello J.) on 17 July 2017. He was discharged from bankruptcy on 4 April 2018. <br />
<br />
9. Under and by virtue of a deed of conveyance and assignment bearing date 30 June 2017 EBS DAC (as by then it had become) effected a transfer and disposition of A.’s loan together with the securities held for same to Beltany Property Finance DAC (“Beltany”). <br />
<br />
<br />
10. On 10 September 2018 Beltany, in pursuance of the exercise of its power of sale as specified in the mortgage instruments aforesaid, sold the properties Blackacre and Whiteacre to Shawl Property Investments Limited (“Shawl”), the respondent. Shawl went into possession of Blackacre and Whiteacre on 11 September 2018. Memorials in respect of the said assurances to Shawl were duly registered in the Registry of Deeds in accordance with the Registration of Deeds Act (Ireland) 1707. <br />
<br />
11. B. is a former partner of A. They were never married to one another. She was not a party to any of the relevant mortgages referred to above and never held any legal interest in any of the properties. <br />
<br />
<br />
The 2014 litigation <br />
12. On 29 April 2014 the receiver instituted proceedings before the High Court against A., B. and a third entity. Relevant to Blackacre and Whiteacre the said proceedings sought, inter alia, orders requiring the appellants to vacate the said premises and restraining them from entering upon, attending at or otherwise interfering with the receivership. The reliefs sought also extended to other properties which are not material to this appeal. <br />
<br />
<br />
The 2015 judgment <br />
13. A redacted judgment of Donnelly J. delivered on 27 April 2015, [2015] IEHC 366 (“the 2015 judgment”), provided, inter alia, with particular reference to the claims of the appellant, B., as follows:- <br />
<br />
<br />
“42. Shortly before the hearing commenced, [B.] swore another affidavit on the 17th November, 2014. In this affidavit, apart from exhibiting various loan offers, [B.] again asserted matters that were more properly the subject matter of submissions and these are dealt with in the course of this judgment. [B.] also exhibited and referred to various Registry of Deed search results in which she said that numerous loans had not been vacated. She also said that the schedule of documents listed to support the certificates of title sent by the solicitors in these proceedings did not contain deeds of release or vacates in relation to those loans. She said that this was a breach of contract by the EBS and was a clear breach of the law. <br />
43. In that affidavit, she also made a counterclaim insofar as she claimed an order setting aside the plaintiff as receiver, an order restraining the plaintiff, his servants or agents from entering, attending or trespassing on or near the eight properties, a further order restraining the plaintiff, his servants or agents from receiving rent for the eight properties, an order preventing the EBS appointing further receivers and an order instructing the EBS and the defendants to engage in mediation to find an equitable solution to the problems set out. <br />
44. In light of the above, the court views [B.’s] case as based upon two main planks. In the first place, she said that when taken together the loan offers and mortgage deeds are so full of errors (factual and legal), so flawed and/or so self-contradictory that they are null and void and/or cannot be relied upon to give legal justification to the appointment of the plaintiff as receiver. Her other argument is that she had a beneficial interest in these properties that takes priority over any interest that the EBS might have.” <br />
This latter contention represents the continuing stance of B. notwithstanding the clear import of the 2015 judgment and orders as upheld on appeal and set out below. <br />
14. The redacted judgment provided as follows: – <br />
<br />
<br />
“The beneficial interest <br />
The family law proceedings <br />
66. Under this heading, [B.’s] claim amounts to one that, arising from the outcome of the family law proceedings, she had a beneficial interest in the property. This is a claim that her right to possession is independent of the right to possession of [A.]. It is that independent claim which requires the court to deal with it, despite the findings made above. <br />
67. Family law matters were settled between [A.] and [B.]. On the 11th March, 2008, as part of the settlement agreement, the Circuit Court received and filed the terms of the consent. The court also made the orders where applicable set out in the terms of the consent. Insofar as it is relevant, [A.] transferred to [B.] a joint legal and beneficial interest in the property situate at [redacted] (the ninth premises) so that they would hold it as joint tenants free from encumbrances.” <br />
The redacted judgment further noted at para. 68 that additional terms of agreement were subsequently drawn up between A. and B. and purportedly dated 2 June 2008. <br />
15. In the conclusions to the 2015 judgment Donnelly J. observed in relation to the counterclaims contended for by B.:- <br />
<br />
<br />
“150. [B.] has made many and varied submissions as to why the plaintiff is not entitled to the orders he seeks. This entailed an attack on the validity of the mortgages under which he was appointed as well as a claim of entitlement to possession herself. I have dealt with and rejected each and every argument put forward by [B.]. I therefore propose to make the final orders as sought by the plaintiff in relation to [B.]. <br />
151. For the reasons set out in this judgment, it follows that the counterclaims of [B.] are dismissed.” <br />
16. With regard to A., the original sole mortgagor in respect of both mortgages, it appears that he did not attend court for the hearing of the 2014 proceedings – a pattern of behaviour replicated at the hearing of this appeal. The 2015 judgment records as follows: - <br />
<br />
<br />
“152. In relation to [A.], I sought and was given further submissions regarding the position as to final orders against him in circumstances where the plaintiff moved by way of notice of motion. In this case, [A.] sent to the plaintiff a number of e-mails which he asked to be placed before the court. In his first email of the 4th April, 2014 he indicated he had no hand, act or part in interfering with the receivership. In his second e-mail of 6th May, 2014, he again stated that he had in no way obstructed the receivership and indicated that in his view that the matter was ‘dealt with over four years ago through my acting solicitor…’. In his third e-mail dated the 15th May, 2014, he repeated similar sentiments and went on to say ‘I feel I am being harassed and drawn into another legal battle’. He acknowledged that ‘Grant Thornton were appointed by the bank EBS’ and goes on to say that he will delete his e-mail account if he is contacted further. <br />
153. It appears that at one point when this matter was before the High Court, [B.] was asked to confirm if [A.] had attended with her to inspect the mortgage at the relevant offices and she confirmed he was present. <br />
154. It is submitted that [A.] was fully on notice of the nature of the case to be made and decided not to participate in the proceedings. It goes without saying that the motion had been served on [A.]. <br />
155. [A.] has expressed his concern at being dragged into these proceedings. He was aware of what was at stake in the proceedings. It is also the case that any costs in the proceedings are ultimately borne by him subject to any order for costs against another defendant. Any surplus that might be in the receivership would be diminished by the costs of a full hearing. <br />
156. I am of the view that I have an inherent jurisdiction to treat the hearing as the full final hearing of the matters as I have outlined. It appears that it is just and equitable to treat this hearing as the final hearing in particular in light of the e-mails from [A.] indicating he did not wish to engage in these proceedings. Furthermore, the cost of any adjournment, further pleadings and further rehearing would fall ultimately on [A.] in light of the very clear conclusions I have made in this case. It is also the position that the orders I make against [B.] would extend to all persons having notice of that order. Such an order would include [A.] when notice is given. Those orders achieve possession by the plaintiff and should end all further obstruction with the receivership. In those circumstances, I will make the final orders against [A.] as well.” <br />
17. Paragraph 46 of the 2015 judgment of Donnelly J. was relied on by B. extensively in the course of the hearing of this appeal. It is considered in detail later. <br />
<br />
<br />
Order of 15 May 2015 <br />
18. The face of the order made by Donnelly J. on 15 May 2015 and perfected on 5 June 2015 records that counsel for the receiver informed the court “that he now seeks final orders of the court…”. With regard to B. the order recited as follows: “…the second named defendant informing the court that she consents to the within application before the court being an application that will lead to a final order”. The said order provided that:- <br />
<br />
<br />
“[A.] and [B.] their servants or agents and all other persons having notice of the making of this order do vacate the first premises and the second premises as set out in the schedule hereto and do deliver possession thereof to the plaintiff.” <br />
19. The order further provided as follows:- <br />
<br />
<br />
“3. [A.] and [B.] their servants or agents and all other persons having notice of the making of this order be restrained from entering or attending at any of the eight premises set out in the schedule hereto or dealing with the said premises in any manner whatsoever or purporting to deal with the said premises in any manner whatsoever.” <br />
Whiteacre and Blackacre represent the first and second of the eight premises identified in the schedule to the order. <br />
20. The order continued: – <br />
<br />
<br />
“4. [A.] and [B.] their servants or agents and all other persons having notice of the making of this order be restrained from interfering with the sale of the first premises or the second premises by the plaintiff or otherwise interfering with the receivership of the plaintiff in respect of any of the premises.” <br />
21. The court further directed as follows: – <br />
<br />
<br />
“5. [A.] and [B.] do account to the plaintiff for all monies received by [A.] and [B.] their servants or agents by way of purported collection of rent in respect of any of the eight premises set out in the schedule hereto.” <br />
A declaration was granted “that the appointment of the plaintiff as receiver of the eight premises in the schedule hereto is valid”. It further provided: “It is ordered that the counterclaims of [B.] be and are hereby dismissed”. <br />
Appeal of 2015 Order <br />
22. Following perfection of the order of Donnelly J. on 5 June 2015, B. appealed against the said order. The said appeal was dismissed by the Court of Appeal on 9 February 2017. A. also brought an application to the Court of Appeal seeking an extension of time within which to file a notice of appeal against the judgment and orders of Donnelly J. aforesaid. The said application, however, was withdrawn on 20 March 2017. <br />
<br />
<br />
Committal of B. for contempt <br />
23. A. and B. failed to comply with the orders of Donnelly J. as upheld on appeal and which had inter alia dismissed the counterclaims of B. On 4 May 2018, by order of Baker J. in the High Court, B. was committed to prison for contempt where she remained for about three and a half months. B. appealed against the said order. On 17 May 2018 the Court of Appeal refused an application for a stay on the said High Court order pending an appeal by B. An expedited hearing of the said appeal took place in the Court of Appeal on 12 June 2018. The appeal was dismissed on 21 June 2018. <br />
<br />
<br />
24. On 27 August 2018 B. gave notice that she wished to purge her contempt and at a hearing on 28 August 2018 she undertook to the High Court to vacate the premises, including inter alia Blackacre and Whiteacre, and not to interfere directly or indirectly with any of the eight identified properties. She was thereupon discharged from custody. Within three weeks of B.’s release from custody a “Deed of Trust” was created by A. appointing a third party as trustee and purporting to vest the properties in same for the benefit of the two children of A. and B. <br />
<br />
<br />
December 2018 to January 2019 <br />
25. Subsequent disturbing events which precipitated the institution of the within proceedings are succinctly outlined by the trial judge in the judgment under appeal herein as follows: - <br />
<br />
<br />
“21. Late in the morning of 2nd December, 2018, a group of five men and one woman broke into the house at [Blackacre] and changed the locks. The woman claimed to be the owner of the house by virtue of a purported transfer to her by The [X] Family Trust, for the benefit of the [A.]’s teenage daughters. The intruders were on that occasion put out by the Gardaí. <br />
22. At about the same time on the same day, a group of about eight men led by [A.] broke into the house at [Whiteacre]. Later that afternoon, the intruders were put out by the Gardaí. <br />
23. On the morning of Monday 28th January, 2019 [A.], this time accompanied by about six men, again broke into the house at [Blackacre] and again changed the locks. Later in the morning [B.] arrived, and in the afternoon the defendants were joined by their daughters. The Gardaí were again called, but on this occasion [A.] claimed that he was the owner of the building and would not leave. <br />
24. On 30th January, 2019 the High Court (Reynolds J.) made an interim order restraining the defendants from trespassing on either of the properties or from interfering with or obstructing the plaintiff’s possession and gave liberty to the plaintiff to issue and serve a motion for interlocutory orders, returnable for 1st February. On the return date, the defendants (who had left the property upon service on them of the order of 30th January) gave sworn undertakings to abide the order of 30th January, and on 8th February, 2019, consented to interlocutory orders, which were then made by Reynolds J.” <br />
Events at the hearing of the said interim and interlocutory applications and particularly whether the respondent breached B.’s data, privacy rights and the in camera rule were central to this appeal. <br />
26. A disturbing campaign of harassment and intimidation ensued, in the course of which B. along with A. attended at the offices of the employers of the two individual directors of the respondent company and made false and defamatory statements concerning each of them. Additionally, A. wrote letters to the employers of the two company directors making further false and defamatory statements, which statements included a baseless and false allegation that there were acts of paedophilia taking place at Blackacre and Whiteacre. <br />
<br />
27. It transpired that, less than three weeks after B. had purged her contempt and been released from custody, A. had purported to create a “trust deed” on 17 September 2018 purporting to grant to a named trustee the properties for the benefit of the two children of A. and B. Memorials of the said sham instrument were registered against the properties. <br />
<br />
28. Thus, approximately five months after purging her contempt of court, having spent several months in custody, B. actively participated in a scheme calculated to defy court orders and unlawfully seized possession and occupied Blackacre, driving out the owners and lawful occupants in the process. It was against such a background that Shawl was precipitated into court on 30 January 2019 and was granted interim orders restraining A. and B. until after Friday 1 February 2019 from causing damage to any portion of the said properties and directing that A. and B. immediately surrender possession and control of the properties including Blackacre and Whiteacre to the respondent. Further, orders were made restraining A. and B. from: <br />
<br />
(a) actually or implicitly harassing, threatening, intimidating or abusing the officers, shareholders, servants or agents of the respondent company; <br />
<br />
(b) making or causing to be made to any person, whether orally or in writing, by any medium whatsoever, any statement which is designed to provoke violence, harassment, threats, intimidation or abuse of the officers, shareholders, servants or agents of the respondent; <br />
<br />
(e) impeding and/or obstructing the respondent, its servants or agents in their efforts to take possession of the property; <br />
<br />
(f) impeding or obstructing the respondent, its servants or agents in their efforts to secure the property; and, <br />
<br />
(g) trespassing or entering upon or otherwise interfering with any portion of the properties without the prior written consent of the respondent. <br />
<br />
<br />
As is clear from the affidavit evidence that was before the High Court, B. was an active participant in the enterprise of breaking into Blackacre and the eviction of the lawful occupants in the property. Access to the dwelling was only recovered on foot of court orders on Friday 1 February 2019. <br />
29. It was not disputed by B. at the hearing of this appeal that she has studied law. Whether that be so or not, it must have been self-evident to her at all material times that a so-called “deed of trust” created on 17 September 2018 by A. purporting to create rights over the properties for the benefit of the children of A. and B. was of no legal effect whatsoever and was a sham and a legal fiction. Notwithstanding that fact, it is clear from the affidavits and the determinations of the High Court judge that she was an active participant in a campaign of serious intimidation which included taking to the internet and using various platforms to spread and disseminate false and defamatory statements, in particular about two individuals who are directors of the respondent company. The baseless allegations extended to claims that the properties Blackacre and Whiteacre were the locus for paedophilia. Significant damage and waste was caused to the properties including in the case of Blackacre €9,780 worth of damage. €5,000 in cash was removed from the property. <br />
<br />
30. On 8 March 2019 Reynolds J. made an order by consent for the exchange of pleadings between the parties. <br />
<br />
<br />
Statement of Claim <br />
31. A statement of claim delivered on 12 April 2019 pleaded that Shawl was the full legal and beneficial owner of the properties Blackacre and Whiteacre which it had purchased from Beltany on 10 September 2018. Echoing affidavits sworn by the directors of the company, it pleaded that Shawl, its servants and/or agents had been the subject of an orchestrated and malicious campaign of unlawful conduct “which has been organised, endorsed, facilitated and/executed by both of the defendants.” Amongst the particulars pleaded as constituent elements of the alleged campaign was the following: - <br />
<br />
<br />
“(a) On 17 September, 2018, [A.] purported to create a deed of trust pursuant to which the properties were transferred to [X.] in trust, which said deed of trust was then registered with the Property Registration Authority on 22 November, 2018; <br />
(b) On 23 November, 2018, [A.] wrote to An Garda Síochána making a false claim of title to both of the properties”. <br />
The statement of claim then graphically particularises forcible entry by A. and B. into the dwellings Blackacre and Whiteacre. It continues:- <br />
“(f) On 6 December, 2018, [A.] sent an email to the solicitors for the plaintiff making a false claim of title to the properties and making a baseless threat to complain the solicitors for the plaintiff to the Law Society of Ireland”. <br />
32. Sundry other acts alleged and pleaded to constitute defamatory statements, intimidation, threats, assault, abuse, damage to the properties and to goods and chattels therein contained are pleaded in detail. <br />
<br />
<br />
The defence and counterclaim <br />
33. On 23 May 2019 a defence and counterclaim, including a preliminary objection, was delivered on behalf of A. and B. by solicitors retained by them. Same was settled by counsel. Paragraph 3 of the defence pleads:- <br />
<br />
<br />
“…[B.] was not a party to the loan facilities and mortgages as defined below.” <br />
It was further pleaded at para. 4: – <br />
“The defendants are formed [sic] life partners…” <br />
With regard to the 2015 judgment of Donnelly J. and ensuing orders, it is pleaded as follows:- <br />
“13. Donnelly J. delivered Judgment on 27 April 2015 and granted various final orders against the Defendants. <br />
14. Said judgment was to be redacted in parts in relation to certain family law matters, as well as in respect of the identity of the parties, the record number and the addresses of the properties referenced therein.” <br />
34. The defence sets up various propositions and contentions diametrically at variance with the 2015 orders of Donnelly J. aforesaid. At para. 22 it is pleaded on behalf of A. that he “seeks a declaration in the within proceedings that he remains the legal and beneficial owner of the properties herein.” It is pleaded that a valid transfer to Beltany of the loan facility and mortgages did not occur on 30 June 2017. Albeit that Beltany is not a party to the proceedings, matters are alleged against Beltany including: - <br />
<br />
<br />
“26. …it was at all material times represented by Beltany, and/or their servants or agents, that the sums under the loan facilities remained outstanding and that they would accept the sum of €1.5 million (each) for the properties.” <br />
A wide variety of arguments and propositions are developed in the defence whereby it is sought to impugn Shawl’s title and the validity of the indentures of conveyance of 10 September 2018 whereby title to Blackacre and Whiteacre came to vest in Shawl: - <br />
“39. In light of the matters aforesaid, it is denied that the plaintiff lawfully acquired the properties from Beltany on 10 September 2018 or was entitled to be registered as owner of the properties in the Registry of Deeds…” <br />
35. The defence and counterclaim appears very faithfully to accord with B.’s own contentions and assertions regarding the properties in question throughout the relevant time. Amongst the groundless assertions pleaded was that, since A. had been adjudicated a bankrupt in April 2017, the adjudication had effectively extinguished the loan facilities over the properties in question. The pleadings in and of themselves amount to an extensive and detailed slander of the respondent’s title. It was denied that Beltany was entitled to sell as mortgagee in possession. Whilst the defence denies that A. and/or B. orchestrated, endorsed, facilitated and/or executed a malicious campaign of unlawful conduct against the respondent, the defence goes on to admit that the locks were changed, that the intruder system was immobilised, that the CCTV systems at the properties were immobilised and that the personal effects of one of the directors of the respondent company had been placed into a motor vehicle at Blackacre. <br />
<br />
36. In light of the events which have transpired and the circumscribed ambit of the appeal presented by B., of particular note are paras. 63 to 65 inclusive of the counterclaim which plead as follows: - <br />
<br />
<br />
“63. As part of said application for such reliefs, the plaintiff exhibited an unredacted copy of the judgment of Donnelly J. delivered on 27 April 2015 and marked: <br />
‘Do not publish on website’. <br />
64. The plaintiff, and/or its servants or agents, did not, or have not, set out the basis on which such a private and confidential judgment was obtained by the plaintiff and/or their legal advisors. <br />
65. Said disclosure represents a clear breach of the defendants’ right to privacy and/or the Data Protection Act 2018 and/or contempt of this Honourable Court.” <br />
37. The reliefs counterclaimed for included, inter alia: - <br />
<br />
<br />
“6. Damages for breach of privacy and/or the Data Protection Act 2018; <br />
7. Aggravated and exemplary damages”. <br />
Reply and defence to counterclaim <br />
38. The reply and defence to counterclaim was delivered on 6 June 2019. In light of the 2014 litigation and 2015 judgment and orders it invokes the doctrine of res judicata, the rule in Henderson v. Henderson (1843) 3 Hare 100 and the doctrine of issue estoppel insofar as A. and B. purported to dispute that Shawl was the full legal and beneficial owner of the properties. <br />
<br />
39. Paragraph 16 pleads as follows: - <br />
<br />
<br />
“With reference to paragraphs 63 to 65 of the defence and counterclaim, the plaintiff pleads as follows: - <br />
(a) It is denied that the judgment of the High Court (Ms. Justice Donnelly) dated 27 April 2015 (the ‘2015 judgment’) was ‘private and confidential’, whether in the manner pleaded or at all; <br />
(b) It is denied that the concept of a ‘private and confidential’ judgment of the High Court is known to the law in Ireland; <br />
(c) It is pleaded that the 2015 judgment is, and at all times having materiality to these proceedings has been, a public document; <br />
(d) It is denied that there was anything unlawful or improper in the reliance placed by the plaintiff on the terms of the 2015 judgment in the context of the application for the interim order and/or the application for the interlocutory order; <br />
(e) It is pleaded that the defendants are estopped and/or otherwise prohibited from seeking to challenge the reliance placed by the plaintiff on the terms of the 2015 judgment in the context of the application for the interlocutory order; <br />
(f) In support of the foregoing plea, the plaintiff shall rely upon the failure on the part of the defendants to raise any objection to the reliance placed by the plaintiff on the terms of the 2015 judgment in the context of the application for the interlocutory order; <br />
(g) It is denied that the plaintiff, its servants and/or agents are guilty of any breach of the defendants’ right to privacy and/or the data protection rights of the defendants, whether in the manner pleaded or at all; and <br />
(h) It is denied that the plaintiff, its servants and/or agents have acted in contempt of the High Court, whether in the manner pleaded or at all.” <br />
Motion <br />
40. A notice of motion was issued by Shawl seeking summary judgment on its claims for declaratory and injunctive reliefs alone. The approach adopted by Shawl was that, were the High Court disposed to grant the said relief and to make an order for costs, it would abandon its claim for damages. <br />
<br />
<br />
Judgment appealed against <br />
41. In his detailed judgment delivered on 1 October 2019, the trial judge reviewed the history of the loans and the course of dealings between the parties and Shawl’s predecessors in title. The court considered the salient elements of the pleadings between the parties. The court observed at para. 31 that Shawl sought summary judgment on its claims for declaratory and injunctive relief. He noted that Shawl acknowledged that an application for summary judgment other than in respect of a claim for a debt or liquidated sum is unusual but had contended that the court had jurisdiction to grant summary judgment based on the authority of Abbey International Finance Ltd. v. Point Ireland Helicopters Ltd. [2012] IEHC 374. The court noted that in reaching his conclusions in Abbey International, Kelly J. (as he then was) had relied on the inherent jurisdiction of the High Court and the specific rules applicable in cases transferred to the Commercial List in that court. He observed that Kelly J. had placed reliance on the judgment of Costello J. (as he then was) in Barry v. Buckley [1981] I.R. 306, the observations of McCarthy J. in Sun Fat Chan v. Osseous Ltd. [1992] 1 I.R. 425 and the judgment of Geoghegan J. in Dome Telecom Ltd. v. Eircom Ltd. [2007] IESC 59, [2008] 2 I.R. 726:- <br />
<br />
<br />
“…in which Geoghegan J. held that in modern times, the courts are not necessarily hidebound by the interpretation of a particular rule of court and if there is no rule in existence, precisely covering a situation calling for efficient case management and fair procedures, the court has an inherent power to fashion its own procedure.” (para. 35) <br />
He noted the arguments advanced on behalf of the appellants by their counsel including that Abbey International was a case that had been admitted into the Commercial List: - <br />
“…So it was, and Kelly J. found jurisdiction in the Commercial List Rules to deal with the plaintiff’s claims summarily: but he expressed that finding to be quite apart from the inherent jurisdiction which he had already found. <br />
38. It was further argued that because the court in Abbey International gave summary judgment only for the liquidated sum, and not for specific delivery of the helicopters, that what was said about the jurisdiction to summarily determine other claims was obiter. However, while the note of the judgment shows that the court did not give summary judgment on the claim for specific delivery, it did give conditional leave to defend: which was plainly an exercise of the jurisdiction which the court had found to exist.” <br />
42. The court then (para. 39 et seq.) considered the test applicable on applications for summary judgment including Aer Rianta c.p.t. v. Ryanair Ltd. [2001] 4 I.R. 607 together with the subsequent jurisprudence which refined the principles enunciated therein including I.B.R.C. Ltd. v. McCaughey [2014] IESC 44, [2014] 1 I.R. 749; McGrath v. O’Driscoll [2006] IEHC 195, [2007] 1 I.L.R.M. 203, and Danske Bank a/s (t/a National Irish Bank) v. Durkan New Homes [2010] IESC 22. He then proceeded to apply the legal principles in question to the facts before him. <br />
<br />
43. Regarding the contention that the adjudication of A. as a bankrupt on 4 April 2017 “extinguished the loan facilities”, the trial judge determined at para. 44 of the judgment that, “that is just silly”. The assertion that certain alleged non-disclosures on the part of EBS when A. moved an application in 2017 to show cause against his bankruptcy entitled him to a declaration that he remained the legal and beneficial owner of the properties in question, and that that omission effectively invalidated the transfer by EBS to Beltany of the loans on 30 June 2017 was disposed of at para. 46 as follows: “That is a mere assertion for which no sensible basis was advanced”. An alternative contention that A.’s bankruptcy extinguished the loan facilities such that there was nothing for EBS to transfer to Beltany on 30 June 2017 was likewise rejected by the trial judge (para. 47). <br />
<br />
44. To the second issue arising before the trial judge, namely whether A. and/or B. had established an equitable interest in the property or that the principle of estoppel was engaged, the trial judge concluded at para. 49:- <br />
<br />
<br />
“Being as charitable as I can, this is nonsense. Assuming, as I must for present purposes, that the defendants could establish that Beltany said that it would accept €1.5 million for each of the properties, the defendants do not allege that they agreed to pay it. …What [A.] says in his replying affidavit on this motion is that there were funds available, after his discharge from bankruptcy, to buy back ‘the properties held by Beltany’ – therefore all of the properties – and to ‘discharge him from all liabilities with Beltany’. Again, there is no suggestion that any money was ever offered to Beltany or that Beltany ever agreed to anything.” <br />
He concluded at para. 51: – <br />
“In my firm view the proposition that the naming of an asking price to a would-be purchaser might give rise to an estoppel preventing the owner of a property from selling it to anyone else is ridiculous. A fortiori the proposition that an expression of interest in a property coupled with an attempt to raise the purchase price might give rise to an equitable interest in property is hair raising.” <br />
45. In response to the contentions as pleaded and as argued on behalf of A. and B., that Beltany was not entitled to sell as mortgagee in possession, nor did it sell as such, and that on 10 September 2018 it was the receiver and not Beltany who was in possession of the properties, the trial judge reviewed the legislation including the provisions of the Land and Conveyancing Law Reform Act 2009, as amended by the Land and Conveyancing Law Reform Act 2013, concluding: - <br />
<br />
<br />
“56. The fundamental flaw in the defendants’ argument is that the statutory power of sale is not conditional on a mortgagee being in possession. It is true that in the vast majority of cases the mortgagee will be in possession, and will, if necessary, get a court order to put him into possession but this is because of the difficulty of persuading anyone to buy while the mortgagor remains in possession. <br />
57. The conveyance and assignment, in the case of [Blackacre], and the conveyance in the case of [Whiteacre], were both made in exercise of the powers vested in Beltany by virtue of the mortgages ‘and every other power it enabling’ and assured the properties to the plaintiff freed and discharged from all right or equity of redemption and from all claims and demands under the mortgages. That is the end of the matter. Whether, as a matter of fact, Beltany was or was not in possession is irrelevant to the effectiveness of the assurances to give good title to the plaintiff.” <br />
46. With regard to the various issues concerning formalities surrounding the assurances, conveyances and assignment in question, the trial judge cited with approval the decision of Murphy J. in English v. Promontoria (Aran) Ltd. (No. 2) [2017] IEHC 322 where a mortgagor had raised issues concerning various redactions and issues concerning, inter alia, execution in connection with the sale and disposition by the mortgagee of its interest under certain securities. Murphy J. had observed:- <br />
<br />
<br />
“…All of the issues raised by counsel for the plaintiff would be properly and validly raised if the plaintiff were a party to the deeds with an entitlement to challenge their efficacy, but he is not a party to the deeds. He is a third party whose only entitlement is to be shown that the stranger knocking on his door claiming possession has in fact acquired the interests of Ulster Bank Ireland Limited. <br />
56. In this application, what the plaintiff has singularly failed to do is to engage properly with the evidence that is actually before the court.” <br />
47. The trial judge concluded at para. 63, “The plaintiff’s title deeds, duly executed, stamped and registered, are before the court and are plainly regular on their face.” The trial judge observed at para. 68, “…I am satisfied that the defendants have no interest in the properties the subject of these proceedings”. <br />
<br />
48. It had been contended, inter alia, by A. and B. that they had consented to the making of the interlocutory orders by Reynolds J. on 1 February 2019 “strictly on the basis that there would be a full trial of the action” (para. 72). The trial judge observed:- <br />
<br />
<br />
“…It is true that the defendants, by their solicitors, in a letter written on 7th February, 2019 intimated that they would be consenting to the making of the interlocutory orders and asserted a right and wish for a full trial: but the plaintiff never agreed to that. In all the circumstances of the case, and particularly in view of the fact that no replying affidavit had been delivered in answer to the claim for interlocutory injunctions, the defendants’ consent to the making of the orders was no great concession.” (para. 72) <br />
49. The court noted that Shawl had sought an order pursuant to O. 19, r. 28 and/or the inherent jurisdiction of the court striking out the counterclaim of A. and B. on the grounds, inter alia, that it disclosed no reasonable cause of action, was bound to fail, was frivolous and vexatious and an abuse of process. It was further contended that A. and B. were precluded from raising the issues pleaded in the counterclaim by reason of the doctrines of res judicata and issue estoppel together with the rule in Henderson v. Henderson. The trial judge considered in detail those respective jurisdictions, observing at para. 78:- <br />
<br />
<br />
“…The need for caution and circumspection is a recurring theme in the authorities but this, it seems to me, is a black and white case. The plaintiff bought and paid for two houses. [A.] previously owned them but never paid for them. No amount of noise or smoke is going to change that.” <br />
50. The trial judge then turned to what came to be a central plank in the arguments of B. before this Court in the course of the appeal hearing. He noted at para. 79 that: - <br />
<br />
<br />
“…as part of the application for interim and interlocutory relief, the plaintiff exhibited an unredacted copy of the judgment of Donnelly J. delivered on 27th April, 2015 which was marked ‘Do not publish on website’. That disclosure, it is said, represents a clear breach of the defendants’ right to privacy and/or the Data Protection Act, 2018 and/or contempt of court and is actionable in damages.” <br />
The trial judge noted at para. 80 that the action taken against A. and B. by the receiver in the 2014 proceedings “principally concerned the same properties as are the subject of these proceedings.” <br />
51. Regarding the 2014 proceedings and judgment of Donnelly J. he further observed at para. 80: - <br />
<br />
<br />
“…There were in that case two main planks to [B.]’s defence. The first was an argument that the loan documentation was so flawed that it could not be relied upon to justify the appointment of the receiver. The second was an argument that a settlement made between the defendants in family law proceedings had given rise to a beneficial interest in the property for [B.], which took priority over the interest of EBS. Both arguments were rejected by the High Court and the Court of Appeal. [B.] did not accept the judgment of Donnelly J. and spent nearly four months in Mountjoy Prison before purging her contempt.” <br />
52. At paras. 81 and 82 of the judgment the trial judge noted, regarding B.’s conduct: - <br />
<br />
<br />
“On 28th January, 2019 the plaintiff was confronted with a situation in which a person who until five months previously had steadfastly refused to accept the authority of the High Court, had that day gone back into one of the houses. The plaintiff, presumably, was advised that there was no conceivable justification for the occupation but (unless perhaps by reference to a cock and bull story about a settlement by The [X] Family Trust, which, in the event, did not resurface) could not even guess what excuse might be offered. The plaintiff, in applying ex parte to the High Court for interim orders was bound by a duty of full disclosure, which included a duty to disclose the fact and outcome of the previous action against the same defendants in respect of the same properties. <br />
The judgment of Donnelly J. records that some of the evidence and submissions in the receiver’s case were heard in camera but that the judgment would necessarily refer to those matters. The judge noted that it would be necessary to redact the names of the parties and the properties so that, before publication, there should be as minimal as possible reference to the family law proceedings as would be consistent with the requirement to give reasons for the proper adjudication on the issues raised. The judgment records that Donnelly J. proposed to discuss the redaction of the judgment with the parties and it is available on the Courts Service website as McCann v. A., B. and C. [2015] IEHC 366. The names of the defendants have been anonymised and the addresses of the properties redacted.” <br />
53. With regard to how Shawl came to be in possession of a copy of the judgment of Donnelly J. of 27 April 2015 in unredacted form, the trial judge observed at para. 83: - <br />
<br />
<br />
“There is no evidence before the court on this application as to how the plaintiff came to be in possession of the unredacted judgment and it is, perhaps, unsatisfactory that the plaintiff should have it: but the responsibility for the fact that the plaintiff has it lies with whomever it was gave it to the plaintiff, and not the plaintiff.” <br />
The trial judge concluded: – <br />
“84. In any event the substance of the defendants’ complaint of infringement of privacy is that the plaintiff exhibited an unredacted copy of the judgment. If the plaintiff had exhibited the redacted judgment, the affidavit would have had to explain that A. and B. were, respectively, the first and second defendants in this case, and that the first and second redacted properties were the houses at [Whiteacre] and [Blackacre]: which would have amounted to the same thing. <br />
85. In my view there is no substance to the complaint in relation to the use by the plaintiff of the unredacted copy of the judgment and that the defendants’ counterclaim for damages on this count is bound to fail.” <br />
54. Accordingly the trial judge concluded firstly, applying the test in Abbey International Finance Ltd. v. Point Ireland Helicopters Ltd., that the defendants did not have an arguable defence:- <br />
<br />
<br />
“…I take the defendants’ case at its high-water mark but if Beltany was not in possession, that did not invalidate the sales. There is no issue of fact or nuanced question of law such as would warrant a trial of this action. <br />
89. It is very clear that the defendants have no defence and there will be a declaration that they do not, nor do either of them, have any estate, right, title or interest in either of the properties. In addition, there will be a permanent injunction restraining the defendants their servants and agents and all other persons with notice of the making of the order from trespassing or entering upon or otherwise interfering with the properties…” <br />
With regard to the counterclaim, the trial judge concluded: – <br />
“90. Applying to the counterclaim the principles enunciated by Clarke J. in Lopes v. Minister for Justice [2014] IESC 21, [ [2014] 2 I.R. 301] I find that even on the basis of the facts as pleaded, the counterclaim discloses no reasonable cause of action and is frivolous and vexatious and should be dismissed under O. 19, r. 28.” <br />
Notice of Appeal <br />
55. By notice of appeal dated 21 November 2019, A. and B. appealed to this Court. The notice suggests that they were self-representing for the purposes of the appeal. The appeal was initially listed before this Court for directions on 17 January 2020. <br />
<br />
56. Briefly put the grounds of appeal encompass the following issues: <br />
<br />
<br />
(1) data breach arising from deployment of the unredacted 2015 judgment before the High Court; <br />
<br />
(2) contempt of court in respect of the said judgment exhibited by the respondent; <br />
<br />
(3) breach of the in camera rule arising from same; <br />
<br />
(4) fair trial and due process and European Convention on Human Rights Article 6 rights; and, <br />
<br />
(5) miscellaneous fair trial and due process and access to the courts. <br />
<br />
<br />
These are considered hereafter to the extent actually argued at the appeal hearing. <br />
57. The notice of appeal court form sought details including, in the event that an appellant is not legally represented, the current postal address of the appellants. A single address was provided. With regard to an email address, the email address of B. alone was provided together with a telephone number. <br />
<br />
<br />
Submissions of B. <br />
Alleged Data Breach <br />
58. B. argued that in order to make its application for interim injunctions, Shawl delivered into open court her private data “gathered and acquired through unknown methods and from unknown third parties”. She contended that the data was and is protected by data protection law currently in operation in the State on which she is entitled to rely in circumstances where her private data is being or was processed, used and shared by a third party without her permission and consent. She placed emphasis on the fact that the said data contained details of prior family law proceedings which had been conducted in camera “…and also details disclosed in two in camera hearings which occurred during the currency of private litigation between the defendants and a third party”. Her contention was that private data was disclosed by the deployment of the 2015 unredacted judgment in the course of an ex parte application by Shawl for interim injunctions. She asserted that the 2014 litigation:- <br />
<br />
<br />
“…had occurred prior to the purported purchase of the properties by the plaintiff and was disclosed to the court by the plaintiff without any regard for its in camera status by way of a breach of the strict liability rule of law, by way of data breach and by way of breach of constitutional rights of the defendants.” <br />
59. B. asserted that the respondent disclosed “the details of three separate in camera hearings” in its pleadings and in its evidence “without…having engaged in due process to legally access the data”. She also alleged that in the course of the hearing the trial judge:- <br />
<br />
<br />
“…rose and adjourned to his rooms while counsel for the plaintiff adjourned from the court attended by the registrar who appeared to conduct an ex parte exchange with the registrar.” <br />
B. asserted that: - <br />
“On his return the judge disposed of the in camera status of some of the data and also disposed of the defendants’ data protection rights and constitutional rights to privacy and allowed the plaintiff to continue. In doing so the court and the plaintiff engaged in conduct, which constituted an outright breach of the defendants’ rights to the true effect of GDPR, Data Protection Act 2018, in camera law and their fundamental and constitutional rights”. <br />
B. contended that, as a result, the trial judge erred in conducting the hearing in breach of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, hereinafter “GDPR”). She placed reliance upon Recitals 1, 4 and 7 together with Article 4(11). She posited that the conduct of the trial judge constituted “an outright breach of all of the fundamental rights the GDPR seeks to protect and the manner in which those rights ought to be protected.” This assertion was strenuously denied by the respondent. <br />
The in camera rule <br />
60. B. took issue with the trial judge’s determination at para. 83 of the judgment that responsibility for the fact that the respondent had possession of the unredacted judgment “lies with whomever it was gave it to the plaintiff.” B. contended that the judge erred in law by disposing of “the strict liability of in camera law”. In written submissions she contended that:- <br />
<br />
<br />
“The data contained details of in camera matters and on its face the judgment, which formed the source of this in camera information, informed any reader that the family law section of the judgment contained in camera detail.” <br />
She placed reliance on the decision of Birmingham J. (as he then was) in Health Service Executive v. L.N. [2012] IEHC 611, [2013] 4 I.R. 49. <br />
61. B. contended: - <br />
<br />
<br />
“There is no doubt that when the plaintiff and the court was informed of the in camera nature of the content of the data it disclosed in open court, by counsel for the defendants who took the trouble to inform the court of the issue in circumstances where it appeared the court was unaware of the matter, that the conduct by the plaintiff that flowed from that moment was designed and calculated to interfere with the administration of justice, the rule of law and the fundamental rights of the defendants in the face of the court.” <br />
Thus, B. identified the point at which she contends the in camera rule was breached as the moment when her counsel apprised the court in the course of the hearing that an aspect of the matter had been the subject of an in camera order. It was contended that the trial judge ought thereupon to have acted to “protect the defendant’s rights at that moment”. She asserted that:- <br />
“It makes no sense at all that in order to rectify a legal wrongdoing by one party a plaintiff may be permitted to break the law and engage in legal wrongdoing against the defendant.” <br />
62. However, Donnelly J., at the behest of B., had revisited her 2015 judgment on 4 March 2020 and her ex tempore determination of 5 March 2020 regarding the non-applicability of the in camera rule to it - which was raised by Shawl but not disclosed to this Court by B. - is considered below. <br />
<br />
<br />
Fair trial and due process <br />
63. B. further contended that when the respondent disclosed in open court and in its evidence certain in camera details pertaining to her, the respondent effectively had failed to comply with its obligations “which [require] third parties who wish access to and use of third party in camera details of court hearings to make necessary applications to the court of original jurisdiction and prove legitimate interest.” B. contended that such a step ought to have been taken by the respondent in advance of acquiring, sharing and/or using in camera content. Allied to that assertion, it was contended that “the in camera evidence and pleadings contained in the plaintiff’s books of pleadings” constituted illegally obtained evidence and a breach of the appellants’ rights to a fair trial and to due process. <br />
<br />
64. In relation to the argument that the material constituted illegally obtained evidence, reliance was placed on the Supreme Court decision in The People (Director of Public Prosecutions) v. J.C. [2015] IESC 31, [2017] 1 I.R. 417. The second appellant’s contention was that the trial judge ought not to have allowed the respondent advance its claim in circumstances where an act of data breach had taken place. It was contended that the respondent had acted in contempt of the judgment of Donnelly J. <br />
<br />
<br />
Language in the High Court judgment <br />
65. In the notice of appeal, B. took issue with the “strong and passionate” words of criticism used in his judgment by the trial judge. She asserted that she was represented by a competent legal team at the hearing before the High Court:- <br />
<br />
<br />
“It is fair and reasonable for a party to assume and expect their counsel will not proffer legal arguments that could be described as silly, hair raising, nonsense or cock and bull – all words used…”. <br />
66. Ultimately, B. contended that the High Court orders should be set aside arising from the alleged data and in camera breaches. No legal basis or authority was identified to support such an approach, however. A data infringement claim, as with the evolving misuse of private information or privacy-invasion tort, is deemed to be founded in tort. Even were all of the claims in that behalf as are advanced in the counterclaim to succeed, the remedy specified is “compensation” and no remedy could extend to conferring or vesting in B. any interest in either Blackacre or Whiteacre. The clear terms of s. 117 of the Data Protection Act 2018, as well as Article 82 of the GDPR and the basic tenets of the law of tort, make that clear. <br />
<br />
<br />
Submissions of respondent <br />
67. The respondent contended that the 2015 judgment was not delivered in in camera proceedings nor was it otherwise subject to the in camera rule. It was argued that the deployment of the 2015 judgment by Shawl in the within proceedings did not constitute a violation of the law of privacy or data protection law. Even had the 2015 judgment been subject to the in camera rule, its deployment by Shawl in the within proceedings would nonetheless have been permissible, it was contended. <br />
<br />
68. Emphasis was placed on the fact that no timely objection whatsoever was taken by or on behalf of the appellants to the deployment of the 2015 judgment in the context of either: <br />
<br />
(a) an earlier 2018 Court of Appeal hearing or; <br />
<br />
(b) the hearing of the within application for the interlocutory order. <br />
<br />
69. It was asserted that in a judgment delivered by the Court of Appeal in 2018 there was “open references to the identity of the parties and the identity of the properties”:- <br />
<br />
<br />
“That document has been in the public domain since 21 June 2018, without any attempt being made on the part of the appellants to suggest that it ought somehow to be suppressed.” <br />
70. It was argued that the 2015 judgment was a public document and its terms were not rendered confidential to the appellants by any court order or legal principle. It was asserted that it would have been “fundamentally improper” to conceal the findings contained in the 2015 judgment from the trial judge. <br />
<br />
71. The respondent asserted that “[t]he mere fact that the 2015 judgment contains personal information concerning the appellants does not render its dissemination by any party a breach of their data protection rights.” <br />
<br />
72. The respondent invoked the provisions of the Data Protection Act 2018 and the GDPR and relied on s. 160 of the 2018 Act to assert that the cause of action suggested by the appellants simply does not exist as a matter of data protection law. <br />
<br />
73. With regard to the comments of the trial judge as embodied in the judgment, the respondent contended that there is no legal principle prohibiting the judiciary from criticising claims or arguments which are devoid of merit, even in colourful or castigating terms. It was asserted that the comments of the trial judge to which the appellants object “were not only permissible, but also warranted.” <br />
<br />
<br />
Discussion <br />
74. By way of preliminary observation, it is clear from a review of the notice of appeal and the written and oral arguments advanced on behalf of the appellants that, apart from GDPR/ privacy and contempt/in camera issues, B. has not in any substantive or meaningful way engaged with the determinations and orders of the trial judge regarding the defence delivered on her behalf to the statement of claim nor with the preponderance of the matters pleaded in the counterclaim. <br />
<br />
<br />
Abbey International <br />
75. The contention of the respondent, which was accepted by the trial judge, that the High Court enjoys an inherent jurisdiction to grant orders for summary judgment in plenary proceedings based on the Abbey International Finance Ltd. v. Point Ireland Helicopters Ltd. jurisprudence was not the subject of any meaningful dispute or argument by B. in the course of this appeal. In the circumstances and where the issue was not argued at all before the court, I am prepared to accept, for the purposes of this appeal, that such a jurisdiction is vested in the High Court. It will be for the courts on another day, should the issue be fully argued and its implications cogently stress-tested, to fully evaluate the nature, extent and scope of any such jurisdiction. <br />
<br />
<br />
Order 19, r. 28 <br />
76. This Court in ACC Bank plc v. Cunniffe [2017] IECA 261 considered the distinction between O. 19, r. 28 and the inherent jurisdiction thus:- <br />
<br />
<br />
“83. Order 19, r. 28 provides that a Court may order a pleading to be struck out on the grounds that ‘it discloses no reasonable cause of action’ and in any case where the action is shown by the pleadings to be ‘frivolous or vexatious’ the court may order that the action be stayed or dismissed or that judgment may be entered accordingly. The Supreme Court in the case of [Aer Rianta c.p.t. v. Ryanair Ltd.] held that on the plain meaning of the words of O. 19, r. 28 the rule applied to a pleading in its entirety. Therefore, a court had jurisdiction under the rule to strike out an entire pleading but not a portion thereof. This interpretation, based on a construction of the plain meaning of the words of r. 28, was both internally consistent and also externally consistent with O. 19, r. 27 dealing with ‘any matter in any endorsement or pleading’ and the definition of a ‘pleading’ in O. 125, r. 1. Denham J., in delivering judgment for the Supreme Court, stated that:- <br />
‘12. The jurisdiction under O. 19, r. 28 to strike out pleadings is one a court is slow to exercise. A court will exercise caution in utilising this jurisdiction. However, if a court is convinced that a claim will fail such pleadings will be struck out.’ <br />
84. In coming to a determination on an application grounded on Order 19 r. 28, the court is confined to the statement of claim as actually pleaded. Affidavits and other matters before the court ought to be disregarded. In [McCabe v. Harding Investments Ltd. [1984] I.L.R.M. 105], O’Higgins C.J. emphasised that in order to meet the threshold under the rule ‘vexation or frivolity must appear from the pleadings alone’.” <br />
Inherent jurisdiction <br />
77. The alternative relief sought by Shawl was that the defence and counterclaim be struck out pursuant to the inherent jurisdiction of the court. In ACC Bank plc v. Cunniffe this Court considered the distinction between the two procedural applications:- <br />
<br />
<br />
“86. …In Barry v. Buckley [1981] I.R. 306 at 308, Costello J. stated:- <br />
‘But, apart from order 19, the Court has an inherent jurisdiction to stay proceedings and, on applications made to exercise it, the Court is not limited to the pleadings of the parties but is free to hear evidence on affidavit relating to the issues in the case: see Wylie's Judicature Acts (1906) at pp. 34-37 and The Supreme Court Practice (1979) at para. 18/19/10. The principles on which the Court exercises this jurisdiction are well established. Basically its jurisdiction exists to ensure that an abuse of the process of the Courts does not take place. So, if the proceedings are frivolous or vexatious they will be stayed. They will also be stayed if it is clear that the plaintiff's claim must fail; per Buckley L.J. in Goodson v. Grierson [1908] 1 K.B. 761 at p. 765. <br />
This jurisdiction should be exercised sparingly and only in clear cases; but it is one which enables the Court to avoid injustice, particularly in cases whose outcome depends on the interpretation of a contract or agreed correspondence. If, having considered the documents, the Court is satisfied that the plaintiff's case must fail, then it would be a proper exercise of its discretion to strike out proceedings whose continued existence cannot be justified and is manifestly causing irrevocable damage to a defendant.’ <br />
In contrast with the position when an application is brought relying on Ord. 19 r. 28 alone, in considering whether or not to strike out a statement of claim in the exercise of the court’s inherent jurisdiction, the court is entitled to engage in some analysis of the facts. Cases such as Clarke J. in Salthill Properties Ltd. v. Royal Bank of Scotland [2009] IEHC 207 and Sun Fat Chan v. Osseous [1992] 1 I.R. 425 confirm that approach to be correct.” <br />
78. O’Donnell J. in Nowak v. Data Protection Commissioner [2016] IESC 18, [2016] 2 I.R. 585 observed at para. 14:- <br />
<br />
<br />
“…When used appropriately, the power to dismiss proceedings in limine saves court time, avoids delay, and, just as importantly, prevents the court process and the inevitable delays involved therein from being used merely to bring pressure to bear on the other party, and thus become a bargaining counter in negotiations. Of course, such a determination is a decision which can be appealed. <br />
[15] While Costello J. in Barry v. Buckley [1981] I.R. 306 was careful to distinguish between cases which were bound to fail and those which were otherwise ‘frivolous and vexatious’, that distinction, and the distinction between the jurisdiction provided by O. 19 r. 28 of the Rules of the Superior Courts 1986 and the inherent jurisdiction have become blurred. Thus, it has come to be said that a case which cannot succeed in law is one which is frivolous and vexatious. The position was put perhaps most elegantly in the ex tempore judgment of the Supreme Court in Farley v. Ireland (Unreported, Supreme Court, 1 May 1997), at pp. 2 and 3, delivered by Barron J. and quoted by the appellant in para. 19 of his submissions: <br />
‘So far as the legality of the matter is concerned, frivolous and vexatious are legal terms, they are not pejorative in any sense or possibly in the sense that Mr. Farley may think they are. It is merely a question of saying that so far as the plaintiff is concerned, if he has no reasonable chance of succeeding then the law says that it is frivolous to bring the case. Similarly, it is a hardship on the defendant to have to take steps to defend something which cannot succeed and the law calls that vexatious.’ <br />
… <br />
[16] …Without in any way reducing the scope of an important jurisdiction both for courts and other decision makers, I nevertheless consider that it may be desirable to distinguish between cases which are bound to fail and those which are truly frivolous and vexatious…” <br />
79. It appears to me that insofar as this appeal fails and the decision of the High Court is upheld it is appropriate to do so pursuant to the inherent jurisdiction. <br />
<br />
<br />
Claims to an interest in Blackacre or Whiteacre <br />
80. In my view having regard to the facts, the following are salient considerations in the context of this appeal. In December 2005 A. drew down in excess of €8M to purchase properties including, inter alia, Blackacre and Whiteacre. A. failed to make repayments under the mortgages. In 2008 A. and B. were involved in family law proceedings. When A. and B. entered into additional “Terms of Settlement” in mid-2008 that provided that, in the event that the settlement could not be complied with, B. would reside at Blackacre and enjoy that property as a family home indefinitely, they must have known that such an arrangement could not bind EBS which was neither a party to, nor on notice of, those terms. There is no suggestion anywhere that the 2008 orders or the subsequent additional “Terms of Settlement” concluded in June 2008 were entered into with the assent of the mortgagee, EBS. <br />
<br />
81. This could have been achieved, for instance, for the purposes of binding EBS, by A. and B. invoking before the Circuit Court s. 40(8) of the Civil Liability and Courts Act 2004, as amended, which provides:- <br />
<br />
<br />
“A court hearing proceedings under a relevant enactment shall, on its own motion or on the application of one of the parties to the proceedings, have discretion to order disclosure of documents, information or evidence connected with or arising in the course of the proceedings to third parties if such disclosure is required to protect the legitimate interests of a party or other person affected by the proceedings.” <br />
That they did not do so leads inexorably to an inference that the orders thus obtained are unenforceable against any interested party who had no notice of same or their successor or assigns. <br />
82. As is noted in the redacted 2015 judgment of Donnelly J. at para. 14: - <br />
<br />
<br />
“In a letter dated 16th September, 2008, to the EBS from [redacted], the solicitors then acting for [A.], it was confirmed that none of the eight premises was a family home within the meaning of the Family Home Protection Act, 1976 (‘the Act of 1976’) and that the mortgage of the properties therein is not affected by the Act of 1976 because [A.] was not and never had been married.” <br />
83. EBS instituted proceedings seeking possession against A. in October 2008. A remarkable feature of events in 2008 and the years following is that no step was taken by A. or B. to rely on the 2008 family law orders or “Terms of Settlement” or disclose same to EBS in the context of the 2008 possession proceedings. B. never had any registered interest in the properties and was not a party to the 2008 possession proceedings but no doubt was well aware of same. In October 2009 EBS obtained an order for possession against A. In May 2010 the receiver was appointed. Had A. or B. any bona fide belief in the validity of the 2008 family law orders and “Terms of Settlement”, one would expect that they would immediately assert rights thereunder against EBS. <br />
<br />
84. In September 2013 EBS marked judgment against A. in the sum of €9.433M. <br />
<br />
<br />
The modus operandi of B. <br />
85. In 2014 the receiver was obliged to institute proceedings against A. and B. together with another entity which culminated in the order of Donnelly J. made on 15 May 2015, referred to above. The order recorded that counsel for the receiver had informed the court that he sought final orders of the court and that B. informed the court that she consented to the application being an application that would lead to a final order. Inter alia the following actions on the part of B. had precipitated the 2014 litigation: <br />
<br />
(i) In March 2014 B. wrote to EBS asserting that she was “the person legally appointed to oversee [A.]’s financial affairs.” <br />
<br />
(ii) In March 2014 a person claiming to be “Catherine Doyle” of “Capital Properties” attended at a third property purporting to represent new agents appointed for the collection of rent. It was unclear whether the said woman was one and the same as B. Locks on the property were changed and notices were placed upon the property with the words “Notice: removal of implied right access”. Similar action took place at Blackacre and Whiteacre. Upon effecting forcible entry onto the said properties, it appears that the said woman obtained rental payments from three tenants. It is noteworthy that a similar fact pattern and modus operandi of forcible entry, this time with physical ejectment of lawful occupants, was effected in December 2018 and January 2019 in relation to Blackacre and Whiteacre. <br />
<br />
<br />
(iii) At the trial of the action in 2015 before Donnelly J., B. acknowledged that she had changed the locks and was responsible for stopping the attempts by the receiver to effect a sale and disposition of the properties. <br />
<br />
(iv) It later transpired that in respect of Blackacre and Whiteacre, which by then had become vacant, persons took up occupation of the premises - either A. and B. and/or their servants or agents. <br />
<br />
(v) The stance of B. in the High Court in the 2014 proceedings was extraordinary. She deposed in an affidavit sworn in May 2014 that by virtue of orders procured in the Family Law Circuit Court she held a first legal charge over the properties. She asserted that she had taken possession of Whiteacre which she asserted constituted a “family home” and that she did so due to alleged damage and loss incurred by reason of the failure by the receiver to comply with the family law court orders. She further asserted that the appointment of the receiver was invalid. She sought an order setting aside the appointment of the receiver. <br />
<br />
86. As Donnelly J. observed at para. 44, the totality of B.’s assertions and claims as hereinbefore stated distilled down to two key contentions; that she had a beneficial interest in the properties that ranked in priority to the rights of EBS under its mortgages; and, further, that the loan offer and instruments were deficient to an extent as to be null and void and incapable of forming the legal basis for the appointment of the receiver. All these claims were relaunched once more by way of defence or counterclaim in the current proceedings. <br />
<br />
87. In her exhaustive judgment, Donnelly J. concluded that there was no sound basis for any of the contentions advanced by B. A clear order was made directing B. to vacate Blackacre and Whiteacre and to deliver up possession thereof to the receiver. B. was ordered to cease holding herself out as being a party entitled to deal with, manage or collect rents in respect of other specified properties and was restrained from entering upon or attending at any of the eight premises identified in the schedule to the order. She was further restrained by order of the court from interfering with the sale of Blackacre or Whiteacre by the receiver or otherwise interfering with the receivership and the court formally declared that the appointment of the receiver of the eight premises in the schedule to the order was valid. The counterclaims of B. were all dismissed. B. appealed the orders of Donnelly J. and on 9 February 2017 the Court of Appeal unanimously dismissed that appeal. <br />
<br />
88. B. identified nothing - be it fact, matter or principle of law - which would entitle me to interfere with the declaration granted that A. and B. did not, nor did either of them, have any estate, right, title or interest in either Blackacre or Whiteacre. <br />
<br />
89. It consequentially follows that the extensive perpetual prohibitory injunctions granted and orders specified in the curial part of the order at paras. (a) to (j) inclusive must remain undisturbed since each such order was made in support of the vindication of the rights of the respondent to beneficial ownership of Blackacre and Whiteacre; restraining harassment, threats, intimidation or abuse of the respondent’s officers, shareholders, servants or agents. However, the order is more appropriately made pursuant to the court’s inherent jurisdiction. <br />
<br />
<br />
Data, privacy and in camera claims <br />
90. Although in the course of the hearing B. asserted breaches of privacy, GDPR and her data against a wide variety of entities and parties, these proceedings and this appeal are concerned only with the parties thereto. The net question for consideration now is whether B. has established any arguable ground to pursue any aspect of the claims at paras. 63, 64 and 65 of the counterclaim and the reliefs sought at paras. 6 (“Damages for breach of privacy and/or Data Protection Act 2018”), 7 (aggravated/exemplary damages), 9 (other relief) and 10 (costs) or are same also frivolous or vexatious or otherwise bound to fail. <br />
<br />
<br />
April 2015 judgment of Donnelly J. <br />
91. In her redacted judgment delivered in proceedings McCann v. A., B. and C. [2015] IEHC 366 and referred to above, at para. 46 Donnelly J. observed as follows: - <br />
<br />
<br />
“In Camera Proceedings <br />
An issue arose in the course of the proceedings relating to the family law proceedings between the first two defendants. I raised the issue that these were matters which were more properly dealt with in camera. Although [B.] initially indicated that she had no issue with them being dealt with in public, she later confirmed that she did have an issue. In any event, I had already indicated that it was my view that those matters should not be aired in public. During the course of the proceedings, the court sat in camera to hear the evidence of, and the submissions relating to, those proceedings. As those matters were in camera and as this judgment will necessarily refer to them, it is therefore necessary that the parties’ names and indeed the premises should be redacted from this judgment and that there should be as minimal as possible reference to the family law proceedings as is consistent with the requirements to give reasons for the proper adjudication on the issues raised. I propose to discuss with the parties the form in which this judgment can be disseminated in public.” <br />
92. B. asserted in this appeal – and the respondent does not deny – that an unredacted version of the 2015 judgment bearing the stamp “Do not publish on website” was put into evidence by the respondent when seeking interim/interlocutory injunctions in January and February 2019. <br />
<br />
<br />
March 2020 judgment of Donnelly J. <br />
93. Subsequent to the conclusion of the proceedings under appeal in the High Court, it appears that on 4 March 2020 B. moved an application before Donnelly J. in the High Court in the said 2014 proceedings seeking the following orders: <br />
<br />
<br />
1. an order for enforcement of the judgment of 27 April 2015 against the receiver pursuant to O. 42, r. 7; and/or <br />
<br />
2. an order for enforcement of the judgment of 27 April 2015 aforesaid pursuant to O. 42, r. 25; and/or <br />
<br />
3. an order directing the respondent Paul McCann “to disclose all the names and identities of the parties with whom he shared the content of the within proceedings in contempt of the judgment of the Honourable Ms. Justice Donnelly of the 27th April, 2015”. <br />
<br />
<br />
Donnelly J. refused the application of B. Her ex tempore judgment delivered on 5 March 2020 is worthy of note in the context of this application with particular reference to the issue of alleged breaches of the in camera rule. <br />
94. In her ex tempore judgment Donnelly J. observed: - <br />
<br />
<br />
“4. In the course of those proceedings, I was required to deal with the issue of the family law proceedings and they are dealt with from para. 66 onwards in the judgment. I had also referred to the order earlier in the judgment and in particular at para. 46… <br />
5. What happened thereafter was that I did discuss with the parties the form in which the judgment could be disseminated in public. It is clear that at that stage counsel for the receiver quite correctly raised the issue of the redaction of the record numbers from the judgment. The judgment that I had signed, and which is exhibited before me, quite correctly reflects that position in relation to the issues raised at the hearing. The parties, children and properties were not named and the record number of the proceedings was redacted.” <br />
95. She addressed the argument that the proceedings had been in camera as follows: - <br />
<br />
<br />
“19. Both parties are now agreed that the proceedings before me today are not in camera proceedings and that the previous proceedings were not in camera proceedings. That had appeared to be an issue when the matter was first called. They did not come within the criteria of in camera proceedings and I am quite satisfied that the previous proceedings also did not qualify as in camera proceedings. <br />
… <br />
22. The heart of this matter is what I said at para. 46. That paragraph was clearly and on its face intended to the publication of the judgment. That publication was what was addressed after I gave judgment and it was what was dealt with by both the parties in the discussion after the judgment. I would like to interject at this point to say that where people are relying on a transcript, the full and unedited version should be relied upon. I am not making a finding on this point but where people are relying on what was said in the transcript, the unvarnished transcript should be presented. It does seem that there are certainly some additions to that transcript and those additions may have resulted in some things being left out.” <br />
Paragraph 46 of the April 2015 judgment is set out at para. 91 above. <br />
96. At para. 24 Donnelly J. observed: – <br />
<br />
<br />
“…The passage in the judgment was directed towards publication of that judgment. That was all it said. It does not form and cannot form the wide ranging prohibition claimed by [B.].” <br />
She continued: – <br />
“…Indeed, it can be said that if any matter is to be implied into the judgment it would be that the parties could be identified to the extent necessary to permit the enforcement of the order. That is clear from the judgment itself which makes references to parties being aware of the order and the order itself including an order which restrained [B.] from interfering with the sale of certain properties or otherwise interfering with the receivership. So there was an implied interpretation there of the order that sales would occur and certain matters would occur. <br />
25. Even if one accepts what is being said here, that there was an implied prohibition on presenting the judgment in a public setting in a manner identifying the parties outside the enforcement of the order, I am not convinced there is evidence of that before me or any proof of it.” <br />
In conclusion, Donnelly J. observed at para. 28:- <br />
“…just to be clear, I do not believe there is any case in relation to the enforcement and in essence that would deal with all of [B.]’s requests, including her final request for evidence or proof, but in my view, the request for evidence that [B.] says she is entitled to, and is effectively what she is seeking by the application to disclose the names and identities of the parties, is to misunderstand the court process. There is no entitlement to seek an order of the court to obtain ‘proof’. A party in common law proceedings, in general, must supply the proof. This is not anywhere near a situation where a court would engage on the process she proposes. That is ultimately a fishing expedition and I reject her entitlement to any such relief. <br />
29. I therefore reject the application in its entirety.” <br />
No appeal of order of March 2020 <br />
97. Of significance is that B. did not appeal the said judgment and orders of Donnelly J. Accordingly, she must be taken to be bound by the key relevant determinations in the judgment of 5 March 2020 and in particular that she had no entitlement to an order directing the receiver, Paul McCann, to disclose the names or identities of parties with whom he allegedly shared the content of the judgment of 27 April 2015. Further, there is a clear determination in the judgment that the proceedings brought by way of notice of motion and heard on 4 March 2020 were not in camera proceedings and furthermore that the 2014 proceedings heard in 2015 and culminating in the written judgment of 27 April 2015 were not in camera proceedings either. The said determinations of Donnelly J., unappealed as they are, are binding on B. She offered no convincing reason for not disclosing the said order and judgment of Donnelly J. to the court. <br />
<br />
<br />
General Data Protection Regulation <br />
98. The GDPR became applicable with effect from 25 May 2018 across the EU to harmonise data privacy law in Member States. As Recital 4 makes clear:- <br />
<br />
<br />
“…The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” <br />
Recital 1 provides:- <br />
“The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union…and Article 16(1) of the Treaty on the Functioning of the European Union…provide that everyone has the right to the protection of personal data concerning him or her.” <br />
99. Recital 146 provides: - <br />
<br />
<br />
“The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law.” <br />
It further provides: – <br />
“…Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage.” <br />
100. Recital 147 addresses the issue of jurisdiction and provides: - <br />
<br />
<br />
“Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation (EU) No. 1215/2012 of the European Parliament and of the Council should not prejudice the application of such specific rules.” <br />
101. Article 79 in turn addresses the right to an effective judicial remedy against a controller or processor:- <br />
<br />
<br />
“1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation. <br />
2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.” <br />
102. Article 82 of the Regulation addresses the right to compensation and liability and provides, inter alia:- <br />
<br />
<br />
“(1) Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. <br />
(2) Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. <br />
(3) A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage. <br />
(4) Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. <br />
… <br />
(6) Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).” <br />
103. Article 84 and Recitals 149 and 150 govern the issue of penalties, including for infringement of national rules, and administrative fines. <br />
<br />
104. In substance, B.’s contention is that in particular the alleged breaches of her privacy, data protection law and in camera rights pleaded by her disclose a reasonable cause of action sufficient to entitle her to pursue the counterclaim and to reverse its dismissal by the High Court. <br />
<br />
<br />
Restraints on exercise of the inherent jurisdiction <br />
105. Delany and McGrath on Civil Procedure (4th ed., Round Hall, 2018) emphasises the extent to which restraint must be exercised by the court in the exercise of the inherent jurisdiction to strike out. The authors, having reviewed the jurisprudence, note at para. 16-16:- <br />
<br />
<br />
“…Given that an order striking out proceedings will only be made in very clear cases where there is no dispute as to the relevant facts, in practice, an application will only succeed where there are very few issues of fact or where the relevant facts are not reasonably disputable as in certain cases regarding the conclusion of contracts or the interpretation of contractual documents. So, while the court can engage with the facts of the case, there are ‘significant limitations’ on the extent to which this is appropriate.” <br />
106. B.’s data-breach/privacy claims must be evaluated with particular regard to Article 5(2) of the GDPR which established the principle of accountability in respect of a data controller. Article 5(1) provides, in short form, that personal data shall be processed in accordance with the principles of lawfulness, fairness and transparency, for specified, explicit, legitimate and limited purposes, and, <br />
<br />
<br />
“(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” <br />
Article 5(2) provides: – <br />
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” <br />
107. Article 4(2) of the GDPR provides an expansive definition of processing to include: - <br />
<br />
<br />
“…any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction…” (Emphasis added) <br />
108. Article 4(8) of the GDPR defines a “processor” as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Article 4(9) defines “recipient” as “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.” Article 4(10) defines a “third party” as “a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data”. Article 4(12) defines “personal data breach” to mean “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. <br />
<br />
109. It will be recalled that Recital 61 provides: - <br />
<br />
<br />
“…Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient.” <br />
110. Recital 111 provides: - <br />
<br />
<br />
“Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In the latter case, such a transfer should not involve the entirety of the personal data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.” <br />
Derogations <br />
111. Article 49 of the GDPR acknowledges that in specific situations derogations may arise. Amongst the conditions identified at Article 49(1) are the following: - <br />
<br />
<br />
“(d) the transfer is necessary for important reasons of public interest; <br />
(e) the transfer is necessary for the establishment, exercise or defence of legal claims”. <br />
Section 60 of the Data Protection Act 2018 is considered further below and establishes restrictions as are “necessary and proportionate” on the obligations of controllers and the rights of data subjects for important objectives of general public interest including for the establishment, exercise and enforcement of civil law claims whether before a court or otherwise. <br />
The Data Protection Act 2018 <br />
112. The Data Protection Act 2018, implementing the GDPR in the State, permits an individual to seek compensation from the court for breaches of data subject rights even in the absence of any material damage or financial loss. With certain exceptions, it became operative on 25 May 2018 with other provisions commencing on 30 October 2019 and 1 January 2020. Section 159 of the 2018 Act governs the processing of personal data where the court is controller. That provision became operative on 25 May 2018 and the measure governing the Superior Courts, s. 159(1), is the subject of the Data Protection Act 2018 (Section 159(1)) Rules 2018 (S.I. No. 659 of 2018) whereby the rules of the Superior Courts were amended to address the GDPR. Same became operative on 1 August 2018 but are not relevant to this appeal. <br />
<br />
113. Section 117 of the Data Protection Act 2018 implements Article 82(1) of the GDPR. It provides: - <br />
<br />
<br />
“(1) Subject to subsection (9), and without prejudice to any other remedy available to him or her, including his or her right to lodge a complaint, a data subject may, where he or she considers that his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment, bring an action (in this section referred to as a ‘data protection action’) against the controller or processor concerned. <br />
(2) A data protection action shall be deemed, for the purposes of every enactment and rule of law, to be an action founded on tort. <br />
(3) The Circuit Court shall, subject to subsections (5) and (6), concurrently with the High Court, have jurisdiction to hear and determine data protection actions. <br />
(4) The court hearing a data protection action shall have the power to grant to the plaintiff one or more of the following reliefs: <br />
(a) relief by way of injunction or declaration; or <br />
(b) compensation for damage suffered by the plaintiff as a result of the infringement of a relevant enactment.” <br />
114. The 2018 Act implementing the GDPR offers two distinct routes for redress. The first option is to proceed to submit a complaint to the Data Protection Commissioner, the second being the s. 117 tort action. Nothing stated in s. 117 or indeed the Act itself suggests that a data protection action is a tort of strict liability. B. appeared to contend in her arguments that it was. The plea at para. 64 of the counterclaim that the 2015 judgment was “private and confidential”, appears to be antithetical to the judgment of Donnelly J. delivered in March 2020. However, it is not an issue that can be confidently or definitively determined on a strike-out motion. B.’s claim is directed to the deployment by Shawl of the unredacted version of the 2015 judgment, while Donnelly J.’s observations in the 2020 judgment appear to concern the redacted version of the same judgment. <br />
<br />
115. Perhaps disclosure of the unredacted 2015 judgment may well have been necessitated by reason of the exigencies which arose and warranted the extensive injunctions being sought and the making of interlocutory orders in like terms to which B. consented in February 2019. That was, in essence, the view taken by the High Court judge. He observed that, even if a copy of the redacted judgment had been deployed by the respondent, it would have been necessary for it to explain that the judgment related to A. and B. and to the properties at Blackacre and Whiteacre. That, in his view, “would have amounted to the same thing” (para. 84). That may be the case but it is at least arguable particularly in the context of an application pursuant to O. 19, r. 28 that, in deploying the unredacted judgment, Shawl went beyond what was necessary and disclosed private and personal information, relating to family law proceedings that had been heard in camera, without any sufficient justification. In my view, that issue can only properly be determined at a plenary hearing since it is not possible to definitively conclude that there is no real risk of any injustice to B. were this aspect of her claim struck out at this stage pursuant to the inherent jurisdiction. It will be for the respondent to satisfy the trial judge that it has a defence, albeit the evidence suggests it may have. <br />
<br />
<br />
The unredacted judgment <br />
116. Surprisingly, counsel for the respondent was unable to assist the court as to how the unredacted judgment came into his client’s possession or the circumstances in which it came to be deployed. When asked about the “Do not publish on website” notation on it, counsel suggested that anyone reading that note would not necessarily understand it as anything other than a restriction on internet publication and would not have read it as a restriction on dissemination of the judgment in that form. That may be so but anyone who actually read the judgment, and in particular para. 46, would have understood that the judgment was not intended to be published or circulated beyond the immediate parties in unredacted form. I would observe in this context that, while the High Court judge may have been correct in observing that responsibility for the respondent having the unredacted judgment rested with whomever it was gave it to the respondent, responsibility for deploying the unredacted judgment before the High Court rests squarely with the respondent. <br />
<br />
117. It will be recalled that after B. purged her contempt on 28 August 2018 before Quinn J. in the High Court, the respondent proceeded to complete the purchase of the properties approximately two weeks later on 11 September 2018. Having regard to the history of conduct of A. and B. vis-à-vis Blackacre and Whiteacre and their repeated setting up of baseless claims to the effect that B. in particular had beneficial rights and interests in or over the said properties that ranked in priority to EBS, it might be expected that in the investigation of title to the two properties integral to the conveyances, the titles being unregistered, the vendor, Beltany, was obliged, inter alia, to make appropriate disclosures directed to establishing its title to the property. But there was no evidence on the issue one way or another and it is not open to this Court to surmise. <br />
<br />
118. Amongst the standard requisitions on title from a conveyancing perspective is an enquiry as to whether any litigation was pending or whether any court order had been made in relation to the property, or any part of same, and a vendor is obliged to respond to such a requisition. The existence of orders dismissing baseless claims to an interest in the properties and ordering A. and B. to vacate Blackacre and Whiteacre could be reasonably expected to form part of the muniments of title since they were dispositive of the groundless claims of A. and B. to have an interest in the property. This may explain how the unredacted judgment came into the possession of the respondent but, again, there was no evidence one way or the other. In light of the O. 19, r. 28 jurisprudence it is for the High Court to make a determination on the issue. <br />
<br />
119. No order obtained in 2008 in the context of in camera proceedings could confer any estate, right, title or interest upon B. in or over the said properties inconsistent with the priority rights of EBS and the rights of the validly appointed receiver to effect a sale and disposition of same. Such orders were obtained without EBS being a party to or on notice of same and as such cannot bind EBS or its successors in title, the receiver, Beltany or the respondent. We know from the judgment of Donnelly J. of 5 March 2020 in the receiver proceedings that the 2015 hearing and proceedings before Donnelly J. were not in camera proceedings and neither was the application the subject of the judgment of 5 March 2020 in camera, nor the order of 4 March 2020 made by Donnelly J. <br />
<br />
120. That being so, it would be unsurprising and entirely in accordance with the principle of proportionality that a copy of the orders and judgment which pertained directly to the premises in sale would be disclosed to the purchaser (being the respondent herein) in the conveyancing transactions of circa 11 September 2018. However, there was no evidence before the court on the issue. <br />
<br />
121. Whilst counsel for the respondent very fairly did not engage in speculation as to the provenance of the unredacted judgment disclosed to the High Court when interim and interlocutory injunctions were sought in January and February 2019, B. herself identified a possible provenance for an unredacted version as set out hereafter. <br />
<br />
122. B. asserted in the course of the hearing of this appeal that an unredacted version of the 2015 judgment was put up on the Courts Service website. This is an allegation which she also made before Donnelly J. on 4 March 2020 and which is expressly referred to in the course of the judgment delivered ex tempore on 5 March 2020. As of March 2020, B. asserted that she had a “screen-grab” of same. <br />
<br />
<br />
123. As Donnelly J. noted at para. 7 of her ex tempore judgment: - <br />
<br />
<br />
“A complaint was made which she was fully entitled to make, found at Exhibit K, to the assigned judge, who is Baker J., dealing with what I understand are the GDPR issues.” <br />
124. B. informed this Court that subsequent to same Baker J. made substantive findings in her favour in her capacity as the assigned judge in respect of the Data Protection Act 2018. B. objected to disclosure of the said determination, as she was entitled to do, but I accept her statement. <br />
<br />
<br />
Proportionality, general public interest and the balancing of rights in context <br />
125. As the Court of Justice of the EU has repeatedly made clear, the right to the protection of personal data is not an absolute right but requires to be considered in relation to its function in society and to be balanced with other fundamental rights in accordance with the principle of proportionality. That is made clear in Recital 4 of the GDPR. The events which gave rise to the respondent moving an application for interim injunctive relief before the High Court are disturbing at a number of levels and bear repetition. It will be recalled that on 28 August 2018 B. undertook to the High Court, in order to purge her contempt, to vacate the premises and not to interfere directly or indirectly with same and was discharged from custody having spent approximately three and a half months in custody for contempt. As outlined above, thereafter the sale was completed to the respondent on 11 September 2018 in respect of the two premises Blackacre and Whiteacre. <br />
<br />
126. None of the series of manoeuvres engaged in by B. in collaboration with A., including a court order obtained in 2008, a “settlement” document concluded in 2008 and a sham trust executed in September 2018, conferred any estate, right, title or interest in B. or indeed her offspring (who are now of full age) capable of interfering with the priorities, rights and entitlements of the original mortgagee and its successor in title. It appears that B. does not and presumably never will accept the orders of the High Court made on 15 May 2015 and upheld on appeal directing that A. and B., their servants and agents and all other persons having notice of the making of the orders vacate Whiteacre and Blackacre and deliver up possession of same to the receiver. The emergency which necessitated the application for an interim injunction on 30 January 2019 was precipitated wholly and exclusively by the wrongful acts of A. and B. acting in concert. The appellants’ notice of appeal acknowledges: - <br />
<br />
<br />
“It is clear that in order to comply with its obligation of full disclosure to the court to advance its claim, the plaintiff disclosed full details of proceedings and pleadings in the [2014 proceedings].” <br />
127. Arguably, notwithstanding the GDPR and the 2018 Act, it was vitally necessary, bearing in mind the obligation of full disclosure, that the court be apprised of the fact of the court orders of relevance pertaining to the identity of the properties and the identity of the parties in respect of whom the orders of 15 May 2015, as affirmed on appeal, were made to enable the legitimate interests of the respondent be pursued and the protection of the court be obtained by way of interim and interlocutory injunctions so that the respondent could withstand and defend the false and baseless claims of A. and B. to have title to the properties. <br />
<br />
128. Arguably, such conduct, in the exigencies that arose, represents the use of the data for a legitimate purpose in my view, particularly given the campaign of media harassment and the gravely serious allegations being published concerning two directors of the respondent company, including baseless allegations of paedophilia and the publication of their home addresses. <br />
<br />
129. Whereas counsel for the respondent was not in a position to confirm how the unredacted version of the 2015 judgment came to be in court at the moving of the injunction application, a legal basis is potentially discernible in the context of the sale and could have arisen at the point of the sale and disposition of the property in September 2018 in the context of providing evidence of title and evidence of the groundless nature of the claims of A. and B. having been dismissed by the court and orders having been made directing B. as well as A. to vacate the premises and deliver up possession of same. <br />
<br />
130. A possible alternative legitimate basis in which the document was held by the respondent and adduced in evidence before the High Court on 30 January 2019 could spring from the fact that the vendor sold the properties Whiteacre and Blackacre subject to a statutory covenant for title. As Wylie and Woods note in Irish Conveyancing Law (4th ed., Bloomsbury Professional, 2019) at para. 21.05, the position is governed by ss. 80 and 81 together with Schedule 3 of the Land and Conveyancing Law Reform Act 2009. Accordingly, as a strict matter of law it was incumbent on the parties who sold the property to the respondent to provide clear proof that the claims of A. and B. to have an interest in or right to occupy Whiteacre and/or Blackacre were baseless, and contrary to the 2015 orders and judgment of the court. This could only be done by disclosure of the orders previously obtained and the unredacted 2015 judgment. These arguments were not advanced at the hearing of the appeal and are matters for the trial judge. <br />
<br />
131. It will be open to the trial judge to determine that a full defence to the claim is established if at the hearing the respondent establishes that it had the data solely for a legitimate purpose within the meaning of Article 5 of the GDPR; that the respondent required the information to properly put before the court to assert its legal rights including its right to obtain emergency injunctions; that the material was wholly, exclusively and necessarily procured and deployed for the purposes of establishment of the respondent’s clear title to the properties, defending the baseless claims of B. as well as A., advancing the respondent’s own legal entitlement to obtain emergency injunctive relief and indeed ultimately permanent injunctive relief, together with other orders for the protection of the rights of natural persons including those lawfully in occupation and possession of both properties as licensees of the respondent, the directors of the company, and persons associated therewith, together with the company itself. <br />
<br />
<br />
132. It will be for the trial judge to determine whether the threshold of general public interest within s. 60 of the Data Protection Act 2018 is reached and whether the application ought to be refused pursuant to s. 60(3)(a) as being necessary and proportionate: - <br />
<br />
<br />
“(iv) in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure, <br />
(v) for the enforcement of civil law claims, including matters relating to any liability of a controller or processor in respect of damages, compensation or other liabilities or debts related to the claim”. <br />
It will be for the trial judge to determine whether the disclosure went beyond what was necessary to establish the respondent’s legal rights within the meaning of ss. 60(3)(a)(iv) and/or (v) of the 2018 Act. <br />
133. I observe that the GDPR, data infringement rights and the cognate rights of privacy asserted by B. cannot be set up to defeat the ends of justice, to pursue false or specious claims, to traduce the good name and reputation of others or to pursue ends that are dishonest, self-serving or at the expense of the legitimate interests or rights of others, particularly in the context of litigation. As such therefore, it is necessary to have regard to the principle of proportionality in evaluating claims for breaches of same. <br />
<br />
<br />
Privacy <br />
134. Alleged breach of privacy was not pleaded or argued with any degree of particularity save as exemplifying alleged breaches of the Data Protection Act 2018 and an aspect of same. <br />
<br />
<br />
The in camera rule <br />
135. In Gilchrist v. Sunday Newspapers Ltd. [2017] IESC 18, [2017] 2 I.R. 284 O’Donnell J. carried out a comprehensive analysis of the approach to the balancing of interests and rights of Article 34.1 of the Constitution, which in general requires justice to be administered in courts established by law by judges and that same be administered in public. At para. 42 he observed that: - <br />
<br />
<br />
“42. In my view it is not necessary to read Article 34.1 down to the point where the only exception permissible in respect of any subject matter is where it can be demonstrated that justice simply cannot be done otherwise… <br />
43. The fact that Article 34.1 of the Constitution states in explicit terms any hearing in private is an exception to a fundamental constitutional rule means that any such exception must be strictly construed. A demonstration that it is not possible to hear and determine a case fairly is certainly a powerful consideration justifying a hearing other than in public, but it cannot be the sole touchstone of the circumstances in which it is appropriate to have a hearing in private.” <br />
136. The Supreme Court in Irish Times Ltd. v. Ireland [1998] 1 I.R. 359 recognised the inherent jurisdiction of the court to direct that a case be heard “otherwise than in public” within the meaning of Article 34.1 where it is necessary to protect other constitutional rights and interests, namely in that case the right to a fair trial guaranteed by Article 38.1. Such jurisdiction extends to making a direction that part of a case be heard in camera where same is warranted to prevent the indirect circumvention of the in camera rule. Donnelly J. appears to have exercised that inherent function in the course of hearing the receiver litigation in 2015 when the public were excluded during the hearing of two elements of the evidence before her. <br />
<br />
137. Section 45 of the Courts (Supplemental Provisions) Act 1961 provides inter alia that matrimonial causes and matters may be heard “otherwise than in public” as an exception to the general requirement that justice be administered in public. <br />
<br />
138. Section 40 of the Civil Liability and Courts Act 2004, as amended, and the Civil Liability and Courts Act 2004 (Section 40(3)) Regulations 2005 (S.I. No. 337 of 2005) govern the position and provide that certain proceedings be heard “otherwise than in public”. Section 40(3)(b) provides that nothing contained in a relevant enactment, including s. 45 of the Courts (Supplemental Provisions) Act 1961, shall operate to prohibit: – <br />
<br />
<br />
“…the publication of the decision of the court in such proceedings, in accordance with rules of court, provided that the report or decision does not contain any information which would enable the parties to the proceedings or any child to which the proceedings relate to be identified…” <br />
Section 40(6) provides: – <br />
“Nothing contained in an enactment that prohibits proceedings to which the enactment relates from being heard in public shall operate to prohibit the production of a document prepared for the purposes or in contemplation of such proceedings or given in evidence in such proceedings, to – <br />
(a) … <br />
(b) such body or other person as may be prescribed by order made by the Minister, when the body or person concerned is performing functions consisting of the conducting of a hearing, inquiry or investigation in relation to, or adjudicating on, any matter as may be so prescribed.” (emphasis added) <br />
Subsection 7 provides: – <br />
“Nothing contained in an enactment that prohibits proceedings to which the enactment relates from being heard in public shall operate to prohibit the giving of information or evidence given in such proceedings to- <br />
(a) … <br />
(b) such body or other person as may be prescribed by order made by the Minister, when the body or person concerned is performing functions consisting of the conducting of a hearing, inquiry or investigation in relation to, or adjudicating on, any matter as may be so prescribed.” <br />
139. A useful analysis of s. 40 of the Civil Liability and Courts Act 2004, as amended, is to be found in Kelly: The Irish Constitution (5th ed., Bloomsbury Professional, 2018). At para. 6.1.349 the authors observe:- <br />
<br />
<br />
“Section 40(4) allows parties to in camera proceedings to provide copies of orders made in such proceedings to prescribed persons and in accordance with prescribed conditions. …sub-s (6) provides for the production of documentation prepared in contemplation of or for the purposes of such proceedings at subsequent related inquiries or investigations. Subsection (7) provides that evidence may be given to such investigations, while sub-s (8) gives a court hearing proceedings in camera discretion to order the disclosure of documentation to third parties, ‘if such disclosure is required to protect the legitimate interests of a party or other person affected by the proceedings’.” <br />
140. An example of the operation of s. 40(8) is the decision of the High Court in J.D. v. S.D. [2013] IEHC 648, [2014] 3 I.R. 483. As fn. 880 in Kelly observes: - <br />
<br />
<br />
“…In that case, the in camera rule was relaxed to allow the disclosure of information from family law proceedings relevant to bankruptcy proceedings. The disclosure was sought by NAMA and NALM to determine whether assets were being concealed. Also relevant in that case was s. 40(8) of the Civil Liability and Courts Act 2004…Abbott J. held that s. 40(8) did not abolish the common law power to relax the in camera rule.” <br />
At fn. 881 in Kelly the authors observe: – <br />
“…Abbott J. found that the common law rule conferring a discretion to relax the in camera rule survived the enactment of s. 40(8) of the Civil Liability and Courts Act 2004…He said [at para. 17]: <br />
‘…I find that the court may in certain circumstances lift the in camera rule, it is important that the lifting of the in camera rule is seldom absolute and the practice of the court usually is to attach the disciplines of the in camera rule to the recipient or recipients of the information and documentation which has been released by lifting the rule. There is, almost invariably, a further restriction on the lifting order insofar as non-essential private material should be redacted, and where the lifting of the in camera rule relates to information and documentation pertaining to just one of the parties, then the privacy and business of the other party should be preserved by even more rigorous redaction, with costs orders providing that the burden of such redaction does not fall on an innocent, or less blameworthy, party.’” <br />
141. As was made clear by Abbott J. in J.D. v. S.D., where the interests of justice require it, it is always open to a court to relax or waive the in camera rule subject to such conditions, including a requirement for redaction, as the court sees fit. <br />
<br />
142. In the instant case, however, there does not appear to be any evidence nor is it pleaded that the respondent ever had in its possession a copy of the order made in the family law proceedings between A. and B. in 2008. There is no evidence either that there was a written judgment at that time. Donnelly J. has since confirmed that the 2015 and 2020 hearings were not in camera proceedings. <br />
<br />
<br />
Contempt of court <br />
143. Contempt of court may be criminal or civil in nature. As was observed by Thomas O’Malley in The Criminal Process (1st ed., Round Hall, 2009) at para. 16-39:- <br />
<br />
<br />
“…While it is sometimes difficult in practice to distinguish between them, civil contempt usually arises from failure to obey a court order or abide by an undertaking, <br />
whereas criminal contempt embraces a range of behaviour calculated to interfere with the course of justice, or tending to do so.” <br />
The author continues: – <br />
“…The dividing line between criminal contempt and the common-law offence of perverting the course of justice is not always easy to draw. The latter consists of some positive act that tends and is intended to pervert the course of public justice.” <br />
144. In this jurisdiction, notwithstanding the recommendations of the Law Reform Commission in Report on Contempt of Court (L.R.C. 47-1994), contempt of court remains on a common law footing. <br />
<br />
145. Considering the issue of contempt, Shatter in his seminal text Family Law (4th ed., Bloomsbury Professional, 1997) observes at para. 2.33: - <br />
<br />
<br />
“Where family proceedings are heard in camera publication of information which relates to the proceedings in a manner which identifies the parties…is a contempt of court. Publication of a judgment of the court and comment made on it in a manner that does not identify the parties involved does not constitute contempt.” <br />
He considers in detail at para. 2.35 the decision in P.S.S. v. Independent Newspapers (Ireland) Ltd. (Unreported, High Court, Budd J., 19 and 22 May 1995) where Budd J. observed at p. 112 that: - <br />
“…the contents of this judgment may be discussed and published but in such manner that the parties involved in the family law…dispute are not identifiable.” <br />
Such an approach represents best practice. <br />
146. Keane J. (as he then was) in Kelly v. O’Neill [2000] 1 I.R. 354 observed at p. 374 that: - <br />
<br />
<br />
“…our law in this area is in many respects uncertain and in need of clarification by legislation.” <br />
That view was echoed subsequently by the Supreme Court in Irish Bank Resolution Corporation Ltd. v. Quinn [2012] IESC 51 where Hardiman J. observed at p. 16: - <br />
“It is 20 years now since the Law Reform Commission urged the need for statutory reform in this area, and some 31 years since such reform took place by statute in the neighbouring jurisdiction. It is most unfortunate that no positive steps have been taken here with the result that this fraught matter has come on for resolution in an uncertain state of the law.” <br />
147. McKechnie J. observed in the Supreme Court in Walsh v Minister for Justice and Equality [2019] IESC 15 at paras. 2 to 3:- <br />
<br />
<br />
“…there are several different species of contempt: further within each such area there are multiple ways in which one can offend. Although subject to some criticism, even as severe as saying it was, ‘unhelpful and at most a meaningless classification’ (Jennison v. Baker [1972] 1 All E.R. 997 at 1002) I find usefulness in the distinction between civil and criminal contempt. That view of Lord Salmon, as he then was, is an overreach, if intended for all purposes; in any event it must be seen in an English context where statute has much intervened… <br />
3. Ó Dálaigh C.J., has said that civil contempt is coercive in purpose, whereas criminal contempt is punitive in motion: (Keegan v. De Burca [1973] I.R. 223 at 227). That statement, despite the views of Hardiman J. (Irish Bank Resolution Corporation Ltd. v. Quinn [2012] IESC 51, (Unreported, Supreme Court, 24th October 2012) at p. 16 of his judgment), now requires adjustment. As several subsequent decisions show, there can also be a penal element in civil contempt where the conduct or behaviour, in addition to having an inter partes impact, is grossly offensive to the administration of justice so much so that the courts of themselves must have a say (Shell E. & P. Ltd. v. McGrath [2006] IEHC 108, [2007] 1 I.R. 671, Dublin City Council v. McFeely [2012] IESC 45, [2015] 3 I.R. 722). Incarceration does not necessarily have to follow, a fine or even a much lesser sanction may suffice. Such approach is focused on the ‘public interest’ aspect of justice.” <br />
148. The issue of contempt in its context in the instant case as argued by B. is integrally bound up with the allegation of breach by the respondent of the in camera rule. The question is whether B. can persuade this Court that she has an arguable cause of action to pursue a claim for a remedy in respect of contempt in her counterclaim or whether this aspect is frivolous or vexatious or otherwise bound to fail. <br />
<br />
149. In my view a review of the authorities suggests that B. does not have an arguable cause of action and this aspect of the counterclaim is bound to fail. <br />
<br />
150. The law of contempt is concerned with maintaining and defending the authority of the court in the public interest. As was observed by the majority judgment of Pearson L.J. in Chapman v. Honig [1963] 2 Q.B. 502 at p. 522: - <br />
<br />
<br />
“…The jurisdiction exists and is exercised…for the protection of the administration of justice and is not for the protection of individuals.” <br />
151. In the context of civil proceedings, a litigant can instigate proceedings for contempt with the objective of thereby ensuring that the alleged contemnor will respect her rights. However, the law of contempt as it operates in this jurisdiction is not directed towards compensating a litigant who alleges she has suffered loss as a result of a contempt of court. <br />
<br />
152. The law of contempt is directed towards punishing those who fail to comply with orders of the court for the dominant purpose of maintaining the authority of the court in the public interest. To sound in damages private claims are to be framed normally in the context of contract or tort. <br />
<br />
153. It follows as a matter of principle that, insofar as B. contends that the alleged conduct of Shawl amounted to a contempt of court, such a claim would not confer on a court the power to compensate her by an order for damages. Damages are not generally recoverable for breach of a court order in a counterclaim such as that framed by B. since breach of a court order simpliciter does not in itself constitute a cause of action in private law. In coming to that conclusion I place reliance, inter alia, on the decision of the UK House of Lords in Customs and Excise Commissioners v. Barclays Bank Plc [2006] UKHL 28, [2007] 1 A.C. 181 where Lord Bingham analysed the law in some detail and concluded that a simple breach of a court order does not constitute a cause of action sounding in damages. In doing so, he distinguished earlier authorities where a duty of care which was found to be congruent with an obligation embodied in the terms of a court order had been found to exist on the basis that in such cases there was an additional element amounting to a voluntary assumption of responsibility by the party who was on notice of the making of the court order. <br />
<br />
154. The judgment of Lord Hoffmann is likewise noteworthy, particularly at paras. 35 to 40 inclusive. In my view the contention that a contempt alleged to arise from the deployment of an unredacted copy of the 2015 judgment could generate a cause of action sounding in damages is comparable with the question of whether a statutory duty can generate a common law duty of care for the reasons adumbrated by Lord Hoffmann in Customs and Excise Commissioners v. Barclays Bank plc. On the facts before him he concluded that the order carried its own remedies and its reach did not extend any further: - <br />
<br />
<br />
“…But you cannot derive a common law duty of care directly from a statutory duty. Likewise, as it seems to me, you cannot derive one from an order of court.” (para. 39) <br />
155. Insofar as B. seeks to litigate in her counterclaim the issue of contempt arising from the deployment of the unredacted judgment, the contempt/breach of the in camera rule contended for, were she to establish it to the satisfaction of a court, carries its own discrete remedies. An action in damages in a private civil suit is not one of them. An alleged breach of the in camera rule does not, on the facts disclosed in this case, create private law duties and does not in itself constitute a cause of action in private law. <br />
<br />
156. I have been unable to find any clear authority in this jurisdiction for the proposition that a cause of action arises simply by virtue of a civil contempt of court being committed by a defendant. No authority was identified by B. for a proposition that it is possible to rely on the breach of an in camera requirement in support of a claim in private law for compensatory damages. I have had regard to the decision of Pearson L.J. in Chapman v. Honig. I further note the more recent decision of the English Court of Appeal in JSC BTA Bank v. Ablyazov (No. 14) [2017] EWCA Civ. 40, [2017] Q.B. 853 where Sales L.J. concluded that no authority being relied upon by the cross-appellant established that damages were recoverable in a private law suit for a simple breach of a court order. Therefore it follows that the counterclaim insofar as it seeks to pursue a claim in damages for contempt of court/breach of the in camera rule discloses no reasonable cause of action and is doomed to fail. It is further both frivolous and vexatious. Accordingly that part of the counterclaim falls to be struck out pursuant to the inherent jurisdiction. <br />
<br />
<br />
Conclusion on private claim arising from alleged civil contempt/breach of in camera rule <br />
157. In my view B. has failed to establish that she has any reasonable cause of action by way of counterclaim in these proceedings arising simply by virtue of an alleged contempt of court committed by the respondent by deployment in the injunction application of the unredacted version of the 2015 judgment of Donnelly J. in breach of the in camera rule. The claim based on contempt of court/breach of the in camera rule is bound to fail and must be struck out. <br />
<br />
158. Donnelly J. has stated that the proceedings before her in 2015 and 2020 were not in camera proceedings. The evidence indicates that the disclosure of the identities of A. and B. and the properties via the unredacted judgment may have been made to the court only to the extent necessary to discharge the burden of proof in support of the interim and interlocutory injunctions sought. Whether that is so and whether same offers a complete answer to the claims of B. for damages for a breach of the Data Protection Act 2018 is a matter to be determined by the trial judge in the counterclaim solely having regard to the said Act. <br />
<br />
<br />
Comments of the trial judge <br />
159. I have some sympathy for B.’s contention that the use of nomenclatures in the judgment such as “nonsense”, “just silly”, “hair raising” and “cock and bull” were regrettable. B. takes offence at what she considers to be their derogatory tone and that is to some extent understandable. The words detract from what is otherwise a very comprehensive and thorough analysis of the facts and the evidence. I am constrained to conclude that they represent a wholly uncharacteristic expression of view by the trial judge, perhaps precipitated by the profoundly shocking and disturbing evidence before him of a campaign of intimidation orchestrated by B., with the active assistance of A., towards the innocent individuals who are the directors of the respondent company, the bona fide purchasers and beneficial owners of Blackacre and Whiteacre together with their tenants and lodgers disclosed by the evidence, which conduct was wholly unwarranted and calculated to drive the true owner out of occupation and seize the properties on the strength of an entirely bogus deed of trust. <br />
<br />
<br />
Conclusion <br />
160. A. did not appear at the hearing of the appeal. Counsel on behalf of the respondent informed this Court that on or about 23 October 2020 solicitors for the respondent communicated by email with A. at the email address he had provided to them informing him of the date for hearing of this appeal. B. also confirmed to the court that A. was aware that his appeal was for hearing on 16 November 2020. There being no appearance by or on his behalf and no communication by him with the court, in the circumstances it is appropriate that his appeal be struck out and the orders of the High Court against him be affirmed together with an order for the respondent’s costs of this appeal on a party and party basis when ascertained. <br />
<br />
<br />
161. B. has failed to establish that any part of the defence should stand. It was correctly struck out by the High Court, albeit that in my view doing so was warranted pursuant to the inherent jurisdiction of the court as bound to fail. I would affirm the High Court order on the basis of the inherent jurisdiction in relation to the counterclaim save and except as to the parts of paras. 63, 64 and 65 of the counterclaim, confined solely and exclusively to the claim of alleged breach of the Data Protection Act 2018 together with paras. 6, 9 and 10 of the reliefs counterclaimed, said aspects alone to proceed to plenary hearing. All other aspects of paras. 63, 64 and 65 of the counterclaim to be struck out pursuant to the inherent jurisdiction of the court as bound to fail and not maintainable. <br />
<br />
162. Accordingly, the declaratory and other reliefs and orders sought at paras. 1 to 5 and 7 to 8 inclusive of the prayer in the counterclaim are not maintainable and manifestly include a continuing slander of the respondent’s title and irrevocable damage to it and must likewise be struck out pursuant to the inherent jurisdiction. <br />
<br />
163. B. was self-represented at this appeal. Regarding the issue of costs, I would propose that same be dealt with as follows. It is appropriate in the circumstances that the order for costs made against B. in the High Court be set aside. It is in the interests of justice, in light of the gravity of her conduct, the nature of the interim and interlocutory orders made against her in January 2019 and February 2019, the failure of B. to disclose to this Court the judgment and order of Donnelly J. made in March 2020 and given the very limited nature of success in this appeal, that order for one half of the High Court costs of the respondent be made against B. No order as to costs be made in favour of either party in respect of this appeal. If either party wishes to contend for an alternative order, liberty is granted to apply to the Office of the Court of Appeal within 14 days of the date of delivery of this judgment for a brief supplemental hearing on the issue of costs, with written submissions of not more than 1,000 words to be filed with the Office of the Court of Appeal and delivered to the other party herein within 14 days of the date of delivery hereof and a further like period to be afforded to the other party to respond to same to enable this Court to consider the arguments and adjudicate same. If such hearing is requested and results in an order in the terms already proposed by the Court, the unsuccessful party may be liable for the additional costs of such hearing. In default of receipt of such application, an order in the terms I have proposed above will be made. <br />
<br />
164. Faherty J. and Collins J. hereby assent to the within judgment which is being delivered electronically by reason of the Covid-19 pandemic. <br />
<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Data_Protection_in_Austria&diff=15435
Data Protection in Austria
2021-04-29T13:45:48Z
<p>Hk: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Data Protection in Austria<br />
[[Category:Country Overview]]<br />
|-<br />
| colspan="2" |[[File:at.png|center|250px]]<br />
|-<br />
|Data Protection Authority:||[[DSB (Austria)]]<br />
|-<br />
|National Implementation Law (Original):||[https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597 Datenschutzgesetz (DSG)]<br />
|-<br />
|English Translation of National Implementation Law:||[https://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_165/ERV_1999_1_165.html Datenschutzgesetz (DSG)]<br />
|-<br />
|Official Language(s):||German<br />
|-<br />
|National Legislation Database(s):||[https://www.ris.bka.gv.at/ RIS.bka.gv.at]<br />
|-<br />
|English Legislation Database(s):||[https://www.ris.bka.gv.at/defaultEn.aspx RIS.bka.gv.at/en]<br />
|-<br />
|National Decision Database(s):||[https://www.ris.bka.gv.at/ RIS.bka.gv.at]<br />
|}<br />
<br />
==Legislation==<br />
<br />
===History===<br />
Austria passed its first data protection law in 1979 ([https://www.ris.bka.gv.at/Dokumente/BgblPdf/1978_565_0/1978_565_0.pdf BGBl I Nr. 565/1978]). Directive 95/46/EC was implemented by the Data Protection Act 2000 (''Datenschutzgesetz - DSG 2000''). Austria has traditionally not drawn a structural distinction between public and private data processing, and Austrian law has traditionally treated not only natural persons but also legal entities as data subjects.<br />
<br />
===National Constitutional protections===<br />
The DSG 1978 introduced the Constitutional Right to Data Protection in § 1 DSG. Austria has also given the ECHR constitutional status, so that the Right to Privacy in Article 8 ECHR applies at constitutional level in Austria.<br />
<br />
===National GDPR implementation law===<br />
The GDPR was mainly implemented by the new Data Protection Act (''Datenschutzgesetz - DSG''), passed as [https://www.ris.bka.gv.at/eli/bgbl/I/2017/120 BGBl. I Nr. 120/2017]. <br />
<br />
The Austrian government has passed numerous laws to update data protection rules and terminology in many other national provisions, which are not listed here in detail.<br />
<br />
====Age of Consent====<br />
Under [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=2&Paragraf=4&Anlage=&Uebergangsrecht= § 4(4) DSG] the age of consent in Austria is 14, in line with Austrian civil law provisions.<br />
<br />
====Freedom of Speech====<br />
Austria has exempted any processing of personal data by media for journalistic purposes from the GDPR in [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=2&Paragraf=9&Anlage=&Uebergangsrecht= § 9(1) DSG]. It is questionable whether this broad exception violates the Austrian Constitution, the GDPR and/or the CFR.<br />
<br />
====Employment context====<br />
Data protection matters in the work context are regulated in §§ 91, 96 and 96a [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10008329 ArbVG]. Forms of electronic control (''Kontrollmaßnahme'') require the agreement of the workers' council for certain processing of employee data. If no workers' council has been established, each employee must consent to such forms of electronic control under [https://www.ris.bka.gv.at/Dokument.wxe?Abfrage=Bundesnormen&Dokumentnummer=NOR12108893 § 10 AVRAG].<br />
<br />
====Research, Arts and Literature====<br />
[https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=2&Paragraf=9&Anlage=&Uebergangsrecht= § 9(2) DSG] further provides that processing for research, artistic and literary purposes must be balanced against the right to freedom of expression and the right to information.<br />
<br />
Austria has amended the Research Organisation Act ([https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10009514 ''Forschungsorganisationsgesetz – FOG'']) to include many waivers from the GDPR for research purposes under [[Article 89 GDPR]]. It is questionable whether the law is constitutional and in line with the GDPR.<br />
<br />
====Other relevant national provisions and laws====<br />
[https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10007517&Artikel=&Paragraf=151&Anlage=&Uebergangsrecht= § 151] of the Austrian Business Act (''[https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10007517 Gewerbeordnung - GewO]'') traditionally allows the collection and sharing of data for direct marketing purposes. [https://www.ris.bka.gv.at/Dokument.wxe?Abfrage=Bundesnormen&Dokumentnummer=NOR40032660 § 152 GewO] covers credit agencies. Both appear to be overridden by the GDPR.<br />
<br />
[https://ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&FassungVom=2020-01-13&Artikel=2&Paragraf=12&Anlage=&Uebergangsrecht= §§ 12] and 13 of the Data Protection Act (DSG) regulate CCTV cameras. The law allows CCTV based on a "legitimate interest" only (1) on privately used property, (2) in case of previous violations of rights or special dangers or (3) in the interest of private documentation if an identification of persons is not intended. It is unclear if this national determination of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] is compatible with the GDPR.<br />
<br />
Many other GDPR provisions were introduced in the sector-specific laws throughout the relevant acts.<br />
<br />
===National ePrivacy Law===<br />
Austria has implemented the ePrivacy Directive mainly in §§ 92 to 197 of the Telecoms Act ([https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20002849 ''Telekommunikationsgesetz 2013, TKG'']). <br />
<br />
Cookies are regulated in [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20002849&Artikel=&Paragraf=96&Anlage=&Uebergangsrecht= § 96(3) TKG].<br />
<br />
Spam Emails are regulated in [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20002849&Artikel=&Paragraf=107&Anlage=&Uebergangsrecht= § 107(3) TKG].<br />
<br />
==Data Protection Authority==<br />
The ''Datenschutzbehörde (DSB)'' is the national data protection authority for Austria. It replaced the ''Datenschutzkommission (DSK)'' on 1 January 2014. It is based in Vienna and supervises all public and private entities in Austria. <br />
<br />
→ Details see [[DSB (Austria)]]<br />
<br />
==Judicial protection==<br />
<br />
===Civil Courts===<br />
In Austria the ordinary civil courts are in charge of data protection lawsuits. § 28 DSG requires that civil lawsuits in data protection matters be filed with one of the 16 Regional Courts (''Landesgericht - LG'') instead of the district courts (''Bezirksgericht - BG''). Under national procedural law this requires that all parties be represented by a lawyer.<br />
<br />
Appeals can be brought to one of the four Higher Regional Courts (''Oberlandesgericht - OLG'') and further to the Austrian Supreme Court (''Oberster Gerichtshof - OGH''). The 6th chamber of the Austrian Supreme Court is the dedicated chamber for data protection matters.<br />
<br />
===Administrative Courts===<br />
Appeals from the Austrian DPA are brought before the Federal Administrative Court (''Bundesverwaltungsgericht - BVwG'') and can be further brought to the Austrian Supreme Administrative Court (''Verwaltungsgerichtshof - VwGH'') or (in certain cases) to the Austrian Constitutional Court (''Verfassungsgerichtshof - VfGH''). <br />
<br />
===Constitutional Court===<br />
The Austrian Constitutional Court (''Verfassungsgerichtshof - VfGH'') is in charge of deciding on any violation of the Constitutional Right to Data Protection in § 1 DSG, the Rights to Privacy and Data Protection in Articles 7 and 8 CFR and the Right to Privacy in Article 8 ECHR. Applications can be made directly by a citizen, by members of parliament or by one of the Austrian states. Austrian law also allows referrals by the civil courts. The Constitutional Court has by now built up a substantial body of case law on data protection matters.</div>
Hk
https://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_NAIH/2020/2729/15&diff=15434
NAIH (Hungary) - NAIH/2020/2729/15
2021-04-29T13:44:43Z
<p>Hk: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Hungary<br />
|DPA-BG-Color=background-color:#7f0037;<br />
|DPAlogo=LogoHU.jpg<br />
|DPA_Abbrevation=NAIH<br />
|DPA_With_Country=NAIH (Hungary)<br />
<br />
|Case_Number_Name=NAIH/2020/2729/15<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=NAIH (Hungary)<br />
|Original_Source_Link_1=https://www.naih.hu/files/NAIH-2020-2729-15-hatarozat.pdf<br />
|Original_Source_Language_1=Hungarian<br />
|Original_Source_Language__Code_1=HU<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=14.12.2020<br />
|Date_Published=16.12.2020<br />
|Year=2020<br />
|Fine=700000<br />
|Currency=HUF<br />
<br />
|GDPR_Article_1=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1b<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 13(1) GDPR<br />
|GDPR_Article_Link_3=Article 13 GDPR#1<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Hungarian DPA (NAIH) fined a construction company close to €2000 for excessive monitoring of property which allowed for the surveillance of employees without their knowledge.<br />
<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
A construction company had installed a video surveillance system on a construction site to protect the property and the physical integrity of employees. However, the cameras partially captured a social room and the activities of the employees. The employees had not been sufficiently informed about this when signing their contracts; they only knew that a video system monitored the property.<br />
<br />
===Dispute===<br />
Is a video surveillance system that partially captures activities of employees without their knowledge compliant with Article 5 GDPR?<br />
<br />
===Holding===<br />
The DPA concluded that the video surveillance system introduced by the company was unreasonable and that it failed to provide sufficient information about collection of personal data from its employees. The company was fined 700.000 HUF and instructed to change the angle of view of the camera so that it doesn't monitor workers' activities.<br />
<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.<br />
<br />
<pre><br />
Case number: NAIH / 2020/2729/15 Subject: Decision on request<br />
data protection authority<br />
Clerk: pending<br />
<br />
<br />
<br />
<br />
D E C I S I O N<br />
<br />
<br />
<br />
The National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority) with […]<br />
([…]) (Hereinafter referred to as the “Applicant”) against […] (hereinafter referred to as the “Applicant”)<br />
hereinafter referred to as "the request"), the processing of personal data by natural persons<br />
the free movement of such data and Directive 95/46 / EC<br />
Regulation (EU) 2016/679 repealing Directive (hereinafter referred to as General<br />
<br />
alleged breach of obligations by the Applicant<br />
in the data protection authority proceedings initiated by the Authority on 24 March 2020 a<br />
The applicant grants his application and<br />
<br />
1. Notes that<br />
<br />
<br />
a. the Applicant has infringed Article 5 (b) and (c) of the General Data Protection Regulation<br />
(‘Purpose-based’ and ‘data-saving’) when the establishment of a site under [...] […]<br />
He set the angle of view of the camera in his room called<br />
to monitor only the area justified for the protection of persons and property, but also the<br />
<br />
it was also suitable for observing short administrative workers.<br />
<br />
b. The Applicant infringed Article 13 (1) of the General Data Protection Regulation,<br />
when its employees working at its site under […] are employed from 18 November 2019 to 2020.<br />
in the period between 3 April was not properly informed by the camera data processing taking place there<br />
<br />
circumstances.<br />
<br />
2. Instructs the Applicant to ensure that the equipment installed in the premises of […]<br />
change the angle of view of the camera so that it is not suitable for workers<br />
unreasonable monitoring and be consistent with the personnel and<br />
<br />
for the purpose of protecting property.<br />
<br />
3. for the above infringements, 30. From the date on which this Decision became final<br />
within a day<br />
<br />
<br />
700,000 HUF, ie seven hundred thousand HUF<br />
<br />
order to pay a data protection fine;<br />
<br />
4. order the final decision of the Applicant and the Applicant's identification data<br />
<br />
(anonymisation).<br />
<br />
The fine is the Authority's forint collection account for the collection of centralized revenues<br />
(10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) must be paid by bank transfer. When transferring the amount, NAIH / 2020/2729<br />
JUDGE. should be referred to.<br />
<br />
1055 Budapest, Falk Miksa utca 9-11. Tel .: +36 1 391-1400 Fax: +36 1 391-1410 ugyfelszolgalat@naih.hu www.naih.hu<br />
<br />
If the debtor fails to meet his obligation to pay the fine within the time limit,<br />
is required to pay a late payment allowance. The rate of default interest is the statutory interest, which is a<br />
the central bank base rate valid on the first day of the calendar half-year affected by the delay. THE<br />
the Authority's centralized revenue collection forint account<br />
<br />
(10032000-01040425-00000000 Centralized direct debit account).<br />
<br />
Failure to comply with the notice under point 2 and the fine and penalty for late payment under point 3<br />
in the event of non-payment, the Authority shall order enforcement of the decision, the fine and the penalty payment.<br />
<br />
In view of the fact that the Authority exceeded the administrative deadline, it was HUF 10,000, ie HUF ten thousand<br />
pay the Applicant, at his / her choice, by bank transfer or postal order.<br />
<br />
<br />
There is no administrative appeal against this decision, but it has been available since its notification<br />
Within 30 days of the application addressed to the Metropolitan Court in an administrative lawsuit<br />
can be challenged. The emergency does not affect the time limit for bringing an action. The application to the Authority<br />
shall be submitted electronically, which shall forward it to the court together with the case file. The trial<br />
The application for maintenance must be indicated in the application. During the emergency, the court is hearing<br />
acting outside. For those who do not receive a full personal exemption from judicial review<br />
<br />
the fee of the procedure is HUF 30,000, the lawsuit is subject to the right to record material fees. Before the Metropolitan Court<br />
legal representation is mandatory in proceedings.<br />
<br />
EXPLANATORY STATEMENT<br />
<br />
I. Background, clarification of the facts<br />
<br />
<br />
a. Content of the request received by the Authority<br />
<br />
The Applicant submitted an application to the Authority by e-mail dated 15 March 2020,<br />
supplemented the following day, 16 March 2020. In the application, it stated that the Applicant […]<br />
Based on its own experience, a camera system for property protection purposes was installed at the site below<br />
for monitoring workers' work and rest periods, and<br />
are also used to control According to the Applicant, among other things, this observation<br />
<br />
nor did he receive sufficient information about the purpose and legal basis of the<br />
worked at the site. He did not receive any information about the cameras at the site yet<br />
no warnings were posted either.<br />
<br />
Applicant is an official procedure in connection with the above - in his opinion, illegal conduct<br />
requested the Authority to conduct it.<br />
<br />
The application did not contain a statement from the Applicant as to the identity of the Authority<br />
<br />
whether to investigate the data controller's activities of the Requested. Furthermore, the<br />
were not attached to the application by the Applicant documenting the infringing situation<br />
recorded recordings or other documents that may be used in the course of evidence, and not<br />
the content and form of the instruction of the superior acting on behalf of the Applicant was precisely described.<br />
In view of the above, the Authority called on the Applicant to rectify the deficiencies, which he did on 24 March 2020.<br />
<br />
<br />
<br />
<br />
<br />
<br />
In connection with the application and its replacement, it can be stated that between the Applicant and the Applicant<br />
On January 20, 2020, an employment contract was created to fill the position of “warehouse manager”.<br />
The job description and the data management information were attached to the employment contract<br />
Applicant submitted to the Authority.<br />
<br />
General employees dated January 16, 2020, handed over upon signing the employment contract<br />
<br />
a separate section in the data management information deals with the operation of the camera surveillance system.<br />
According to this, the Applicant operates a camera surveillance system, which, however, is not used by the<br />
primary and explicit monitoring of workers and their activities. The camera<br />
surveillance only for the protection of human life, physical integrity, personal liberty, and<br />
in the case of property protection. No cameras will be installed in rooms<br />
where human dignity may be violated, in particular in changing rooms, washrooms, toilets and<br />
in premises where the Applicant's employees take breaks between work.<br />
<br />
the camera system stores the recorded images for 72 hours. The rules are only brief and<br />
informs about the camera surveillance in general, it is not specifically under the Applicant […]<br />
monitoring at its premises.<br />
<br />
According to the Applicant, his duties included, inter alia, that the Applicant […]<br />
the image transmitted by the camera system installed at the site for the protection of persons and property<br />
check. Access to the camera system […], as directed by the fleet and logistics manager<br />
<br />
received from the Applicant's IT department. Narration by the Applicant and by him by the cameras<br />
According to photos attached from the transmitted images, the site was also used by employees for recreation<br />
the so-called […] Was also camcordered. The Applicant received several verbal instructions from his superior<br />
([…]) To monitor employees for the purpose of staying too much time in “[…]”.<br />
According to the applicant, there was an employee who had too many stays in the rest area<br />
moved to another area within the site. According to the applicant, upon entry<br />
the cameras have been in operation for months.<br />
<br />
<br />
In the application, based on the above, the Applicant requested that the Authority investigate the matter a<br />
Applicant's unlawful conduct of camera data processing by employees<br />
and the non-disclosure of the lack of information.<br />
<br />
On the basis of the request and its supplement, the right to information self - determination and the<br />
CXII of 2011 on freedom of information. Section 60 (1) of the Information Act (hereinafter: the Information Act)<br />
<br />
data protection authority proceedings were initiated on 24 March 2020.<br />
<br />
b. Facts established during the data protection authority proceedings<br />
<br />
1) In the case, the Authority issued NAIH / 2020/2729/6. to clarify the facts<br />
called on the Applicant to make a statement and provide documents within the deadline<br />
he did.<br />
<br />
<br />
On the basis of the applicant's statement, it can be stated that it is for the purpose of personal and property protection<br />
the operation of a camera system for new entrants as part of the entry process<br />
informed. The text of the prospectus has already been attached to the application by the Applicant.<br />
Applicant also informed the Authority that the prospectus for employees of the internal<br />
can also be accessed at any time via an IT network.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
According to the applicant's declaration, the site below […] has a dry matter storage activity<br />
(high-value telecommunications and IT equipment, hardware, cables, wires, etc.), there<br />
a total of 37 employees perform their activities. He applied for the camera system built here<br />
security and property of buildings, equipment, technical articles,<br />
protection of its valuables, preservation of their value and condition, and staying in the monitored area<br />
protection and insurance of the life, physical integrity and property of persons<br />
prevention of infringements, detection of detected infringements, official or judicial<br />
<br />
installed and operated for the purpose of<br />
<br />
There has been an employer instruction on the installation and use of the cameras operated by the Applicant<br />
issued on March 24, 2020, which was emailed to employees working in the field<br />
information on 3 April 2020. The email includes a link to the camera surveillance system<br />
issued on 24 March 2020. The rules<br />
applies generally to cameras operated by the Applicant and not only to […]<br />
<br />
on site. The information e-mail was also addressed to all employees (from: […],<br />
to: […]).<br />
<br />
The purpose of the camera surveillance is applied to the security of buildings and property<br />
protection, as well as personal protection objectives set out in the above detailed privacy policy<br />
regulations. The legitimate interest of the Candidate was indicated as the legal basis for the observation. The<br />
the balancing test required for data management based on the legitimate interests of the controller a<br />
<br />
contained in separate regulations. Article 3.2 of the Regulations can not install a camera such<br />
premises or from a viewing angle that allows employees to spend their working time<br />
and it is forbidden to place a camera in a locker room, toilet or shower<br />
and in all places where visual observation would be a violation of human dignity.<br />
<br />
Candidate attached to his response the camera placed in the areas monitored by the affected person<br />
information (which is annexed to the detailed rules of procedure) and the […]<br />
<br />
installation diagram for on-site cameras.<br />
<br />
According to the applicant's statement, the cameras operating at the […] site are not present at the workplace<br />
or to monitor the intensity of work, but for the purpose of protecting property<br />
installed them. No observation is made in rooms that are staffed<br />
they are used to relax. Applicant sent a list of cameras installed at the site as well<br />
snapshots showing the viewing angle of the cameras. The cameras do not record sound, a<br />
<br />
images are stored for up to 30 days.<br />
<br />
According to the Applicant's statement, a room called […] was also referred to by the Applicant<br />
watching camera. The purpose of installing this camera is to protect property, as there are high-value small machines,<br />
tools and parts are stored. The room in addition to short-term administration<br />
tasks are also performed (for example, publishing warehouse material, receipt by computer<br />
documentation), continuous employee presence, but constant performance of tasks in this<br />
not in room. Based on the submitted camera image for storage in the room<br />
<br />
shelves, cabinets, as well as a desk with computer and printer and several office swivel chairs<br />
can be served:<br />
<br />
[…]<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The camera image sent is the same as the camera image attached by the Applicant for the room and<br />
with regard to the angle of view, with the difference that in the case of recruitment of the Applicant there are more<br />
employee is also visible.<br />
<br />
For images transmitted by on - site cameras in the Privacy Policy [1]<br />
<br />
can be accessed by employees in a specific breakdown. To learn about camera images<br />
general manager, HR manager, security manager, network operation center (NOC)<br />
team leader and staff performing 0-24 hour dispatching tasks are eligible. A given<br />
area (eg the […] site in question) cameras, the logistics manager, the logistics manager<br />
team leader and warehouse manager are entitled to get to know the camera images. Additional authority<br />
<br />
may be issued in consultation with the security manager.<br />
<br />
2) In the case, the Authority issued NAIH / 2020/2729/8. to clarify the facts<br />
called on the Applicant to make a statement and provide documents within the deadline<br />
he did.<br />
<br />
<br />
At the Authority's request, the applicant stated that it had not received any complaints from the […] site<br />
camera system.<br />
<br />
The camera system is called Its “trial operation” began on the 18th of November 2019 at the site.<br />
Development of a specific privacy policy for camera surveillance<br />
based at the time “was already in progress” for its issuance and email to employees<br />
<br />
finally, as referred to in the Applicant's previous statement, on 3 April 2020<br />
took place.<br />
<br />
Logging access to camera images Requested with […] central video server<br />
performs. The following access data is logged: time,<br />
user ID, user IP address, user type, event, server name,<br />
<br />
event information, event supplementary information. The log data requested by the person and<br />
CXXXIII of 2005 on the rules of property protection and private investigation.<br />
22/2006 on the implementation of Act (IV. 25.) Decree of the Ministry of the Interior with reference to Section 10 (2)<br />
Store for 30 days.<br />
<br />
The applicant also stated that the room […] at the […] site was not<br />
<br />
a room set aside for employees to spend their working time. Its basic function is a warehouse,<br />
and short-term administrative tasks are performed there. It is permanent in the room<br />
tasks are not performed by employees.<br />
<br />
3) In the case, the Authority issued NAIH / 2020/2729/10. to clarify the facts<br />
<br />
called on the Applicant to make a statement and provide documents within the deadline<br />
he did.<br />
<br />
At the request of the Authority, the applicant stated that the installation of the camera system at the […] site<br />
after, from November 18, 2018, it was immediately suitable for image capture, so in this respect<br />
there was no difference between its “live” and “test run” in terms of data management.<br />
<br />
<br />
<br />
[1] Requested NAIH / 2020/2729/7. Annex 3, point 12, to its reply<br />
<br />
<br />
<br />
<br />
<br />
<br />
The system was professionally reviewed on 6 April 2020 in the course of an internal coordination process, during which it was found that the installed configuration needs to be supplemented and changed in several respects; however, the Respondent does not intend to make changes until the Authority has completed its procedure, so the system is still in its original condition at the site.<br />
<br />
Information on the “trial operation” of the camera system and the start of the related data management was not given to the workers. Information on the operation of the system was sent to the employees by e-mail on 3 April 2020, as the Respondent also referred to in its previous answers.<br />
<br />
c. Findings of investigation procedure NAIH/2020/2007 on the same subject and the joinder of the cases<br />
<br />
In addition to the Applicant's request, a complaint from a further affected person was also received by the Authority in an e-mail dated 22 February 2020, in which the complainant described that he worked at the Applicant's […] site and, when he entered employment, was not familiarised with the data management regulations regarding the camera surveillance system, and that no warning and information on camera surveillance was posted at the site. The complainant also described that a resting space was also observed by the cameras.<br />
<br />
As in this case the complainant did not consent to the disclosure of his identity, the Authority initiated an investigation procedure based on Section 52 of the Infotv. under case number NAIH/2020/2007.<br />
<br />
In response to the Authority's document NAIH/2020/2007/4, the Applicant also sent the employer's instruction dated 24 March 2020 and the e-mail dated 3 April 2020 on the availability of the data protection rules for camera data management, which are already the subject of point I./b./1) of this decision. As the legal basis and purpose of the data processing, the Respondent indicated the same references as in official procedure NAIH/2020/2729. The Respondent also sent a drawing of the installation of the cameras and the images they transmit, which are the same as those sent in the present official proceedings.<br />
<br />
In this case too, the Applicant indicated 18 November 2019, the start of the “trial run”, as the date of activation of the camera surveillance system and the start of the data management.<br />
<br />
Given that a data protection authority procedure with the same content, NAIH/2020/2729, concerning the data protection aspects of the camera surveillance system complained of was already ongoing, the Authority concluded the investigation procedure in case NAIH/2020/2007 on 16 July 2020, and the findings set out therein were further examined ex officio in case NAIH/2020/2729. The Authority notified the Applicant of the joinder of the cases in document NAIH/2020/2729/11 dated 16 July 2020.<br />
<br />
<br />
II. Applicable legal provisions<br />
<br />
Pursuant to Section 99 of Act CL of 2016 on General Administrative Procedure (hereinafter: Ákr.), the authority, within the limits of its competence, monitors compliance with the provisions laid down in legislation and the fulfilment of enforceable decisions.<br />
<br />
In accordance with Article 2(1) of the General Data Protection Regulation, the General Data Protection Regulation applies to the data processing at issue.<br />
<br />
According to Article 4(1) of the General Data Protection Regulation, “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.<br />
<br />
According to Article 4(2) of the General Data Protection Regulation, “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.<br />
<br />
Pursuant to Article 5(1)(b) of the General Data Protection Regulation, personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”).<br />
<br />
Pursuant to Article 5(1)(c) of the General Data Protection Regulation, personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).<br />
<br />
<br />
Pursuant to Article 5(2) of the General Data Protection Regulation, the controller shall be responsible for, and be able to demonstrate compliance with, the principles set out in paragraph 1 (“accountability”).<br />
<br />
According to Article 6(1)(f) of the General Data Protection Regulation, processing of personal data shall be lawful only if and to the extent that at least one of the listed conditions applies, among them that the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.<br />
<br />
Pursuant to Article 13 of the General Data Protection Regulation:<br />
1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:<br />
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;<br />
(b) the contact details of the data protection officer, where applicable;<br />
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;<br />
(d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;<br />
(e) the recipients or categories of recipients of the personal data, if any;<br />
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.<br />
2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:<br />
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;<br />
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability;<br />
(c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;<br />
(d) the right to lodge a complaint with a supervisory authority;<br />
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;<br />
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.<br />
<br />
<br />
Pursuant to Section 30(3) of Act CXXXIII of 2005 on the rules of personal and property protection and private investigation (hereinafter: the Act), an electronic surveillance system may not be used in a place where surveillance may violate human dignity, in particular in changing rooms, washrooms, toilets, hospital rooms and the residential premises of social institutions.<br />
<br />
Pursuant to Section 9(2) of Act I of 2012 on the Labor Code (hereinafter: Mt.), the employee's personality rights may be restricted if the restriction is strictly necessary for a reason directly related to the purpose of the employment relationship and is proportionate to the achievement of its objective. The employee must be informed in advance, in writing, of the manner and conditions of the restriction of the personality right, its expected duration, and the circumstances justifying its necessity and proportionality.<br />
<br />
Pursuant to Section 11/A(1) of the Mt., the employer may monitor the employee's conduct related to the employment relationship. In this context, the employer may also use technical means, of which it must inform the employee in writing in advance.<br />
<br />
Pursuant to Section 103(1) of the Ákr., the provisions of the Ákr. apply to ex officio proceedings with the exceptions provided for in Sections 103 and 104.<br />
<br />
Pursuant to Section 61(1)(a) of Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.), the Authority may, in the context of the data processing operations set out therein, apply the legal consequences laid down in the General Data Protection Regulation.<br />
<br />
Pursuant to Article 58(2)(b) and (i) of the General Data Protection Regulation, the supervisory authority, acting in its corrective capacity, may issue a reprimand to a controller or processor where processing operations have infringed the provisions of the Regulation and may impose an administrative fine pursuant to Article 83, in addition to or instead of the other measures referred to in paragraph 2, depending on the circumstances of the individual case. Pursuant to Article 58(2)(d), the supervisory authority, acting in its corrective capacity, may order the controller or processor to bring its processing operations into compliance with the provisions of the Regulation, where appropriate, in a specified manner and within a specified period.<br />
<br />
<br />
The conditions for the imposition of an administrative fine are set out in Article 83 of the General Data Protection Regulation. Pursuant to Section 75/A of the Infotv., the Authority exercises its powers under Article 58(2) of the General Data Protection Regulation taking into account the principle of proportionality, in particular by warning the controller or processor in accordance with Article 58 of the General Data Protection Regulation in order to remedy the infringement where legislation on the processing of personal data or a binding legal act of the European Union has been infringed.<br />
<br />
Pursuant to Section 104(1)(a) of the Ákr., the Authority initiates proceedings ex officio in its area of competence if it becomes aware of a circumstance giving rise to proceedings; under paragraph (3) of the same section, the ex officio procedure starts on the day the first procedural act is carried out, and the notification of the known client of the initiation may be omitted if the authority takes a decision within eight days of the initiation of the procedure.<br />
<br />
<br />
III. Decision<br />
<br />
a. Legal basis of the examined data management<br />
<br />
According to the definition in Article 4(1) of the General Data Protection Regulation, a person's face and image are personal data, and the taking of the image, as well as any operation carried out on that data, constitutes data processing within the meaning of Article 4(2).<br />
<br />
<br />
Given that, although the cameras' angles of view were designed to observe the premises and the property located there, on the basis of the documents sent to the Authority workers are also monitored at the workplace, the rules on workplace camera surveillance must also be taken into account in assessing the lawfulness of the case. In this assessment, the following labour law rules apply.<br />
<br />
Pursuant to Section 42(2)(a) of the Mt., the employee is obliged on the basis of the employment contract to perform work under the direction of the employer. In accordance with this, Section 52(1)(b) and (c) of the Mt. defines as the employee's basic duty that the employee is obliged to be at the disposal of the employer during working hours and to perform the work with the expertise and diligence generally expected, in accordance with the relevant rules, regulations, instructions and customs. In order to ensure compliance with these legal obligations, Section 11/A(1) of the Mt. provides for the possibility for the employer to monitor the employee's conduct related to the employment relationship. This right is necessarily accompanied by the handling of personal data.<br />
<br />
<br />
Data management related to employer control thus follows from the provisions of the Mt. and, by its nature, is data management independent of the employee's consent. In this context, it should be noted that under the General Data Protection Regulation consent must be voluntary.[2] In relation to the voluntariness of consent, however, the Data Protection Working Party established under Article 29 of the already repealed Data Protection Directive[3] (hereinafter: Data Protection Working Party)[4] has explained in several resolutions that the possibility of voluntary consent in the employee-employer relationship is questionable. In the world of work, therefore, instead of the data subject's consent, the use of another legal basis, data management based on the legitimate interest of the employer, is justified.<br />
<br />
<br />
Under the legitimate interest legal basis in Article 6(1)(f) of the General Data Protection Regulation,[5] personal data may thus be processed if the processing is necessary for the purposes of the legitimate interests pursued by the controller (or a third party), unless those interests are overridden by the data subjects' right to the protection of personal data.<br />
<br />
<br />
It is important that the employer, as data controller, must carry out a balancing of interests in order to invoke this legal basis.[6] Carrying out a balancing of interests is a multi-step process: the legitimate interest of the controller, i.e. the employer, must be identified, together with the counterweight in the balancing, namely the fundamental right of the data subject, the employee, that is concerned; finally, on the basis of the weighing, it must be determined whether the personal data may be processed. Where the balancing of interests leads to the conclusion that the employer's legitimate interest precedes the employees' right to the protection of personal data, a camera system may be operated.<br />
<br />
[2] Article 4(11) of the General Data Protection Regulation: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”<br />
[3] Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.<br />
[4] Prior to the date of application of the General Data Protection Regulation, the Data Protection Working Party was an independent European advisory body on data protection and privacy issues; it was replaced by the European Data Protection Board.<br />
[5] Article 6(1)(f) of the General Data Protection Regulation: “Processing shall be lawful only if and to the extent that at least one of the following applies: (…) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”<br />
[6] Opinion 6/2014 of the Data Protection Working Party on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC provides assistance in carrying out the balancing of interests; its guidance can also be used during the period of application of the General Data Protection Regulation. The opinion is available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf<br />
<br />
From the “principle of accountability” under Article 5(2) of the General Data Protection Regulation it follows, however, that the employer must be able to prove that the electronic monitoring system it uses is compatible with the principle of purpose-bound data management and that the balancing of interests resulted in the primacy of the controller's legitimate interest. This requirement designates the framework within which an electronic monitoring system may be operated in the workplace for a given purpose.<br />
<br />
<br />
In the data protection regulations sent to the Authority, the Respondent indicated legitimate interest as the legal basis for the monitoring. The balancing test required for data management based on the legitimate interest of the data controller is included separately in the data management rules sent to the Authority. As the legal basis for the data management of the installed camera system, which necessarily monitors employees, the Respondent therefore applied Article 6(1)(f) of the General Data Protection Regulation. The Authority accepts the use of this legal basis as appropriate in connection with a workplace camera system for the protection of persons and property, and thus makes no further findings in this connection.<br />
<br />
b. The purpose of the examined data management<br />
<br />
In the Applicant's replies to the Authority and in the attached documentation, the purposes indicated for the data management are the protection of the security of buildings and their property, and the protection of persons. Thus, the purpose of operating the camera system is not the monitoring and influencing of the work of employees, but the protection of persons and property.<br />
<br />
In this regard, it is important to mention that respect for human dignity is an absolute limit on workplace camera surveillance, and therefore cameras may not be operated for the permanent, non-targeted observation of workers and their activities. It is also unlawful to use an electronic monitoring system aimed at influencing employees' behaviour at work, i.e. the permanent monitoring and control of employees with cameras. The reason for this is that observation for control purposes typically violates the principle of necessity and proportionality, as the employer has a number of other means of exercising its right under Section 11/A(1) of the Mt. Therefore, it is not possible to operate cameras which exclusively monitor the workers and the work done by them on a permanent basis. Exceptions are workplaces where the lives and physical integrity of workers may be in imminent danger; there a camera may exceptionally be operated, for example in an assembly hall, furnace, industrial plant or other facility that is a source of danger. It should be emphasised, however, that a camera may be operated to protect the life and physical safety of workers only where the danger actually exists and is direct; a merely potential danger cannot be a constitutionally acceptable purpose of data management. However, all this must be proven by the employer in the balancing test.<br />
<br />
In the case of surveillance for property protection purposes, the employer must also certify in the balancing of interests that there are in fact circumstances which justify the placement of the particular cameras and that the goal to be achieved cannot otherwise be ensured. In the case of monitoring for property protection purposes, another important requirement is that the employer must pay special attention to ensuring that the angle of view of the given camera is essentially aimed at the property to be protected and, as a result of the above, does not become a tool suitable for observing the work of workers.<br />
<br />
<br />
In addition, it is also not possible to use an electronic monitoring system in a room designated for employees to take breaks between work. An exception to this may be the case where there is some valuable property to be protected in that room, in connection with which an employer interest can be justified (for example, employees' equipment was damaged several times and the damage had to be borne by the employer). In this case, a camera may be placed in the room for this specific purpose, but then the employer must also pay particular attention to the principle of data minimisation, so that the angle of view of the camera is directed only at the property to be protected.<br />
<br />
Based on the Respondent's responses and the submitted images transmitted by the installed cameras, it can be established that the storage premises on the site, the goods stored there, and the courtyard and parking spaces there are observed. An exception to this is the room called […], as there is a larger desk, chairs and a computer workstation here as well, at which, according to the Respondent's response, short-term administrative activities are carried out (for example, the issuing of warehouse materials and the receipt of documentation by computer).<br />
<br />
The purpose of installing the camera in […] is also the protection of persons and property, because in the room, outside the workstation, high-value small machines, tools and parts are stored. In the recording attached by the Applicant, several employees are also visible in the room.<br />
<br />
Regarding the angle of view of this camera, it can be stated that its lower-right part shows administrative furniture and objects forming part of a workstation, while its upper-left part shows high-value small appliances, tools and parts, as well as cabinets and shelves suitable for storing them.<br />
<br />
<br />
According to the Respondent's statement, […] is not a room designated for breaks between work. If it were, a camera could not be operated there under the Respondent's Privacy Policy on Camera Surveillance. Nevertheless, on the basis of the Applicant's request and the further complaint received by the Authority, it can be stated that the employees also used the room for this purpose, alongside short-term administrative work. For example, according to the Applicant's statement, several employees were also called upon by the site's logistics manager to spend less time in the room.<br />
<br />
<br />
Irrespective of the allegations made in the application or in the complaint, it can be concluded that the angle of view of the camera installed in […] is suitable for the Respondent to observe the workers (37 people in the period examined) through the employees authorised to view the camera images. This is because the camera's angle of view covers not only the high-value assets to be protected and the storage units containing them (upper-left half of the transmitted image), but also the workstation used for administrative purposes (lower-right half of the transmitted image). Constant monitoring of the latter part of the room is justified neither by the protection of property nor by the protection of the life and physical integrity of workers, as only administrative work takes place there, which does not pose a real threat to health, and no significant storage of valuables takes place there either.<br />
<br />
The fact that the image transmitted by the camera is suitable for monitoring the intensity of work is also likely to have been the subject of the independent complaint. Ensuring that the system does not serve to unduly monitor employees through those authorised to view the image (in this case the logistics manager and the warehouse manager) is the responsibility of the Respondent as the data controller installing and operating the system.<br />
<br />
On the basis of the above, the Authority concludes that the angle of view of the camera installed in the room named […] at the Applicant's […] site is suitable for the unreasonable surveillance of workers, and is thus incompatible with the original purpose of protecting persons and property. Through that camera, the Respondent therefore infringes the principle of “purpose limitation” under Article 5(1)(b) of the General Data Protection Regulation.<br />
<br />
In addition, since the said camera is aimed not only at the assets to be protected, but a wider field of view is included in the image it conveys, thereby enabling the observation of the room, the Authority is of the opinion that the principle of data minimisation under Article 5(1)(c) of the General Data Protection Regulation is also infringed.<br />
<br />
In view of the above, the Authority, in the operative part of this Decision, has called on the Applicant to change the angle of view of the camera installed in the […] room of the […] site so that it is not suitable for the unreasonable monitoring of workers and is in accordance with the purpose of protecting persons and property for which the system was installed.<br />
<br />
<br />
c. Informing stakeholders about the data management examined<br />
<br />
An essential requirement for data management related to camera surveillance at work is that employees receive appropriate, transparent and easily understandable information about the data management. In this connection, the following should be taken into account:<br />
<br />
Pursuant to Section 9(2) of the Labor Code: “The employee must be informed in advance, in writing, of the manner and conditions of the restriction of the personality right, its expected duration, and the circumstances justifying its necessity and proportionality.”<br />
<br />
Under Section 11/A(1) of the Mt., if the employer also uses technical means to monitor employees, it must inform them in writing in advance.<br />
<br />
Article 13(1) to (2) of the General Data Protection Regulation states what information on the data processing must be made available to employees.<br />
<br />
For data management related to camera surveillance, in accordance with the system of requirements laid down by the General Data Protection Regulation, the following circumstances must be communicated:<br />
<br />
- the identification of the person (legal or natural) operating the electronic monitoring system,<br />
- the contact details of the Data Protection Officer, if such a person has been appointed by the data controller,<br />
- the location of each camera and the purpose for which it is intended, the area or object it covers, and whether the employer carries out direct or recorded observation with the camera,<br />
- the legal basis for the processing,<br />
- the determination of the legitimate interest of the controller,<br />
- the storage period of the recordings,<br />
- the persons entitled to access the data, and to which persons and bodies, and in which cases, the employer may forward the recordings,<br />
- the rules for reviewing the recordings and for what purpose the employer may use the recordings,<br />
- the rights of employees in the context of the electronic monitoring system and how they can exercise their rights,<br />
- the enforcement tools available in the event of a breach of their right to informational self-determination.<br />
<br />
In connection with the obligation to provide information, it must also be emphasised that the employer must indicate exactly, for each camera, for what purpose the given camera is installed in the given area and what area or equipment the angle of view of the camera is aimed at. This allows the employer to justify to employees why it considers it necessary to monitor the area. The practice of an employer informing employees only in general terms that it uses an electronic monitoring system in the workplace does not satisfy this.<br />
<br />
An additional requirement in the context of proper information is that the employer is obliged to place a warning indicating that an electronic monitoring system is used in the area.<br />
<br />
At the request of the Authority, the Applicant informed it that the camera system at the […] site was suitable for image capture immediately after its installation and commissioning on 18 November 2019, and that data processing began at this time.<br />
<br />
The Applicant distinguishes between so-called “trial” and “live” periods of operation of the system, although it did not comment on the exact duration of the trial operation. According to the Respondent's statement, however, there was no difference between “live” and “trial operation”, so the system operated in the same way during the relevant period. The conditions for data management were thus the same in the two periods.<br />
<br />
Information on the “trial operation” of the camera system installed at the site and on the start of the related data management was not sent to employees before 18 November 2019.<br />
<br />
The Applicant attached to his application the data management information provided to him on the day of his<br />
entry, together with his employment contract. The prospectus is general: it is not a document focusing only on<br />
camera data management, but also contains information on the general management of the employee's personal<br />
data. Only about one paragraph of the prospectus addresses some issues of camera data management (eg legal<br />
basis, retention period, purpose, prohibitions). This shorter summary document does not include all the<br />
categories listed above, as it does not relate to a camera system at a specific site but is only a general<br />
guide. According to the Applicant, warning signs were not posted at the site either, nor was any indication<br />
given of the availability of further, more specific information.<br />
<br />
More detailed data protection regulations on the operation of the Requested's camera systems were sent to<br />
employees on 3 April 2020 by email containing a link to the policy available on the Requested's internal<br />
network. This document contains detailed privacy rules not only for […] but for all cameras operated by the<br />
Applicant. The e-mail was received not only by the employees of the […] site but by all employees<br />
(addressee: […]), so it is likely to be considered the Requested's general "camera" data management policy.<br />
<br />
Based on the above, it can be stated that the data management prospectus handed over to the Applicant upon<br />
entry only informed him in general terms that his work could be observed with a camera. Such general, concise<br />
and easy-to-understand information on data management options is to be welcomed and is basically expected<br />
from data controllers.<br />
<br />
<br />
However, brief general employee information alone is not enough if no further guarantees relating to the<br />
specific data management (in this case camera surveillance at the specific site) and guaranteeing the rights<br />
and freedoms of those concerned have been included in a more detailed data management policy. The prospectus<br />
does not refer (eg by link) to these further guarantees or to a document describing them.<br />
<br />
<br />
No information on camera data management was provided at the specific site, and the detailed internal rules<br />
for camera monitoring were established with a delay of several months, well after the start of data<br />
processing.<br />
<br />
The absence of these additional specific guarantees defeats the purpose of the information, namely that the<br />
data subject be aware of the circumstances in which his personal data are processed by the controller. It is<br />
important that the data controller, at the request of the data subject, provide more detailed information on<br />
the circumstances of the specific data processing. Article 13 (1) to (2) of Regulation (EC) No 1049/2001<br />
specifies in detail which information the data subject shall be given; the information given when the<br />
employee entered was, however, only partially compliant with it. The briefing did not include, for example,<br />
the balancing test or other references to where detailed rules would be available. The reason for this is<br />
that the regulations were only communicated to workers months later, after the start of data management. The<br />
content of the warning sign to be placed in the monitored area was also only defined subsequently, in these<br />
regulations.<br />
<br />
Article 13 (1) of the General Data Protection Regulation provides that the controller shall, at the time of<br />
obtaining personal data, make available to the data subject each of the items of information listed therein.<br />
<br />
<br />
In this case, the Applicant was not able to ensure this at the start of the data processing (the so-called<br />
"trial operation" date of 18 November 2019), as it provided only very brief and general information on the<br />
possibility of camera surveillance to employees upon entry. The detailed camera data management policy,<br />
which supplements the brief information and is available to all employees, was adopted and communicated to<br />
stakeholders only after data management had begun (3 April 2020). After that, the information already<br />
complied with the requirements of Article 13.<br />
<br />
<br />
On the basis of the Applicant's request and the joint complaint, it can thus be concluded that employees at<br />
the site (a total of 37 people in the period under review) received inadequate information about camera data<br />
management all the way until the detailed data management regulations were issued.<br />
<br />
On the basis of the above, the Applicant infringed Article 13 (1) of the […] in respect of on-site camera<br />
data management from 19 November 2019 to 3 April 2020, because it did not provide sufficiently specific<br />
information to the workers.<br />
<br />
d. Findings concerning the sanction applied.<br />
<br />
The Authority examined the type of sanction it intends to impose on the Applicant for the breaches detected<br />
and whether a data protection fine is justified. On the basis of Article 83 (2) of the General Data<br />
Protection Regulation and Section 75/A of Infotv., and pursuant to Section 61 (5) of Infotv., it considered<br />
all circumstances relevant to the case and found that, in the case of the infringement discovered in the<br />
present proceedings, a warning and a call to comply are not in themselves a sufficiently proportionate and<br />
dissuasive sanction for the Applicant; it is therefore appropriate to impose a fine.<br />
<br />
<br />
In determining the need to impose a fine, the Authority considered the infringements<br />
aggravating and mitigating circumstances as follows:<br />
<br />
Aggravating circumstances:<br />
<br />
- The Authority has previously already established an infringement in connection with the data management<br />
activities of the Applicant in an official data protection procedure ([…]).<br />
<br />
<br />
- In view of the Requested's market position and the resources available to it, it is all the more expected<br />
to comply with data protection legislation, including compliance with workplace data management rules.<br />
<br />
- The infringement of camera data management and the insufficient information at the investigated site<br />
lasted a long time, from 18 November 2019 to 3 April 2020.<br />
<br />
<br />
In setting the amount of the fine, the Authority took into account that the Applicant's infringements of<br />
principle are covered by Article 83 (5) of the General Data Protection Regulation and thus fall within the<br />
higher maximum fine category.<br />
<br />
<br />
Mitigating circumstances:<br />
<br />
- Infringement of camera surveillance and lack of information on the data management under investigation<br />
did not affect a particularly wide range of persons (a total of 37<br />
employee).<br />
<br />
- Only one camera ([…]) at the site transmitted images that may be suitable for unjustified monitoring of<br />
workers.<br />
<br />
Other circumstances considered:<br />
<br />
- The Authority also took note of the fact that the Applicant cooperated with the Authority in all aspects of<br />
the investigation of the case, although it did not assess this conduct as an explicitly mitigating<br />
circumstance, as it did not go beyond what the law obliges.<br />
<br />
In setting the amount of the fine, the Authority took into account that the Applicant's net sales in the<br />
business year between January 1, 2019 and December 31, 2019 were HUF […] (HUF […]). In setting the fine, it<br />
took into account the duration of the infringement, the 2019 business year and the fact that public data for<br />
2020 are not yet available. On the basis of the above, the amount of the fine imposed is proportionate to the<br />
gravity of the infringement and shall not be considered excessive.<br />
<br />
Pursuant to Section 61 (2) (c) of Infotv., the Authority ordered the publication of the decision with the<br />
Applicant's identifying data obscured, as it does not affect a wide range of persons.<br />
<br />
IV. Other issues<br />
<br />
<br />
The powers of the Authority are defined by Section 38 (2) and (2a) of Infotv.; its jurisdiction covers the<br />
whole country.<br />
<br />
Pursuant to Sections 112, 116 (1) and 114 (1) of the Ákr., respectively, there is a right of appeal against<br />
an administrative action.<br />
<br />
<br />
The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative<br />
Litigation (hereinafter: Kp.). Pursuant to Section 12 (2) (a) of the Kp., an administrative lawsuit against<br />
the decision of the Authority falls, under Section 13 (11) of the Kp., within the exclusive jurisdiction of<br />
the Metropolitan Court. Pursuant to Section 72 of Act CXXX of 2016 on Civil Procedure (hereinafter: Pp.),<br />
applicable under Section 26 (1) of the Kp., legal representation is obligatory in a lawsuit within the<br />
jurisdiction of the General Court. Pursuant to Section 39 (6) of the Kp., unless otherwise provided by law,<br />
the application has no suspensory effect on the entry into force of the administrative act.<br />
<br />
<br />
Pursuant to Section 29 (1) of the Kp. and, in this regard, Section 604 of the Pp., and pursuant to Section 9<br />
(1) (b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services<br />
(hereinafter: E-Administration Act), the client's legal representative is required to communicate<br />
electronically.<br />
<br />
<br />
<br />
The time and place of filing the application are governed by Section 39 (1) of the Kp. Information on the<br />
possibility of requesting a hearing is based on Section 77 (1) to (2) of the Kp. The amount of the fee for an<br />
administrative lawsuit is set out in Section 44/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.).<br />
Section 59 (1) and Section 62 (1) (h) of Itv. release the party initiating the proceedings from the advance<br />
payment of the fee.<br />
<br />
According to Section 35 of Government Decree 74/2020 (III. 31.) on certain procedural measures in force<br />
during the state of emergency (hereinafter: Government Decree), unless the Decree provides otherwise, the<br />
emergency does not affect the running of time limits.<br />
<br />
Pursuant to Section 41 (1) of the Government Decree, during the emergency the court proceeds without holding<br />
a hearing. If a hearing would otherwise have to be held during the emergency, the plaintiff may ask the court<br />
to postpone the hearing until the end of the emergency instead of proceeding without a hearing, provided that<br />
<br />
(a) the court did not order, even in part, the suspensory effect of the action on the administrative act,<br />
(b) the action has suspensory effect and the court has not ordered the lifting of the suspensory effect,<br />
(c) no interim measure has been ordered.<br />
<br />
According to Section 132 of the Ákr., if the obligor does not comply with the obligation contained in the<br />
final decision of the authority, the decision is enforceable. Pursuant to Section 82 (1) of the Ákr., the<br />
decision of the Authority becomes final upon communication. Under Section 133 of the Ákr., enforcement is<br />
ordered by the decision-making authority, unless otherwise provided by law or government decree. Pursuant to<br />
Section 134 of the Ákr., enforcement is carried out by the state tax authority, unless a law, government<br />
decree or, in a municipal authority matter, a decree of the local government provides otherwise. Pursuant to<br />
Section 60 (7) of Infotv., the Authority itself carries out the implementation of a decision imposing an<br />
obligation to perform a specific act, to behave in a certain way, to tolerate or to cease something.<br />
<br />
<br />
Budapest, October 14, 2020<br />
<br />
<br />
Dr. Attila Péterfalvi<br />
President<br />
c. professor<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_NAIH/2020/2555&diff=15433
NAIH (Hungary) - NAIH/2020/2555
2021-04-29T13:42:39Z
<p>Hk: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Hungary<br />
|DPA-BG-Color=background-color:#7f0037;<br />
|DPAlogo=LogoHU.jpg<br />
|DPA_Abbrevation=NAIH<br />
|DPA_With_Country=NAIH (Hungary)<br />
<br />
|Case_Number_Name=NAIH / 2020/2555<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=HU DPA<br />
|Original_Source_Link_1=https://www.naih.hu/files/NAIH-2020-2555-hatarozat.pdf<br />
|Original_Source_Language_1=Hungarian<br />
|Original_Source_Language__Code_1=HU<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Decided=03.03.2020<br />
|Date_Published=03.03.2020<br />
|Year=2020<br />
|Fine=30000<br />
|Currency=HUF<br />
<br />
|GDPR_Article_1=Article 4(1) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#1<br />
|GDPR_Article_2=Article 4(2) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#2<br />
|GDPR_Article_3=Article 5(1) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1<br />
|GDPR_Article_4=Article 11(2) GDPR<br />
|GDPR_Article_Link_4=Article 11 GDPR#2<br />
|GDPR_Article_5=Article 12(2) GDPR<br />
|GDPR_Article_Link_5=Article 12 GDPR#2<br />
|GDPR_Article_6=Article 12(3) GDPR<br />
|GDPR_Article_Link_6=Article 12 GDPR#3<br />
|GDPR_Article_7=Article 15(1) GDPR<br />
|GDPR_Article_Link_7=Article 15 GDPR#1<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Hungarian DPA (NAIH) imposed a fine of 300 000 HUF (approx. €872) on a debtor for collecting the complainant's phone number and sending reminder SMS messages after the amount due had already been paid. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The debtor collected the phone number of the complainant during a phone conversation without informing her/him that he would do so. Although the debt had already been paid, the complainant kept receiving reminder SMS messages to pay the debt. The complainant filed a complaint with the HU DPA.<br />
<br />
===Dispute===<br />
<br />
<br />
===Holding===<br />
The HU DPA fined the controller 300 000 Forint for the illegal collection and use of the phone number. However, the DPA concluded that the controller did not violate Article 15(2) by asking for more information to identify the data subject when the complainant wanted to have her/his phone number erased. <br />
<br />
==Comment==<br />
<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.<br />
<br />
<pre><br />
Case number: NAIH / 2020/2555. Subject: Partial decision granting the application, Background: NAIH / 2019/3261. order partially terminating the proceedings <br />
<br />
The National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) […] applicant<br />
<br />
(hereinafter referred to as the “Applicant”) shall take the following decisions in the data protection authority proceedings initiated against […] (hereinafter referred to as the “Obliged”) regarding the illegal use of the telephone number used by the Applicant and the Applicant's address and e-mail address:<br />
<br />
<br />
<br />
I. In its decision, the Authority, in the part of the Applicant's request to establish the unlawful handling of the [] telephone number, <br />
<br />
<br />
<br />
gives place and<br />
<br />
<br />
finds that the Debtor has failed to fulfill its obligation under the principle of accuracy and that the Debtor has infringed Article 6 (1) of the General Data Protection Regulation. <br />
<br />
<br />
<br />
II. In the decision of the Authority, the part of the Applicant's request to establish the unlawful handling of the Applicant's address data and e-mail address <br />
<br />
rejects.<br />
<br />
<br />
<br />
III. The Authority shall issue the Debtor ex officio due to its unlawful data processing <br />
<br />
<br />
<br />
HUF 300,000, ie a three hundred thousand forint data protection fine<br />
<br />
<br />
<br />
obliges to pay.<br />
<br />
<br />
<br />
Within 15 days of the expiry of the time limit for initiating legal proceedings to initiate a judicial review or, in the case of initiating a review, of the court's decision, the Authority's centralized revenue collection forint account (1003200001040425-00000000 Centralized collection account IBAN: HU83 1003 2000 0104 . When transferring the amount, NAIH / 2019/3261. Quince. should be referred to.<br />
<br />
If the Debtor fails to meet the obligation to pay the fine within the time limit , he shall be liable to pay default interest. The amount of the late payment surcharge is the statutory interest rate, which is equal to the central bank base rate valid on the first day of the calendar half-year affected by the delay. In the event of non-payment of the fine and the late payment allowance, the Authority shall order the enforcement of the decision and the recovery of the fine and the late payment allowance in the form of taxes. The collection of fines and late fees in the form of taxes is carried out by the National Tax and Customs Board.<br />
<br />
<br />
<br />
IV. In its order, the Authority, in the part of the request initiating the data protection authority procedure that asked for the deletion of the telephone number of the Applicant, <br />
<br />
<br />
<br />
<br />
<br />
cancel.<br />
<br />
<br />
<br />
V. In view of the fact that the administrative deadline has been exceeded, the Authority shall pay HUF 10,000, ie ten thousand forints, to the Applicant - at its option - by bank transfer or postal order. <br />
<br />
<br />
<br />
No procedural costs were incurred during the official proceedings, so the Authority did not order them to be borne.<br />
<br />
<br />
<br />
There is no administrative remedy against the decision contained in clauses I, II and III or the order contained in clauses IV and V, but they may be challenged in an administrative lawsuit within 30 days of the notification. The application must be submitted to the Authority, electronically, which forwards it to the court together with the case file. The request for a hearing must be indicated in the application. For those who do not receive a full personal tax exemption, the fee for the court review procedure is HUF 30,000; the lawsuit is subject to the right of engagement. Legal proceedings are mandatory in proceedings before the Metropolitan Court.<br />
<br />
<br />
<br />
<br />
<br />
EXPLANATORY STATEMENT<br />
<br />
<br />
I. Procedure and clarification of the facts<br />
<br />
<br />
<br />
On 29 March 2019, the Applicant submitted a petition in which it initiated the conduct of data protection authority proceedings. <br />
<br />
<br />
<br />
According to the information provided in the application, on 12.02.2019 the Debtor's representative served a request for payment with file number [irat] at the Applicant's address. The document was received by the petitioner's husband, who informed the representative that the addressee of the summons had been living abroad for several years. The Applicant's husband also informed the representative that he could send the summons to the debtor by e-mail, as no other option was available.<br />
<br />
<br />
<br />
On the day of receipt of the above-mentioned document, the Applicant spoke by telephone to the person representing the Debtor who handed over the document, with whom the Applicant stated that the claim will be settled to the specified account number within 2-3 days and the Applicant will pay the money in person. During the telephone meeting, the Debtor's representative did not inform the Applicant whether the telephone conversation or his name and telephone number would be recorded, nor did he inform him that he might be treated as a client in the future.<br />
<br />
<br />
<br />
The Applicant paid the debt claimed by the Debtor on 13.02.2019. On February 15, 2019, the Applicant received an SMS notification from the Debtor on its telephone, in which a debt was communicated with reference to the registration number […], failing which enforcement was envisaged. Subsequently, several SMS exchanges took place, in which the Applicant indicated that the payment had been made; however, more and more prompts were received for this. The texts of the SMS messages did not contain the name of the debtor, nor did they mention a specific person in the address.<br />
<br />
<br />
<br />
The Applicant attached a copy of the following documents to the application : <br />
<br />
<br />
<br />
- the Debtor on 31.01.2019. on the day of […], no. letter addressed to <br />
<br />
- for […] by the Applicant on 13.02.2019. proof of payment made on the day of payment, <br />
<br />
- payment request and correspondence from the Debtor to the telephone number [..] (15 February 2019, <br />
<br />
16, 26, 13 March),<br />
<br />
- […] Complaint handling policy,<br />
<br />
- the data subject's request for the deletion of his / her personal data sent by the applicant to the e-mail address [..] on 16 February 2019, enclosing the pdf form containing his / her related request, <br />
<br />
- 02/16/2019 a power of attorney issued to the Applicant's husband on the day of the petition, according to which she may act on behalf of the Applicant in the cases of the Debtor [..]. <br />
<br />
<br />
<br />
The content of the request did not comply with Section 60 (5) of Act CXII of 2011 on the right to information and freedom of information (hereinafter: Infotv.), therefore the Authority called on the Applicant to rectify the deficiencies, which the Applicant complied with within the deadline. The Applicant stated that he objected to the "sender of the SMS as […]" and informed the Authority that the […] telephone number used by him belonged to the subscription of […], which the Applicant was entitled to use as a representative. He substantiated his claim with a copy of the number of […]. The Applicant also attached a copy of the invoice according to which […], as the biller, re-invoiced the telephone fee to the Applicant.<br />
<br />
<br />
<br />
In his statement, the Applicant requested that the Authority establish the fact of the Debtor's unlawful data processing and instruct the Debtor to delete his personal data (telephone number, e-mail address, residential address).<br />
<br />
<br />
<br />
At the request of the Authority, the Debtor stated that he did not process the Applicant's personal data; only the aggrieved telephone number was recorded in their register, which the Applicant provided to the Debtor as a contact, together with the fact that the debtor can be reached abroad in case of problems. The […] telephone number was recorded by the Debtor in his system not for the Applicant but for his client, ie the debtor of the claim he wishes to recover, who is a person other than the Applicant. The Applicant sent a letter to the Debtor on 16 February 2019 requesting data management information and requesting the deletion of his personal data. According to the Debtor's statement, the aggrieved telephone number was deleted from their system on 23.03.2019. The Debtor's statement that the telephone number was not stored in connection with the Applicant is also supported by a copy of the SMS messages sent to the telephone number, as there is no reference to the Applicant's name, only a registration number identifying his client's case. According to the documents attached by the Debtor, the case identifier in the SMS messages cannot be linked to the case of the Applicant, but to the case of the Applicant's relative […].<br />
<br />
<br />
<br />
As the Debtor stated that the “aggrieved telephone number - as a contact number provided by the Applicant - has been recorded in our system for the Client”, the Authority called on the Debtor to confirm the Applicant's consent by audio recording or otherwise for the period until the cancellation. on. At the request of the Authority, the Debtor could not prove the existence of the consent of the data subject related to the telephone number recorded in its system.<br />
<br />
<br />
<br />
II. Applicable law<br />
<br />
<br />
<br />
Article 2 of Regulation (EU) No 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereinafter referred to as the General Data Protection Regulation ) (1) provides that the Regulation applies to the processing of personal data in a partially or fully automated manner and to the non - automated processing of data which form part of a registration system or which are intended to be part of a registration system.<br />
<br />
<br />
<br />
Infotv. Pursuant to Section 60 (1), in order to enforce the right to the protection of personal data, the Authority shall initiate a data protection authority procedure at the request of the data subject .<br />
<br />
<br />
<br />
Unless otherwise provided in the General Data Protection Decree, the data protection authority procedure initiated on request is governed by Act CL of 2016 on General Administrative Procedure. (hereinafter: Ákr.) shall apply with the exceptions specified in the Infotv .<br />
<br />
<br />
<br />
The Acre. Pursuant to § 36, the application is a written or personal statement of the client requesting the conduct of an official procedure or a decision of the authority in order to enforce his right or legitimate interest . Infotv. Pursuant to Article 60 (2), a request to initiate an official data protection procedure may be made in the case provided for in Article 77 (1) of the General Data Protection Regulation . Pursuant to Article 77 (1) of the General Data Protection Regulation, any data subject has the right to lodge a complaint with a supervisory authority if he or she considers that the processing of personal data concerning him or her infringes the General Data Protection Regulation.<br />
<br />
<br />
<br />
The Acre. Pursuant to Section 47 (1) (c), the authority shall terminate the proceedings if the proceedings have become devoid of purpose.<br />
<br />
<br />
<br />
Under Article 4 (1) of the General Data Protection Regulation, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.<br />
<br />
<br />
<br />
According to Article 4 (2) of the General Data Protection Regulation, "processing" means any operation or set of operations on personal data or files, whether automated or non-automated, such as collection, recording, systematisation, sorting , storage, transformation or alteration, retrieval, consultation, use, communication by transmission, distribution or otherwise making available, coordination or interconnection, restriction, deletion or destruction.<br />
<br />
<br />
<br />
Pursuant to Article 5 (1) (d) of the General Data Protection Regulation, personal data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without delay ("accuracy").<br />
<br />
<br />
<br />
Pursuant to Article 11 (2) of the General Data Protection Regulation, if, in the cases referred to in paragraph 1 of this Article, the controller can prove that he is not in a position to identify the data subject, he shall, as far as possible, inform him accordingly. In such cases, Articles 15 to 20 shall not apply unless the data subject provides additional information enabling him to be identified in order to exercise his rights under those Articles.<br />
<br />
<br />
<br />
Pursuant to Article 12 (2) of the General Data Protection Regulation, the controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11 (2), the controller may not refuse to comply with the data subject's request for the exercise of his rights under Articles 15 to 22 unless he proves that he is unable to identify the person concerned.<br />
<br />
<br />
<br />
Pursuant to Article 12 (3) of the General Data Protection Regulation, the controller shall, without undue delay, but in any case within one month of receipt of the request, inform the data subject of the action taken on a request pursuant to Articles 15 to 22. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension of the time limit, indicating the reasons for the delay, within one month of receiving the request. If the data subject has submitted the request by electronic means, the information shall, as far as possible, be provided by electronic means, unless the data subject requests otherwise.<br />
<br />
<br />
<br />
Pursuant to Article 15 (1) of the General Data Protection Regulation, the data subject has the right to receive feedback from the controller as to whether the processing of his or her personal data is in progress and, if such processing is in progress, the right to access the personal data and get access to the following information:<br />
<br />
(a) the purposes of the processing; <br />
<br />
(b) the categories of personal data concerned ; <br />
<br />
(c) the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular recipients in third countries or international organizations; <br />
<br />
(d) where applicable, the intended period for which the personal data will be stored or, failing that, the criteria for determining this period;<br />
<br />
(e) the data subject's right to request from the controller the rectification, erasure or restriction of the use of personal data concerning him or her and to object to the processing of such personal data;<br />
<br />
(f) the right to lodge a complaint with a supervisory authority;<br />
<br />
(g) if the data were not collected from the data subject, all available information on their source;<br />
<br />
(h) the fact of the automated decision-making referred to in Article 22 (1) and (4), including profiling, and, at least in those cases, comprehensible information on the logic used and on the significance and expected consequences of such processing for the data subject. <br />
<br />
<br />
<br />
Pursuant to Section 38 (2) of the Infotv., the Authority is responsible for monitoring and facilitating the protection of personal data and the enforcement of the right of access to data of public interest, as well as for facilitating the free flow of personal data within the European Union.<br />
<br />
<br />
<br />
Pursuant to Section 27 (1) of the Ákr., the authority is entitled to know and process the natural personal identification data of the client and of other participants in the proceedings, the personal data specified in the law governing the type of case and, unless otherwise provided by law, other personal data essential for clarifying the facts. In a procedure initiated on application, it must be presumed that the requesting client has consented to the processing of the personal data, including special data, necessary to clarify the facts.<br />
<br />
<br />
<br />
III. Decision: <br />
<br />
<br />
<br />
III.1. Whether the telephone number […] qualifies as personal data<br />
<br />
<br />
<br />
According to the Applicant's statement, the subscriber of the telephone number […] is not the Applicant but [..]; the Applicant, however, is the user of this telephone number.<br />
<br />
<br />
<br />
Pursuant to Article 2 (1) of the General Data Protection Regulation, the Regulation covers data management and data processing that concerns the data of a natural person.<br />
<br />
<br />
<br />
Pursuant to Section 2 (2) of Act CLXXIX of 2011 on the rights of nationalities, […] is an organization with legal personality, i.e. a non-natural person, which can be directly identified on the basis of the telephone number connected to its subscription contract.<br />
<br />
<br />
<br />
However, given that the telephone number subscribed to by the legal entity can be linked to the Applicant, who uses it as the entity's representative, and that it is the Applicant who is reached directly when a call is made or received on that number or, as in this case, when the number is otherwise used to contact him, the telephone number can be regarded as the Applicant's personal data under Article 4 (1) of the General Data Protection Regulation.<br />
<br />
<br />
<br />
III.2. Principle of accuracy<br />
<br />
<br />
<br />
The data controller's measures must promote the principle of accuracy and prevent the use of inaccurate data. <br />
<br />
<br />
<br />
In view of the above, the recording of the telephone number used by the Applicant as the telephone number of the Debtor's customer, and the sending of SMS messages addressed to the customer to the Applicant's telephone number, were not lawful under Article 5 (1) (d) of the General Data Protection Regulation, since, when the data were recorded, the Debtor's employee knew that the telephone number recorded was not the customer's and that the customer was not the source of the data. The Authority established from the statements of the Applicant and the Debtor that the Applicant's telephone number was recorded as the data of the Debtor's client without the Applicant being entitled to act on behalf of the Debtor's client, as the Applicant did not have a power of attorney enabling him to act.<br />
<br />
<br />
<br />
On the basis of the above, the Authority found that the Debtor had infringed Article 5 (1) (d) of the General Data Protection Regulation.<br />
<br />
<br />
<br />
III.3. Proof of clear, voluntary and specific consent based on adequate information, required for processing the Applicant's personal data<br />
<br />
<br />
<br />
Recital 32 of the General Data Protection Regulation stipulates that consent must be given by a clear affirmative act establishing a freely given, specific and informed indication of the data subject's agreement, and pursuant to Article 7 (1) and Article 5 (2) of the General Data Protection Regulation the controller must also be able to demonstrate that consent.<br />
<br />
<br />
<br />
When collecting the Applicant's personal data (during a telephone conversation with him), the Debtor's employee was aware that he was collecting and processing the Applicant's personal data; therefore he should have asked the Applicant for consent to the processing of his personal data and proved the existence of this legal basis. However, despite the Authority's invitation, the Debtor did not provide the Authority with any audio recording or document supporting the existence of consent. Thus, compliance with the requirements set out in recital 32 and Article 7 of the General Data Protection Regulation has not been demonstrated for the period up to the deletion.<br />
<br />
<br />
<br />
Based on the above, the Authority concluded that the Debtor did not prove that it had the Applicant's consent to process his personal data, so it recorded the telephone number in its system in the absence of a legal basis, in breach of Article 6 (1) of the General Data Protection Regulation.<br />
<br />
<br />
<br />
III.4. The Applicant's request to the Debtor for access to and erasure of data<br />
<br />
<br />
<br />
The Applicant also submitted its request for access and deletion of data to the Debtor on 16 February 2019.<br />
<br />
<br />
<br />
Within the time limit set out in Article 12 (3) of the General Data Protection Regulation, the Debtor informed the Applicant by electronic means on 7 March 2019, in accordance with Article 15 (1) of the General Data Protection Regulation, that no claim was registered in his name and that it could not provide information to third parties on the case numbers referred to.<br />
<br />
<br />
<br />
According to the documents attached by the Debtor, the case identifier in the SMS messages may not relate to the Applicant's case but to the case of the Applicant's relative […]. The Applicant did not appear in the Debtor's register as a client or a proxy.<br />
<br />
<br />
<br />
Pursuant to Article 12 (2) of the General Data Protection Regulation, the controller may refuse to act on a data subject's request if it demonstrates that it is not in a position to identify the data subject. During the proceedings, the Debtor stated that it was not in a position to identify the Applicant in its register, so it complied with his erasure request only after the additional information enabling his identification was communicated on 7 March 2019. Given that the Debtor, in violation of the principle of accuracy, recorded the telephone number used by the Applicant as that of its client, it could not fulfil the Applicant's erasure request without additional information, as it could not identify him. After the additional information was provided, the Debtor deleted the personal data from its records.<br />
<br />
<br />
<br />
For the above reasons, the Debtor did not violate Article 15 (1) of the General Data Protection Regulation, as it did not treat the telephone number provided for contact purposes as personal data concerning the Applicant; however, in view of the findings made in point III.2, the Debtor should have noticed that the data were not those of its client but of a person who had not come into contact with the Debtor as a debtor.<br />
<br />
<br />
<br />
The Debtor complied with Article 11 (2) of the General Data Protection Regulation and deleted the inaccurate data from its records.<br />
<br />
<br />
<br />
III.5. The part of the application requesting that the erasure of the telephone number be ordered<br />
<br />
<br />
<br />
As regards the part of the application requesting the deletion of the telephone number, the Authority terminates the proceedings pursuant to Section 47 (1) (c) of the Ákr., as the proceedings have become devoid of purpose, since the Debtor no longer processes the objected data.<br />
<br />
<br />
<br />
According to the Debtor's statement and the screenshot of its register, the telephone number was deleted on 23 March 2019, i.e. before the start of the data protection authority proceedings.<br />
<br />
<br />
<br />
III.6. Unlawful processing of the Applicant's address and e-mail address data<br />
<br />
<br />
<br />
According to the Debtor's statement, only the telephone number […] was recorded in its register as personal data of the Applicant.<br />
<br />
<br />
<br />
From the Applicant's statement and the attached screenshots and correspondence with the Debtor (conducted by electronic means only), the Authority found that the Debtor unlawfully processed only the Applicant's telephone number, as it did not address the Payment Request to the Applicant but to the address previously notified by its customer. This is also supported by the Applicant's statement that the Applicant's husband received the letter addressed to the Debtor's client, made a "brother-in-law" note on the receipt and indicated that the Debtor's client habitually lives abroad. It can be established from the statements of the Debtor and the Applicant, as well as from the screenshots supporting the Applicant's claims, that the Debtor subsequently sent notifications about its client's debt to the Applicant only by SMS.<br />
<br />
<br />
<br />
According to the attached documents, the Debtor sent only its reply letters to the Applicant's e-mail address.<br />
<br />
<br />
<br />
Based on the above, the Authority concluded that the Applicant's address details and e-mail address were not unlawfully handled by the Debtor.<br />
<br />
<br />
<br />
III.7. Sanctions<br />
<br />
<br />
<br />
The Authority grants the Applicant's request in part and, pursuant to Article 58 (2) (b) of the General Data Protection Regulation, reprimands the Debtor because its data processing activities violated Article 5 (1) (d) and Article 6 (1) of the General Data Protection Regulation.<br />
<br />
<br />
<br />
The above infringements necessitated the establishment of a legal consequence, which was determined by the Authority acting in accordance with its statutory discretion.<br />
<br />
<br />
<br />
The Authority examined of its own motion whether it was justified to impose a data protection fine on the Debtor. In this context, in accordance with Article 83 (2) of the General Data Protection Regulation and Section 75/A of the Infotv., the Authority considered of its own motion all the circumstances of the case and found that, for the infringement discovered in the present proceedings, a warning would be neither a proportionate nor a dissuasive sanction; therefore it is necessary to impose a fine.<br />
<br />
<br />
<br />
In imposing the fine, the Authority took into account the following factors:<br />
<br />
<br />
<br />
- The breach is moderately serious, because through the unlawful data processing the Debtor also breached a principle of the Regulation. (Article 83 (2) (a) of the General Data Protection Regulation)<br />
<br />
<br />
<br />
- The infringement was caused by unjustified data processing resulting from the Debtor's negligent conduct, namely its data management practices. (Article 83 (2) (b) of the General Data Protection Regulation)<br />
<br />
<br />
<br />
- The Authority assessed as a mitigating circumstance the fact that the Debtor deleted the telephone number from its system at the Applicant's request, after the necessary identification, before the initiation of the official procedure. (Article 83 (2) (c) of the General Data Protection Regulation)<br />
<br />
<br />
<br />
- The Debtor has not previously been found to have infringed the General Data Protection Regulation. (Article 83 (2) (e) and (i) of the General Data Protection Regulation)<br />
<br />
<br />
<br />
- Based on the Debtor's income statement for 2018, its pre-tax profit was HUF 23,000,000. The data protection fine imposed does not exceed the maximum fine that may be imposed.<br />
<br />
<br />
<br />
- By imposing the fine, the Authority aims at special prevention: to encourage the Debtor to review its data recording and telephone number management practices.<br />
<br />
<br />
<br />
The infringement committed by the Debtor falls into the higher category of fines under Article 83 (5) (a) of the General Data Protection Regulation. Depending on the nature of the infringement, the maximum fine that may be imposed under Article 83 (5) (a) of the General Data Protection Regulation is EUR 20 000 000 or up to 4% of the total worldwide turnover of the preceding financial year.<br />
<br />
<br />
<br />
In determining the fine, the Authority did not take into account the following provisions of Article 83 (2) of the General Data Protection Regulation, as they were not relevant to the present case: points (d), (f), (g), (h), (j) and (k).<br />
<br />
<br />
<br />
On the basis of the above, the Authority decided as set out in the operative part.<br />
<br />
<br />
<br />
<br />
<br />
IV. Other issues:<br />
<br />
<br />
<br />
The competence of the Authority is defined by Section 38 (2) and (2a) of the Infotv., and its jurisdiction extends to the entire territory of the country.<br />
<br />
<br />
<br />
Pursuant to Section 112, Section 116 (1) and Section 114 (1) of the Ákr., the decision may be challenged by way of an administrative lawsuit.<br />
<br />
<br />
<br />
<br />
<br />
* * *<br />
<br />
<br />
<br />
The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (hereinafter: Kp.). Pursuant to Section 12 (2) (a) of the Kp., the administrative lawsuit against the decision of the Authority falls within the competence of the tribunal, and pursuant to Section 13 (11) of the Kp., the Metropolitan Court has exclusive jurisdiction.<br />
<br />
<br />
<br />
Pursuant to Section 72 of Act CXXX of 2016 on the Code of Civil Procedure (hereinafter: Pp.), applicable under Section 26 (1) of the Kp., legal representation is mandatory in litigation falling within the competence of the tribunal. Pursuant to Section 39 (6) of the Kp., unless otherwise provided by law, the filing of an application does not have a suspensive effect on the entry into force of the administrative act.<br />
<br />
<br />
<br />
Pursuant to Section 29 (1) of the Kp. and, in this regard, Section 604 of the Pp., Section 9 (1) (b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services (hereinafter: E-Administration Act) applies, under which the legal representative of the client is obliged to maintain electronic contact.<br />
<br />
<br />
<br />
The time and place of filing the application are set out in Section 39 (1) of the Kp. Information on the possibility of requesting a hearing is based on Section 77 (1) and (2) of the Kp. The amount of the fee for an administrative lawsuit is set out in Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Pursuant to Section 59 (1) and Section 62 (1) (h) of the Itv., the party initiating the proceedings is exempted from the advance payment of the fee.<br />
<br />
If the Debtor fails to duly demonstrate compliance with the required obligations, the Authority shall consider that the obligations have not been fulfilled within the time limit. Pursuant to Section 132 of the Ákr., if the Debtor has not complied with its obligation contained in the final decision of the Authority, it may be enforced. Pursuant to Section 82 (1) of the Ákr., the decision of the Authority becomes final upon notification. Pursuant to Section 133 of the Ákr., enforcement is ordered by the decision-making authority, unless otherwise provided by law or government decree. Pursuant to Section 134 of the Ákr., enforcement is carried out by the state tax authority, unless otherwise provided by law, government decree or, in a municipal authority matter, a decree of a local government.<br />
<br />
<br />
<br />
During the procedure, the Authority exceeded the time limit laid down in Section 60/A (1) of the Infotv.; therefore, pursuant to Section 51 (b) of the Ákr., it pays ten thousand forints to the Applicant.<br />
<br />
<br />
<br />
Pursuant to Section 46 (1) (a) of the Ákr., the authority rejects the application if a condition for initiating the procedure specified by law is missing and the Act does not attach any other legal consequence to this.<br />
<br />
<br />
<br />
Section 47 (1) (a) of the Ákr. provides that the authority shall terminate the proceedings if the application should have been rejected, but the reasons for this became known to the authority only after the commencement of the proceedings.<br />
<br />
<br />
<br />
Budapest, March 9, 2020<br />
<br />
Dr. Attila Péterfalvi<br />
<br />
chairman<br />
<br />
c. professor<br />
<br />
<br />
<br />
<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_NAIH/2020/1154/9&diff=15432
NAIH (Hungary) - NAIH/2020/1154/9
2021-04-29T13:41:25Z
<p>Hk: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Hungary<br />
|DPA-BG-Color=background-color:#7f0037;<br />
|DPAlogo=LogoHU.jpg<br />
|DPA_Abbrevation=NAIH<br />
|DPA_With_Country=NAIH (Hungary)<br />
<br />
|Case_Number_Name=NAIH / 2020/1154/9<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Hungarian DPA<br />
|Original_Source_Link_1=https://www.naih.hu/files/NAIH-2020-1154-9-hatarozat.pdf<br />
|Original_Source_Language_1=Hungarian<br />
|Original_Source_Language__Code_1=HU<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Decided=23.07.2020<br />
|Date_Published=23.07.2020<br />
|Year=2020<br />
|Fine=2000000<br />
|Currency=HUF<br />
<br />
|GDPR_Article_1=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1f<br />
|GDPR_Article_2=Article 12 GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Hungarian DPA (NAIH) issued a fine against Forbes Hungary, which had published the list of the 50 wealthiest Hungarians and the list of the biggest family-owned businesses, for not performing a balancing of interests before publication and for failing to inform the complainant of his rights.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Forbes published lists of the 50 wealthiest persons in Hungary and of the biggest family-owned businesses. The data used for the publication had been collected from public sources, including the company register.<br />
<br />
=== Dispute ===<br />
How should the balance between legitimate interests and the freedom of the press be assessed? Which legal basis is applicable here?<br />
<br />
=== Holding ===<br />
The Hungarian DPA considered that the balancing of interests should be performed before publication and that its result should be communicated to the complainant, so that he can object to the processing of his data carried out on the basis of Article 6(1)(f) GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.<br />
<br />
<pre><br />
Page 1<br />
Case number: NAIH / 2020/1154/9Subject: Application in partHistory: NAIH / 2019/8402decision grantingBefore the National Data Protection and Freedom of Information Authority (hereinafter: the Authority ) […]applicants (hereinafter collectively referred to as the Applicants ), through their representative [],Mediarey Hungary Services Private Limited Company (address: 1061 Budapest,Andrássy út 12., company registration number: 01-10-140295; hereinafter referred to as "the applicant" ),Forbes Magazine ('Forbes'), published in the applicant' s edition, is published andillegal data processing related to its electronic publications, as well as those of the Applicantsfollowing a request for inadequate enforcementIn the data protection authority procedure, the Authority shall take the following decisions:I. The AuthorityIN ITS DECISION1. The applicants' application is granted in part1.1. and finds that the Applicant is with Forbes in September 2019published and published in the publication of the largest family businessesonline version (Data Management 1) and Forbes 50 released in January 2020for the printed and online version of the richest Hungarian publication(Data Management 2) in connection with related data managementown interests and the legitimate interests of themselves and third parties (the public) and theseHe did not inform the applicants in advance of the result of his comparison with the interestsApplicants, in breach of Article 6 (1) (f) of the General Data Protection Regulationpoint.1.2. 
The Authority further notes that by requesting that Data Management 1 andThe Applicants did not provide adequate information regarding data management 2 eitherall relevant circumstances of the data processing and the Applicants are personalthe right to object to the processing of personal data and the Applicantsdid not provide information in its replies to the requests forApplicants' access to justice, violated the general data protectionArticle 5 (1) (a), Article 5 (2), Article 12 (1) and (4) ofArticle 14, Article 15 and Article 21 (4).1.3. The Authority condemns the Applicant for unlawful data processing , at the same timeinstructs that1.3.1 within 15 days of the decision becoming finalcomply with the information management information available to Applicantsobligations, including those taken into account in the balance of interests,Applicant's and Applicants' Interests and Balance of Interestinformation on the outcome of the proceedings, information on the right to protest andinformation on enforcement options.1.3.2 if the Applicant is entitled to it during future planned data processinginterest as a legal basis, it shall, in accordance with the law andcarry out a balance of interests in the light of the provisions of this Decision,including a second, individual consideration of interests following the protest.<br />
Page 2<br />
21.3.3 pre-convert in accordance with applicable law and the provisions of this decisioninformation practices.2. The Authority shall reject the application in so far as it:2.1 of the Applicants request the Authority to order the limitation of data management,Deletion of Applicants' Personal Data and Requested Personal Datatreatment;2.2 the Applicants request that the Authority restrict the data processing by an interim measureand prohibit the disclosure of personal information.3. The Authority shall reject the part of the application concerning the imposition of a data protection fine ,however, due to the violations found, the Debtor ex officioHUF 2,000,000, ie HUF 2 milliondata protection fineobliges to pay.No procedural costs were incurred during the official proceedings and therefore no costs were incurredprovided by the Authority.The data protection fine is the starting point for initiating a judicial review15 days after the expiry of the time limit or, in the case of initiation of a review, after the decision of the courtthe Authority’s centralized revenue collection special purpose forint account (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 00000000). Upon transfer of the amount, NAIH / 2020/1154/9 JUDGMENT. numberto refer to.Failure by the Applicant to meet its obligation to pay the fine within the time limit shall result in delayis required to pay a supplement. The rate of the late payment interest is the statutory interest, which is in arrearsthe central bank base rate in force on the first day of the calendar half-year in question.Section 1.3.1. from the date of notification of the decisionin writing within 30 days of the date of entry into force of this Regulation, together with theto the Authority.The Applicant shall be notified of the decision 1.3.3. 
in order to comply with the obligation laid down inmeasures shall be taken in writing within 30 days of the date of notification of the decisiontogether with the submission of evidence, to the Authority.The Authority shall impose fines and periodic penalty payments or for failure to comply with the prescribed obligationsinitiate the implementation of the decision.There is no administrative remedy against this decision, but it is from notificationwithin 30 days of the application to the Metropolitan Court in an administrative lawsuitcan be challenged. The application must be submitted to the Authority, electronically, which is the caseforward it to the court together with its documents. Indicate the request for a hearing in the applicationmust. For those who do not receive a full personal exemption from judicial reviewprocedure fee is HUF 30,000, the lawsuit is subject to the right to record material fees. Before the Metropolitan Courtlegal representation is mandatory in proceedings.<br />
Page 3<br />
3II. The request for a finding of an infringement concerns the processing of data before 25 May 2018the Authority shall follow the data protection authority procedureIN THE PERFORMANCE OFeliminate , as the General Data Protection Regulation is not applicable for this period.There is no administrative appeal against this order, but it must be appealed against on the 30th day after notificationmay be challenged in an administrative lawsuit by an action addressed to the Metropolitan Court within one day. THEthe application shall be submitted to the Authority, electronically, together with the case fileforward it to the court. The request for a hearing must be indicated in the application. The entirefor those who do not benefit from personal exemption, the fee for the judicial review procedureHUF 30,000, the lawsuit is subject to the right to record material taxes. In the proceedings before the Metropolitan Court, the legalrepresentation is mandatory.EXPLANATORY STATEMENTI. FactsI.1. Period under investigationFor the first time, the Applicant was included in the August 2015 issue of Forbes"[…] Family" in the "Largest Hungarian family businesses" compilation. Subsequently, in 2019.The “Largest Hungarian Family” owned by the “[…] family” was included in the September issue.enterprises 2019 ”. In addition, the January 2020 issue of “RichestHungarians ”[…]. As a result of […], Forbes January 50, 2020the number containing the richest Hungarian list was recalled by the Applicant to Data Management 1and in the online version of the lists related to Data Management 2, the term […] and […]replaced by […].The Authority will follow this data protection authority procedure on 25 May 2018data processing activities, in particular the personal data of the Applicants (name, surname,property) and inadequate enforcement of the rights of the data subjecthe continued. 
For data processing prior to 25 May 2018, natural persons aprotection of individuals with regard to the processing of personal data and on the free movement of such data,and Regulation (EU) 2016/679 repealing Directive 95/46 / EC (ahereinafter "the General Data Protection Regulation")therefore the rules of the General Data Protection Regulation do not apply to them, so they areno request for a data protection authority procedure may be made in respect ofor the provisions of the General Data Protection Regulation in respect of such data processingThe Authority is not empowered to examine compliance with this data protection authority procedureframework.I.2. Data provided in connection with the Applicants in the publications examined during the procedureThe Applicants objected to the data management related to the following publications and lists:- Forbes released in September 2019, containing the largest family businessesprinted and online version of the publication (Data Management 1). [The online version ishttps://forbes.hu/extra/csaladi-lista-2019/#/ , and the specific article is […]available under the link.]<br />
Page 4<br />
4- Forbes released in January 2020 - and in the meantime […] recalled - 50 richestThe printed and online version of the Hungarian publication (Data Management 2) . [Onlineversion under the link https://forbes.hu/extra/50-leggazdagabb-magyar-2019/ , the specificand the article is available under […] .]For Data Management 1, the following content was released:- In the printed version, the name of the family ([…] family) is the business in which they have an interestname ([…]), estimated value of the enterprise ([…]), head office of the enterprise ([…]),year of establishment ([…]) and the number of generations interested in the business ([…])indication. The entry contains the following description:[…]- The online version originally included the family name, but this […]has been removed as a result and the term […] can be read instead. In addition, thebusiness name, estimated value, year of incorporation and generations interested in the businessnumber has been indicated. The online version has a shorter description, the entrycontains only:[…]- The full names of the Applicants were not included in either the printed or online versionsas no other family members were named. The Applicantshis portrait was not or is not included in either the print or online versions.For Data Management 2, the following content was released:- In the printed version, only […] of the Applicants were named, the publication isit did not contain any direct or indirect reference to another member of the family. In the publicationthe amount of […] 's estimated assets ([…].), the source of the estimated assets ([…]) has been indicatedand also his age ([…]). 
The article contained the following description:[…]- The printed version included one of the MNB's Growth Bond Programalso a box describing the purpose of the issue, which also included the name of […] and the volume of the issue.([…]).- The online version also originally included […] 's name, but this […]has been removed as a result and the term […] can be read instead, as well as on thisin addition, the estimated value of the property was also indicated. The online version is shorter anda slightly different description can be read:[…]- The portrait of the Applicants (including […]) is not available in either the printed or online versionscontained or contained.For Data Management 1 and Data Management 2, it is managed and disclosed by the Applicantprovided is not specific under Article 9 of the General Data Protection Regulationpersonal data (racial or ethnic origin, political opinion, religious or worldview)personal data indicating beliefs or trade union membership, as well as naturalgenetic and biometric data, health data andpersonal information about the sexual life or sexual orientation of natural personsdata) category.The publicly available data in the […] business register include the compilation of the objectionable lists andAt the time of its publication, it was found that […] and […] held management positions in theand that […] and […] are members (ie owners) of the undertaking. Although the members of […](owners) occurred on the day ()] of the members (owners)amended on [vált] and replaced […] and […] by […] and […]registration, that development is irrelevant to the case, not least because<br />
Page 5<br />
5publications, lists based on the data and information available and taken into account at that timehave been compiled.Data forming part of the public and public register of companies and / or the Applicantsin the accounts and on the website of the undertaking in which it has an interest, on […] , […] and […]In addition to the information under reference, for Data Management 1, […] is estimatedand for Data Management 2 […] (after the amendment: [módos])estimated assets from its activities have been disclosed.Although the (estimated) value of the company in which the Applicants have an interest, […] / […] (estimated)the amount of its assets is not part of the company register, it is not public data in the public interest,however, publications are not personal to Applicants (e.g., inherited, donated, married)acquired, etc.) are presented to the readership but to the businessand the amount of assets accumulated as a result of the business activityfrom publicly available company data, information, company reports and the companythe Applicant drew a conclusion from his own communications. The Applicant shall estimate these acollected data from public sources and then used them in a specific wayevaluated and communicated as an opinion.I.3. Correspondence between the Applicants and the ApplicantFor several correspondence between the Applicants and the Applicant regarding Data Management 1 and Data Management 2also took place. These exchanges of letters, which are set out in Annex III.4 to the Decision, at the point of concernwill be explained in detail in the context of the exercise of the right - the Authority willobligation to provide information, the balance of interests carried out by the Applicant and the ApplicantsGeneral Data Protection Regulation in response to requests from data subjects to exercise their rightsexamined and assessed for compliance with the relevant provisions ofI.4. 
Procedure, Statements made by the Applicants and the Requested ProcedureElectronic applications sent by the Applicants on 6 December 2019 and to the Authority on 6 December 2019.in their application received by post on 12 December and on 17 December 2019electronically and by application received by post on 19 December 2019.in their supplement, Data Management 1 and Data Management 2, as well as the Applicants ’such as prior information, access, rectification andthe right to protest - inadequate provision of objections and data protection authority proceedingsinitiated against the Applicant.In the application and its supplement, the Applicants stated the following:- The Applicant first implemented data collection in 2016 when the ApplicantsOn the basis of the data collected regarding the financial situation of the Company, the Applicants wished to be included in thein its publication summarizing the largest family businesses. The Applicants are already at this timestrongly protested against the data processing operations affecting them, as a result of which theApplicant then refused to disclose the data.- From the e-mail sent by the Applicant on 26 August 2019have been informed that they want the “[…] family” for the Requested Data Management 1indicated in the [] context, so that […] discloses the financial position of the familycalculation of public company data of companies owned by Forbes and Forbes editorial staffbased on its methods.- The Applicants were informed of this by a letter sent by the Applicant on 26 August 2019that [] Forbes ’family business listings in previous years did not include […] because<br />
based on the data for the given year and our estimates based on them, in our opinion not ranked among the 25 largest companies. ” From this, the Applicants concluded that that the Applicant has also collected data about them in recent years, however, the Applicant he did not inform them in any way.<br />
- According to the Applicants, the use of the term "[család] family" is misleading and untrue and the use of the term in this context infringes the rights of members of the […] family who who are not members of the […] and also includes a reference to minor children. THE According to the register of companies, […] is not owned by the '[…] family' but by […] and […]. […] And […] are not owners, but only executives of the company, consequently, according to the Applicants, the effectiveness of […] is the conclusion regarding the property relations of the executives is false.<br />
- On 30 August 2019, the Applicants submitted a request to the Applicant in which firstly, they protested against the processing of their personal data and secondly against information requested in connection with the processing of their personal data and also requested that the Applicant correct inaccurate personal information.<br />
- In its reply to the request for the exercise of the rights of the data subject, the Applicant: According to the applicants, it was not provided for in the General Data Protection Regulation Provided all the information listed in Article 15 and did not provide any information their rights regarding the processing of their personal data and the legal remedies available against the data processing.<br />
- The Applicants further submitted that the Applicant had not indicated in its reply that on what legal basis he handles personal data did not indicate that the data processing nor did it pass on the result of the balancing test. 
THEApplicant raised the issue of informing the public as the purpose of data management, the Applicantsconsiders, however, that this objective does not create a legitimate interest on the part of thewhich would lawfully process personal data, and the Applicants ’privacy andhis right to privacy takes precedence over any legitimate interests of the Applicantopposite. The Applicants claim that for years they have been paying special attention to private andto separate their business and the confidentiality of their privacy, not in the pressthey make a statement, their possible manifestations strictly on business considerationsconcentrate.- The Applicants submitted that the publication containing the largest family businessesFollowing its release in September 2019 - information confirmed by policebased on - identified, persons with a criminal record appeared in the family propertyaround. While the family has previously been able to successfully protect its privacy, the Applicantsin his view, the Forbes list published in September 2019 directed it to Applicantsattention of criminal circles .- By e-mail of 6 November 2019, the Applicant informed theApplicants to be included in the case of Requested Data Management 2 as wellApplicants as individuals.- As in the previous request, that letter did not contain a general data protectionDecree 13-14. and was not included in the listthe person (s) and specific data to be included,on what legal basis Forbes would publish the Applicantspersonal data established on the basis of certain calculations, which the Applicants asthe financial situation of individuals. Excel spreadsheet attached to the letterits document name refers to the “[…] family”, so in the Applicants ’view, the Applicantalready deals specifically with data relating to Applicants as individuals. 
THEHowever, in the applicants' view, the '[…] family' is inaccurate personal data, as it isit contains a reference to all family members, including children, but […] is ownedits range is limited to […] and […]. Also, according to the Applicants, the alleged propertythe calculation of data on their situation is based on a method of calculation not described,<br />
which […] and […] owns the company’s public company data and the Applicant’s own based on calculation methods. In connection with the calculation, the Applicant alone is an excel provided a table which, according to the Applicants, was sent on 6 November 2019 Contrary to its wording, it did not contain a description of the method of calculation.<br />
- The Applicants' lawyer sent to the Applicant on 15 November 2019 letter of formal notice pursuant to Article 21 of the General Data Protection Regulation protested against the data processing carried out by the Applicant concerning Applicants and they were prohibited from accessing any personal data concerning them collect and perform other data processing activities, including disclosure. Applicants were also prohibited from doing so - either by name or mentioned as a family, appear in the statement, either directly or indirectly, and called on the Applicant to provide the Applicants ’personal details without delay delete them and do not carry out any data processing operations on them or on them. The Applicants are Article 18 (1) (a) and (d) of the General Data Protection Regulation also requested a restriction on data processing and strongly called on the Applicant to refrain from publishing data concerning Applicants in general circumstances set out in Article 18 (1) (a) and (d) of the Data Protection Regulation as well as in the wake of the protest.<br />
- In its reply letter delivered on 20 November 2019, the Applicant is the Applicants in its view, it provided incomplete information, such as no information given to the Applicants by processing their personal data what rights they have in relation to them and what remedies are available against the processing they can live. The Applicant also indicated as the legal basis for data processing without Article 6 (1) (f) of the General Data Protection Regulation general and the individual balance of interests required by the protest would have provided information on the outcome. 
According to the Applicants, the information is notcomply with Articles 13 (2) (f) and 14 (2) of the General Data Protection Regulationg), as the Applicants do not know what their personal data islogically analyze the importance of data management and what it is for Applicantshas expected consequences. The duration of data processing is missing from the informationexact definition, and the Applicant did not comply with the Applicants' generalrequests for the exercise of data subject rights under the Data Protection Regulationdata processing in view of the fact that the Applicants indicate that the data are not accurate,nor has it complied with its obligation to cancel.In addition to the above, the Applicants made the following (additional) comments by the Applicantwith regard to the processing of personal data, as regards the legal background:- A 7/2014. Paragraph [62] of the explanatory memorandum to Decision AB (III. 7.) states that “[a]persons exercising public power and politicians in public office are also entitled toprotection of personality, if the value judgment does not identify their person in public affairs disputes, noin connection with their public activities, but also with their private or family lifein this connection. " With their private or family life outside the scope of debating public affairsinformation is considered protected even for public actors, so suchDisclosure of such information constitutes a serious breach of privacy by Applicantsaccording to.- According to the Applicants, satisfying the curiosity of society even thensufficient basis for interference with privacy, if otherwise in social decision-makingit is a person playing a role (BDT2017.3693). According to the Applicantsin particular, this protection applies to persons, including in relation to the Applicants, who:they cannot be regarded as public figures at all, since their activities do not fall within the scope of thepublic performance.<br />
- Regarding the legal assessment of the data management of the press, according to the Applicants the position expressed in previous resolutions of the Data Protection Commissioner remains, according to which “[t] he case law also suggests that newspapers consider the a increasing the number of copies, standing up to market competition, and, conversely, personal the obligation to protect data is not sufficiently taken into account ".<br />
- The Applicants referred to a so-called meeting of representatives of the data protection authorities of the European Union. Working Group 29 WP 217 opinion that “the media cannot get general authority to take into account the privacy of public actors publish a detail ’.<br />
- According to the Applicants, the case law of previous years is clear in that the “100 richest Hungarians” and other similar types of lists despite the protest of the person concerned (in connection with the similar list of Magyar Hírlap ABI1472 / A / 2003 or in connection with the Playboy list ABI 922 / A / 2000. resolutions). According to previous resolutions of the Data Protection Commissioner, “[t] he regarding who are not public figures, just wealthy people, I do not hold lawful of this procedure, as their names were published without their consent context. In my view, the mere fact that someone is wealthy, yet does not mean that he is also a public figure. Also for personal data published on the list ensure the data subject's right to self-determination, in the absence of consent to personal data may not be disclosed ' . Although the resolutions referred to are general privacy before the entry into force of this Regulation, they are, in the view of the Applicants, differences still apply today.<br />
- The Applicants referred to the Authority's website at www.deres.tv “The big bastard database 2. 
” from photographs illegally published in the entrythat the database is capable of beingput stakeholders in a negative color so that they are in the crosshairs.- The Applicants also referred to the Authority's connection with the Serial List of the Watch Sheet.There was also Naihan / 2018/2618/6 / V resolution, which the Authority wrote that "thelisting is intended to provide stakeholders with a sense of negative social perception of data subjectswho do not qualify as public actors, do not take on a public role,and they do not wish to influence the public by their activities. "- In the context of Article 85 (3) of the General Data Protection Regulation, Hungary is as followsnotified relevant legislation: Act V of 2013 on the Civil Code(hereinafter: the Civil Code) 2:44. § (in connection with the free debate on public affairs); on freedom of the pressand the CIV of 2010 on the basic rules of media content. Act (hereinafter:Smtv.) § 4 (3) (principles) and § 6 (resource protection). Position of the Applicantsaccording to which at most the mentioned legal points could be invoked by the Applicant, aArticle 6 (1) of the General Data Protection Regulation in the context of freedom of the pressto establish a legitimate interest under point (f); otherwise for data management onlythe provisions of the General Data Protection Regulation apply directly.- According to the Applicants, the existing infringement is based on the principle thatsubstantiated or presumed allegations concerning the property of a person -regardless of the size of the property - to the information that belongs to the narrowest circle of the given personthey are thus fully integrated into the individual 's privacy, andthey have a direct effect on, among other things, the judgment and acceptance of the given personand in some cases for safety.- Applicants for the safety of the whole family, including minor family membersproperty has been kept strictly confidential for years in order to preserve and 
maintain ittheir situation. The success of […] was not hidden, but its details and individualsthe amount of assets due was never declared. You are real in the pressFalse information may directly or indirectly affect Applicants or their familiesadditional members of the quality of life of the various security measures and personnel<br />
as a result of its application. According to the Applicants, the lives of minor children and to protect their safety only in a way that adversely affects the spiritual development of children feasible, and future implications are unpredictable and one-off the appearance of the press also results in the development of an irreversible feeling of fear in the "[…] family" members, regardless of whether their lives, physical integrity, wealth are smaller or larger whether there is a direct or indirect threat.<br />
- According to the Applicants, the purpose indicated by the Applicant (public opinion exercise of the right to freedom of the press) is not real because the the situation paints a false picture of the natural persons behind the '[család] family', it gives the appearance that the whole “[…] family” is wealthy. According to the Applicants, certain with regard to the presentation of the financial situation of individuals (ie not public actors) the processing of their personal data cannot be a legitimate aim, as the public is thereby not properly informed.<br />
- According to the Applicants, if the purpose is to inform the public the Applicant wishes to achieve, it must be obtained from each individual concerned obtain their consent, otherwise calculated by name, company name, unique method disclosure of assets constitutes unauthorized data processing. According to the Applicants the purpose of the data management is not the same as the purpose for which the business register or report handles the personal data of the Applicants and consequently the wider personal The processing of the personal data of the “[…] family” concerning the circle by the Applicant is not purposeful, thus illegal.<br />
- Condition for reference to Article 6 (1) (f) of the General Data Protection Regulation (Also in relation to Data Management 1 and Data Management 2) is that the Applicant as data controller carry out a balancing test and inform the data subject of the result. 
Thein a balancing test, the controller must demonstrate that it has a legitimate interestfor data enforcement to be necessary and proportionate intervention by the data subjectto his private sphere. An interest balance test was not issued by the Applicant to the Applicantsavailable to you.- According to the Applicants, it also applies to Data Management 1 and Data Management 2,that information based on speculation containing false information may not be appropriateaccurate information to the public and that the processing also applies to personsfor whom there is no public interest. The Applicantsinformation on his or her privileged position, whether real or falsedisclosure has a significant impact on the perceptions, relationships,acceptance, and even personal safety, moreover, in the “[…] family” it isMinor children are also included, who have increased protection from general privacyrequired by Article 6 (1) (f) of Regulation No 40/94.- According to the Applicants, even if some of the data is from public databasesderived, the conclusions drawn from it as personal data are not treated even thencreates a legal basis. No additional information was provided by the Applicant. THEAccording to the applicants, there is no treatment of data on their financial situationIn this way, public data cannot be deduced from the company public or the public interestthe assets of an individual other than his shareholding in a company, oryou may also have debts.- According to the Applicants, the Association refers to a “[…] relationship” and a “[…] generation” -also published data on which data could not be derived from the publicfrom records.- According to the Applicants, only General is concerned with regard to Data Management 2Article 6 (1) (a) of the Data Protection Regulation could provide a legal basis for data processing,however, Applicants consent to the processing of their personal datathey did not.<br />
- In the response letter of the Applicant, the state or other information provided to […] as a data processing purpose the use of public funds, their role in success thereby informing the public and, more broadly, the exercise of the right to freedom of the press. The Applicants referred in this connection to Authority [born before the general data protection regulation became applicable] NAIH / 4454/6/2012 / V, which states that public company including the personal data of owners and senior executives - may not be used for purposes other than those provided for in the law on which it is based (currently the Act V of 2006 on Company Proceedings and Liquidation; hereinafter: Ctv.) Records. The Ctv. According to the preamble, these data are exclusively constitutional for entrepreneurs security of trade and the interests of the creditor or otherwise may be used to protect the public interest. According to the Applicants, the Applicant the objectives set by the applicant are incompatible with those objectives and by the Applicant a specific purpose may not provide a legal basis for the rights of the Applicants indicated as a legitimate interest to limit their privacy; in particular, they cannot be used for this data in the business register relating to the financial situation of persons to draw conclusions who are not owners of the company concerned.<br />
- The Applicants have indicated to the Applicant that speculative estimates do not give real result, the data processed do not comply with the principle of accuracy. In view of this, the According to the applicants, Article 17 (1) of the General Data Protection Regulation would have been required under paragraph 1 (c) to immediately delete the untrue or pursuant to Article 5 (1) (d) of the General Data Protection Regulation at least he should have taken all reasonable steps to ensure that delete personal data which are inaccurate for the purposes of data processing without delay, or correct it. 
The Applicants strongly requested the deletion of the data on the basis of the protest,however, in its reply, the Applicant indicated only the name in relation to the namewillingness to rectify personal data.- The Petitioners refer to Constitutional Court Decision IV / 1235/2019. No., constitutional lawdecision rejecting the complaint, in which the Constitutional Court stated that “[it] isstatements of fact, the truth of which cannot be substantiated, the expression of opinionfreedom does not protect ’ .- The obligation of the Applicant as data controller to inform about the present caseprimarily defined in Article 14 of the General Data Protection Regulation, as it is personaldata were not collected from the Applicants by the Applicant. According to the Applicants, aThe applicant has manifestly infringed this obligation to provide information on several occasions,and did not provide them with adequate information. The Applicant is also the Applicantsthe result of a mandatory individual balance of interests following a protestinformed the Applicants, thereby also violating its obligation to provide information.- The Applicants pursuant to Article 18 (1) (a) and (d) of the General Data Protection Regulationasked the Applicant to limit the processing of data, the accuracy of personal dataand protests against data processing. The Applicantsin its opinion, the processing of the data affected by the restriction request to the Applicantshould have been restricted, as further processing is covered by Article 18 of the General Data Protection Regulation.None of the reasons set out in Article 2 (2).- In their opinion, the Applicants cannot be considered as public actors, their activitiesit does not fall within the scope of public interest, such as Article 21 of the General Data Protection Regulationlawfully objected to the processing. Applicants Data Management 1 andThey also exercised their right to object in 2 respects. 
According to the Applicants, theApplicant has not demonstrated compelling legitimate interests which take precedenceenjoy the rights and freedoms of the Applicants and the protestThe Applicants did not provide a mandatory interest balance test afterfor. In the opinion of the Applicants, there are no compelling legitimate reasons<br />
maintained on the Applicant’s site, as the Applicant handles personal only data to create a large readership for yourself on the website, and increase Forbes sales. These cases, according to the Applicants, in no way created by Article 21 (1) of the General Data Protection Regulation exception. According to the applicants, the present case is very similar to that of the Court of Justice of the European Union ('the CJEU') in Case C-131/12. number, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, in which the CJEU ruled that the public it has a strong interest in making the data available if it is in the public domain concerned his role justifies this. According to the Applicants, to the case referred to similarly, in the present case, no such circumstance exists, and despite the data its publication elsewhere was lawful, the data processing of the Applicant is express illegal due to protest.<br />
- Of the Applicants, […] builds export markets, […] is present in more than […] countries. […] Their partner was abducted three times and his wife once. 
According to the Applicantsappearing on such lists also raises the question of the family and the international contextfamily members on the map, search engines pre-position these lists by whicha member of the family is more likely to be a victim, even foreign perpetratorsalso with regard to.- According to the Applicants, Data Management 1 directed the attention of criminal circles to the Applicants.In support of this, the Applicants sent a letter to the Authorityin which the […] security director indicates the […] family in personal protection dutieschanges and provide information on related measures.In view of the above, the Applicants initiated a data protection authority procedureData Management 1 and Data Management 2 and requested that the Authority be generalArticle 5 (1) (a), (b), (d) and (e) of the Data Protection Regulation, Article 6 (1) (f)Article 13 (2) (f) and Article 14 (2) (g), Article 14 (1) andArticle 15 (1) (h) and Article 21 (1)infringement of Article 18 (1) (a) and (d).order the restriction of personal data and then Article 17 (1)pursuant to Article 58 (2) (f) and prohibitApplicant for the processing of personal data.The Applicants requested that the Authority issue the Infotv. Pursuant to Section 61 (1) (a), the generalalso impose a fine under Article 83 (4) of the Data Protection Regulation on the Applicantopposite.The Applicants further requested that the Authority issue a decision on the General Administrative Procedure 2016.year CL. Act (hereinafter: Ákr.) with a temporary measurerestrict the processing of data, prohibit the disclosure of personal data, given that itsin the absence of the Applicants and their minor children (who are also involved, only not in the present proceedingsapplicants) the appearance of Data Management 2 with unavoidable damage, danger, orwould inevitably infringe the rights of the individual.On the basis of the request, Article 57 (1) (f) of the General Data Protection Regulation and Infotv. 
60.§ (1), a data protection authority procedure was initiated.Following the initiation of the procedure, Applicants will receive an email dated January 24, 2020It was sent on 27 January 2020 and sent to the Authority by post on 28 January 2020informed the Authority in their letter of formal notice that the data protection application submitted to the Authorityon the basis of a request for an official procedure in parallel with an ongoing procedure<br />
there is also a civil action in which an interim measure is granted at first instance on […] in its order on the subject, ordered the Applicant to:<br />
- indicate the personal data processed concerning the Applicants,<br />
- the personal data processed concerning the Applicants is expressly provided by the Applicants with your written consent,<br />
- the disclosure of personal data processed concerning Applicants abstain.<br />
The Applicants further informed the Authority that the Applicant had the above has failed to fulfill its obligations and has disclosed both online and on paper Applicants' personal data and includes the Applicants in the list of the richest Hungarians (Data Management 2). On […] […], it established the preliminary enforceability of the order, on the basis of which the order can be enforced independently of the second-instance proceedings. An extract from […] 's order for interim measures [ideiglen] and the […] ordering the applicants for a preliminary ruling on the provisional enforceability of an interim measure sent to the Authority. The Authority dated 28 January 2020 initiating the data protection authority procedure NAIH / 2020/1154/2, and Ákr. With reference to § 63 of the facts invited the Applicant to make a statement in order to clarify The order to the Authority was received on February 3, 2020 based on the returned return receipt. Forbes issued a notice on its website on […]. The Communication states, inter alia: includes: […] The full notice is available at URL […] . Date of receipt of the application by the Applicant dated 6 February 2020, received by the Authority on 12 February 2020 informed the Authority in a letter dated<br />
- Members of the […] family have filed a civil lawsuit against the Applicant. Background to the civil lawsuit, that the defendants applied for interim measures. The temporary […] […], which was registered under number […] under number […]. left in place by order. 
An application for interim measures shall be subject to the condition that:Applicants page within 30 days to file a lawsuit for the alleged infringement on the meritsassessment. […] Ordered the provisional application for interim measures, whichcondition for bringing an action. To the best of the Applicant's legal representative, the actionhas been filed and is under investigation for litigation.- Given that the contents of the Authority's request are subject to legal proceedingsis pending, in the Applicant's view, as a basis for the Authority's requestThe right to information self - determination and theCXII of 2011 on freedom of information. Section 53 (3) of the Information Act (hereinafter: the Information Act)pursuant to paragraph 1 (a). [Infotv. Section 53 (3) (a): The Authority shall make the notificationrefuses, without a substantive examination, if legal proceedings are pending in the case in question, orthe case has previously been the subject of a final court decision.]The Authority did not agree with the position of the Applicant, as Infotv. § 53 of the Ákr.therefore not an administrative procedureapplicable. In view of the above, the Authority issued NAIH / 2020/1154/4 of 13 February 2020<br />
In his order no., he repeatedly invited the Applicant to make a statement. The order to the Authority was received on 19 February 2020 on the basis of the returned return receipt. In an e-mail dated 27 February 2020 but sent on 26 February 2020, a The applicant, through his / her legal representative ([…]), shall provide the requested information. and sent supporting documents to the Authority. In its reply to the Authority, the Applicant stated the following:<br />
- The Applicants, through their legal representative, apply for interim measures presented. By order of […], the interim measure was granted by provided that Applicants may, within 30 days, file an action on […] the merits of the case requesting an assessment. Not until the reply letter is sent to the Applicant to the Authority the action was served, only one order was received in which the action informed the Applicant of his refusal by […] (Order No […]).<br />
- Between the Applicants and the Applicant in connection with the handling of the personal data of the Applicants Due to the ongoing court proceedings, the Applicant is of the opinion that the data protection there is a need to suspend official proceedings. The position of the Applicant is as follows justified: The Acre. Pursuant to Section 48 (1) a), the Authority shall suspend the proceedings, if the decision on the preliminary question falls within the jurisdiction of a court. Given that it is temporary following an order imposing a measure, the Authority shall form the basis of the proceedings civil and non-civil proceedings are pending in connection with data processing, the possibility arises that the Ákr. 
Pursuant to Section 46 (1) (b)there will be a place of refusal or it will be infringed by the adjudication of a question of law which is completely identical in contentjudicial proceedings, since if the Authority pursues the data protection authorityinvestigation, the situation may arise that in a legal issue (Applicants for our personal datatreatment by the Applicant) is decided by two courts, as an aCXXX of 2016 on Civil Procedure. procedure (hereinafter: Pp.),and clients have the option of judicial review of the Authority's decisionto ask. It depends on the court process: either it decides the merits of the action or some sortreason does not make a final decision and the applicant side loses the opportunity to Pp. according toenforcement. This is a preliminary issue that is pending in the ongoing court proceedingsel. In view of all this, the Applicant requested that the Authority suspend the data protectionofficial procedure.- The Forbes press product is primarily a business paper that is, among other things, Hungariancompanies, owners, their business, their developments, the market economyand any relationship with the Statereadership. Applicants are the owners ([…] and […]) and manager of […]officials ([…] and […]).- Forbes was first published in August 2015 (ie not in 2016,as stated by the Applicants) included the “[…] family” in the “Largest Hungarianfamily businesses ’. It was subsequently published in the September 2019 issueowned by the “[család] family” […] of the “Largest Hungarian Family Enterprises 2019”compilation (Data Management 1). In addition, it appeared in the January 2020 issueIt is included in the entry […] of the compilation “Richest Hungarians” […] (Data Management 2).- Compilations are prepared by Forbes journalists based on publicly available company data. THEcalculations based on public data for the company or person concerned at all timessent, giving the opportunity to correct the calculations, other comments. 
THERequested employees proactively contacted and informed in advance theApplicants as well.- The [...] information URL available show that a regular [...] in recent yearsreceived large amounts of state and EU funds totaling several billion forintsgrants.<br />
- The processing of personal data is inseparable from the content published in the Forbes compilations, and therefore cannot be legally assessed separately from it. In the Forbes compilations, company information was provided: what state aid the companies benefited from, what marketing activities they carried out, what expansions they implemented.<br />
- According to the Applicant, the term "[…] family" cannot be considered personal data pursuant to Article 4 (1) of the General Data Protection Regulation.<br />
- The Basic Law of Hungary recognizes both the right to the protection of personal data and the publicity of data of public interest [Article VI (3)], freedom of the press and the diversity of the press [Article IX (2)], and states that Hungary's economy is based on the freedom of establishment [Article M (1)].<br />
- Pursuant to Article 39 (2) of the Basic Law, every organization managing public funds is accountable to the public for its management of public funds. Public funds shall be managed in accordance with the principles of transparency and public purity, and data on public funds and national wealth are data of public interest.<br />
- Article 85 (1) of the General Data Protection Regulation also shows that the Member States must reconcile the right to freedom of expression and information with data protection. The Article 29 Working Party of the European data protection supervisors published its resolution [WP 227] on 26 November 2014, paragraph 2 of which states that data protection rights should be interpreted (also) in the light of the right to freedom of expression. Paragraph 93 of the CJEU's decision of 21 December 2016 in Tele2 Sverige AB [C-203/2015] similarly states: "Thus, both the importance of the right to respect for private life guaranteed by Article 7 of the Charter and that of the right to the protection of personal data guaranteed by Article 8 thereof, as established in the case-law (see, to that effect, Schrems judgment of 6 October 2015, C-362/14, EU:C:2015:650, paragraph 39, and the case-law cited there), must be taken into account in the interpretation of Article 15 (1) of Directive 2002/58. The same is true of freedom of expression, given the particular importance attached to that freedom in any democratic society. This fundamental right, guaranteed by Article 11 of the Charter, is one of the essential foundations of a democratic and pluralistic society, and is one of the values on which the Union is founded under Article 2 TEU (see, to that effect, Schmidberger judgment of 12 June 2003, C-112/00, EU:C:2003:333, paragraph 79; Patriciello judgment of 6 September 2011, C-163/10, EU:C:2011:543, paragraph 31)."<br />
- In the wording of Decision 7/2014. (III. 7.) AB of the Constitutional Court, "[the] freedom of the press, which encompasses the freedom of all types of media, is the institution of freedom of expression. The press, despite the increasingly complex and diversified nature of its activities, is in particular a means of expressing opinion, of forming opinion, and of obtaining information." (Justification [40]). This role of the press is particularly appreciated in the expression of public opinion, since "[social and political debates] are largely due to the fact that public actors and the participants in the public debate, typically through the press, get to know each other's ideas and political performance and, in this context, also criticize each other's personalities. And the constitutional mission of the press is to monitor the exercise of public authority, part of which is the presentation of the activities of persons and institutions involved in shaping public affairs" (Justification [48]).<br />
- According to the Constitutional Court's interpretation, the central role of the media in the formation of democratic public opinion does not lead to "the press' activities not being subject to legal requirements […], but at the time of their creation and application the constitutional mission of the press, the publication of information of public interest, shall not be hindered or impeded" {Decision 3/2015. (II. 2.) AB, Justification [25]}. Decision 28/2014. (IX. 29.) AB states:<br />
"As long as any information does not constitute an abuse of freedom of the press, the protection of human dignity can rarely justify a restriction on the exercise of freedom of the press." (Justification [42]). This interpretation has also been consistently enforced in favor of press freedom in Decisions 16/2016. (X. 20.) and 17/2016. (X. 20.) AB.<br />
- Pursuant to Article 6 (1) (f) of the General Data Protection Regulation, the processing of personal data is lawful if the processing is necessary to safeguard the legitimate interests of the controller or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.<br />
- Given that Hungary is a market economy, the task of the press cannot be interpreted so narrowly that no publicity at any level is possible about the operation of private companies owned by private individuals or about their ownership background. Of course, this activity also has its limitations: protection of trade secrets, protection of human dignity, etc., while business journalism is a legitimate activity. The Applicant does not process or disclose any personal data which would constitute a disproportionate invasion of privacy. The (minimum) personal data processed and disclosed by the Applicant is closely related to the business activity. The Applicant essentially processes information about the ownership background of the company (name). Estimates of the extent of wealth are based solely on public data related to business activity, and therefore the compilation does not cover real estate or private property (e.g. wealth from inheritance or marriage, lottery winnings). Similarly, the Applicant does not process or disclose data grossly disruptive to private life. (For example, it would be obviously illegal to make a compilation that would predict changes in the course of business based on contractors' health data.)<br />
- Section 10 (1) of the Smtv. also states: "Everyone has the right to be properly informed about local, national and European public affairs, as well as about events of importance to the citizens of Hungary and the members of the Hungarian nation. It is the responsibility of the media system as a whole to provide credible, prompt and accurate information on these matters and events."<br />
- Section 10 of the Ctv. prescribes the publicity of company data in the public interest. Company data, and the personal data within it, are therefore public not merely for the security of commercial transactions. (The preamble of the Ctv. refers to the protection of the public interest.) Pursuant to Section 10 (2) of the Ctv., company data are fully public.<br />
- The task of business journalism analyzing the market economy is to explore the nodes of the economy, its internal relations, ownership circles, networks and state involvement. According to the Applicant, this is exactly what the page issued by the Applicant did with respect to the company owned or controlled by the Applicants. According to the Applicant, an interpretation of the provisions of the Ctv. on public disclosure in accordance with the Basic Law requires that the right of the press to be informed about the operation of the economy also be included in the public interest justifying the publicity. According to the Applicant, the opposite interpretation would result in information on the owners and leading officials of companies being provided only with the consent of the data subject, and this would make the "watchdog" role of the press impossible, a role which cannot be narrowed down to the control of state public power.<br />
- According to the Applicant's legal position, information on the Applicants' assets and their connection to the Applicants constitutes, under Section 3, Clause 6 of the Infotv., personal data public in the public interest, the disclosure, knowledge or making available of which is required by law in the public interest. The names of the Applicants and of the company they own, and its value, are central data found in public, publicly available records that are accessible to anyone.<br />
- Pursuant to Section 26 (2) of the Infotv., personal data public in the public interest may be processed in accordance with the principle of purpose-based data management. The Applicant processes the data of the Applicants in order to exercise its rights arising from the freedom of the press and to implement the information activities of the press in a democratic society. The Applicant records each calendar year, based on publicly available databases, the richest natural persons and families in Hungary. The aim is to make Hungarian society aware of who has the greatest economic influence; economic influence is in itself a significant public role given to some individuals, often associated with other social and political influence. Introducing such a concentration of power to society and recording its changes from year to year is information in the public interest. The Requested's aim is also to inform the Hungarian business community about the owners behind the largest Hungarian-owned companies, thus contributing to business transparency and traceability. The Applicant also considers it its responsibility to strengthen the Hungarian entrepreneurial culture by reporting on the activities of successful Hungarian entrepreneurs; the compilation of the annual rich list also serves this purpose in part.<br />
- According to the Applicant, its activity is in the public interest. Economic journalism is a legitimate activity in the public interest, and in its context the collection and archiving, according to a regular methodology based on reliable public data, of the persons who are the richest and at the same time have the greatest (or in any case much greater than average) social influence is in the public interest. The Applicant compiled the list of the wealthiest people based only on publicly available databases. These registers (the real estate register, the company database created on the basis of court registration data and companies' own public disclosures) and the wide range of personal data they contain are public so that economic life is transparent and accessible to citizens. Journalism adds value to the public databases by helping lay citizens interpret and summarize the otherwise huge amount of publicly available information. The fact that […] is owned or controlled by the Applicants in itself justifies that the identity of the owner standing behind the investment is known to the citizens (the readership).<br />
- On 16 August 2019, the journalist employed by the Applicant contacted the businesses that can be linked to the Applicants in connection with Data Management 1. A description of the methodology used to prepare the compilation was attached to the letter, indicating the source of the data used (publicly available company data). An Excel spreadsheet containing the calculation based on the data of […] was sent as an e-mail attachment. In response to the Applicants' legal representative, the Applicant sent a reply letter containing its legal position on 12 September 2019, in which it provided information on the scope of the processed data and also named the data management staff.<br />
- On 14 November 2019, the Applicant's journalist again contacted […] in connection with Data Management 2. Once again, the methodology description and an Excel spreadsheet showing business data were attached to the request. On 20 November 2019, the Applicant's employee sent a response letter presenting the Applicant's legal position to the Applicants' legal representative.<br />
In addition to the information provided to the Authority, the Applicant requested under Section 33 (1) and (4) that the Authority send the Applicants' submission and its annexes electronically, given that the Applicant intends to submit further comments in the knowledge of the submission.<br />
In its order NAIH/2020/1154/6 of 16 March 2020, the Authority granted the request for access to the file in a limited manner, without sending any unknown documents,<br />
and sent to the Applicant, by post and electronically, the Applicants' request for a data protection authority procedure and its annex, the supplement to the application and its annexes (except the changes introduced by the Security Director of […] to the personal protection tasks concerning the […] family and information on related measures), and the letter sent to the Authority on 24 January 2020 and its annexes.<br />
By e-mail sent on 23 March 2020 and by letter received by the Authority on 26 March 2020, the Applicant made the following additional comments:<br />
- Judging the falseness or reality of a fact is not a data protection issue; it may be judged on the basis of the rules on the protection of privacy in the Civil Code or the Smtv., or in a press correction procedure. The Applicants did not initiate such proceedings. In this context, according to the Applicant, it is clearly impossible for minors who lack the capacity to act to be actors in a business.<br />
- The Applicants complain that they have not been informed of their rights and remedies. The reply letter indeed does not include the relevant provisions of the Infotv. and the General Data Protection Regulation, but on the one hand the data management information was also available on the forbes.hu website at that time, and on the other hand the Applicants turned to the Applicant through their legal representative, and the legal representative was obliged under Act LXXVIII of 2017 on Lawyers (hereinafter: the Act) to inform the Applicants of their enforceable rights and how to enforce them. The letters of invitation specifically indicate that enforcement proceedings will be initiated by the Applicants. The legal representative may not make such a summons without giving its principals information on enforcement.<br />
- According to the Applicant's position, the Applicants' statement that the logic of the Forbes journalists analyzing the data cannot be established is misleading. A methodological letter on the data analysis method was sent as an annex to the reply letters. The Applicant notes in this regard that it is the journalist's sovereign right to draw conclusions after the analysis of raw data. The Applicants were assured that they could make comments in case of inaccuracy of the personal data, and the Applicant's staff member also explicitly requested feedback on the calculations.<br />
- In the Applicant's view, the other information deficiencies listed by the Applicants have not been substantiated, and the documents previously sent to the Authority certify that the Applicants have been duly informed.<br />
- Regarding the resolution of the Data Protection Commissioner referred to by the Applicants ["in itself the fact that someone is wealthy does not mean that he is also a public figure"], the Applicant points out that the present proceedings are based on the General Data Protection Regulation, Article 6 (1) (f) of which requires a balance of interests to be established. As the Applicant stated in a reply sent previously to the Authority, what argues for publicity is that the personal data has been processed in connection with the use of public funds. According to the Applicant, the publicity is not justified by the fact of wealth, but by the fact that the state has been supporting the Applicants' business with billions of forints for years.<br />
- The Applicant refuses to accept that the professional work referred to by the Applicants is homophobic, and rejects the juxtaposition with government discrediting propaganda lists. In the Requested's view, the argument about its tastelessness is also erroneous because the lists referred to process special personal data for discrediting purposes. The Applicant has never processed any special personal data about the Applicants, and the Forbes publications were published with no discrediting purpose.<br />
- In connection with case-law decision BDT2017.3693 relied on by the Applicants, the Requested notes that the factual basis of the judgment was a violation of the right to one's image under the Civil Code. However, in the Applicant's view, one paragraph of the decision is to be highlighted. According to it, "[t]he applicant's identity has come to the forefront in a matter of public interest; however, he may be considered a public figure not in the context of public authority but in the context of economic power; his reputation is narrower, and his media appearances are not considered common. Although, based on the AB decisions referred to in that regard, he has a greater tolerance obligation, his tolerance obligation is not the same as that of a person of political or public authority. He is not such a public figure that he should endure the publication of litigation photographs without consent for no thorough reason." According to the Applicant, this shows that persons with economic power also have an increased obligation of tolerance.<br />
- The subject of the data processing and of the public communications based on it is not the Applicants but the company owned and controlled by them and the financial support it received from the state; neither the data processed nor the objected-to communications have anything to do with family and private life.<br />
- The Applicants also justify the merits of their complaint by a serious threat to the rights of minor children. In this regard, the Applicant notes that it can be established from the attached documents that the Applicant does not process any information about a minor and that no minor, including through a legal representative, has approached the Applicant.<br />
- The Applicants claim that the September 2019 compilation directed the attention of criminal circles to the family, which puts them at constant safety risk. According to the Applicant, it was not substantiated in what way the criminal circles' attention was directed to the family, or what the causal relationship is between the publication of the Forbes list and the actions of criminals. In the Applicant's view, the relationship is speculative and unjustifiable, even if, unfortunately, behavior conflicting with Act C of 2012 on the Criminal Code (hereinafter: the Criminal Code) has recently taken place to the detriment of the Applicants.<br />
- According to the Applicant, the Applicants' reference to CJEU decision C-131/12 is misleading because that case expressly concerned out-of-date information ("right to be forgotten"). Paragraphs 70 and 81 of the judgment also require a balancing of interests. According to the Applicant, the published information consists of timely communications from the press body, and therefore the Applicants' reference is misleading.<br />
- With regard to purpose limitation, the Applicant emphasizes that the purpose of the data processing is carrying out journalistic work and informing the public on matters of public interest.<br />
- The Applicant informed the Applicants about the result of the balancing of interests; in the Applicant's view, its aspects and results are clearly distinguishable from the reply letters.<br />
- It is clear from the methodological information sent to the Applicants, from the introduction to the lists and from the records of the Applicants that, in the Applicant's view, only economic data related to the company was used.<br />
- According to the Applicant, there is no automatic deletion obligation in case of inaccuracy of the data [mainly not under Article 17 (1) (c) of the General Data Protection Regulation, which the Applicants did not refer to]. The Applicant further notes that the Applicants did not avail themselves of the right of rectification under Article 16 of the General Data Protection Regulation, even though they had the opportunity to do so.<br />
In their letter sent to the Authority by e-mail only on 24 April 2020, the Applicants reiterated their previous submissions and informed the Authority of the following:<br />
- The […] Police Headquarters is paying close attention to the surroundings of […]'s property, as, according to the announcement of the Security Director of […], a well-known criminal living in Keszthely but of Moldavian origin appeared in the family's living environment, of whom a video was also recorded.<br />
- As a result of the events at issue in the present case and the conduct of the publisher of Forbes, the owners of […] transferred by a gift contract, due to […], a part of their business that had existed for 16 years and represented a significant value.<br />
- The Applicants withdraw their application with respect to the disclosure implemented in Data Management 2.<br />
- The Applicants maintain their previously submitted applications in respect of Data Management 1, i.e. for the data management operations in September 2019 and earlier.<br />
The Applicants thus, as a whole, with respect to Data Management 1 and Data Management 2 (with the exception of the disclosure mentioned above), have maintained their request for the establishment of unlawful data processing by the Applicant with regard to Article 5 (1) (a), (b) and (e), Article 6 (1) (f), Article 13, Article 14 (1) and (2), and Article 21 (1) of the General Data Protection Regulation. The Applicants requested that the Authority limit the applications submitted to this circle.<br />
II. Applicable legal provisions<br />
Pursuant to Article 2 (1) of the General Data Protection Regulation, the General Data Protection Regulation shall apply to the processing of personal data wholly or partly by automated means, and to the non-automated processing of personal data which form part of a registration system or are intended to form part of a registration system.<br />
For data processing falling within the scope of the General Data Protection Regulation, pursuant to Section 2 (2) of the Infotv., the General Data Protection Regulation shall apply with the additions set out in the provisions indicated therein.<br />
According to Article 4 (1) of the General Data Protection Regulation, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.<br />
According to Article 4 (2) of the General Data Protection Regulation, "processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.<br />
According to Article 4 (4) of the General Data Protection Regulation, "profiling" means any form of automated processing of personal data in which personal data are used to evaluate certain personal aspects of a natural person,<br />
in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.<br />
According to Article 4 (6) of the General Data Protection Regulation, "registration system" means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.<br />
According to Article 4 (7) of the General Data Protection Regulation, "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.<br />
Pursuant to Article 5 (1) (a) of the General Data Protection Regulation, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency").<br />
Pursuant to Article 5 (1) (b) of the General Data Protection Regulation, personal data may only be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes ("purpose limitation").<br />
Pursuant to Article 5 (1) (c) of the General Data Protection Regulation, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes of the processing ("data minimisation").<br />
Pursuant to Article 5 (1) (d) of the General Data Protection Regulation, personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy").<br />
Pursuant to Article 5 (1) (e) of the General Data Protection Regulation, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1), subject to the implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation").<br />
Pursuant to Article 5 (2) of the General Data Protection Regulation, the controller shall be responsible for, and be able to demonstrate, compliance with the above ("accountability").<br />
Pursuant to Article 6 (1) of the General Data Protection Regulation, personal data may be lawfully processed only if and to the extent that at least one of the following applies:<br />
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;<br />
(b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;<br />
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;<br />
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;<br />
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;<br />
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.<br />
According to recital 47 of the General Data Protection Regulation, in any case it must be carefully examined, inter alia, whether the data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place. The interests and fundamental rights of the data subject may override the interests of the controller where personal data are processed in circumstances in which data subjects do not expect further processing. [...] The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.<br />
The obligations of controllers related to measures for the exercise of data subjects' rights are set out in Article 12 of the General Data Protection Regulation.<br />
Pursuant to Article 12 (1) of the General Data Protection Regulation, the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and Article 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.<br />
Pursuant to Article 12 (2) of the General Data Protection Regulation, the controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11 (2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.<br />
Pursuant to Article 12 (3) of the General Data Protection Regulation, the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.<br />
Pursuant to Article 12 (4) of the General Data Protection Regulation, if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.<br />
Pursuant to Article 12 (5) of the General Data Protection Regulation, the information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and Article 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.<br />
Article 14 of the General Data Protection Regulation sets out the minimum circumstances of the data processing about which, and the manner in which, the controller shall inform data subjects if the personal data were not obtained from the data subject. According to it:<br />
[Article 14 (1)]: Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:<br />
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;<br />
(b) the contact details of the data protection officer, where applicable;<br />
(c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;<br />
(d) the categories of personal data concerned;<br />
(e) the recipients or categories of recipients of the personal data, if any;<br />
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.<br />
[Article 14 (2)]: In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:<br />
(a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;<br />
(b) where the processing is based on Article 6 (1) (f), the legitimate interests pursued by the controller or by a third party;<br />
(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, to object to processing, and the right to data portability;<br />
(d) where processing is based on Article 6 (1) (a) or Article 9 (2) (a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;<br />
(e) the right to lodge a complaint with a supervisory authority;<br />
(f) the source from which the personal data originate and, if applicable, whether they came from publicly accessible sources; and<br />
(g) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.<br />
[Article 14 (3)]: The controller shall provide the information referred to in paragraphs 1 and 2:<br />
(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;<br />
(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or<br />
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.<br />
[Article 14 (4)]: Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information as referred to in paragraph 2.<br />
[Article 14(5)] Paragraphs 1 to 4 shall not apply where and insofar as:<br />
(a) the data subject already has the information;<br />
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or insofar as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;<br />
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or<br />
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.<br />
Pursuant to Article 15(1) of the General Data Protection Regulation, the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:<br />
(a) the purposes of the processing;<br />
(b) the categories of personal data concerned;<br />
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;<br />
(d) where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;<br />
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;<br />
(f) the right to lodge a complaint with a supervisory authority;<br />
(g) where the personal data are not collected from the data subject, any available information as to their source;<br />
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.<br />
Pursuant to Article 16 of the General Data Protection Regulation, the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.<br />
Pursuant to Article 17(1) of the General Data Protection Regulation, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:<br />
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;<br />
(b) the data subject withdraws the consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2), and there is no other legal ground for the processing;<br />
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);<br />
(d) the personal data have been unlawfully processed;<br />
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;<br />
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).<br />
Pursuant to Article 17(2) of the General Data Protection Regulation, where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.<br />
Pursuant to Article 17(3) of the General Data Protection Regulation, paragraphs 1 and 2 shall not apply to the extent that processing is necessary:<br />
(a) for exercising the right of freedom of expression and information;<br />
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;<br />
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);<br />
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or<br />
(e) for the establishment, exercise or defence of legal claims.<br />
Pursuant to Article 18(1) of the General Data Protection Regulation, the data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:<br />
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;<br />
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;<br />
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or<br />
(d) the data subject has objected to processing pursuant to Article 21(1), pending the verification whether the legitimate grounds of the controller override those of the data subject.<br />
Pursuant to Article 18(2) of the General Data Protection Regulation, where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.<br />
According to recital 67 of the General Data Protection Regulation, methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.<br />
Pursuant to Article 21(1) of the General Data Protection Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.<br />
Pursuant to Article 21(2) of the General Data Protection Regulation, where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.<br />
Pursuant to Article 21(3) of the General Data Protection Regulation, where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.<br />
Pursuant to Article 21(4) of the General Data Protection Regulation, at the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.<br />
Pursuant to Article 77(1) of the General Data Protection Regulation, without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.<br />
Pursuant to Section 38(2) of the Infotv., the task of the Authority is to supervise and promote the enforcement of the right to the protection of personal data and of the right of access to data of public interest and data public on grounds of public interest, and to facilitate the free flow of personal data within the European Union. The tasks and powers of the Authority are set out in detail in Article 57(1) and Article 58(1) to (3) of the General Data Protection Regulation and in Section 38(2) to (4) of the Infotv.<br />
Pursuant to Section 60(1) and (2) of the Infotv., in order to enforce the right to the protection of personal data, the Authority shall initiate data protection authority proceedings at the request of the data subject, and may initiate such proceedings ex officio. A request for data protection authority proceedings may be submitted in the cases specified in Article 77(1) of the General Data Protection Regulation and Section 22(b) of the Infotv. Unless the General Data Protection Regulation provides otherwise, the provisions of the Ákr. apply to data protection authority proceedings initiated on request, with the derogations laid down in the Infotv.<br />
Pursuant to Section 61(1)(a) of the Infotv., in its decision taken in data protection authority proceedings the Authority may apply, in connection with the processing operations specified in Section 2(2) of the Infotv., the legal consequences laid down in Article 58(2) of the General Data Protection Regulation. Accordingly, each supervisory authority, acting within its corrective powers, may:<br />
(a) issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;<br />
(b) issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;<br />
(c) order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;<br />
(d) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;<br />
(e) order the controller to communicate a personal data breach to the data subject;<br />
(f) impose a temporary or definitive limitation, including a ban, on processing;<br />
(g) order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18, and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;<br />
(h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body not to issue certification if the requirements for the certification are not or are no longer met;<br />
(i) impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case; and<br />
(j) order the suspension of data flows to a recipient in a third country or to an international organisation.<br />
Pursuant to Article 83(1) of the General Data Protection Regulation, each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 is in each individual case effective, proportionate and dissuasive.<br />
Pursuant to Article 83(2) of the General Data Protection Regulation, administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:<br />
(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;<br />
(b) the intentional or negligent character of the infringement;<br />
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;<br />
(d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;<br />
(e) any relevant previous infringements by the controller or processor;<br />
(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;<br />
(g) the categories of personal data affected by the infringement;<br />
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;<br />
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;<br />
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and<br />
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.<br />
Pursuant to Article 83(5) of the General Data Protection Regulation, infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:<br />
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;<br />
(b) the data subjects' rights pursuant to Articles 12 to 22.<br />
Pursuant to Article 83(7) of the General Data Protection Regulation, without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.<br />
Pursuant to Section 61(1)(bg) of the Infotv., in its decision taken in data protection authority proceedings the Authority may impose a fine.<br />
Pursuant to Section 75/A of the Infotv., the Authority shall exercise its powers under Article 83(2) to (6) of the General Data Protection Regulation in accordance with the principle of proportionality; in particular, in the event of a first infringement of the rules on the processing of personal data laid down in an Act or in a binding legal act of the European Union, it shall primarily act by way of the measures provided for in Article 58 of the General Data Protection Regulation, in particular by warning the controller or processor.<br />
Pursuant to Section 17 of the Ákr., the authority shall examine its competence and jurisdiction ex officio at every stage of the proceedings. If it finds that it lacks either of them and the competent authority can be established beyond doubt, it shall transfer the case; failing that, it shall reject the application or terminate the proceedings.<br />
Pursuant to Section 47(1)(a) of the Ákr., the authority shall terminate the proceedings if the application should have been rejected, but the ground for rejection came to the authority's attention only after the proceedings had been initiated.<br />
Pursuant to Article VI(1) of the Basic Law, everyone has the right to have his or her private and family life, home, communications and reputation respected. The exercise of the right to freedom of expression and assembly must not impair the private and family life and home of others.<br />
Pursuant to Sections 1 to 2 of Act LIII of 2018 on the Protection of Private Life (hereinafter: Mvtv.), everyone has the right to respect for his or her private and family life, home and communications (hereinafter collectively: the right to privacy). The right to privacy is part of the right to the free development of personality, under which the individual is free to shape his or her life, family, home and human relationships responsibly and independently, and to establish and maintain them. […] This right may be restricted only in order to exercise another fundamental right or to protect a constitutional value, to the extent strictly necessary, proportionately to the aim pursued, and with respect for the essential content of the right to privacy and for human dignity. The essence of the right to privacy is that, with the exceptions laid down in a separate Act, it may not be interfered with by others against the will of the individual. Everyone must respect the rights of others when exercising his or her right to privacy.<br />
28The Mvtv. Pursuant to Section 8, Paragraphs (1) - (2), the purpose of the right to respect for private life,in particular the right to anonymity, personal data, privacy, images and sound recordings,protection of honor and reputation. Violation of the right to privacymay mean personal data which an individual wishes to retain, in particular in relation to his or her privacy,abuse of secrecy, image, sound recording, or breach of honor and reputation.The Mvtv. Pursuant to Section 9, Paragraphs (1) - (3), everyone has the right to have his or her family life asprivacy, increased protection. The right to respect for family life isthe individual and his or her family member are entitled to it together. Infringement of the right to respect for family lifemeans, in particular, the unauthorized violation or disturbance of the family life of others or the family life of othersunauthorized interference with his or her life.Article VI of the Basic Law Everyone has the right to the protection of personal data pursuant to Articleand to learn about and disseminate data of public interest.Infotv. Pursuant to Section 1, the purpose of this Act is to process data in the areas covered by itlaying down basic rules for the protection of natural personsprivacy of data controllers and the transparency of public affairs in the public interest.and enforcing the right to access and disseminate public data in the public interestcome true.Infotv. Pursuant to Section 3 (6), public data in the public interest does not fall within the definition of data of public interestany information relating to the disclosure, disclosure or disclosure of whichdisclosure is required by law in the public interest.Infotv. Pursuant to Section 26 (2), public personal data in the public interest is purposefulin accordance with the principle of data management.The Ctv. The preamble states that the Ctv. 
aims to create a modern legal framework for theIn accordance with the regulations of the European Union.the order of registration and the constitutional rights of entrepreneurs in the economicto ensure the safety of traffic and to protect the interests of creditors or other public interestsfull disclosure of the data of the public register of companies, directly or electronically.The Ctv. Pursuant to Section 10 (1), the company register is from the company register as well as in the company registerconsists of annexes to certify the information contained in the Annex and other documents to whichsubmission of the company - in the public interest, or traffic safety, as well as the interests of creditors(hereinafter collectively referred to as company documents).The Ctv. Pursuant to Section 10 (2), the existing or deleted data of the company register, as well as the company documents -including company documents submitted electronically or converted into electronic documents,are fully public. Tax registration procedure under the Taxation Actwill also be fully public after the successful completion of the submitted, but not yet completedalso reviewed the application for registration and its annexes by stating that the application for registration (change registration)the business register must indicate the existence of an assessment. The legality of supervisionprocedure documents are public in accordance with the provisions of this Act.The Ctv. 
Pursuant to Section 24 (1) (b), (f) and (h), the register of companies is for all companiescontains the name of the company, its subscribed capital, its executive officer and the person authorized to represent the companyname, tax identification number, in the case of a natural person, place of residence, date of birth, motherbirth name,, in the case of a legal person, registered office and company registration number or registration number,as well as the position of the persons entitled to representation, the date of the establishment of this legal relationshipin the case of temporary representation, the date of termination of the legal relationship or if the legal relationshiptermination takes place earlier than the date indicated in the register of companies, the termination is effectiveand the fact that the company representative is notarized<br />
Page 29<br />
29a copy of the title or a specimen signature countersigned by a lawyer or bar counsel for submissioncost.The Ctv. Pursuant to Section 27 (3) a) and e), the register of companies is based on Articles 24-26. §in addition, in the case of a limited liability companya) the names of the members, in the case of a natural person, their place of residence, date of birth, birth name of their mother,in the case of a legal person, its registered office and its registration or registration number, andif the member's voting rights exceed 50 percent, or the memberhas a qualified majority influence, this fact as welle) in the case of a jointly owned share, the names of the owners, in the case of a natural personplace of residence, date of birth, mother 's birth name, in the case of a legal person, registered office, andcompany registration number or registration number.Act CVI of 2007 on State Property. Section 5 (1) - (2) of the Property Act (hereinafter: Property Act)public interest in and management of all public propertyavailable non-public interest data. State-owned enterpriseor a body or person in possession thereof is the Public Data Disclosure Actshall be deemed to be a body or person performing a public task in accordance withInfotv. Pursuant to Section 27 (3), it does not qualify as a business secret in the public interestcentral and local government budgets and EU supportbudget allowance, discount, state and municipalmanagement, possession, use, recovery of property,information relating to its encumbrance, the acquisition of any right affecting such property,as well as data the disclosure or disclosure of which is the subject of a separate lawin the public interest. 
However, disclosure should not result in such data- so especially protected knowledge - access to which are familiar with the businesswould cause disproportionate damage to the pursuit of the activity, provided that it does not impede itaccess to public data in the public interest.Article IX of the Basic Law Under Article 1 (1), (2) and (4), everyone has the right to:freedom of expression. Hungary recognizes and protects freedom of the press anddiversity, ensures the free movement necessary for the development of democratic public opinionconditions for information. The exercise of freedom of expression must not be directed at othersviolation of human dignity.Pursuant to Article 85 (1) of the General Data Protection Regulation, Member States shall legislatereconcile the right to the protection of personal data under this Regulation withthe right to freedom of expression and information, including personal datafor journalistic, scientific, artistic or literary purposes.Pursuant to Article 85 (2) of the General Data Protection Regulation, personal data are journalisticscientific, artistic or literary expressionMember States shall provide for exceptions or derogations from Annex II. Chapter III (Principles), Chapter III Chapterrights concerned), Annex IV Chapter V (the controller and the processor), Chapter V (personal datato third countries or international organizations), Chapter(independent supervisory authorities), Annex VII. 
Chapter IX (Cooperation and Coherence) and Chapter IX Chapterspecial cases of data processing) if these exceptions or derogations are necessary in order to:the right to the protection of personal data can be reconciled with the expression of opinionfreedom of expression and the right to information.According to recital 65 of the General Data Protection Regulation […], personal dataits further retention is considered lawful if it is an expression of opinion and informationthe exercise of the right to liberty, the fulfillment of a legal obligation, respectivelythe performance of a task carried out in the public interest or the public authority conferred on the controller<br />
Page 30<br />
or in the public interest in the field of public health, archiving in the public interest, for scientific and historical research or statistical purposes, or for legal purposes necessary to submit, validate or defend.<br />
According to recital 153 of the General Data Protection Regulation, [the] law of the Member States must reconcile the rules on freedom of expression and information, including journalism and freedom of scientific, artistic and literary expression, with the right to the protection of personal data under this Regulation. It is appropriate that the processing of personal data solely for journalistic, scientific, artistic or literary expression be exempted or derogated from certain provisions of this Regulation if this is necessary to reconcile the protection of personal data with the right to freedom of expression and information, provided for in Article 11 of the Charter. This applies in particular to the processing of personal data in the audiovisual field, in news archives and in press libraries. Consequently, Member States should adopt legislative measures determining the scope of the exceptions and derogations necessary to strike a balance between these fundamental rights. Member States' exceptions and derogations shall be adopted in accordance with the general principles, the rights of the data subject, the controller and the processor, the transfer of personal data to third countries or international organizations, the independent supervisory authorities, cooperation and consistency, and specific data processing situations. If these exceptions differ between Member States, the law of the Member State applicable to the controller should apply. In order to take account of the importance of the right to freedom of expression in all democratic societies, notions relating to that freedom, like journalism, must be interpreted broadly.<br />
Pursuant to Section 4 (3) of the Smtv., the exercise of freedom of the press may not constitute a criminal offense or incitement to commit a criminal offense, shall not be contrary to public morality, and must not infringe the privacy rights of others.<br />
Under Section 10 of the Smtv., everyone has the right to be properly informed about local, national and European public affairs, as well as about events of major importance to citizens of Hungary and members of the Hungarian nation. The task of the media system as a whole is to provide authentic, fast and accurate information on these matters and events.<br />
Pursuant to Section 13 of the Smtv., linear media services performing information activities are obliged to inform, in a balanced way, in the information and news programs they publish, on local, national and European events of public interest and on controversial issues of importance to citizens of Hungary and members of the Hungarian nation. The detailed rules of this obligation are laid down by law, in accordance with the requirements of proportionality and democratic public opinion.<br />
Section 2:44 (1) - (3) of the Ptk., on the protection of the right to privacy of a public figure, provides that the exercise of fundamental rights to ensure the free debate of public affairs may restrict the privacy of a public figure to the extent necessary and proportionate, without prejudice to human dignity; however, it must not harm the private and family life or the home of the public figure. Against a communication or conduct outside the scope of free debate in public matters, the public figure enjoys the same protection as a non-public actor. Activity or data related to the private or family life of a public actor is not a public matter.<br />
Article 8 of the European Convention on Human Rights states that everyone has the right to respect for private and family life, home and correspondence. A public authority may interfere with the exercise of this right only in cases provided by law and necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.<br />
Under Article 10 (1) of the European Convention on Human Rights, everyone has the right to freedom of expression. This right includes freedom to hold opinions and freedom to receive and impart information and ideas without interference by public authority and regardless of frontiers.<br />
III. Decision of the Authority<br />
III.1. The identity of the controller<br />
Under the General Data Protection Regulation, any information on the basis of which a natural person is directly or indirectly identifiable is personal data; any operation performed on the data is processing; and a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the data processing is considered a data controller.<br />
With regard to the data processing examined, the full name, surname and economic situation of the Applicants are personal data pursuant to Article 4 (1) of the General Data Protection Regulation, and the publisher of a press product that collects, processes, lists and publishes data is a data controller under Article 4 (7) of the General Data Protection Regulation, since, with regard to the (re)use of personal data published in online or printed content and publications, the purposes of the processing and of the publication are determined by the publisher of the press product.<br />
Data Management 1 and Data Management 2 fall within the scope of the General Data Protection Regulation pursuant to Article 2 (1) thereof and, consequently, the rules of the General Data Protection Regulation apply.<br />
Pursuant to the above, the Applicant, as the publisher of Forbes in Hungary, is considered a data controller in respect of the objected data processing.<br />
III.2. The identity of the Applicants<br />
The lack of a public role of the Applicants was also repeatedly invoked by the Applicants in the proceedings, in their statements and in their correspondence with the Applicant.<br />
In its Decision 3145/2018 (V. 7.), the Constitutional Court emphasized that the range of public actors had expanded through the change in social conditions, especially the spread of telecommunications, so that people who were not previously included in the conceptual scope of public actors have the opportunity to become active participants in public debates. These persons are the so-called exceptional public actors. {3145/2018 (V. 7.) AB Decision, Justification [46]}<br />
Freedom of expression is primarily concerned with opinions criticizing public authorities, but in the interpretation of the Constitutional Court the range of public issues is wider than political speech and criticism of the activities of persons exercising public power. Accordingly, the public debate is not limited to the operation of the state, of local government and of the system of public authorities, but also encompasses public issues arising in the world of corporate social responsibility and business (e.g. environmental, energy efficiency, labor or road safety issues). {3145/2018 (V. 7.) AB Decision, Justification [31] - [32]}<br />
According to the decision of the Constitutional Court, in deciding the quality of a public figure, the following aspects are relevant:<br />
- whether the public statement expressing the opinion reflects a position taken in a debate of public interest,<br />
- whether the public communication involves a public performance,<br />
- whether the communication to the public involves a statement of fact or a value judgment,<br />
- whether the communication to the public infringes the human dignity or reputation (honor) of the person concerned.<br />
Public actor quality is the fact of public involvement that goes hand in hand with the discussion of public life issues, which, according to the AB, must always be assessed individually on the basis of the specified criteria: the manner and circumstances of the communication and the subject and context of the opinion (e.g. the type of medium, the subject of the communication, its content, style, purpose, topicality, and the reactions to it).<br />
The broader exercise of freedom of expression can be justified in cases in which the participants have, at their own discretion, become more active actors in public affairs than others, thereby also undertaking the public assessments and criticisms of the community concerned. Statements in public affairs which affect or characterize them and which attack them must therefore be tolerated with greater patience. {3145/2018 (V. 7.) AB Decision, Justification [48]}<br />
The Applicants emphasized that they had always wanted to separate their private lives from market life, and that although the establishment of a business is voluntary, this does not in itself mean that business owners and senior executives become public actors, and that someone being rich is not necessarily a sufficient condition for restricting privacy; rather, it is only one component of influence.<br />
However, in the case of the Applicants, the fact is that […] has, within a few years, partly from state subsidies and from state or other public resources, become a market leader in several countries. The Applicants had to count on the fact that, as a successful, high-wealth company, they would also become active shapers of the business world as a segment of public life, undertaking the accompanying evaluations and criticisms, which they thus have to endure with greater patience.<br />
In connection with the present case, it can also be stated that one of the content elements of the examined communications, the Applicants' name and managing position and ownership position, shall be considered public data in the public interest, due to the following:<br />
- Pursuant to Section 10 (2) of the Ctv., the existing or deleted data of the register of companies are public in full. Thus, the data contained in company files, including personal data which the data subjects, in accordance with the purpose of the register of companies, provided with a view to disclosure during registration, are accessible to anyone. Existing or deleted data in the register of companies, as well as personal data contained in company records, are public data in the public interest which are personal data and also public data in the public interest.<br />
- The mandatory content of the register of companies is provided for in Section 24 (1) of the Ctv. and, for limited liability companies such as […], in Section 27 (3) of the Ctv. The referenced legislation stipulates that the register of companies contains, for all companies, inter alia, the name of the company's senior executive or of the person authorized to represent the company, the position of the persons entitled to represent it and, in the case of a limited liability company, among other things, the names of the members or, in the case of a jointly owned share, of the owners.<br />
- The publicity of the data included in the register of companies is regulated by the Ctv. according to the purposes set out in its preamble, and the legislator considered that this interest outweighed the interests of the data subjects.<br />
It should also be noted that the information provided in the publications on […] can, on the one hand, be found in […]'s own accounts and website, and, on the other hand, that […] has implemented and is implementing various expansions and capacity enhancements from public funds,<br />
which constitute public data in the public interest pursuant to Section 5 (1) - (2) of the Property Act and Section 27 (3) of the Infotv.<br />
III.3. Legality of data processing<br />
The subject matter of the present case is not the data protection analysis of economic journalism in general, and although, given the nature and circumstances of the case, the Authority also makes general findings, it emphasizes that in the present procedure it examined data processing linked to specific publications ("products") issued by the Applicant.<br />
Under the provisions of the General Data Protection Regulation, a number of requirements must be met for data processing to be lawful.<br />
Article 5 of the General Data Protection Regulation contains the main principles that must be taken into account in the processing of personal data and which must be observed at all times during the processing. Such principles include lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy and storage limitation [Article 5 (1) (a) to (e)]. From the principle of accountability [Article 5 (2)] it follows that the controller is responsible for complying with the data protection principles and must also be able to demonstrate this. Accordingly, the controller must be able to demonstrate the purpose for which it processes personal data and why processing the personal data can be considered necessary for that purpose; in addition, it must take every reasonable step to ensure that personal data that are inaccurate for the purposes of the processing are erased or rectified without delay, and it must document and keep records of the data processing so that its lawfulness can be demonstrated afterwards.<br />
The controller must have a legal basis in accordance with Article 6 of the General Data Protection Regulation and must be able to demonstrate whether it processes / has processed personal data with the consent of the data subject, or in accordance with which legal provision, or whether the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, with the processing restricting the data subject's right to the protection of personal data proportionately.<br />
The name and financial situation of the Applicants are undoubtedly personal data of the Applicants; however, having regard to their activities in relation to the company in which they have an interest, their data entered in the business register are public data in the public interest, as well as company data pursuant to Section 10 (1) of the Ctv.<br />
Of course, the company-data quality of the data in question does not mean that the data in the company register could be used in any way: the principle of purpose limitation must be respected, an appropriate legal basis is required, and, in order to ensure the right to informational self-determination, the rights of the data subject must be duly respected.<br />
According to the Applicant's statement, the purpose of the data processing is to carry out the information activities of the press in a democratic society, arising from the rights flowing from freedom of the press. The Applicant also aims to inform the Hungarian business community about the owners behind the largest Hungarian-owned companies, thus contributing to business transparency and traceability. The Applicant also considers it its responsibility to strengthen Hungarian entrepreneurial culture by reporting on the activities of successful Hungarian entrepreneurs; the compilation of the annual rich list partly serves this purpose.<br />
In the publications, the Applicant linked […] to the "[…] family". The Authority considers that, in the context of the publications, the word 'family' should be interpreted as synonymous with family business, and although there is no legal definition of a family business in Hungary, according to professional interpretation, regardless of their size and results, family-run economic<br />
companies, i.e. family businesses, are companies majority-controlled by a family or by families with common ancestors, in which control is concentrated in the hands of family members so that at least two family members, as owner and / or manager, participate through the strategic and / or operational activities and decisions of the company.<br />
Of the Applicants, only […] was named for Data Management 2, and although in Data Management 1 it was indicated that the […] generation of the family has an interest in the economic activity, the publications never name other family members, either specifically or by indirect reference. From the information in the company register, it is clear which members of the […] family belong to this group.<br />
Consequently, the Applicants' view that the "[…] family" would be inaccurate personal data because it contains a reference to all family members, including minor children, is incorrect. Neither the printed nor the online versions of the lists contain any direct or indirect reference to minor children, i.e. the Applicant does not process data on minor family members, and information on minor family members is not located in the register of companies. Consequently, minor members of the […] family cannot be considered data subjects of Data Management 1 and Data Management 2.<br />
It should also be noted that Forbes is a press product containing economic and business articles and compilations, so the Authority considers that the communication and dissemination, in different compilations, of records accessible to anyone and of data forming part of companies' own public communications and accounts does not violate the principle of purpose limitation.<br />
It should also be emphasized that estimating assets derived from economic activities or the value of a company using a specific method is clearly an exercise of freedom of expression. The Applicant's estimate is based on data collected from different public sources, which were then evaluated on the basis of a specific methodology.<br />
For Data Management 1, the following methodological description can be found in both the printed and online versions:<br />
"We took as families the companies where there is a blood relationship between the members of the ownership circle and of the management (i.e. companies owned by spouses, if no other relative is a member of the management, were not taken into account). The companies were evaluated based on the American Forbes methodology. Where possible, we calculated on an EBITDA basis, as this is best suited to show the money-making capacity of firms. We used industry multipliers and then deducted the company's liabilities from the value thus obtained, and added its cash stock. In all cases, we worked from publicly available information; where possible, consolidated data were used, and where such were not available, we ourselves consolidated the results on the basis of the available information. The Bisnode PartnerControl collections helped us, and Concorde MB Partners advised us on the company valuation."<br />
For Data Management 2, the following methodological description can be found in the printed and online versions:<br />
"We evaluated the companies based on the methodology of our American parent company. Where we knew it, we calculated on the basis of EBITDA and took into account the court data. In accordance with international company valuation practice, we used an industry multiplier. We used those of Aswath Damodaran, a professor at New York University, as a starting point, but together with our company valuation specialists and our regional sister sites we tailored the multipliers to the region and to the Hungarian market where necessary. The company's cash was added to the value thus obtained<br />
and the loans were deducted from it (in the case of larger holdings, always based on consolidated accounts). Assets accumulated in real estate, asset management or financial companies (the values of real estate, assets and investments) were taken into account, and all liabilities were accounted for according to the American Forbes methodology. We deducted taxes on dividends, and where we knew of it, we surveyed the billionaires' financing needs, among others those of their interests, and also deducted or offset part of the dividends of recent years. We always work from publicly available data. We have always used the most recent data available; for most non-public companies this means the financial statements submitted for the financial year from 1 January 2018 to 31 December 2018. For stocks, we have calculated with the latest data. Closing of the asset valuation: 10 December 2019. Bisnode PartnerControl assisted us in collecting the data. In valuing the companies we were helped by the M&A experts of consulting companies."<br />
A similar methodological description is included in all similar Forbes publications (printed and online versions). In addition to the declarations, it can be established on the basis of the documents sent to the Authority that the Applicant, in all cases before the publication of the publications, sent the property and value valuation prepared on the basis of the methodology to the Applicants or in relation to their business, in any case requesting feedback from them and clarifying the data if necessary. (The correspondence between the Applicants and the Applicant is presented in detail in III.4., in the context of the rights of the data subject.)<br />
Consequently, on the basis of the above, the Applicants' claim that they do not know what logic Forbes journalists use to analyze the data.<br />
The Applicant did not specify the legal basis for the data processing: although it referred to Article 6 (1) (e) of the General Data Protection Regulation, it also indicated Article 6 (1) (f) of the General Data Protection Regulation. All this on the ground that, in the Applicant's view, the activity carried out by the Applicant, namely economic journalism and, within this framework, the regular collection of publicly available data on the richest and largest (or above average) persons with social influence, and the evaluation, interpretation and archiving of data and information according to a specific methodology, is an activity in the public interest, and that […] receive and have received significant state subsidies, which in itself justifies that the citizens (the readership) learn the identity of the owner behind the investment.<br />
The Applicant also referred to the Basic Law of Hungary, which, in addition to the right to the protection of personal data, also protects the disclosure of data of public interest, the freedom of the press and the diversity of the press; to Article 10 of the Smtv.; to Article 85 of the General Data Protection Regulation; and to decisions of the Constitutional Court made expressly in the context of data processing by the press, the exercise of freedom of the press and freedom of expression.<br />
The Basic Law of Hungary names the right to the protection of personal data, freedom of the press and freedom of expression as fundamental rights; the enforcement of freedom of the press and freedom of expression as constitutional fundamental rights must be accompanied by the protection of the fundamental constitutional right to the protection of personal data.<br />
In its Decision 165/2011 (XII. 20.) AB on the issues of media law, the Constitutional Court summarized its views on freedom of expression and of the press, and<br />
in addition to freedom of expression, stressed the importance of citizens shaping democratic public opinion. In its decision, the Constitutional Court stated that "freedom of opinion simultaneously serves the fulfillment of individual autonomy and, on the side of the community, the possibility of creating and maintaining democratic public opinion. [...] The press is the institution of free speech. Thus the protection of freedom of the press, as far as speech, communication and opinion are concerned, is also twofold: it serves subjective individual rights and, on the part of the community, the establishment and maintenance of democratic public opinion. [...] By exercising the right to freedom of the press, the holder of the fundamental right is an active shaper of democratic public opinion. In this capacity, the press monitors public actors, the activities of its institutions and the decision-making process, and informs the political community and democratic publicity (the role of the "watchdog")."<br />
In Case C-73/07, Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy, a reference for a preliminary ruling under Article 234 EC concerning Article 9 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (replaced, as regards journalistic activities, by Article 85 of the General Data Protection Regulation), the Court of Justice stated the following in its judgment of 16 December 2008:<br />
- "In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary, first, to interpret notions relating to that freedom, such as journalism, broadly. Secondly, and in order to achieve a balance between the two fundamental rights, the protection of the fundamental right to privacy requires that the derogations and limitations in relation to the protection of data […] must apply only in so far as is strictly necessary." [CJEU, Case C-73/07, paragraph 56]<br />
- "The exceptions and derogations provided for in Article 9 of the Directive apply not only to media undertakings but also to every person engaged in journalism." [CJEU, Case C-73/07, paragraph 58]<br />
- "The fact that the publication of data within the public domain is done for profit-making purposes does not preclude, a priori, such publication from being considered as carried out solely for journalistic purposes. […] Some commercial success is an essential condition for the survival of professional journalism." [CJEU, Case C-73/07, judgment]<br />
- "Activities such as those at issue in the main proceedings, relating to data from documents which are in the public domain under [national] legislation, may be classified as 'journalistic activities' if their object is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They are not limited to media undertakings and may be undertaken for profit-making purposes." [CJEU, Case C-73/07, judgment, paragraph 61]<br />
The CJEU reiterated the above findings in its judgment of 14 February 2019 in Case C-345/17, Sergejs Buivids v Datu valsts inspekcija:<br />
- 'The Court has already held that, in order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly (see, to that effect, judgment of 16 December 2008, Satakunnan Markkinapörssi and Satamedia, C-73/07, EU:C:2008:727, paragraph 56).' [CJEU, Case C-345/17, paragraph 51]<br />
- 'Thus, it is clear from the travaux préparatoires for Directive 95/46 that the exemptions and derogations provided for in Article 9 of that directive apply not only to media undertakings but also to every person engaged in journalism (see judgment of 16 December 2008, Satakunnan Markkinapörssi and Satamedia, C-73/07, EU:C:2008:727, paragraph 58).' [CJEU, Case C-345/17, paragraph 52]<br />
- 'It is clear from the case-law of the Court that "journalistic activities" are those which have as their purpose the disclosure to the public of information, opinions or ideas,<br />
irrespective of the medium which is used to transmit them (see, to that effect, judgment of 16 December 2008, Satakunnan Markkinapörssi and Satamedia, C-73/07, EU:C:2008:727, paragraph 61).' [CJEU, Case C-345/17, judgment, paragraph 53]<br />
Recital 153 of the General Data Protection Regulation also states that, in order to take account of the importance of the right to freedom of expression in every democratic society, notions relating to that freedom, such as journalism, should be interpreted broadly.<br />
The processing of (personal) data from publicly available databases and from companies' own communications and reports, as well as the evaluation and valuation of the collected data on the basis of the specified methodology, including the activities concerning the newly generated data, are related to the journalistic activity of the Applicant. The fact that the disclosure of this information is (also) for profit does not preclude it from being considered as carried out for journalistic purposes.<br />
The European Court of Human Rights (ECtHR) has developed, in a wealth of case law, the specific benchmarks for the limitation of opinions voiced in debates on public affairs. The practice of the ECtHR has also made it clear that the stronger protection of opinions expressed in the context of public affairs is not limited to political debates and politicians in the narrow sense. On the one hand, in addition to party-political debates, the right to freedom of expression guaranteed by the European Convention on Human Rights also protects with particular force the freedom to discuss other issues affecting the community (ECtHR: Thorgeirson v. Iceland, application number 13778/88, paragraph 64, 1992, decision on the merits and just satisfaction). On the other hand, the ECtHR invokes the outstandingly important argument of debate on public affairs not only in cases in which the disputed speech is addressed to politicians or officials, but also if the public interest issue (also) concerns private individuals. In the latter case, the tolerance threshold for private individuals should also increase (ECtHR: Bladet Tromsø and Stensaas v. Norway, application number 21980/93, 1999, decision on the merits and just satisfaction). Thus, in terms of the application of the specific standards, it is not the status of the person concerned per se that is decisive, but the public nature of the opinion. That is to say, in the case of free expression of opinion in public affairs, the decisive question is not whether the person covered by the report is a professional public figure, but the question on which the speaker spoke and whether the communication in question contributes to public debate.<br />
Although factual newspaper articles and reports on the Applicants' role in business and on their use of public or other public funds may indeed be related to a public debate, the question arises as to whether this can also be said of the rich lists published by the Applicant.<br />
The already mentioned "Markkinapörssi case" was also examined by the ECtHR {Satakunnan Markkinapörssi Oy and Satamedia Oy v Finland [Grand Chamber], case no. 931/13, 27 June 2017}, which recalled in its decision the criteria of its case-law that should guide the national authorities and the ECtHR itself when they balance freedom of expression and the right to privacy against each other.<br />
When it comes to political speech or debate on a matter of public interest, there is little scope for restricting the right to receive and impart information, 'and that is a fundamental law in a democratic society'.<br />
Derogations from data protection rules for journalistic purposes allow journalists to access, collect and deal with personal data in order to carry out their journalistic activities; however, the ECtHR pointed out that the mere fact that<br />
information is available to the public does not necessarily exclude it from the protection of Article 8 of the European Convention on Human Rights, and that the companies, as professional actors in the media industry, had to be aware that the exception rule reserved exclusively for journalistic activities does not necessarily apply to large-scale data collection and publication. The rights protected by Articles 8 and 10 of the European Convention on Human Rights are reciprocal. With regard to the weighing of the documents, however, the ECtHR pointed out, on the one hand, that free access to information can indeed help to address issues of public interest in democratic debate, but found, on the other hand, that there was no public interest in publishing raw data, without any analysis, in large quantities. Taxation data could allow curious members of the public to categorize individuals on the basis of their economic situation, satisfying a desire for information about the private lives of others, which should not be seen as promoting a debate on an issue of public interest.<br />
The CJEU also transposed the case law of the ECtHR into EU law in the already mentioned 'Buivids case': "in that regard, it is clear from that case-law that, in order to strike a balance between the right to respect for private life and the right to freedom of expression, the European Court of Human Rights has developed the relevant criteria to be taken into account, inter alia the contribution to a debate of public interest, the degree of notoriety of the person affected, the subject of the report, the prior conduct of the person concerned, the content, form and consequences of the publication, and the manner and circumstances in which the information was obtained and its veracity (see, to that effect, ECtHR, 27 June 2017, Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland, CE:ECHR:2017:0627JUD000093113, § 165). Similarly, it must be borne in mind that the controller may adopt measures enabling the extent of the interference with privacy to be reduced." [CJEU, Case C-345/17, paragraph 66]<br />
The Constitutional Court, in its Decision IV/1368/2018 AB annulling judgment no. Pfv.IV.20.884/2017/7 of the Kúria, and in its Decision IV/316/2019 AB annulling judgment no. Pfv.IV.21.398/2017/4 of the Kúria, also stated: "[…] in Article 1 (1), due to the special protection of the private and family life, home and contacts of the individual, the close relatives of public and non-public actors should also be particularly protected. […] Mere public curiosity or gossip alone does not give a question the nature of a matter of public interest. The right to privacy of a non-public actor may be constitutionally restricted, in order to give effect to the right to express an opinion, in a matter of overriding public interest concerning family relationships, provided that this is strictly necessary to inform the public and the information disclosed is a specific, non-public, adequate detail relating only to the matter of public interest." {IV/1368/2018 AB Decision, Justification [61]; IV/316/2019 AB Decision, Justification [54]}<br />
In view of the above, the Authority considers that there are no indications that compiling rich lists would be a "watchdog" type of activity or that it would be related to a specific public debate. These lists are published regularly (annually); they are not related to specific events but precisely to who has been enriched and to what extent, regardless of the source of the assets. The lists are compiled on the basis of a specific methodology, not on the basis of who or which business received state aid, so that the compilations also include persons and undertakings who or which did not receive state aid. While economic journalism can indeed be a 'mission', the 'rich list' as a product primarily does not serve public debate directly but satisfies a 'rumor hunger', as it is not about concrete fact-finding or investigation (which is typical of "watchdog" type journalism) but about the Applicant estimating, on the basis of publicly available information and according to its own methodology, the value of businesses or, in the case of persons, the assets derived from the activities of the undertaking, and then ranking companies and individuals on the basis of the estimated value or assets.<br />
The reference to business journalism as an activity of public interest cannot be accepted as a legal basis for Data Management 1 and Data Management 2 either. The reason is that<br />
the legal basis under Article 6 (1) (e) of the General Data Protection Regulation may only relate to a data processing activity connected with a public task classified as such by a piece of legislation. Although economic journalism is an activity in the public interest, it is not a public task (a task carried out in the public interest, in the wording of the General Data Protection Regulation), just as a journalist cannot be considered a person performing a public task [cf. Section 459 (1) paragraph 12 of Act C of 2012 on the Criminal Code].<br />
Thus, in the case of Data Management 1 and Data Management 2, as well as similar "rich lists", the Applicant does not perform a task in the public interest, not least because these lists, by their nature, and since this is not their purpose either, do not give a thorough picture of a dubious or perceived transaction.<br />
Journalism is not covered by the legal basis set out in Article 6 (1) (e) of the General Data Protection Regulation itself. This is borne out by Article 17 (3) (b), which follows closely the terms also used in Article 6 (1) (e) [in Article 17 (3) (b), the Union legislator essentially merged the grounds under Article 6 (1) (c) and (e), which are already close to each other]. The deletion of data related to the expression of opinion, however, cannot be refused on the basis of this point but on the basis of Article 17 (3) (a).<br />
It follows that Data Management 1 and Data Management 2, similar "rich lists" and, in general, all data processing related to business journalism may take place only on the legal basis of legitimate interest under Article 6 (1) (f) of the General Data Protection Regulation.<br />
In its statements made during the proceedings, the Applicant also referred to the legal basis of legitimate interest.<br />
According to recital 47 of the General Data Protection Regulation, if the legal basis of the data processing is a legitimate interest, it must be preceded by a balancing of interests, which must specify, inter alia, the legitimate interest, the effect on the data subject, whether the processing is necessary and proportionate, and whether the legitimate interest or the right of the data subject prevails.<br />
Thus, data processing based on a legitimate interest can only take place if the data controller has performed the interest balancing test in advance and, as a result of the test, the legitimate interests of the data controller or of a third party outweigh the possible disadvantages to the data subject caused by the processing. The balancing test is a three-step process: the legitimate interest of the controller must be identified, then weighed against the interest and fundamental rights of the data subject, and finally, on the basis of the weighing, it must be determined whether the personal data may be processed. On this basis, reference to Article 6 (1) (f) of the General Data Protection Regulation may be appropriate, and thus the data processing may be lawful, if the conclusion of the balancing test is that the legitimate interest of the controller or of a third party takes precedence over the data subject's legitimate interest in protecting his or her personal data and the limitation of the rights of the data subject is proportionate to the legitimate interest of the controller or of a third party in the restriction.<br />
In doing so, the controller must consider, inter alia, whether the data subject is a public actor (if so, this strengthens the data controller's interest in the processing), whether the journalistic activity in question is of an investigative nature (again, this strengthens the processing interest) or serves only to satisfy a rumor hunger (in this case, the interest in the protection of personal data is stronger). The balancing of interests is also successful if the article is about public subsidies and otherwise public data in the public interest (e.g. company data).<br />
The balancing test must be properly documented in accordance with the principle of accountability, and data subjects must be duly informed, in accordance with the General Data Protection Regulation, of the legitimate interest of the controller, whether the personal data are collected from the data subjects [Article 13(1)(d)] or have not been obtained from the data subject [Article 14(2)(b)].<br />
In its statements made during the proceedings, the Applicant set out its position and arguments on the existence of its own legitimate interest and that of a third party (the public) and thus on the rights of the Applicants; however, this is not in line with the requirements relating to the balancing of interests set out in recital 47 of the General Data Protection Regulation. The Applicant did not carry out the balancing of interests properly and, as set out in point III.4 of the Decision, did not explain it in detail in its information to the Applicants; it informed only the Applicants' legal representative in its replies.<br />
In connection with the balancing of interests, it should also be emphasised that what a given processing is like, and to what extent it may adversely affect a data subject, cannot be generalised, because the data subjects and their circumstances are different in each case; this is a subjective value judgement, which means that the same processing that one data subject considers acceptable in one case may be found offensive by another data subject in another case. Freedom of information and the right to informational self-determination must both be taken into account, and it must be considered whether the disclosure of the data disproportionately infringes the right to privacy.<br />
In the present case, however, it can be stated that the content of the processing carried out by the Applicant, and of the public communications based on it, concerns not the Applicants' private or family life but the activities of the undertaking in which they have an interest and the economic results that can be derived from it. It can clearly be stated that the data processed in this context, as well as the communications, relate not to the Applicants' family and private lives but to their achievements in economic and business life. Given that the Applicant's compilations contain public personal data available to anyone in the public interest, the estimated amount of assets generated by the economic activity or the estimated value of the business, and no additional personal data beyond these, and that the content of the articles is based on […]'s reports and public announcements, the processing does not go beyond what is necessary and proportionate, and archiving the lists is compatible with the original purpose of the processing. The Authority therefore notes that the Applicant's Data Management 1 and Data Management 2 comply with Article 5(1)(b), (c), (d) and (e) of the General Data Protection Regulation, that is, the principles of purpose limitation, data minimisation, accuracy and storage limitation.<br />
Based on the principle of accountability, controllers must design their processing operations throughout the entire processing so as to be able to demonstrate compliance with the data protection rules. The principle of accountability therefore cannot be interpreted at process level only; it applies to every specific processing activity, that is, to the processing of the personal data of a specific data subject.<br />
In the opinion of the Authority, the legitimate interest indicated by the Applicant is acceptable for Data Management 1 and Data Management 2; however, since the Applicant failed to carry out the balancing of interests properly, whether in its own or in the public's legitimate interest, and did not inform the Applicants in advance of its outcome, the Applicant infringed Article 6(1)(f) of the General Data Protection Regulation and the principle of accountability under Article 5(2) of the General Data Protection Regulation in respect of Data Management 1 and also of Data Management 2.<br />
III.4. Rights of the data subject and limitations on the exercise of rights<br />
In connection with the rights of the data subject, the Applicants requested in their application that, in respect of Data Management 1 and Data Management 2, the Authority establish the infringement of Article 13(2)(f) and Article 14(2)(g), Article 14(1) to (2), Article 15(1)(h) and Article 21(1) of the General Data Protection Regulation and the unlawfulness of the processing, order the restriction of the processing of their personal data pursuant to Article 18(1)(a) and (d), and then order the erasure of their personal data in accordance with Article 17(1)(c).<br />
The duality already detailed above (that certain personal data are at the same time public company data of public interest) cannot, of course, mean that the data subject would completely lose the right to self-determination over the data because of this circumstance, or that the disclosure of personal data would entail an unrestricted and complete loss of the right to privacy. The obligations of the controller related to the exercise of the rights of data subjects (including the right to information, to object and to erasure) are set out in Article 12 of the General Data Protection Regulation.<br />
Based on the statements and available documents, the following exchanges of letters took place between the Applicants (or their legal representative) and the Applicant (and its journalists) during the period under review:<br />
- In an e-mail of 16 August 2019, the journalist employed by the Applicant contacted the company related to the Applicants in connection with Data Management 1; attached to the letter was the following brief description of the methodology used to compile the compilation:<br />
“We evaluated the companies based on the methodology of our US parent company. Where we knew, we calculated on the basis of EBITDA and we took into account company court data. According to international company valuation practice, we used an industry multiplier. We used Aswath Damodaran, a professor at New York University, as a starting point, but together with our domestic company valuation experts and our regional siblings we tailored it to the region and the Hungarian market, where necessary. To the value thus obtained we added the cash stock available to the company and subtracted the loans. You can find our detailed calculation in the attached Excel file.”<br />
In addition to the methodological description, a calculation (estimate) based on […] data was also sent as an Excel spreadsheet attached to the e-mail. Based on the above, it can be concluded that the Applicants, contrary to their claim, were informed not on 26 August 2019 but on 16 August 2019 that the Applicant wished to include […] in Forbes' list of the most valuable family businesses. Following the journalist's request, the following exchanges of letters took place between […] and the Applicant between 22 and 26 August 2019:<br />
• On 22 August 2019 the Applicant, in its reply to an e-mail unknown to the Authority, informed the person acting on behalf of […] (or of the Applicants) that the company name and the surname would be included in the list for everyone, with the owners according to the company register indicated above the article, as when […] was last on this list.<br />
• On 26 August 2019, […] addressed a request to the Applicant that, as in previous years, the […] and […] families be excluded from Data Management 1 and that the term “[…] family” not be used in any compilation.<br />
• In its reply sent on 26 August 2019, the Applicant provided information that […] had not been included in the Forbes family business list in previous years because, in its opinion, the data for those years and the estimates based on them did not place it among the top 25 companies. Three years earlier the family and the company had been on the list because they were calculated at the time to fit among the 25 largest companies. On other Forbes lists, for example the ranking of the 100 largest Hungarian-owned private companies, […] had also been included in recent years, and the mention of the family was omitted because it was not justified.<br />
- In their letter dated 30 August 2019, the Applicants submitted to the Applicant a request for the exercise of their rights under Article 14 of the General Data Protection Regulation, the right to rectification under Article 16 of the General Data Protection Regulation (as regards the term ‘[család] family’) and the right to object under Article 21 of the General Data Protection Regulation. In their request for the exercise of the right to object, the Applicants did not explain the reasons for the objection in sufficient detail; they merely indicated that, in their view, there was no compelling legitimate reason on the basis of which the Applicant would be entitled to process their personal data.<br />
- In its reply to the data subjects' request for the exercise of their rights, the Applicant<br />
• indicated the purpose of the processing (informing the public, exercise of the right to freedom of the press), the categories of personal data (names of owners, their mothers' names, names of senior executives) and the sources of the personal data and of the data on the results of […] (information in the company database, the e-reports downloaded from beszamolo.im.gov.hu, previous announcements of […], public announcements);<br />
• provided information that, although external experts are consulted, typically only industry multipliers are discussed with them; external experts prepare specific estimates only in exceptional cases, during personal consultation, but the Applicant does not make the data available during the personal consultation, only the company name, the balance sheet data used for the estimates, the multiplier and the final result of the estimate are shared with them, and this did not take place in the case of […] or […] or of other family interests;<br />
• indicated the person involved in compiling the list and thus the staff handling the data, with the special note that the trainee indicated on the list did not have access to the database created for producing the list, nor therefore to the data of […], and that his work was performed on the basis of a traineeship contract supplemented by a confidentiality clause;<br />
• in connection with the duration of the processing, provided information that the available company data were used to verify the criteria for a family business but were not recorded by the Applicant; the data required for the estimation were used to compile the list and then deleted after the material was completed;<br />
• finally, mentioned that […] and the name of the controlling family were included in the magazine (no individual family member was mentioned) together with the estimated goodwill; the same data are included on the forbes.hu page, where an extract of the list was placed for communication purposes.<br />
- In November 2019 (on 6 November according to the Applicants' statement, on 14 November according to the Applicant's statement; the exact date is unknown to the Authority) the Applicant contacted the Applicants (exactly whom cannot be determined on the basis of the declarations and documents received by the Authority) in relation to Data Management 2; attached to the letter was the following brief description of the methodology used to compile the compilation:<br />
“We evaluated the companies based on the methodology of our US parent company. Where we knew, we calculated on the basis of EBITDA and we took into account company court data. According to international company valuation practice, we used an industry multiplier. We used Aswath Damodaran, a professor at New York University, as a starting point, but together with our domestic company valuation experts and our regional siblings we tailored it to the region and the Hungarian market, where necessary. To the value thus obtained we added the cash stock available to the company and subtracted the loans. The above methodology is most applicable to production companies. For financial service providers and real estate developers we also act on the basis of a U.S. parent company guide: here we start from the value accumulated in the company (mostly from assets) and deduct all liabilities. You will find our detailed calculation in the attached Excel file.”<br />
In addition to the methodological description, a calculation (estimate) based on business data was also sent as an Excel spreadsheet attached to the e-mail.<br />
- In a letter of formal notice sent to the Applicant on 15 November 2019 pursuant to Article 21 of the General Data Protection Regulation, the Applicants' lawyer objected to the processing carried out by the Applicant concerning the Applicants and prohibited the Applicant from collecting any personal data concerning them and from performing any other processing activity, including disclosure. The Applicant was also prohibited from letting the Applicants appear in the publication, either by name or as a family, directly or indirectly, and was called upon to delete the Applicants' personal data without delay and not to carry out any processing operation on them. The Applicants also requested the restriction of processing under Article 18(1)(a) and (d) of the General Data Protection Regulation and strongly called on the Applicant to refrain from publishing data concerning the Applicants, both in the circumstances set out in Article 18(1)(a) and (d) of the General Data Protection Regulation and as a consequence of the objection. The Applicants also drew the Applicant's attention to the fact that the data contained in the company register concerning the Applicants, and the conclusion reached regarding the financial situation of their family, were inaccurate or erroneous, the actual data on the Applicants' financial situation differing significantly, as attested by a notary public. In this request for the exercise of the right to object, the Applicants did not explain the reasons for the objection in sufficient detail; they merely indicated that, in their view, the processing was seriously prejudicial to the Applicants' rights and legitimate interests.<br />
- In its reply of 20 November 2019, the Applicant<br />
• indicated Article 6(1)(f) of the General Data Protection Regulation as the legal basis for the processing; the Applicant justified this on the ground that an economic newspaper such as Forbes has a legitimate interest in informing the public about Hungarian entrepreneurs and in referring to the State aid used by […] and to its participation in the bond programme of the Magyar Nemzeti Bank;<br />
• requested a proposal for changing the name as regards the accuracy of the personal data;<br />
• concerning the discrepancy with the actual data, noted that one of the purposes of the e-mail sent earlier was precisely to give the Applicants the opportunity to comment on the valuation, and that the data and results they sent for correction would be taken into account in making the estimates if professionally justified and acceptable; the Applicant further noted that its professional opinion consisted of approximate estimates for the publicly available fiscal year ended 31 December 2018, and at the same time informed the Applicants that, should there be any business decision or other circumstance affecting the assessment, the Applicant would consider taking this into account, or would agree to do so, with the Applicants;<br />
• indicated informing the public and the exercise of the right to freedom of the press as the purpose of drawing up and publishing the list; according to the Applicant's position, presenting the recipients of state mandates or of state or other public subsidies (and their owners), that is, how the Hungarian entrepreneurial class uses these resources, is on the one hand relevant information for taxpayers and, on the other hand, important information of public interest;<br />
• indicated the categories of personal data (names of owners) and the sources of the personal data and of the data on the results of […] (data available in the company database and reports downloaded from e-beszamolo.im.gov.hu, […]'s previous announcements, public announcements); the article does not detail what other assets the family has;<br />
• informed that, although the Applicant consults external experts, typically only industry multipliers are discussed with them; external experts make specific estimates only in exceptional cases, by personal consultation, but the Applicant does not make the data known during the personal consultation, only the company name, the balance sheet data used for the estimates, the multiplier and the final result of the estimation are shared with them, and this did not take place in the case of […] or […] or of other family interests;<br />
• indicated the person involved in compiling the list and thus the staff handling the data;<br />
• in connection with the duration of the processing, provided information that the data needed for the estimation are used to compile the list and then deleted after the material is completed.<br />
Articles 13 and 14 of the General Data Protection Regulation set out, as a minimum, which conditions of the processing the controller must communicate to data subjects, depending on whether it collects the personal data from the data subjects or has obtained it from another source. Given that the Applicant did not collect the data used to compile the lists directly from the Applicants, but used information contained in various public databases, reports and […]'s public communications, the Applicant's prior information obligation is governed by Article 14 of the General Data Protection Regulation. Consequently, Article 13 of the General Data Protection Regulation, which contains the minimum information that the controller must provide to the data subject if it collects personal data from the data subject, is not relevant in this case, and its alleged infringement therefore cannot be established.<br />
It can be said of the publications examined during the procedure (Data Management 1 and Data Management 2) that, because they are published periodically on the one hand, and the methodology applied by the Applicant allows it to determine exactly whom it wishes to include in the current list and publication on the other (that is, it practically implements profiling), the Applicant's obligation under the General Data Protection Regulation to provide prior information to this limited circle of persons means providing information covering Article 14(1) to (2) of the General Data Protection Regulation, with particular attention to<br />
- the purpose and legal basis of the processing,<br />
- the categories of personal data concerned,<br />
- in the case of processing based on Article 6(1)(f) of the General Data Protection Regulation, the legitimate interests of the controller or of a third party,<br />
- the data subject's rights (rectification, erasure, restriction of processing, objection),<br />
- the data subject's right to lodge a complaint,<br />
- the source of the personal data and whether the data come from publicly available sources,<br />
- the significance of the profiling and the consequences it may have for the data subjects.<br />
Although it can be stated that, before the lists appeared, the Applicant (through its journalists) always contacted the Applicants, informed them that the Applicant intended to include them on the list in question, sent them a brief description of the methodology used and an Excel spreadsheet containing a value or asset estimate based on that methodology, and gave the Applicants the opportunity to comment and, if necessary, to clarify the data, the Applicant did not properly comply with the prior information obligation, as it did not provide information on the purpose and legal basis of the processing, the legitimate interest of the controller or third party and the outcome of the balancing of interests, the expected consequences of the profiling, all the rights of the Applicants as data subjects, and the Applicants' right to lodge a complaint. As the Applicant did not provide adequate prior information to the Applicants, the Authority finds that the Applicant has infringed Article 14 of the General Data Protection Regulation.<br />
According to recital 60 of the General Data Protection Regulation, the principles of fair and transparent processing require that the data subject be informed of the processing and that the information necessary to ensure fair and transparent processing be provided, taking into account the specific circumstances and context in which the personal data are processed.<br />
The legal predecessor of the European Data Protection Board (hereinafter “the Board”), the Article 29 Data Protection Working Party established by Directive 95/46/EC, adopted Guidelines WP260 on transparency, which facilitate the application and interpretation of the General Data Protection Regulation and have been maintained by the Board after its entry into force. According to the Annex on the information to be provided to data subjects under Articles 13 and 14 of the General Data Protection Regulation, the information should make clear that data subjects may, on request, obtain information on the balancing test. This is essential for effective transparency where data subjects have doubts as to whether the balancing test was fair or wish to lodge a complaint with the supervisory authority.<br />
As the Applicant did not properly comply with this requirement, the Authority concludes that the Applicant has infringed the principle of transparency under Article 5(1)(a) of the General Data Protection Regulation with regard to Data Management 1 and Data Management 2.<br />
The prior information pursuant to Articles 13 and 14 of the General Data Protection Regulation must be distinguished from the information provided at the request of the data subject pursuant to Article 15. While the information under Articles 13 and 14 is intended to give the data subject a general, comprehensive picture of the processing of his or her personal data, the purpose of the right of access under Article 15 is specifically to enable the data subject to receive information in order to establish and verify the lawfulness of the processing of his or her personal data. In the exercise of the right of access, the controller is required to provide the data subject with the information referred to in Article 15(1) of the General Data Protection Regulation.<br />
In its replies to the Applicants' requests for the exercise of their right of access, the Applicant provided information on the purpose of the processing, the categories of personal data, the source of the data, the staff involved in the preparation of the lists, and the fact that the data required to make the estimate are deleted after the list is completed. For Data Management 2, the Applicant in addition indicated the legal basis for the processing [Article 6(1)(f) of the General Data Protection Regulation]. It can be established that the Applicant's replies to the Applicants' requests for the exercise of their right of access do not fully comply with Article 15(1) of the General Data Protection Regulation, as in its replies it did not provide information on the expected consequences of the profiling, on all the rights of the Applicants as data subjects, or on the Applicants' right to lodge a complaint. As the Applicant did not provide adequate information to the Applicants in connection with their requests to exercise their right of access, the Authority finds that the Applicant has infringed Article 15 of the General Data Protection Regulation.<br />
If the processing is based on the public interest or on the legitimate interest of the controller or of a third party, data subjects may object under Article 21 of the General Data Protection Regulation to the processing of their personal data. In that case, the controller may no longer process the personal data unless the controller proves that the processing is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the data subject, or which are related to the establishment, exercise or defence of legal claims.<br />
According to Article 21(4) of the General Data Protection Regulation, the controller is obliged to draw the data subjects' attention explicitly to their right to object at the latest at the time of the first contact, and the information on this must be presented clearly and separately from any other information.<br />
Given that, at the time of the first contact in relation to Data Management 1 and Data Management 2, the Applicant did not draw the Applicants' attention to their right to object and did not present the relevant information clearly and separately from any other information, the Applicant did not comply with Article 21(4) of the General Data Protection Regulation.<br />
This is significant because, under Article 21(1) of the General Data Protection Regulation, a data subject may at any time object to the processing of his or her personal data based on Article 6(1)(e) and (f), a right which can, however, only be exercised properly with knowledge of that information. In this case, the outcome of the objection is not automatic but depends on a balancing of interests: on request, the controller must prove that compelling legitimate interests on its side take precedence over the rights and freedoms of the data subject.<br />
If the data subject objects to the processing, for example to a newspaper article containing his or her personal data, the controller may no longer process the personal data unless the controller proves that the processing is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the data subject. In this balancing, the interests and rights of the data subject exercising the right to object must be considered on a case-by-case basis.<br />
From the correspondence between the Applicants and the Applicant, it can be established that, although the Applicants exercised their right to object with regard to both Data Management 1 and Data Management 2, they did not indicate the specific reasons for it (namely information on the security situation of the Applicants and their families) in their requests for the exercise of data subject rights dated 30 August 2019 and 15 November 2019; instead they referred in general terms to the Civil Code and the Mvtv. and to the fact that, in their view, the Applicants cannot be regarded as public actors. The position presented by the Applicants to the Authority, namely that the September 2019 Forbes list drew the attention of criminal circles to the family, was therefore unknown to the Applicant, so the Applicant was not, and could not have been, in possession of the information on the basis of which it could have carried out an individual balancing of interests for the Applicants.<br />
The Authority notes in this regard that it is not for the Authority to examine whether the Applicants and their families, who have been active in business for a long time and put their company in a market-leading position, came to the attention of criminal circles as a result of the publication; the Authority does, however, share the position that it was not substantiated that the actions of the criminals were (solely) a consequence of the publication.<br />
In view of the above, the Authority concludes that the Applicant did not commit an infringement when it did not carry out an individual balancing of interests following the Applicants' objection. Nevertheless, the circumstance raised by the Applicants in connection with the objection (but not communicated to the Applicant) may be relevant for the Applicant's subsequent processing, when considering the data subject's “grounds relating to his or her particular situation” and any “compelling legitimate grounds”. However, in order for the Applicant to be able to perform properly the second, individual balancing of interests after the objection, it is expected and necessary that the Applicants explain in adequate detail why, and for what reason, they object to the processing. It should be emphasised that these data may be handled and used only for the purpose of assessing the request for the exercise of the right to object and the individual interests.<br />
The Applicant's replies to the Applicants' requests for the exercise of their rights contain data relating to the processing objected to by the Applicants, in which it refers, inter alia, to the public interest nature of the processing and to […]'s subsidies from public or other public funds. However, in its replies the Applicant did not specifically address the Applicants' requests to exercise their right to object and to restrict processing, did not provide information on the decision taken in relation to them, and did not address the remedies available to the Applicants, i.e. that they may lodge a complaint with the Authority or have recourse to the courts. Under the General Data Protection Regulation, information on enforcement options is a mandatory element of the information provided in connection with the exercise of data subject rights. The fact that the Applicants approached the Applicant through a legal representative, and that the general privacy notice available on the Forbes website contains the means of enforcement, does not exempt the Applicant from providing the necessary information. Based on all this, the Authority finds that the Applicant has infringed Article 12(1) and (4) of the General Data Protection Regulation.<br />
Under the General Data Protection Regulation, data subjects have the right to erasure (‘right to be forgotten’); however, the General Data Protection Regulation also provides for exceptions in which this right cannot be exercised. These include cases where the processing is necessary for exercising the right of freedom of expression and information [Article 17(3)(a)], where the public interest requires the processing [Article 17(3)(b) to (d)], or where the processing is necessary for the establishment, exercise or defence of legal claims [Article 17(3)(e)].<br />
The processing by the Applicant (including publication) of data relating to the Applicants or to the company in which the Applicants have an interest falls under the exception in Article 17(3)(a) of the General Data Protection Regulation, under which the right of erasure (and the erasure of personal data) cannot be exercised, having regard to the fact that the processing of these data is necessary for exercising the right of freedom of expression and information. In the present case, therefore, Article 17(3)(a) of the General Data Protection Regulation creates the balance between the right of erasure on the one hand and freedom of expression, the right to information and freedom of the press on the other, as well as, in the case of the online version of the list, freedom of the Internet.<br />
In view of the above, the Authority refuses the part of the Applicants' application in which the Applicants request that the Authority order the restriction of the processing, the erasure of the Applicants' personal data and the prohibition of the processing objected to.<br />
Page 48<br />
48III.5. Request for suspension of the requested procedureIn its statement issued at the invitation of the Authority, the Applicant Section 48 (1) (a)(referring to a preliminary ruling within the jurisdiction of the court) requested that the proceedings be stayedAuthority, given that there is a personal relationship between the Applicants and the Applicantthe processing of your data is subject to legal proceedings, in which case the court will make a decisionwhether the data processing carried out by the Applicant is lawful.The Authority waived the requested procedure due to the following:- In order to examine and decide on the lawfulness of data processing, the Infotv. Section 38 (2) - (2a)provide the Authority with explicit tasks and powers, the courtprocedure is not a preliminary issue that would be absolutely necessary to resolvefor an objective, fair decision of the Authority, and without which the decision of the Authoritywould be unfounded.- The Acre. makes it clear that in general - merely the Acre. according to its rules - there is no placesuspension on the grounds that the Authority is aware of anotherpending proceedings which may affect its proceedings, unless otherwise provided by lawprovision does not allow for suspension. The question referred is not the same asthat the decision of another body may “affect” the legal interpretation of the Authority.- Available under Article 79 (1) of the General Data Protection Regulationadministrative or non-judicial remedies, including with the supervisory authoritywithout prejudice to the right to complain under Article 77 , all parties concerned shall be effectiveshall be entitled to a judicial remedy if, in his opinion, his personal data are covered by this Regulationtheir rights under this Regulation have been infringed as a result of improper handling.- The Authority may not be a party to any proceedings suspending the proceedingsat the request of a client, but makes an ex officio decision.III.6. 
The applicants' application for interim measures and for the imposition of a fineThe Applicants' application for an interim measure was submitted by the Authority to the Ákr. Pursuant to Section 46 b)rejects it, given that it is a civil lawsuit running in parallel with the data protection authority proceedingsIn the proceedings, the Applicants' application for the same right had already been examined by [ír].The Authority rejects the Applicants' request for a data protection fine, as ethe application of a legal sanction does not directly affect the rights or legitimate interests of the Applicants,for them, such a decision of the Authority does not create a right or an obligation, and therefore does notAs regards the application of a sanction falling within the scope of the public interest,with regard to the imposition of fines, the Applicants do not qualify as customers in accordance with Ákr. Section 10 (1)pursuant to paragraph Furthermore, since the Acre. Does not comply with Section 35 (1) in this regardthere is no place to file an application, so this part of the petition cannot be interpreted as an application.III.7. Data management before May 25, 2018The Applicants also objected to the lawfulness of the data processing for the period before Data Management 1.During the procedure, it was established that in the period before Data Management 1, the Applicant onlyOn one occasion, in the August 2015 issue of Forbes, it included “[…]family ”in the“ Largest Hungarian Family Enterprises ”compilation.This part of the request therefore concerns data processing for which, before 25 May 2018,took place before the date of application of the General Data Protection Regulation, to which thethe rules of this Regulation shall not apply. In view of this, Ákr. Section 47 (1) (a)the Authority will terminate the procedure as this part of the application does not comply with Infotv. 60.§ (2), as the general data processing period is general<br />
Page 49<br />
49data protection regulation was not yet applicable. For this reason, in terms of privacyno application for an administrative procedure may be made or an examination of the Authority 's own motion; andnor does it initiate official proceedings.The circumstance is that the Applicant is also in the period from August 2015 to September 2019collected data on the company in the interest of the Applicantsfrom publicly available databases accessible to anyone or from […] 's own public communications, andshall not be considered as unlawful data processing.III.8. Legal consequencesThe Authority granted the Applicants' request in part and Article 58 of the General Data Protection RegulationCondemns the Applicant under paragraph 2 (b) because Data Management 1 andHis activity in relation to Data Management 2 violated Article 5 of the General Data Protection RegulationArticle 5 (1) (a), Article 5 (2), Article 6 (1) (f), Article 12 (1) and (4)Article 14, Article 15 and Article 21 (4).Pursuant to Article 58 (2) (c) of the General Data Protection Regulation, the Authority shall instruct:Within 15 days of the decision becoming final (ex post)fully comply with its obligation to provide information to Applicants, includingthe considerations taken into account in the balance of interests and the outcome of the balance of interestsinformation.The Authority also instructs pursuant to Article 58 (2) (d) of the General Data Protection Regulationto shape the Applicant in accordance with the applicable legislation and the provisions of this decisiontransfer prior information practices as well as whether in the futurein the course of data processing, he intends to use the legitimate interest as a legal basis, then the lawcarry out a balance of interests in accordance with the provisions of this Decision,including a second, individual consideration of interests following the protest.The Authority's request to impose a data protection fine on the Applicants is set out in Section III.6. 
pointhowever, it examined of its own motion whether the infringements found had been establishedwhether it is justified to impose a data protection fine on the Applicant. In this context, the Authority isArticle 83 (2) of the General Data Protection Regulation and Infotv. 75 / A. § - the followingconsidered all the relevant circumstances of the case of its own motion and found that the present caseIn the case of infringements detected during the procedure, the warning is not in itself proportionate and dissuasivetherefore a fine is justified.By imposing a fine, the Authority’s specific deterrent objective is to encourage the Applicant toto carry out his / her data management activities consciously and not to the data subjects as objects and / ortreat it as an obstacle but as a genuine right holder, ensuring that their rights arising therefrom,information necessary to exercise control over the processing of their personal data, otherconditions. And it is usually required for all data controllers in a similar situationto make it clear that the processing of personal data requires increased awareness cannot benegligently trust that the data subjects will not be disadvantaged by personal dataactually uncontrolled treatment. Such conduct disregards the rights of those concernedleave and, as such, cannot go unpunished.The Authority considers that the practice, which is also present on the Hungarian market, according to which thevarious rich lists, publications listing the richest Hungarians, if enoughthey do not always include the name of the data subject and / or the data subjectbut in them, for example as a result of a well-founded protest by the data subject.instead of the full name, only one letter, and instead of an article describing the activity of the person concernedminimum information (eg name of the sector, amount of assets associated with the data subject)<br />
Page 50<br />
50will be indicated.By imposing a fine, the Authority also aims to encourage the Applicant to investigatein addition, it lists the richest Hungarians and the largest Hungarian family businessesdata management practices related to its publications. The Authority shall determine the amount of the finein addition to the specific preventive purpose, the fine sought to be achieved was taken into accountalso for general preventive purposes, with which, in addition to deterring the Applicant fromHe wants his requested data management practice to move towards full legalityto reach.In determining the need to impose a fine, the Authority considered the infringementsaggravating and mitigating circumstances as follows:The Authority considered as an aggravating circumstance that:- violations related to the exercise of the fundamental and affected rights committed by the Applicantpursuant to Article 83 (5) (a) and (b) of the General Data Protection Regulationmaximum amount (up to EUR 20 000 000 or, in the case of undertakings, the previous amount)up to 4% of the total annual world market turnover for the financial yearconstitute an infringement;the Applicants have tried several times to achieve proper data management than the Applicant, butfinally, official involvement was required [Article 83 (2) of the General Data Protection Regulationparagraph (a)];- the violations found, taking into account all the circumstances of the case, the Applicantconscious and determined attitude to data management and the exercise of data subjects' rightssubstantiated [i.e., Article 83 of the General Data Protection Regulation].Article 2 (2) (b)];- data management activities related to publications Indicated by ApplicantsDespite its shortcomings, a business transaction took place (published in December 2019)publication containing the richest Hungarians) and by the Applicants - in their opinionThe mitigation of the damage suffered took place only as a result of [általános] [general data 
protectionArticle 83 (2) (c) of the Regulation];- transparent to the Applicant on the lawfulness of the data processing and on the data processingfor information on Forbes worldwide recognition and recognition, as well as in the media markethas a special responsibility due to its role [Article 83 of the General Data Protection Regulation.Article 2 (2) (d)].The Authority took into account the special nature of personal data as a mitigating circumstancedata belonging to this category was not processed by the Applicant. The Applicantspersonal data entered in the company register is public data in the public interest as well as at the same timecompany data, and the data indicated in connection with the valuation of assets or values aexercise of the right to freedom of expression, based on a defined methodology for the datashall be considered as a conclusion drawn from the evaluation of the data protection [Article 83 of the General Data Protection RegulationParagraph 2 (g)].The Authority also noted that the Applicant had cooperated in the proceedingsAuthority, however, this behavior - as compliance with legal obligations did not gonot specifically assessed as an attenuating circumstance [Article 83 (2) of the General Data Protection Regulationparagraph (f)].The Authority further noted that although it had not previously established against the Applicantbreach of the processing of personal data against the ApplicantNAIH / 2019/7972 at the same time as this decisionNAIH / 2020/838/2, in part, the infringements found in this decisionalso condemned and instructed the Applicant to take similar measures,<br />
Page 51<br />
51and imposed a fine on him [Article 83 (2) (e) of the General Data Protection Regulationand (i)].Article 83 (2) of the General Data Protection Regulation applies to the imposition of fines.reviewed the other aspects of paragraph 1, but did not take them into account becauseconsidered that they were not relevant in the present case.Report of the Applicant for the general business year from 1 January 2019 to 31 December 2019was not yet available at the time of this decision and the Authority therefore set the finetook into account the business years 2018 and 2017:- Closing the General Business Year for the Applicant from 1 January 2018 to 31 December 2018,based on its publicly available report in 2018 of total salesHad net sales of HUF 727,702,000 (HUF seven hundred and twenty-seven million seven hundred and two thousand), andtaking into account both revenues and expenditures - HUF 115,194,000 (one hundred and fifteen millionone hundred and ninety-four thousand forints) with pre-tax profit.- Closing the general business year for the Applicant from 1 January 2017 to 31 December 2017based on its publicly available report in 2017 of total salesHad net sales of HUF 681,029,000 (six hundred and eighty-one million twenty-nine thousand forints), andthe year - taking into account both revenues and expenses - HUF 156,095,000(one hundred and fifty-six million to ninety-five thousand forints) with pre-tax profit.The amount of the fine is neither the net sales revenue nor the pre-tax profitless than 4% of total world market turnover. Based on the above, the amount of the fine imposedproportionate to the gravity of the infringement.ARC. Rules of procedureThe competence of the Authority is limited by the Infotv. Section 38 (2) and (2a) defines the jurisdiction of the countrycovers its entire territory.The Acre. Pursuant to Section 37 (2), the procedure is the submission of the application to the acting authoritystarts the day after your arrival. The Acre. 
Pursuant to Section 50 (1), unless otherwise provided by lawthe administrative period shall begin on the day on which the proceedings are instituted.The Acre. Pursuant to Section 112 (1), Section 114 (1) and Section 116 (1), respectively aThere is an administrative remedy against the decision.The operative part II. The right of independent appeal against the order contained in Art. § 112, § 114(1) and Section 116 (1) and Section 116 (4) (d).* * *A Ptk. 6:48. § (1), in the case of a debt owed, the debtor is in arrearsvalid on the first day of the calendar half-year affected by the delayshall pay default interest at the same rate as the basic interest.The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (ahereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by a decision of the AuthorityThe administrative lawsuit against the court falls within the jurisdiction of the court. Section 13 (3) a)The General Court has exclusive jurisdiction under subparagraph (aa) of A Kp. Section 27 (1)(b), legal representation is mandatory in litigation within the jurisdiction of the tribunal. A Kp. § 39Pursuant to paragraph 6, the application of the application has suspensory effect on the entry into force of the Decisionno.<br />
Page 52<br />
52A Kp. Section 29 (1) and with this regard Pp. Applicable pursuant to Section 604, electronicCCXXII of 2015 on the general rules of administration and trust services. Act (ahereinafter: E-Administration Act) pursuant to Section 9 (1) (b), the legal representative of the clientobliged to communicate electronically.The time and place of filing an action against the decision of the Authority shall be determined by the Public Procurement Act. Section 39 (1)defined in paragraph Information on the possibility to request a hearing can be found in Kp.It is based on Section 77 (1) - (2). The amount of the fee for an administrative lawsuit shall be determined in accordance with the 1990 Fees Act.évi XCIII. Act (hereinafter: Itv.) 45 / A. § (1). The fee is preliminaryfrom the payment of the Itv. Section 59 (1) and Section 62 (1) (h) exempt the proceedingsinitiating party.The Acre. Pursuant to Section 135 (1) (a), the debtor is entitled to the statutory interest ratehe is obliged to pay a late payment allowance if he fails to meet his payment obligation on time.If the Applicant does not duly prove the fulfillment of the required obligation, the Authority shallconsiders that it has not fulfilled its obligation within the prescribed period. The Acre. According to Section 132, if the Applicanthas not complied with the obligation contained in the final decision of the authority, it is enforceable. The Authoritydecision of the Ákr. Pursuant to Section 82 (1), it becomes final upon notification. The Acre. Section 133implementation, unless otherwise provided by law or government decree, the decisionordered by the issuing authority. The Acre. Section 134 of the Enforcement - if law, government decreeor in the case of a municipal authority, a local government decree does not provide otherwise - thecarried out by a state tax authority. Infotv. 
Pursuant to Section 61 (7) in the decision of the Authorityto perform a specific act, conduct or tolerate a specific actenforcement of the decision in respect of the standstill obligationimplements.Budapest, July 23, 2020Dr. Attila PéterfalviPresidentc. professor<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Category:Portuguese_Court_Decisions&diff=15159
Category:Portuguese Court Decisions
2021-04-22T10:12:36Z
<p>Hk: </p>
<hr />
<div>[[Supreme Administrative Court - 0856/20.0BELRA]] on the understanding of the National Tax Number of the owner of a building as personal data, protected under the right to privacy, or personal data that should be publicly available, under the right of information. <br />
<br />
[[Tribunal da Relação de Coimbra - 4354/19.7T8CBR-A.C2]] on balancing the fundamental right to equal pay for equal work with the right to privacy of workers not included in the lawsuit. <br />
<br />
[[Tribunal Constitucional - Ruling 464/2019#English%20Machine%20Translation%20of%20the%20Decision|Tribunal Constitucional - Ruling 464/2019]] on the rules contained in articles 3 and 4 of Organic Law no. 4/2017, of 25 August, in the part in which they allow the information officers of the Portuguese Security Information Service (SIS) and the Defense and Strategic Information Service (SIED) to access basic data and equipment location data for the purpose of producing the information necessary to safeguard national defense and internal security. <br />
<br />
<br />
<br />
Here you can find all [[Data Protection in Portugal|Portugal]] Court decisions, arranged by court. [[Category:Court Decisions]]</div>
Hk
https://gdprhub.eu/index.php?title=Category:Portuguese_Court_Decisions&diff=15156
Category:Portuguese Court Decisions
2021-04-22T09:56:53Z
<p>Hk: </p>
<hr />
<div>[[Supreme Administrative Court - 0856/20.0BELRA]] on the understanding of the National Tax Number of the owner of a building as personal data, protected under the right to privacy, or personal data that should be publicly available, under the right of information. <br />
<br />
[[Tribunal da Relação de Coimbra - 4354/19.7T8CBR-A.C2]] on balancing the fundamental right to equal pay for equal work with the right to privacy of workers not included in the lawsuit. <br />
<br />
[[Tribunal Constitucional - Ruling 464/2019#English%20Machine%20Translation%20of%20the%20Decision|Tribunal Constitucional - Ruling 464/2019]] on the rules contained in articles 3 and 4 of Organic Law no. 4/2017, of 25 August, in the part in which they allow the information officers of the Portuguese Security Information Service (SIS) and the Defense and Strategic Information Service (SIED) to access basic data and equipment location data for the purpose of producing the information necessary to safeguard national defense and internal security. <br />
[[Category:Court Decisions]]</div>
Hk
https://gdprhub.eu/index.php?title=Category:Portuguese_Court_Decisions&diff=15155
Category:Portuguese Court Decisions
2021-04-22T09:56:47Z
<p>Hk: Blanked the page</p>
<hr />
<div></div>
Hk
https://gdprhub.eu/index.php?title=BVwG_-_W258_2227269-1/14E&diff=14993
BVwG - W258 2227269-1/14E
2021-04-19T15:31:56Z
<p>Hk: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=BVwG<br />
|Court_With_Country=BVwG (Austria)<br />
<br />
|Case_Number_Name=W258 2227269-1/14E<br />
|ECLI=ECLI:AT:BVWG:2020:W258.2227269.1.00<br />
<br />
|Original_Source_Name_1=Rechtsinformationssystem des Bundes (RIS)<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=c4b7610d-5502-49f6-af50-791b9361c9f1&Position=1&SkipToDocumentPage=True&Abfrage=Bvwg&Entscheidungsart=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=DSGVO&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=BVWGT_20201126_W258_2227269_1_00<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=26.11.2020<br />
|Date_Published=02.12.2020<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
|GDPR_Article_2=Article 4(8) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#8<br />
|GDPR_Article_3=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1a<br />
|GDPR_Article_4=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1b<br />
|GDPR_Article_5=Article 6(1) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#1<br />
|GDPR_Article_6=Article 6(4) GDPR<br />
|GDPR_Article_Link_6=Article 6 GDPR#4<br />
|GDPR_Article_7=Article 9 GDPR<br />
|GDPR_Article_Link_7=Article 9 GDPR<br />
|GDPR_Article_8=Article 30 GDPR<br />
|GDPR_Article_Link_8=Article 30 GDPR<br />
|GDPR_Article_9=Article 35 GDPR<br />
|GDPR_Article_Link_9=Article 35 GDPR<br />
|GDPR_Article_10=Article 83(4)(a) GDPR<br />
|GDPR_Article_Link_10=Article 83 GDPR#4a<br />
|GDPR_Article_11=Article 83(5)(a) GDPR<br />
|GDPR_Article_Link_11=Article 83 GDPR#5a<br />
|GDPR_Article_12=Article 83(8) GDPR<br />
|GDPR_Article_Link_12=Article 83 GDPR#8<br />
<br />
<br />
|National_Law_Name_1=Article 133(4) Federal Constitution (Bundes-Verfassungsgesetz - B-VG)<br />
|National_Law_Link_1=https://www.ris.bka.gv.at/eli/bgbl/1930/1/A133/NOR40154584<br />
|National_Law_Name_2=§ 1 Austrian Data Protection Act (Datenschutzgesetz - DSG)<br />
|National_Law_Link_2=https://www.ris.bka.gv.at/dokument.wxe?abfrage=bundesnormen&dokumentnummer=nor40139563<br />
|National_Law_Name_3=§ 30 Austrian Data Protection Act (Datenschutzgesetz - DSG)<br />
|National_Law_Link_3=https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=2&Paragraf=30&Anlage=&Uebergangsrecht=<br />
|National_Law_Name_4=§ 44a Austrian Administrative Penal Act (Verwaltungsstrafgesetz - VStG)<br />
|National_Law_Link_4=https://www.ris.bka.gv.at/eli/bgbl/1950/172/P44a/NOR12058374<br />
|National_Law_Name_5=§ 45(1) Austrian Administrative Penal Act (Verwaltungsstrafgesetz - VStG)<br />
|National_Law_Link_5=https://www.ris.bka.gv.at/eli/bgbl/1950/172/P45/NOR12058375<br />
<br />
|Party_Name_1=Austrian Postal Service (fined controller)<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=DSB<br />
|Appeal_From_Case_Number_Name=DSB-D550.148/0017-DSB/2019 (not published)<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Marco Blocher<br />
|<br />
}}<br />
<br />
The Austrian Federal Administrative Court (BVwG) overturned the 18 million Euro fine imposed on the Austrian Postal Service: the Austrian DPA had failed to establish that the natural persons acting on behalf of the Austrian Postal Service had engaged in culpable conduct. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The facts and circumstances that led to the fine can be read in the summary of [[BVwG - W258 2217446-1]], another decision of the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG) dealing with different legal issues of the same case.<br />
<br />
Based on the unlawful processing of data on the "affinity for a political party", the DSB imposed an 18 million Euro fine on the Austrian Postal Service. In detail, the DSB held the Austrian Postal Service responsible for violating<br />
<br />
*Article 5(1) GDPR<br />
*Article 6 (1) GDPR<br />
*Article 6(4) GDPR<br />
*Article 9 GDPR<br />
*Article 14 GDPR<br />
*Article 30 GDPR<br />
*Article 35 GDPR and<br />
*Article 36 GDPR.<br />
<br />
The fine was issued directly against the Austrian Postal Service as controller under Article 4(7) GDPR, without establishing culpable conduct of natural persons acting on behalf of the Austrian Postal Service. Based on this omission, the Austrian Postal Service appealed against the fine.<br />
<br />
===Dispute===<br />
Can the DSB impose a fine under Article 83 GDPR directly on a legal person, without having to investigate and establish culpable conduct of natural persons acting on behalf of the legal person?<br />
<br />
Are the national rules of administrative penal law of any relevance to this question or is it to be answered solely under the rules of the GDPR?<br />
<br />
===Holding===<br />
The BVwG held that the provisions of the Austrian Administrative Penal Act (Verwaltungsstrafgesetz - VStG) and the Austrian Data Protection Act (Datenschutzgesetz - DSG) apply to fines imposed by the DSB under Article 83 GDPR: pursuant to Article 83(8) GDPR, the exercise by the supervisory authority of its powers under Article 83 GDPR shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process. In light of this provision, the BVwG held that national procedural rules are in fact to be applied when imposing a fine for a GDPR violation.<br />
<br />
According to the BVwG, the DSB had violated § 44a and § 45 VStG and § 30 DSG by not establishing culpable conduct of natural persons acting on behalf of the Austrian Postal Service. In order to impose a fine on the Austrian Postal Service, the DSB would have had to establish that natural persons who have<br />
<br />
*the authority to represent the Austrian Postal Service,<br />
*the power to take decisions on behalf of the Austrian Postal Service, or<br />
*the authority to exercise control within the Austrian Postal Service<br />
<br />
violated the GDPR. Therefore the fine was overturned.<br />
<br />
==Comment==<br />
It must be noted that the fine was only overturned due to formal mistakes by the DSB. In the decision [[BVwG - W258 2217446-1]] the BVwG considered the processing of the data on the "affinity for a political party" by the Austrian Postal Service unlawful.<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
IN THE NAME OF THE REPUBLIC!<br />
<br />
The Federal Administrative Court appointed the judge Mag. Gerold PAWELKA-SCHMIDT as chairman and the expert lay judges Dr. Gerd TRÖTZMÜLLER and Gerhard RAUB as assessors about the complaint of XXXX, represented by Schönherr Rechtsanwälte GmbH, 1010 Vienna, against the criminal judgment of the data protection authority of 23.10.2019, GZ DSB-D550.148 / 0017-DSB / 2019, rightly in a closed session recognized:<br />
<br />
A)<br />
<br />
I. The complaint will be followed, the contested conviction will be corrected and the proceedings will be discontinued according to § 45 Abs 1 Z 3 VStG.<br />
<br />
II. According to Section 52 (8) VwGVG, the complainant does not have to bear any costs.<br />
<br />
B)<br />
<br />
The revision is not permitted in accordance with Art. 133 Paragraph 4 B-VG.<br />
<br />
<br />
<br />
<br />
<br />
text<br />
<br />
Reasons for the decision:<br />
<br />
I. Procedure:<br />
<br />
1. On the basis of media reports on the alleged sale of personal data, in particular information about the "political affinity" of certain people, the authority in question initiated an official investigation procedure against the complainant on January 8, 2019, which with the decision of February 11, 2019 on the GZ DSB-D213.747 / 0002-DSB / 2019 has ended.<br />
<br />
2. On the basis of the investigation results of the official investigation procedure, the authority concerned initiated administrative criminal proceedings against the complainant and, with a request for justification on February 20, 2019, charged her with the following administrative violations: The complainant is suspected<br />
<br />
1. to have unlawfully processed special categories of personal data in accordance with Art. 9 GDPR (“party affinities”) in the course of exercising the trade “address publishers and direct marketing companies” by not obtaining the consent of the data subjects and otherwise not relying on any of the data processing in Art 9 DSGVO conclusively listed facts can be supported,<br />
<br />
2. personal data such as<br />
<br />
- Affinity for donations<br />
<br />
- bioaffinity<br />
<br />
- partnership<br />
<br />
- annual income<br />
<br />
- type of acquisition<br />
<br />
- qualification<br />
<br />
- Consumption-oriented basis<br />
<br />
- Night owls<br />
<br />
- Package frequency (number of packages in a certain period of time)<br />
<br />
- Affinity for moving<br />
<br />
- Investment affinity<br />
<br />
- phase of life<br />
<br />
to have unlawfully processed "address publishers and direct marketing companies" (storage and sale to third parties) in the course of exercising the trade, by not having obtained the consent of the data subjects and otherwise not based the data processing on any of the legality facts listed in Art 6 (1) GDPR could be<br />
<br />
3. To have violated their obligation to carry out a data protection impact assessment regarding the application "XXXX target group addresses" (note: XXXX stands for XXXX) by failing to carry out the data protection impact assessment within the period, contrary to the time specified in the data protection impact assessment March to June 2018, but at a later date, but in any case after May 25, 2018,<br />
<br />
4. to have drawn up the data protection impact assessment for the application "XXXX - target group addresses" incorrectly, because it denies the processing of special categories of personal data although, according to Annex 2D, the "party affinity" is calculated, and as a result the existence of a high risk is in any case denied,<br />
<br />
5. to have drawn up the record of processing activities for "XXXX - target group addresses" incorrectly, because in it<br />
<br />
- a. the processing of particularly sensitive data, including political opinion, as well as<br />
<br />
- b. the extensive processing of sensitive data<br />
<br />
are denied,<br />
<br />
6. to have drawn up the record of processing activities for "XXXX - target group addresses" inadequately, because it did not list all of the data categories actually processed,<br />
<br />
7. to have failed to carry out a consultation in accordance with Art 36 GDPR and<br />
<br />
8. not to have fulfilled its obligations under Art 14 GDPR, by not informing the data subjects to the extent necessary about which data not collected directly from them were collected, by whom and in what manner, and then transmitted to third parties - e.g. sold or otherwise made available -,<br />
<br />
and thereby administrative offenses under<br />
<br />
Re 1): Art 5 Para 1, Art 9 in conjunction with Art 83 Para 5 lit a GDPR<br />
<br />
Re 2): Art 5 Para 1, Art 6 Para 1 in conjunction with Art 83 Para 5 lit a GDPR<br />
<br />
Re 3) + 4): Art 35 in conjunction with Art 83 Para 4 lit a GDPR<br />
<br />
Re 5) + 6): Art 30 in conjunction with Art 83 Para 4 lit a GDPR<br />
<br />
Re 7): Art 36 in conjunction with Art 83 Para 4 lit a GDPR<br />
<br />
Re 8): Art 14 in conjunction with Art 83 Para 5 lit b GDPR<br />
<br />
to have committed.<br />
<br />
4. After taking evidence and holding an oral hearing on September 23, 2019, the authority concerned issued a penal decision on October 23, 2019, ruling as follows:<br />
<br />
The accused, as the person responsible (controller) within the meaning of Art 4 Z 7 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016, p. 1, is responsible for the following:<br />
<br />
re I.: from May 25, 2018 to February 21, 2019,<br />
<br />
re II.: from May 25, 2018,<br />
<br />
re IV.: from May 25, 2018,<br />
<br />
re V.: from May 25, 2018 and<br />
<br />
re VI.: from May 25, 2018,<br />
<br />
I. the unlawful processing of special categories of personal data within the meaning of Art 9 GDPR ("party affinities") within the scope of the trade of "address publishers and direct marketing companies"; this by not obtaining the consent of the data subjects, while the data processing cannot otherwise be based on any of the grounds conclusively listed in Art 9 GDPR;<br />
<br />
II.<br />
<br />
a) the unlawful further processing of personal data, namely the number of parcels received during a certain period of time (parcel frequency) and the frequency of relocations of data subjects, within the scope of the trade of "address publishers and direct marketing companies"; this by not obtaining the consent of the data subjects, while the data processing cannot otherwise be based on any of the grounds of lawfulness conclusively listed in Art 6 Para 1 GDPR, and the purpose of the parcel-frequency and relocation-frequency data was changed to one not covered by Art 6 Para 4 GDPR;<br />
<br />
IV. the inaccuracy of the data protection impact assessment for the application "XXXX - target group addresses", since in it the processing of special categories of personal data was denied, although the "party affinity" had been calculated and processed, and as a result the existence of a high risk was in any case denied,<br />
<br />
V. the incorrectness of the record of processing activities for "XXXX - target group addresses", since according to it<br />
<br />
a) the processing of particularly sensitive data, including political opinion, as well as<br />
<br />
b) the extensive processing of sensitive data are denied, and<br />
<br />
VI. the inadequacy of the record of processing activities for "XXXX - target group addresses", since it did not list all the data categories actually processed and was therefore not drawn up in sufficient detail.<br />
<br />
The breach of duty is attributed to the legal person "XXXX" because the natural persons responsible for the violations belong to the economic unit that is formed by the person responsible as a legal person.<br />
<br />
As a result, the person responsible violated the following legal provision(s):<br />
<br />
Re I.: Art. 5 Para. 1 lit. a, Art. 9 in conjunction with Art. 83 Para. 5 lit. a GDPR<br />
<br />
Re II.a): Art. 5 Para. 1 lit. a and lit. b, Art. 6 Para. 1 and Para. 4 in conjunction with Art. 83 Para. 5 lit. a GDPR<br />
<br />
Re IV.: Art. 35 in conjunction with Art. 83 Para. 4 lit. a GDPR<br />
<br />
Re V. and VI.: Art. 30 in conjunction with Art. 83 Para. 4 lit. a GDPR.<br />
<br />
A fine of EUR 18,000,000.00 is therefore imposed on the accused in accordance with Article 83 (5) (a) GDPR, together with the reimbursement of procedural costs in the amount of EUR 1,800,000.00.<br />
<br />
On the other hand, the proceedings with regard to the charges<br />
<br />
II b) of unlawful processing through the storage and sale of personal data of the categories<br />
<br />
- Affinity for donations<br />
<br />
- bioaffinity<br />
<br />
- partnership<br />
<br />
- annual income<br />
<br />
- type of acquisition<br />
<br />
- qualification<br />
<br />
- Consumption-oriented basis<br />
<br />
- Night owls<br />
<br />
- investment affinity<br />
<br />
- phase of life,<br />
<br />
III. according to which the accused had violated its obligation to carry out a data protection impact assessment regarding the application "XXXX target group addresses" by carrying out the data protection impact assessment not in the period from March to June 2018, but at a later point in time, in any case after May 25, 2018,<br />
<br />
VII. according to which the accused (wrongly) failed to conduct a consultation in accordance with Art 36 GDPR,<br />
<br />
VIII. according to which the accused had not fulfilled its obligations under Art. 14 GDPR, by not informing the data subjects to the extent necessary about which data not collected directly from them were collected, by whom and in what manner, and then transmitted to third parties - sold or otherwise made available -,<br />
<br />
were each discontinued in accordance with Section 45 (1) (1) (first case) VStG.<br />
<br />
5. The complaint of November 25, 2019 is directed against this penal decision on the grounds of deficiencies in the findings, incorrect legal assessment, unlawful assessment of fault and unlawful assessment of the amount of the penalty, and requested, with more detailed reasons, that the penal decision be set aside without replacement and the proceedings be discontinued in accordance with Section 38 VwGVG in conjunction with Section 45 (1) VStG; or that the proceedings be discontinued according to § 38 VwGVG in conjunction with § 45 Paragraph 1 Z 4 VStG in conjunction with § 11 DSG with the issuance of a warning, or in conjunction with § 33a VStG by way of advice, or in conjunction with § 45 Paragraph 1 Z 1 VStG with a warning instead of a penalty; or that the penalty be reduced to a measure appropriate to the act and the fault. Among other things, the complainant argued that, for the imposition of a fine under the GDPR on a legal person such as the complainant, it is not sufficient that the elements of an offense are fulfilled; the actions of a natural person must also be attributable to it as a legal person, which cannot act itself. The authority concerned omitted this attribution, which must be carried out in accordance with § 30 DSG.<br />
<br />
6. With the submission of the files dated January 7, 2020, received on April 16, 2020, the authority concerned submitted the complaint to the Federal Administrative Court together with the administrative file, contested the complaint and, with detailed reasoning, applied for the complaint to be dismissed. Among other things, the authority concerned stated that, since fines under the GDPR constitute a corporate liability model of its own kind, which would not reduce the procedural guarantees required under fundamental law, there was no room for an attribution rule such as Section 30 DSG.<br />
<br />
7. By way of a hearing of the parties on July 17, 2020, the authority concerned was confronted with the decision of the Administrative Court of May 12, 2020, Ro 2019/04/0229, issued in the meantime, according to which, in order to impose a fine on a legal person under the GDPR, it is necessary to demonstrate wrongful, unlawful and culpable behavior of a natural person which is to be attributed to the legal person, and such a defect cannot be remedied by the administrative court if the natural persons for whose behavior the legal person is to be held responsible are specified for the first time in the complaint proceedings.<br />
<br />
8. In statements of July 29, 2020, August 13, 2020 and November 12, 2020, the authority concerned submitted that the penal decision showed that the board or its members, i.e. representatives within the meaning of Section 9 VStG, had been informed about data protection processes, and referred in this regard to the findings under point 4.7 of the penal decision, according to which the project "Fitness for the GDPR" had been decided by the board, the board had been reported to on all data-protection-relevant aspects by the relevant natural persons in managerial functions, and on the board's side XXXX had been responsible.<br />
<br />
Furthermore, the authority concerned submitted that there was no "acte clair" in the sense of the case law of the European Court of Justice because, in deviation from the decision of the Austrian Administrative Court, the Conseil d'État, the highest French administrative court, in its decision of June 19, 2020, N° 430810, assumed that it is not necessary, for the imposition of fines under the GDPR on legal persons, to name natural persons whose behavior can be attributed to the legal person. Due to the differing opinions of two highest courts from different Member States, this question must therefore be interpreted by the ECJ. Furthermore, the authority concerned referred to a - orally announced but not yet issued in writing - judgment of the Bonn Regional Court of 11.11.2020, GZ 29 OWi-430 Js-OWi 366 / 20-1 / 20 LG, according to which Section 30 of the German Administrative Offenses Act (OWiG), a provision comparable to Section 30 DSG which requires the attribution of a natural person's actions for the imposition of a fine on a legal person, is partially incompatible with the imposition of fines under Art 83 GDPR, and the authority does not have to specifically determine which employee committed the acts.<br />
<br />
The authority concerned therefore applied for the cited judgment of the Bonn Regional Court to be obtained, and for a preliminary ruling of the ECJ to be sought in accordance with Art. 267 TFEU on the question of whether, in a decision imposing a fine under Art. 83 GDPR on a legal person, infringing and culpable behavior of a natural person must be shown which is to be attributed to the legal person.<br />
<br />
9. In a statement of September 4, 2020, the complainant replied, in summary, among other things, that even the supplementary submissions of the authority concerned did not demonstrate any wrongful, culpable and unlawful behavior of a natural person that could be attributed to it as a legal person. With its suggestion of a preliminary ruling by the ECJ, the authority concerned was asking the ECJ for an impermissible interpretation of a national legal provision, § 30 DSG, and a review of the case law of the VwGH. The implementation of the sanction provision of Art 83 GDPR was - with reference to the case law of the VwGH and further detailed reasoning - left to national law, which is why differences between individual Member States could arise. The requirement of expedition in criminal proceedings also spoke against a referral to the ECJ.<br />
<br />
Evidence was obtained through inspection of the administrative file and of the decision of the Conseil d'État of June 19, 2020, N° 430810.<br />
<br />
II. The Federal Administrative Court has considered:<br />
<br />
1. The following facts are established:<br />
<br />
1.1. The authority concerned conducted administrative criminal proceedings against the complainant, a legal person established in the legal form of a stock corporation, under AZ DSB-D550.148.<br />
<br />
1.2. In these proceedings, apart from the summons of witnesses, letters from the authority concerned were addressed to the complainant, for the attention of XXXX; only the complainant was charged with the administrative violations; and Ms. XXXX, as representative of the accused, was questioned as the accused, while all other natural persons were questioned as witnesses.<br />
<br />
1.4. In the penal decision of the authority concerned dated October 23, 2019, GZ DSB-D550.148 / 0017-DSB / 2019, the following is stated, insofar as relevant to the proceedings:<br />
<br />
"Accused: XXXX (FN XXXX)<br />
<br />
The XXXX with its seat in XXXX, XXXX, has [...]<br />
<br />
as the person responsible within the meaning of Art. 4 No. 7 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016, p. 1, is responsible for the following:<br />
<br />
[...]<br />
<br />
The breach of duty is attributed to the legal person "XXXX" because the natural persons responsible for the violations belong to the economic unit that is formed by the person responsible as a legal person.<br />
<br />
[...]<br />
<br />
Reason:<br />
<br />
I. The following facts relevant to the decision are certain on the basis of the evidence procedure carried out: [...]<br />
<br />
1.1. XXXX (hereinafter: XXXX) has been operating the business of address publishers and direct marketing companies since XXXX and sells personal data as part of the “XXXX” product that it receives from address dealers or that it has collected itself.<br />
<br />
[...]<br />
<br />
2.1. As of January 2016, a name allocation of so-called "XXXX" took place within the "Address Publishing and Direct Marketing" division.<br />
<br />
[...]<br />
<br />
3.1. The XXXX transmits personal real data from the XXXX division, namely the XXXX division, to the “Address Publishing and Direct Marketing” division in order to assign the selection criterion of the XXXX to individual people by name and then market it.<br />
<br />
[...]<br />
<br />
4. Regarding the company's internal responsibilities:<br />
<br />
4.1. On the part of the board, XXXX was responsible for the business area of address publishing and direct marketing until XXXX, then XXXX. Below the executive board level, XXXX is responsible as the division manager of the XXXX division; this is the area in which all business activities related to addressed advertising take place. Around 800 employees of XXXX, as well as departments located in outsourced companies and group subsidiaries, report to XXXX. These include the head of the specialist department "XXXX" (short: XXXX, XXXX - the internal term for the specialist area that deals with address and direct marketing), Mr. XXXX. The latter has held this position since XXXX; before that, XXXX was in charge of this department until XXXX. The trade of "address and direct marketing" within the meaning of § 151 GewO is located at XXXX in the "XXXX" department. This department belongs to the area of "XXXX".<br />
<br />
4.2. Within this area, Ms. XXXX is in turn the head of product and quality management; in this capacity, Ms. XXXX is also the commercial manager for the trade of address publishers and direct marketing according to § 151 GewO. Her tasks include product development, process control and answering data protection queries from data subjects. In addition, Ms. XXXX is responsible for coordinating with the data protection officer of XXXX. Ms. XXXX's position is referred to as "data protection manager" within the corporate structure. Ms. XXXX is the company-wide data protection officer for XXXX. In addition, there are the aforementioned data protection managers in each business area.<br />
<br />
4.3. Within XXXX, preparatory measures for the entry into force of the GDPR began in 2017. This project intensified in autumn 2017 and an external, internationally operating consulting company was brought in. These preparatory measures were referred to by XXXX as the GDPR project "Fitness for the GDPR". From December 2017, so-called "steering committees" took place regularly.<br />
<br />
4.4. The project client was the board of directors of XXXX (XXXX). The steering committee itself consisted of the following people:<br />
<br />
- XXXX<br />
- XXXX<br />
- XXXX<br />
- XXXX<br />
- XXXX<br />
- XXXX<br />
- XXXX<br />
- XXXX<br />
- XXXX<br />
- XXXX<br />
- XXXX<br />
<br />
The extended steering committee also included the members of the Board of Management.<br />
<br />
4.5. The project management was the responsibility of the data protection officer of XXXX, Ms. XXXX.<br />
<br />
4.6. So-called project team jour fixes, project management jour fixes each week, steering committee meetings at least monthly and extended steering committee meetings took place every two months, the latter taking place monthly from March 2018. In addition, issues related to specific cases were dealt with in board meetings. XXXX took part in the project management jour fixes.<br />
<br />
4.7. In summary, according to statements by XXXX, the aim of this project was to create the conditions for a holistic implementation of the GDPR through risk-oriented prioritization in several phases. This project order was decided and implemented by the board of directors and the steering committee. A project management team made up of representatives from the legal department and revision was used to implement the project. Regular reports on the progress of the project were made to the board of directors and management.<br />
<br />
4.8. The head of the group-wide legal department of XXXX is XXXX, who is an authorized signatory of XXXX. In this function, she is also responsible for compliance with data protection law throughout the group.<br />
<br />
[...]<br />
<br />
4.9. The respective product responsibility lies with the respective heads of the respective departments. The legal department is involved in legal issues and legally relevant documents (e.g. submissions and applications to authorities and courts) must be approved by the head of the legal department.<br />
<br />
4.10. With regard to the processing of data relating to "party affinities", the department heads, the head of the legal department and the data protection officer did not recognize any legal risk with regard to the entry into force of the GDPR on May 25, 2018; this because - contrary to the company's own practice in the case of requests for information according to Art 15 GDPR - it was assumed that these were not personal data but statistical extrapolations. Ms. XXXX was employed as data protection manager (DSM) in the area of direct marketing; according to the assessment of XXXX, she has expertise in data protection law, and she assessed the data processing as uncritical. As a result, no independent external legal assessment was sought.<br />
<br />
4.11. The data protection officer, Ms. XXXX, did not express any concerns with regard to the legal risk of data processing for the creation and sale of the selection criterion of "party affinities" as part of the preparatory project for the GDPR. The same applies to the head of the group-wide legal department of XXXX.<br />
<br />
4.12. In the entire investigation before the data protection authority, XXXX did not submit any documents from which a detailed legal engagement with and examination of the question could be derived as to whether the data processing in connection with the creation and sale of the selection criterion of "party affinities", within the product range of the business of "address publishing and direct marketing", was in line with the GDPR in view of its entry into force or could be brought into line with it. There are no relevant meeting minutes for the above-mentioned preparatory meetings for the GDPR, as none were prepared by the relevant managers of the departments of XXXX. At the related meetings, PowerPoint presentations were created and individual transcripts were made. Open points were addressed at the next meeting.<br />
<br />
4.13. XXXX products were not discussed as part of the GDPR preparation. According to the head of the legal department, the aim was to provide general information to the board of directors about the GDPR with the mandate that the respective organizational units deal with it and report any necessary changes. Framework conditions were specified such as: the directory of processing activities and regular jour fixes for data protection managers. Regarding the XXXX in relation to party affinities, the assessment was that there was no need to change. A need for change would have been reported to the board; this, for example, if a change would have had an expected impact on sales or there would have been a need for investment.<br />
<br />
[...]<br />
<br />
III. Legally it follows from this:<br />
<br />
[...]<br />
<br />
2.17. [...] Specifically, the subjectively reproachable behavior of the accused consists in the fact that there was no legally detailed and well-founded examination of any legal risks in connection with the product range of this business area in general, and the selection criterion of the alleged party affinities - made available to political groups for a fee - in particular, in light of the strict requirements of the GDPR (more precisely, its definitions of terms, the processing principles in Art. 5 and the processing prohibition in Art. 9 (1)), with the aim of bringing all processing operations in line with data protection requirements.<br />
<br />
In the course of the investigation, neither the data protection officer, nor the head of the legal department (an authorized signatory of the company), nor the head of the "XXXX" division, nor the head of the department for product and quality management within this division (the long-standing commercial manager for the trade under § 151 GewO) was able to provide written evidence from which an appropriate legal analysis of this business area could be derived, one commensurate with the size of the company, the enormous number of data records processed and the large number of potentially affected persons.<br />
<br />
For example, no (albeit internal) legal opinion or a legal problem outline could be submitted that dealt with the legal opinion represented by the accused.<br />
<br />
[...]<br />
<br />
This expresses the subjectively reproachable behavior on the part of the accused; with regard to lawful alternative behavior, the following would have been indicated:<br />
<br />
- The data protection officer should have subjected the product range of the party affinities - but also the other product offerings of the business areas in question in connection with direct marketing - to a detailed examination, using the considerations of the project "Fit for the GDPR" as a basis, if necessary with the consultation of an independent external data protection expert;<br />
<br />
- In the absence of such a check, the head of the legal department and the head of the "XXXX" division should have carried out or initiated such an examination;<br />
<br />
- Ultimately, the board of directors should have initiated such a review with the aim of ensuring that all the business areas of XXXX in question were in compliance with data protection law.<br />
<br />
The omission of all of this is to be regarded as grossly negligent behavior with regard to the scope of the data processing, the number of people affected and the resulting dangers for their legally protected legal positions.<br />
<br />
2.18. In summary, it would have been reasonable for the accused - if only because of its size, its market position, the available knowledge and the available human capacities - to deal substantially with the legal question of the data protection qualification of the party affinities it markets and, as a result, to bring the product range of the "Address Publishing and Direct Marketing" division into line with the legal requirements of the GDPR. The accused can be reproached for the simple assumption that there was no data protection problem, or for the failure to recognize one. [...]<br />
<br />
3. Regarding ruling point II.a):<br />
<br />
[...]<br />
<br />
3.12. Regarding the subjective side of the offense, reference can be made to the relevant reasoning for point I. In summary, it would in any case have been reasonable for the persons responsible at the accused named under point I.4. to deal with the legal question of the data protection admissibility of the (further) processing operations carried out by them and, as a result, to bring the product range of the "Address Publishing and Direct Marketing" division into line with the legal requirements of the GDPR.<br />
<br />
[...]<br />
<br />
6. Re point IV: [...]<br />
<br />
6.2. In the data protection impact assessment, the accused denies the processing of special categories of personal data, in particular potential political opinion, even though "party affinity" is mentioned in Appendix 2D. Consequently, this data item was not included in the assessment.<br />
<br />
6.3. Because the accused comes to the conclusion in the data protection impact assessment that no special categories of personal data within the meaning of Art. 9 GDPR are processed, and the risk assessment within the meaning of Art. c GDPR was therefore carried out incorrectly, the data protection impact assessment "XXXX target group addresses" is incorrect. The accused has thereby fulfilled the objective elements of the sanction norm of Art. 83 Para. 4 lit. a GDPR.<br />
<br />
6.4. The accused can also be subjectively reproached for this violation: it would have been the duty of the data protection officer and the other persons responsible named in point I.4. to make a correct data protection assessment of the data quality in relation to party affinity, to incorporate it into the risk assessment according to Art. 35 (7) GDPR and to draw the necessary conclusions from this. With regard to the degree of fault, it is assumed in this context that the behavior is simply negligent, as the behavior in this regard is a consequence of the general misjudgment of party affinities, according to which these are not to be assigned to the special categories of data listed in Art 9 (1) GDPR.<br />
<br />
7. Regarding the ruling points V. and VI.:<br />
<br />
[...]<br />
<br />
7.6. Due to the inadequate keeping of the record of processing activities, the accused has fulfilled the objective elements of the sanction norm of Art. 83 (4) lit. a GDPR.<br />
<br />
7.7. The accused can also be subjectively reproached for this behavior, since the persons responsible should have ensured compliance with the requirements of a faultless and complete list of processing activities. With regard to point V. grossly negligent behavior is assumed. Failure to list the categories of personal data in sufficient detail is regarded as simply negligent behavior.<br />
<br />
8. Regarding the imputability of the violations to the accused:<br />
<br />
[...]<br />
<br />
8.6. For the present situation, this means the following: the alleged violations are in any case attributable to the accused. They were committed by natural persons who were authorized to act on behalf of the legal person and consequently could act on its behalf. Nor can it be said that those responsible at the accused knew nothing about it; this follows from the comprehensive investigations carried out for this purpose and the resulting findings stated under point I.4. Accordingly, the board of directors, the authorized signatories and all other executives down to the data protection officer were fully aware of all data processing operations, and they were also involved in the project specifically carried out in preparation for the entry into force of the GDPR. Ultimately, it would have been within the competence of the board of directors to ensure that business operations are compatible with the applicable data protection law.<br />
<br />
8.7. In the period of the offense, the acting natural persons belonged to the economic unit formed by the accused. The accused never denied this in the proceedings before the data protection authority.<br />
<br />
8.8. As a result, there is a sufficient connection between the acting natural persons and the legal person, which allows the illegal and culpable behavior to be attributed to them.<br />
<br />
8.9. A specific designation of the natural persons who acted culpably within the accused or who should have been made responsible for the possibly incorrect organization of the accused is not necessary in order to impose a fine on a legal person. [...] "<br />
<br />
1.5. No further statements on the actions of natural persons can be found in the penal decision.<br />
<br />
2. The findings result from the following assessment of evidence:<br />
<br />
The findings are based on the uncontested administrative file.<br />
<br />
3. Legally it follows from this:<br />
<br />
3.1. The admissible complaint is justified.<br />
<br />
3.2. The complainant argues against the conviction that, in order to impose a fine under the GDPR on a legal person such as the complainant, it is not sufficient that the elements of an offense are fulfilled; as a legal person which cannot act itself, the actions of a natural person must also be attributable to it. The authority concerned had omitted this attribution, which must be carried out in accordance with Section 30 DSG. With this argument, the complainant is in the right:<br />
<br />
3.3. According to Section 30 (1) DSG, the authority concerned can impose fines on legal persons, among other things, if violations of provisions of the GDPR have been committed by persons who have acted either alone or as part of a body of the legal person and who hold a management position within the legal person by virtue of the authority to represent the legal person, the authority to make decisions on behalf of the legal person, or a power of control within the legal person.<br />
<br />
Legal persons can also be held responsible in accordance with Section 30 (2) DSG for violations of provisions of the GDPR and of Section 1 or Article 2, main part, if a lack of supervision or control by a person named in paragraph 1 made the commission of these violations by a person acting for the legal person possible, provided that the act does not constitute a criminal offense falling under the jurisdiction of the courts.<br />
<br />
3.4. For the imposition of a fine under the GDPR on a legal person, the findings necessary to assess wrongful, unlawful and culpable behavior, which also meet any additional requirements of criminal liability, must be made in the penal decision, and the verdict must contain all the elements necessary for punishing the natural person (§ 44a VStG), with the addition that the behavior of the natural person is attributed to the legal person. (VwGH 05/12/2020, Ro 2019/04/0229 with reference to VwGH 03/29/2019, Ro 2018/02/0023)<br />
<br />
3.5. Applied to the specific situation, this means:<br />
<br />
3.6. In the verdict of the penal decision, the authority concerned did not name the natural person whose violation of the GDPR is to be attributed to the complainant. The penal decision therefore proves to be unlawful.<br />
<br />
3.7. The administrative court is not permitted to cure this defect. Although the administrative court is entitled and obliged to correct an incorrect verdict and, where necessary, to make any missing findings, it may not substitute the act charged.<br />
<br />
An inadmissible substitution of the charge occurs where the administrative court, in the complaint proceedings, extends the charge or relies on facts other than those on which the penalty was originally based; § 50 VwGVG provides no basis for this. Where the charge is directed against the complainant as a legal person, then, because the legal person's liability depends on the violation by the natural person attributable to it, the charge against the natural person to be named therein is also part of it (on all this, see VwGH 12.05.2020, Ro 2019/04/0229).<br />
<br />
3.8. The authority concerned did not name a natural person, neither in the administrative evidentiary proceedings nor in the verdict, whose conduct was to be attributed to the complainant. Nor does the reasoning of the penal decision, which could be used to interpret the verdict, set out any conduct of a natural person fulfilling the elements of the offence, unlawful and culpable, that was to be attributed to the legal person. It is true that the authority concerned makes findings on various responsibilities; there are, however, no findings as to who ultimately took the decision to carry out the data processing found to be unlawful, or to draw up the data protection impact assessment and the record of processing activities in the manner found to be unlawful, or which lack of supervision or control is said to have made the unlawfulness possible.<br />
<br />
3.9. In the administrative penal proceedings against the legal person, specifying for the first time in the complaint proceedings the natural person for whose conduct the legal person is held liable would therefore constitute an inadmissible change of the charge and of the subject matter of the proceedings within the meaning of § 50 VwGVG.<br />
<br />
3.10. Since the lack of a specific charge constitutes a procedural obstacle to review by the Federal Administrative Court (see Honeder / Praschl-Bischler, Decision on the merits and on the facts in the case of an imprecise verdict in administrative penal proceedings, ZVG 2016, 294), the penal proceedings in question had to be discontinued.<br />
<br />
3.11. The suggestion made by the authority concerned to refer to the ECJ for a preliminary ruling the question whether, for a fine to be imposed under the GDPR, conduct of a natural person fulfilling the elements of the offence, unlawful and culpable, has to be established, was not to be followed. The cited decisions of the French Conseil d'État and of the Bonn Regional Court do not show any inconsistent application of European law in the individual member states:<br />
<br />
Under Art 83(8) GDPR, the procedural rules of the member states must also be observed when imposing fines.<br />
<br />
The requirement, for a fine to be imposed on a legal person, that a natural person whose conduct is attributed to the legal person be specifically named rests on such a procedural provision, namely § 44a Z 1 VStG.<br />
<br />
Under § 44a Z 1 VStG, the act must be described, as regards the perpetrator and the circumstances, so precisely that the conduct can be subsumed under the administrative provision violated with regard to all elements of the offence (VwGH 13.12.2019, Ra 2019/02/0184). Since legal persons cannot act themselves, their liability is a consequence of the acts of a natural person. Where a particular group of natural persons comes into consideration whose conduct could found the liability of the legal person, then according to the case law of the Administrative Court on § 44a Z 1 VStG it is not sufficient to find that some person from that group, for example any manager, committed the act; the person who acted must be specifically identified (see, on § 99d BWG, VwGH 29.03.2019, Ro 2018/02/0023, and on § 30 DSG, VwGH 12.05.2020, Ro 2019/04/0229).<br />
<br />
In proceedings before the ECJ, against the background of the decision of the Bonn Regional Court, should it be confirmed by the highest court, the question could arise whether a substantive provision such as § 30 DSG, which attributes the conduct of natural persons to the legal person to be punished, is compatible with Art 83 GDPR, which is directly applicable in the member states.<br />
<br />
But even if § 30 DSG were not applicable, this would not help the position of the authority concerned. In that case, the attribution of the conduct of natural persons to the legal person would depend on whether, through the acts of one or more natural persons, the legal person qualifies as controller within the meaning of Art 4(7) GDPR or, as the case may be, as processor within the meaning of Art 4(8) GDPR.<br />
<br />
Since, however, according to the case law of the VwGH on § 44a Z 1 VStG the natural person whose conduct is attributed to the legal person must be precisely identified, and a reference to a potential group of possible natural persons would not suffice even if all persons in that group acted for the legal person, it would also be necessary, should § 30 DSG be inapplicable, to specifically name the persons who acted, by virtue of the national procedural law of § 44a Z 1 VStG, which is permissible under European law pursuant to Art 83(8) GDPR.<br />
<br />
Any differing conditions under which fines may be imposed on legal persons in the individual member states are therefore due to the fact that European law permits different procedural rules. The judgments of other member states cited by the authority concerned, which supposedly contradict the relevant decision of the Administrative Court of 12 May 2020, Ro 2019/04/0229, could therefore not show any contradictory application of the GDPR in the individual member states that would have to be clarified by the ECJ.<br />
<br />
3.12. It was therefore to be decided according to the ruling.<br />
<br />
3.13. An oral hearing could be dispensed with in accordance with § 44(2) VwGVG.<br />
<br />
Regarding point B) inadmissibility of the revision:<br />
<br />
Pursuant to § 25a(1) VwGG, the administrative court must state in the verdict of its judgment or decision whether the revision is admissible under Art 133(4) B-VG. This statement must be briefly reasoned.<br />
<br />
The revision is inadmissible because no legal questions of fundamental importance within the meaning of Art 133(4) B-VG had to be resolved. On the question whether, for a fine to be imposed under Art 83 GDPR on a legal person, conduct of a natural person attributable to it that fulfils the elements of the offence and is unlawful and culpable must be established and included in the verdict of the penal decision, and under what conditions such a defect can be cured in administrative court proceedings, the cited case law of the Administrative Court exists.<br />
<br />
<br />
<br />
Catchwords<br />
Annulment of the decision, data protection, data protection officer, data protection authority, data protection procedure, data processing, data transfer, direct advertising, management function, fines, legal person, specification, control, bearing of costs, natural person, affinity for parties, personal data, political party, unlawfulness, criminal proceedings - discontinuation, charge, discontinuation of proceedings, power of representation, administrative penal proceedings, imputability<br />
European Case Law Identifier (ECLI)<br />
ECLI:AT:BVWG:2020:W258.2227269.1.00<br />
In RIS since<br />
02.12.2020<br />
Last updated on<br />
02.12.2020<br />
Document number<br />
BVWGT_20201126_W258_2227269_1_00<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=CTPDA_(Andalusia)&diff=14375
CTPDA (Andalusia)
2021-03-25T19:37:29Z
<p>Hk: /* Annual Reports */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Consejo de Transparencia y Protección de Datos de Andalucía<br />
[[Category:DPA]]<br />
|-<br />
| colspan="2" style="padding: 20px;" |[[File:Logo-ctpda.png|center|250px]]<br />
|-<br />
|Name:||Consejo de Transparencia y Protección de Datos de Andalucía<br />
|-<br />
|Abbreviation:||CTPDA<br />
|-<br />
|Jurisdiction:||[[Data Protection in Spain|Andalusia]]<br />
|-<br />
|Head:||Jesús Jiménez López<br />
|-<br />
|Deputy:||n/a<br />
|-<br />
|Address:||C/ Conde de Ibarra, 18 - 41004 Sevilla, Spain<br />
|-<br />
|Webpage:||https://www.ctpdandalucia.es/<br />
|-<br />
|Email:||[mailto:protecciondedatos.ctpda@juntadeandalucia.es]<br />
|-<br />
|Phone:||+34 671 563 137 - +34 639 486 481<br />
|-<br />
|Twitter:||https://twitter.com/ctpdandalucia<br />
|-<br />
|Procedural Law:||n/a<br />
|-<br />
|Decision Database:||n/a<br />
|-<br />
|Translated Decisions:||[[:Category:CTPDA (Andalusia)]]<br />
|-<br />
|Head Count:||n/a<br />
|-<br />
|Budget:|| € 2 Mio<ref>Report: Informe trimestral de actividad del consejo de transparencia y protección de datos de Andalucía 1/2020, page 24 - https://www.ctpdandalucia.es/sites/default/files/Informe%201er%20Trimestre%202020-Definitivo.pdf</ref> (2020)<br />
|}<br />
<br />
The Andalusian DPA (''Consejo de Transparencia y Protección de Datos de Andalucía'') is the regional Data Protection Authority for the Spanish autonomous region of Andalusia. It is in charge of enforcing the GDPR in the public sector within Andalusia.<br />
<br />
==Structure==<br />
''You can help us by filling in this section!''<br />
<br />
==Procedural Information==<br />
<br />
===Applicable Procedural Law===<br />
''You can help us by filling in this section!''<br />
<br />
===Complaints Procedure under Art 77 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===''Ex Officio'' Procedures under Art 57 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===Appeals===<br />
''You can help us by filling in this section!''<br />
<br />
==Practical Information==<br />
<br />
===Filing with the DPA===<br />
''You can help us by filling in this section!''<br />
<br />
===Known Problems===<br />
''You can help us by filling in this section!''<br />
<br />
===Filing an Appeal===<br />
''You can help us by filling in this section!''<br />
<br />
==Decision Database==<br />
''You can help us by filling in this section!''<br />
<br />
==Statistics==<br />
<br />
===Funding===<br />
''You can help us by filling in this section!''<br />
<br />
===Personal===<br />
''You can help us by filling in this section!''<br />
<br />
===Caseload===<br />
''You can help us by filling in this section!''<br />
<br />
===Fines===<br />
''You can help us by filling in this section!''<br />
<br />
===Annual Reports===<br />
The authority publishes quarterly [https://www.ctpdandalucia.es/publicidad-activa reports], including [https://www.ctpdandalucia.es/publicidad-activa/informacion-economica-financiera-presupuestaria expense reports].<br />
<br />
{{DataProtectionAuthorities}}</div>
Hk
https://gdprhub.eu/index.php?title=CTPDA_(Andalusia)&diff=14374
CTPDA (Andalusia)
2021-03-25T19:30:20Z
<p>Hk: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Consejo de Transparencia y Protección de Datos de Andalucía<br />
[[Category:DPA]]<br />
|-<br />
| colspan="2" style="padding: 20px;" |[[File:Logo-ctpda.png|center|250px]]<br />
|-<br />
|Name:||Consejo de Transparencia y Protección de Datos de Andalucía<br />
|-<br />
|Abbreviation:||CTPDA<br />
|-<br />
|Jurisdiction:||[[Data Protection in Spain|Andalusia]]<br />
|-<br />
|Head:||Jesús Jiménez López<br />
|-<br />
|Deputy:||n/a<br />
|-<br />
|Address:||C/ Conde de Ibarra, 18 - 41004 Sevilla, Spain<br />
|-<br />
|Webpage:||https://www.ctpdandalucia.es/<br />
|-<br />
|Email:||[mailto:protecciondedatos.ctpda@juntadeandalucia.es]<br />
|-<br />
|Phone:||+34 671 563 137 - +34 639 486 481<br />
|-<br />
|Twitter:||https://twitter.com/ctpdandalucia<br />
|-<br />
|Procedural Law:||n/a<br />
|-<br />
|Decision Database:||n/a<br />
|-<br />
|Translated Decisions:||[[:Category:CTPDA (Andalusia)]]<br />
|-<br />
|Head Count:||n/a<br />
|-<br />
|Budget:|| € 2 Mio<ref>Report: Informe trimestral de actividad del consejo de transparencia y protección de datos de Andalucía 1/2020, page 24 - https://www.ctpdandalucia.es/sites/default/files/Informe%201er%20Trimestre%202020-Definitivo.pdf</ref> (2020)<br />
|}<br />
<br />
The Andalusian DPA (''Consejo de Transparencia y Protección de Datos de Andalucía'') is the regional Data Protection Authority for the Spanish autonomous region of Andalusia. It is in charge of enforcing the GDPR in the public sector within Andalusia.<br />
<br />
==Structure==<br />
''You can help us by filling in this section!''<br />
<br />
==Procedural Information==<br />
<br />
===Applicable Procedural Law===<br />
''You can help us by filling in this section!''<br />
<br />
===Complaints Procedure under Art 77 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===''Ex Officio'' Procedures under Art 57 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===Appeals===<br />
''You can help us by filling in this section!''<br />
<br />
==Practical Information==<br />
<br />
===Filing with the DPA===<br />
''You can help us by filling in this section!''<br />
<br />
===Known Problems===<br />
''You can help us by filling in this section!''<br />
<br />
===Filing an Appeal===<br />
''You can help us by filling in this section!''<br />
<br />
==Decision Database==<br />
''You can help us by filling in this section!''<br />
<br />
==Statistics==<br />
<br />
===Funding===<br />
''You can help us by filling in this section!''<br />
<br />
===Personal===<br />
''You can help us by filling in this section!''<br />
<br />
===Caseload===<br />
''You can help us by filling in this section!''<br />
<br />
===Fines===<br />
''You can help us by filling in this section!''<br />
<br />
===Annual Reports===<br />
''You can help us by filling in this section!''<br />
<br />
{{DataProtectionAuthorities}}</div>
Hk
https://gdprhub.eu/index.php?title=CTPDA_(Andalusia)&diff=14373
CTPDA (Andalusia)
2021-03-25T18:20:16Z
<p>Hk: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Consejo de Transparencia y Protección de Datos de Andalucía<br />
[[Category:DPA]]<br />
|-<br />
| colspan="2" style="padding: 20px;" |[[File:Logo-ctpda.png|center|250px]]<br />
|-<br />
|Name:||Consejo de Transparencia y Protección de Datos de Andalucía<br />
|-<br />
|Abbreviation:||CTPDA<br />
|-<br />
|Jurisdiction:||[[Data Protection in Spain|Andalusia]]<br />
|-<br />
|Head:||Jesús Jiménez López<br />
|-<br />
|Deputy:||n/a<br />
|-<br />
|Address:||C/ Conde de Ibarra, 18 - 41004 Sevilla, Spain<br />
|-<br />
|Webpage:||https://www.ctpdandalucia.es/<br />
|-<br />
|Email:||[mailto:protecciondedatos.ctpda@juntadeandalucia.es]<br />
|-<br />
|Phone:||+34 671 563 137 - +34 639 486 481<br />
|-<br />
|Twitter:||https://twitter.com/ctpdandalucia<br />
|-<br />
|Procedural Law:||n/a<br />
|-<br />
|Decision Database:||n/a<br />
|-<br />
|Translated Decisions:||[[:Category:CTPDA (Andalusia)]]<br />
|-<br />
|Head Count:||n/a<br />
|-<br />
|Budget:|| € 2 Mio<ref>Report: Informe trimestral de actividad del consejo de transparencia y protección de datos de andalucía 1/2020, page 24 - https://www.ctpdandalucia.es/sites/default/files/Informe%201er%20Trimestre%202020-Definitivo.pdf</ref> (2020)<br />
|}<br />
<br />
The Andalusian DPA (''Consejo de Transparencia y Protección de Datos de Andalucía'') is the regional Data Protection Authority for the Spanish autonomous region of Andalusia. It is in charge of enforcing the GDPR in the public sector within Andalusia.<br />
<br />
==Structure==<br />
''You can help us by filling in this section!''<br />
<br />
==Procedural Information==<br />
<br />
===Applicable Procedural Law===<br />
''You can help us by filling in this section!''<br />
<br />
===Complaints Procedure under Art 77 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===''Ex Officio'' Procedures under Art 57 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===Appeals===<br />
''You can help us by filling in this section!''<br />
<br />
==Practical Information==<br />
<br />
===Filing with the DPA===<br />
''You can help us by filling in this section!''<br />
<br />
===Known Problems===<br />
''You can help us by filling in this section!''<br />
<br />
===Filing an Appeal===<br />
''You can help us by filling in this section!''<br />
<br />
==Decision Database==<br />
''You can help us by filling in this section!''<br />
<br />
==Statistics==<br />
<br />
===Funding===<br />
''You can help us by filling in this section!''<br />
<br />
===Personal===<br />
''You can help us by filling in this section!''<br />
<br />
===Caseload===<br />
''You can help us by filling in this section!''<br />
<br />
===Fines===<br />
''You can help us by filling in this section!''<br />
<br />
===Annual Reports===<br />
''You can help us by filling in this section!''<br />
<br />
{{DataProtectionAuthorities}}</div>
Hk
https://gdprhub.eu/index.php?title=CTPDA_(Andalusia)&diff=14372
CTPDA (Andalusia)
2021-03-25T18:16:42Z
<p>Hk: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Consejo de Transparencia y Protección de Datos de Andalucía<br />
[[Category:DPA]]<br />
|-<br />
| colspan="2" style="padding: 20px;" |[[File:Logo-ctpda.png|center|250px]]<br />
|-<br />
|Name:||Consejo de Transparencia y Protección de Datos de Andalucía<br />
|-<br />
|Abbreviation:||CTPDA<br />
|-<br />
|Jurisdiction:||[[Data Protection in Spain|Andalusia]]<br />
|-<br />
|Head:||Jesús Jiménez López<br />
|-<br />
|Deputy:||n/a<br />
|-<br />
|Address:||C/ Conde de Ibarra, 18 - 41004 Sevilla, Spain<br />
|-<br />
|Webpage:||https://www.ctpdandalucia.es/<br />
|-<br />
|Email:||[mailto:protecciondedatos.ctpda@juntadeandalucia.es]<br />
|-<br />
|Phone:||+34 671 563 137 - +34 639 486 481<br />
|-<br />
|Twitter:||https://twitter.com/ctpdandalucia<br />
|-<br />
|Procedural Law:||n/a<br />
|-<br />
|Decision Database:||n/a<br />
|-<br />
|Translated Decisions:||[[:Category:CTPDA (Andalusia)]]<br />
|-<br />
|Head Count:||n/a<br />
|-<br />
|Budget:|| 2 Mio (2020)<br />
|}<br />
<br />
The Andalusian DPA (''Consejo de Transparencia y Protección de Datos de Andalucía'') is the regional Data Protection Authority for the Spanish autonomous region of Andalusia. It is in charge of enforcing the GDPR in the public sector within Andalusia.<br />
<br />
==Structure==<br />
''You can help us by filling in this section!''<br />
<br />
==Procedural Information==<br />
<br />
===Applicable Procedural Law===<br />
''You can help us by filling in this section!''<br />
<br />
===Complaints Procedure under Art 77 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===''Ex Officio'' Procedures under Art 57 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===Appeals===<br />
''You can help us by filling in this section!''<br />
<br />
==Practical Information==<br />
<br />
===Filing with the DPA===<br />
''You can help us by filling in this section!''<br />
<br />
===Known Problems===<br />
''You can help us by filling in this section!''<br />
<br />
===Filing an Appeal===<br />
''You can help us by filling in this section!''<br />
<br />
==Decision Database==<br />
''You can help us by filling in this section!''<br />
<br />
==Statistics==<br />
<br />
===Funding===<br />
''You can help us by filling in this section!''<br />
<br />
===Personal===<br />
''You can help us by filling in this section!''<br />
<br />
===Caseload===<br />
''You can help us by filling in this section!''<br />
<br />
===Fines===<br />
''You can help us by filling in this section!''<br />
<br />
===Annual Reports===<br />
''You can help us by filling in this section!''<br />
<br />
{{DataProtectionAuthorities}}</div>
Hk
https://gdprhub.eu/index.php?title=CTPDA_(Andalusia)&diff=14371
CTPDA (Andalusia)
2021-03-25T17:47:27Z
<p>Hk: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Consejo de Transparencia y Protección de Datos de Andalucía<br />
[[Category:DPA]]<br />
|-<br />
| colspan="2" style="padding: 20px;" |[[File:Logo-ctpda.png|center|250px]]<br />
|-<br />
|Name:||Consejo de Transparencia y Protección de Datos de Andalucía<br />
|-<br />
|Abbreviation:||CTPDA<br />
|-<br />
|Jurisdiction:||[[Data Protection in Spain|Andalusia]]<br />
|-<br />
|Head:||Jesús Jiménez López<br />
|-<br />
|Deputy:||n/a<br />
|-<br />
|Address:||C/ Conde de Ibarra, 18 - 41004 Sevilla, Spain<br />
|-<br />
|Webpage:||https://www.ctpdandalucia.es/<br />
|-<br />
|Email:||[mailto:protecciondedatos.ctpda@juntadeandalucia.es]<br />
|-<br />
|Phone:||+34 671 563 137 - +34 639 486 481<br />
|-<br />
|Twitter:||https://twitter.com/ctpdandalucia<br />
|-<br />
|Procedural Law:||n/a<br />
|-<br />
|Decision Database:||n/a<br />
|-<br />
|Translated Decisions:||[[:Category:CTPDA (Andalusia)]]<br />
|-<br />
|Head Count:||n/a<br />
|-<br />
|Budget:||n/a<br />
|}<br />
<br />
The Andalusian DPA (''Consejo de Transparencia y Protección de Datos de Andalucía'') is the regional Data Protection Authority for the Spanish autonomous region of Andalusia. It is in charge of enforcing the GDPR in the public sector within Andalusia.<br />
<br />
==Structure==<br />
''You can help us by filling in this section!''<br />
<br />
==Procedural Information==<br />
<br />
===Applicable Procedural Law===<br />
''You can help us by filling in this section!''<br />
<br />
===Complaints Procedure under Art 77 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===''Ex Officio'' Procedures under Art 57 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===Appeals===<br />
''You can help us by filling in this section!''<br />
<br />
==Practical Information==<br />
<br />
===Filing with the DPA===<br />
''You can help us by filling in this section!''<br />
<br />
===Known Problems===<br />
''You can help us by filling in this section!''<br />
<br />
===Filing an Appeal===<br />
''You can help us by filling in this section!''<br />
<br />
==Decision Database==<br />
''You can help us by filling in this section!''<br />
<br />
==Statistics==<br />
<br />
===Funding===<br />
''You can help us by filling in this section!''<br />
<br />
===Personal===<br />
''You can help us by filling in this section!''<br />
<br />
===Caseload===<br />
''You can help us by filling in this section!''<br />
<br />
===Fines===<br />
''You can help us by filling in this section!''<br />
<br />
===Annual Reports===<br />
''You can help us by filling in this section!''<br />
<br />
{{DataProtectionAuthorities}}</div>
Hk
https://gdprhub.eu/index.php?title=File:LogoES.jpg&diff=13965
File:LogoES.jpg
2021-03-10T17:24:19Z
<p>Hk: </p>
<hr />
<div></div>
Hk
https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9529527&diff=13587
Garante per la protezione dei dati personali (Italy) - 9529527
2021-02-07T01:34:03Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Italy<br />
|DPA-BG-Color=background-color:#095d7e;<br />
|DPAlogo=LogoIT.png<br />
|DPA_Abbrevation=Garante per la protezione dei dati personali<br />
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)<br />
<br />
|Case_Number_Name=9529527<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Garante per la Protezione dei Dati Personali<br />
|Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9529527<br />
|Original_Source_Language_1=Italian<br />
|Original_Source_Language__Code_1=IT<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=17.12.2020<br />
|Date_Published=27.01.2021<br />
|Year=2020<br />
|Fine=100000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 13 GDPR<br />
|GDPR_Article_Link_2=Article 13 GDPR<br />
|GDPR_Article_3=Article 14 GDPR<br />
|GDPR_Article_Link_3=Article 14 GDPR<br />
|GDPR_Article_4=Article 28 GDPR<br />
|GDPR_Article_Link_4=Article 28 GDPR<br />
|GDPR_Article_5=Article 30 GDPR<br />
|GDPR_Article_Link_5=Article 30 GDPR<br />
|GDPR_Article_6=Article 35 GDPR<br />
|GDPR_Article_Link_6=Article 35 GDPR<br />
|GDPR_Article_7=Article 83(1) GDPR<br />
|GDPR_Article_Link_7=Article 83 GDPR#1<br />
|GDPR_Article_8=Article 83(2) GDPR<br />
|GDPR_Article_Link_8=Article 83 GDPR#2<br />
|GDPR_Article_9=Article 83(4)(a) GDPR<br />
|GDPR_Article_Link_9=Article 83 GDPR#4a<br />
|GDPR_Article_10=Article 83(5)(b) GDPR<br />
|GDPR_Article_Link_10=Article 83 GDPR#5b<br />
<br />
<br />
<br />
|Party_Name_1=Azienda Unità Sanitaria Locale Toscana Sud Est<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=AS<br />
|<br />
}}<br />
<br />
The Italian DPA imposed a fine of 100,000 euros on a local public health body for the violation of several GDPR provisions. The data processing involved the sharing of patients' data across several health care stakeholders.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The case involves the processing of citizens' health data by Azienda Unità Sanitaria Locale Toscana Sud Est (hereafter simply 'USL'), a local public health body, as part of a broader initiative of the Tuscany Region for the monitoring of chronic diseases in the population. The facts, as they emerged from an initial notice received from a general practitioner (hereafter 'GP'), the subsequent investigation by the Italian DPA, and the information provided by the public body, read as follows.<br />
<br />
In the context of the above-mentioned public health approach, health data was shared among several public healthcare stakeholders, including general practitioners (GPs) and public clinics, coordinated by the USL. Initially, GPs sent the USL only aggregated data pertaining to specific diseases. From 2018, however, the USL asked GPs to fill in an Excel file with the names of the patients and their pathologies. After having gathered patients' consent, GPs filled in the file, embedded it in a password-protected zip archive, and handed it to 'district physicians' on a USB stick. The file was then copied onto the district physician's PC and sent via email to the district physician competent for the whole area, who in turn sent it by the same means to an administrative body named 'ESTAR'. ESTAR is a data processor which manages a 'data warehouse' and makes the data from the programme available to the USL, for monitoring purposes, via a 'data mart'. Before entering the data warehouse, the data were pseudonymised using an existing regional identifier.<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
As a result of the investigation, the Garante found several violations of the GDPR.<br />
Firstly, the USL had not documented its processing activities as required by Article 30 GDPR, despite the two years between the adoption of the GDPR and the date it became applicable.<br />
Secondly, the legal designation of ESTAR as data processor was not clear and detailed enough to comply with Article 28 GDPR (nor with Article 29 of the Italian 'Privacy Code' implementing the Data Protection Directive, which was in force at the time of the initial designation).<br />
Thirdly, the process for collecting data from GPs did not provide for sufficient technical and organisational measures, and was not designed following a risk-based approach. According to the Garante, the means used to gather and share data across the different stakeholders did not follow the security principle of Article 5(1)(f) GDPR (ed.: the decision actually reads 5(2)(f)), and the Garante highlighted 'the absence of an assessment of the risks related to the data processing that should have been carried out in the context of the impact assessment, which does not appear to have been carried out'.<br />
Moreover, the information given to data subjects lacked 'some of the essential elements required by the regulation' under Articles 13 and 14 GDPR, such as: data retention periods, information about data subjects' rights, contact details of the data controller and data processor, a clear description of the data processing and its legal basis. Again, the Italian DPA stressed that such requirements preceded the entry into force of the GDPR.<br />
Finally, the Garante found that, despite the nature of the data processed and the number of data subjects involved, no DPIA had been carried out for the data processing, and that this is particularly critical since 'some evident shortcomings concerning the adoption of adequate security measures could have been avoided if the risk of processing had been adequately assessed.'<br />
The Italian DPA then declared the processing carried out by the USL unlawful 'on the ground that it infringes Articles 5(2)(f), 13, 14, 28, 30, 32 and 35 of the Regulation.'<br />
<br />
Since the beginning of the investigation, the USL had proceeded to remedy the violations of Articles 13, 14, 28, and 30. Given this, and the fact that it had also gone back to gathering only anonymous data from GPs, the Garante found that 'the conditions for the adoption of the corrective measures referred to in Article 58(2) of the Regulation are not met'. The Authority then imposed an administrative fine on the USL under Articles 83(5)(b) and 83(4)(a) GDPR.<br />
<br />
The elements considered to determine the amount of the fine are the following: the fact that the Garante only received one report about the infringement, and that no data breach was reported; the fact that the data processing involved health data; the lack of risk-assessment, security measures, and records of processing activities, which are part of the accountability principle as per Article 5(2) GDPR; the fact that the USL showed ‘a high degree of cooperation’; the fact that regional authorities initiated a process to properly regulate the whole health care initiative. For these reasons, the Garante found an administrative fine of 100,000 Euros to be effective, proportionate, and dissuasive. Finally, the DPA stated that ‘in quantifying the fine, the Garante took into particular consideration the fact that the violations are connected to a processing operation that started shortly before the definitive application of the Regulation.’<br />
<br />
Interestingly, despite having found violations of several articles, the Garante stated that the fine was due to the violation of ‘Articles 13 and 28 GDPR.’<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.<br />
<br />
<pre><br />
[doc. web n. 9529527]<br />
<br />
Injunction order against the Local Health Unit of Tuscany South East - 17 December 2020<br />
<br />
Record of measures<br />
n. 278 of December 17, 2020<br />
<br />
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA<br />
<br />
AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;<br />
<br />
HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the "Regulation");<br />
<br />
HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, containing the "Code on the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" (hereinafter the "Code");<br />
<br />
HAVING REGARD TO Regulation no. 1/2019 on internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and on www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");<br />
<br />
HAVING REGARD TO the documentation on file;<br />
<br />
HAVING REGARD TO the observations made by the Secretary General pursuant to Article 15 of the Guarantor's Regulation no. 1/2000 on the organisation and functioning of the Office of the Guarantor for the protection of personal data, doc. web no. 1098801;<br />
<br />
Rapporteur: Prof. Ginevra Cerrina Feroni;<br />
<br />
WHEREAS<br />
<br />
1. The violation of personal data and the preliminary investigation<br />
<br />
As part of the investigation opened following a report from a general practitioner concerning the "initiative healthcare" care model adopted by the USL Toscana Sud Est (hereinafter the Company), and in the light of the information the Company provided at the Office's request (note of 13 July 2018, prot. no. 21012; reply of 24 August 2018), an inspection was carried out at the Company on 27 November 2018 to verify compliance with the rules on the protection of personal data, with particular reference to the processing of special categories of data carried out in the context of the so-called "initiative healthcare".<br />
<br />
During that inspection, it was found that:<br />
<br />
- the care model of the so-called "initiative healthcare", followed throughout Tuscany, is based on offering services in advance to certain categories of patients in order to prevent morbid events. The model involves various actors of the regional health service, in particular general practitioners (GPs) and the clinics of the local health authorities (integrated clinical networks), who act as independent data controllers under the organisational coordination of the territorially competent health authority. It is set in motion by the GP, who, in the so-called "enrolment phase", selects among his or her patients those affected by chronic conditions identified at regional level (e.g. diabetes, heart failure) and offers them an Individual Assistance Plan (PAI), consisting of a calendar of services closely tied to the conditions the patient suffers from. A patient who decides not to join the plan can still use the services offered by the regional health service and take part in prevention campaigns;<br />
<br />
- the initiative healthcare model promoted by the Company has been organised differently over time. In a first phase, which ended in 2017, the GPs sent the Company only the total number of patients enrolled for each of the chronic conditions indicated (e.g. diabetes). If the total number of patients enrolled diverged significantly from the regional average (check of the plausible number against prevalence), the Company carried out random checks as part of its supervisory functions. From 2018, it was instead decided to expand the range of information the GPs had to send to the Company under the initiative healthcare model. To this end, the Company sent each GP the updated list of his or her patients as an Excel table (in a zip file with a password required to open it). Subject to specific informed consent from the data subjects (on file), the GPs returned the list to the Company after marking, next to the name of each patient, the presence of one or more of the conditions for which the patient was to be enrolled;<br />
<br />
- the sending of these data by the GPs was a condition for the doctor to receive a portion of the funding provided for by the collective agreements (meeting prevalence targets);<br />
<br />
- the legal basis for the communication of special categories of personal data from the GPs to the Company was identified in the consent of the data subject and in form no. 7, Annex B) to the Tuscany Region's Regulation on the processing of sensitive and judicial data;<br />
<br />
- for the purposes of enrolment, the GPs queried their own databases to select the individual patients affected by the conditions indicated by the Company. Once the patients to be enrolled had been identified, the GP proposed an individual assistance plan (PAI) to them at the first contact or through an active recall;<br />
<br />
- until 2018, the GP communicated to the Company only the total number of PAIs activated and the overall number of specialist services that the Company would subsequently have to guarantee on the basis of the activated PAIs;<br />
<br />
- a new procedure was subsequently adopted which, unlike in the past, provided for sending the names of the enrolled patients (rather than just their total number). Under this procedure, the GPs saved the Excel table with the data of the enrolled patients on a removable medium they owned (a pen drive) and handed it to the district doctor, who saved the Excel file on his own PC and returned the removable medium to the GP. The district doctor then sent the file by e-mail to the district doctor responsible for the provincial area, who in turn forwarded the Excel files received from the various district doctors by e-mail to the Regional Administrative Technical Support Body (ESTAR), attached as a zip file with a password required to open it (message on file). No loss or theft of the removable media used by the GPs to communicate the data of enrolled patients to the Company has been reported;<br />
<br />
- ESTAR was designated by the Company as external data processor in 2016 (Prot. 0142457 of 3 October 2016, on file). At the time of the inspection, the Company, within the regional privacy working group attended by representatives of the other health authorities of the Tuscany Region, was revising this designation in order to comply with the new provisions of the Regulation;<br />
<br />
- ESTAR, after receiving the Excel files from the district doctors responsible for the provincial areas, consolidated the information and loaded it into a company data warehouse. ESTAR then made available to the Company a data mart on the progress of the enrolment process, by condition and by doctor, which allowed the Company to perform the prevalence calculation mentioned above (check of the plausible number against prevalence);<br />
<br />
- when ESTAR loaded the data into the data warehouse, the directly identifying data (name and surname) were removed and each enrolled patient was associated with the unique regional code also used to fulfil reporting obligations towards the Region and the Ministry of Health. The monitoring, evaluation, management and control activities carried out by the Company on the data warehouse are those described in form no. 39, Annex B) to the Tuscany Region's Regulation on the processing of sensitive and judicial data. Authorised Company employees could access the data warehouse using specific authentication credentials;<br />
<br />
- the data described above were not transmitted to the Tuscany Region;<br />
<br />
- with regard to the processing described above, the Company had not carried out a data protection impact assessment pursuant to Article 35 of the Regulation;<br />
<br />
- furthermore, the retention period for the data collected by the doctors and the Company through the initiative healthcare projects had not been defined;<br />
<br />
- as of the date of the inspection (27 November 2018), the register of processing activities referred to in Article 30 of the Regulation existed only in a draft version.<br />
<br />
By e-mail of 3 December 2018, the Company supplemented the documentation acquired during the inspection by sending a copy of the register of processing activities adopted on 30 November 2018 pursuant to Article 30 of the Regulation.<br />
<br />
In relation to the results of the investigation, the Office, by deed no. 10618 of 27 March 2019, notified the USL Toscana Sud Est, pursuant to Article 166(5) of the Code, of the initiation of the procedure for the adoption of the measures referred to in Article 58(2) of the Regulation, inviting the controller to submit defence briefs or documents to the Guarantor or to ask to be heard by the Authority (Article 166(6) and (7) of the Code; Article 18(1) of Law no. 689 of 24 November 1981).<br />
<br />
In that deed, the Office set out in particular that:<br />
<br />
- the Italian legal system contains no specific definition or rules for so-called "initiative healthcare / initiative medicine". Nevertheless, the term appears in numerous policy and planning documents of the Ministry of Health and the Regions. Those documents show that "initiative medicine" means a care model oriented towards the "active promotion" of the health of the individual, especially if suffering from chronic diseases or disabilities, and towards empowering people in their own care pathway (source: Ministry of Health http://www.salute.gov.it/portale/temi/p2_6.jsp?id= 496 & area = Primary care% 20 & menu = care; see, among many references, Ministry of Health, General Assembly of the Superior Health Council, "Telemedicine - national guidelines", 10 July 2012, para. 2.3.2; Decree no. 70 of 2 April 2015 - Regulation defining the qualitative, structural, technological and quantitative standards for hospital care; Agreement between the Government, the Regions and the Autonomous Provinces of Trento and Bolzano on the project lines for the use by the Regions of the earmarked resources pursuant to Article 1(34) and (34-bis) of Law no. 662 of 23 December 1996 for the achievement of priority objectives of national importance for the year 2014);<br />
<br />
- as noted in the inspection report, on the basis of an initiative promoted by the Company, the GPs selected among their patients those affected by certain chronic conditions identified at regional level (e.g. diabetes, heart failure) (so-called enrolment phase) and offered them individual assistance plans (PAI), consisting of a personalised calendar of services according to the conditions suffered. Initially, the doctors communicated to the Company only the total number of patients enrolled. From 2018, on the other hand, the GPs, on the Company's instructions, compiled an Excel file containing the details of the patients enrolled with each doctor, indicating, for the enrolled patients only, the presence of one or more of the conditions for which a PAI was to be offered (data in the table: name, surname, date of birth and tax code of the patient);<br />
<br />
- the adoption of this procedure led to the collection and processing of health data in order to create, with reference to specific conditions, a health risk profile of the data subject, and thus constituted processing by the GP separate from the main processing aimed at the patient's care (based, at the time of the facts, on informed consent) and, from 2018, processing by the Company of personal data concerning patients' health, based on the consent of the data subject acquired through the form entitled "European Regulation for the protection of individuals with regard to the processing of personal data (no. 2016/679 GDPR) - Information pursuant to Articles 13 and 14 of the Regulation" (on file), created by the Company as data controller and provided to the GPs to be given to the patient upon enrolment;<br />
<br />
- in the light of the nature of the data processed and the number of data subjects, the processing described above, carried out by the Company since 2018, falls within the cases in which the controller cannot omit a data protection impact assessment, under the provisions of the GDPR and the criteria identified by the Article 29 Working Party in its "Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is 'likely to result in a high risk' for the purposes of Regulation 2016/679" (WP 248, adopted in revised form on 4 October 2017; see also the free software downloadable from the CNIL website, www.cnil.fr (https://www.cnil.fr/fr/outil-pia-telechargez-et-installez-le-logiciel-de-la-cnil), which offers a guided path to carrying out a DPIA in the sequence indicated by WP29 in the DPIA Guidelines). In this regard, it was acknowledged that the assessment had not been carried out because the project had been started before the date of full application of the Regulation;<br />
<br />
- the processing under investigation, not being strictly necessary for the care purposes pursued by the various controllers involved, was correctly carried out after obtaining the informed consent of the data subject (Articles 9(2)(a) and (h), 13 and 14 of the Regulation). The informed consent form acquired during the inspection, relating to the processing carried out by the Company in the context of initiative healthcare, nevertheless lacked some of the information required by Articles 13 and 14 of the Regulation, such as: the retention period of the personal data, the rights granted to data subjects by the Regulation, the right to lodge a complaint with the supervisory authority, and the contact details of the controllers and of the data protection officer. Furthermore, the information form did not give clear indications regarding the processing carried out by the Regional Health Agency "for the purposes of monitoring and assessing the quality of care", in particular as regards the legal basis of that processing;<br />
<br />
- at the time of the inspection, the Company had not yet adopted a register of its processing activities (pursuant to Article 30 of the GDPR), which was formalised only subsequently, on 30 November 2018;<br />
<br />
- with specific reference to the procedure, adopted from 2018, for sending the names of the patients enrolled by the GPs, the Company should have put in place adequate technical and organisational measures to ensure a level of security appropriate to the risk, which may include, among others, pseudonymisation, encryption of personal data and measures capable of ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services. The processing methods found during the inspection (the GPs saving the Excel table on a removable medium - a pen drive - they own; handing the medium to the district doctor; saving the Excel file on the district doctor's PC and sending it, as an e-mail attachment, to the district doctor responsible for the provincial area; the latter then sending the files received from all the district doctors to ESTAR, attached to an e-mail message as a zip file with a password required to open it) do not respect the principle of integrity and confidentiality and do not guarantee the security of the processing (Articles 5(2)(f) and 32 of the Regulation);<br />
<br />
- the designation of ESTAR as data processor, produced at the time of the inspection (Prot. 0142457 of 3 October 2016) and covering all the processing activities carried out by that body on behalf of the Company, was unsuitable with respect to Article 28 of the Regulation, since it did not set out in detail the specific tasks assigned and did not give precise instructions for the multiple processing operations carried out by the body, including those relating to initiative medicine.<br />
<br />
In the deed of 12 March 2019, the Office therefore found that the Company had processed the personal data of the data subjects who joined the "initiative healthcare" model in breach of:<br />
<br />
- the right of data subjects to receive, at the time of data collection, all the information referred to in Articles 13 and 14 of the Regulation;<br />
<br />
- the controller's obligations regarding the data protection impact assessment pursuant to Article 35 of the Regulation;<br />
<br />
- the controller's obligations to comply with the basic principles of processing referred to in Article 5(2)(f) of the Regulation and the security of processing referred to in Article 32 of the Regulation;<br />
<br />
and, more generally, with reference to all the processing carried out by the Company, in breach of:<br />
<br />
- the obligation to keep the register of processing activities pursuant to Article 30 of the Regulation;<br />
<br />
- the controller's obligations regarding the proper designation of ESTAR as data processor pursuant to Article 28 of the Regulation, with precise identification of the tasks and instructions for the multiple processing operations carried out by that body on behalf of the Company.<br />
<br />
By note of 22 May 2019, the Company asked to be heard by the Authority and sent its defence briefs, in which it stated in particular that:<br />
<br />
a) "in the months following July 2018, there were no further transmissions by the GPs to this Company of lists containing personal data of the patients enrolled in 2018 (with the sole exception of the territorial area of Siena, where some data were transmitted on 4 September due to the absence of the district doctor in charge), and to date the new data collection procedure for 2019 has not yet been started";<br />
<br />
b) it was established that "for 2019, GPs will communicate the data in aggregate and anonymous form, indicating only the total number of patients enrolled for the various chronic conditions identified, without their names or any other personal data";<br />
<br />
c) it was decided to "start the activities for the adoption, also at ESTAR, of specific organisational, technical and security measures (...) aimed at limiting any form of use or processing of the personal data of the enrolled patients contained in the lists acquired in 2018";<br />
<br />
d) the intention to "start the activities necessary for the deletion of the copies of the aforementioned personal data held by this Company's district doctors";<br />
<br />
e) with specific reference to the information to be provided to data subjects, "following the inspection (...) the new information and consent forms relating to the processing of personal data of patients who intend to confirm or give their adherence to the initiative healthcare model for 2019 (...) (have been prepared) and will shortly be made available to the GPs together with the communication of the operating instructions that this Company will issue for carrying out the initiative healthcare activities for 2019. These instructions will also provide that participating doctors must communicate to the Company only the aggregate data on the total number of patients enrolled for each of the pathways identified". "In this period of transition from the old to the new regime, as is well known, the previous provisions of Legislative Decree no. 196/2003 on information, as well as on consent and the other conditions of lawfulness of processing, both general and specific to the health sector (...), so it seems reasonable to consider that, also in view of the regulatory uncertainty, the information and consent forms prepared in the first months of 2018 may not yet have been fully aligned with the new provisions of the Regulation";<br />
<br />
f) with specific reference to the register of processing activities, "at the time of the inspection on 27 November 2018 (...) this Company had a version of the processing register still in progress, covering the processing common to territorial and hospital authorities and resulting from the work carried out within the regional working group of the bodies and authorities of the regional health service, and then completed and formally adopted the final version of the register, with the integration of the further processing operations specific to the Company, on the following 30 November";<br />
<br />
g) with specific reference to the designation of ESTAR as data processor, the "Company had in any case conferred on ESTAR the designation and obligations of data processor pursuant to the former Article 29 of the Privacy Code, according to the template prepared by the Tuscany Region, which already contained various elements corresponding in substance to those provided for by Article 28 of the Regulation" and "on 13 November 2018 (i.e. before the inspection), this Company had already resolved to proceed with the signing of the new template, which was then formalised at the end of the year (in any case before the notification of the alleged violation)";<br />
<br />
h) with specific reference to the impact assessment, the "Company did not consider it necessary at the time to carry out an impact assessment, since the processing activity in question had in any case been configured and started before the Regulation became applicable". The "Company had indicated its intention to carry out an impact assessment instead with regard to possible technological developments of the procedure for sending the data in question through a platform technically managed by ESTAR, also in the light of the measure published by this Authority in that period containing the list of types of processing subject to the impact assessment requirement pursuant to Article 35(4) of the Regulation";<br />
<br />
i) with specific reference to the controller's security obligations, the "remarks made in relation to the procedure followed in 2018 are now to be considered superseded in the light of (...) this Company's decision to provide for GPs to communicate only aggregate and anonymous data on the total number of patients enrolled for the pathways indicated, and to adopt specific measures aimed at making the previously collected data unusable", and that "there were moreover no losses, thefts or other security incidents resulting from the procedure described above in the limited period in which it was applied, although it can certainly be improved in order to raise security levels";<br />
<br />
On 3 February 2020, the Company waived the hearing and supplemented the documentation on the processing in question, describing the further activities carried out under the so-called "initiative healthcare" and noting in particular that:<br />
<br />
a) it was established that "each GP, as data controller, at the time of first contact with the patient to confirm adherence or to carry out a new enrolment in the "initiative healthcare" care model (therefore both for patients already enrolled in 2018 and for those enrolled in 2019), provides the information notice to the data subject and obtains his or her consent on the basis of the new forms prepared by the Company";<br />
<br />
b) it was established that "communications from the GPs participating in initiative healthcare to the Company concern only the total number of patients enrolled for the various chronic conditions identified, without their names or any other personal data";<br />
<br />
c) "as regards the names of the enrolled patients in the lists transmitted by the GPs in 2018 and held by the district doctors employed by this Company, this Company has in any case also obtained from the latter a formal written attestation of the deletion of every copy of those data, confirming what is stated in point 2, second paragraph, third line, of the defence briefs. In this regard, the attestations received are kept in this Company's records and can be made available to the Office if deemed necessary";<br />
<br />
d) "the Tuscany Region, in view of the importance of the care model called "initiative healthcare", has activated the institutional process for incorporating a complete set of rules for this innovative care modality into regional legislation".<br />
<br />
2. Outcome of the investigation.<br />
<br />
The investigation carried out by the Office and the subsequent preliminary activity concerned the processing of personal data carried out by the Azienda USL Toscana Sud Est within the scope of the so-called "Sanità di iniziativa" care model.<br />
<br />
Although this model is not regulated by any national legislation, since 2009 it has constituted a reference organisational-assistance model at regional level, which has had - over time - different forms and application names (e.g. chronic care model). These models have been created in order to favour "a methodological approach to the taking charge of and the process of caring for the patient" which translates into an "active and periodic recall of the patient in order to subject him or her to educational and clinical care activities aimed at correcting lifestyles, empowermenting, and early diagnosis" (statements in the documents on file). The care model described in the documents on file foresees the involvement of different holders of the treatment, who intervene at different times and for the achievement of specific aims. A central role is attributed to the GP, who is called to carry out the phase of enrolment of the patients and that of monitoring the individual patient regarding the adherence to the proposed care model.<br />
<br />
This organisational model of care has been promoted, at a regional level, with some resolutions of the Region of Tuscany (cf. DGRT nos. 650/2016 and 930/2017), but each health authority has started it operationally, on its own initiative in the territorial area of competence, since 2017, coordinating the activities of the GPs and providing them with organisational indications on the procedures and the timing of the proposed model of care.<br />
<br />
In this context, the local health authority also created the models containing the information to be provided to the interested parties, for the processing of personal data carried out by the same in the context of initiative healthcare, providing that the GPs would submit them to the patients to be enrolled.<br />
<br />
The preliminary investigation carried out by the Office concerned the activities carried out by the Company within the framework of the processing carried out through the implementation of the care model described above. From what emerged during the preliminary investigation, in the first phase, the Health Authority, in carrying out the aforementioned coordination activities, did not process personal data of the patients who adhered to the aforementioned model of initiative-based healthcare. From the beginning of 2018 and until September of the same year, due to the change in the way in which the activities connected to the implementation of this healthcare model were carried out, the Health Authority, on the basis of the consent of the data subject, instead processed personal data of the patients enrolled in its capacity as data controller for the purposes of monitoring, evaluation and quality of the care provided through the "initiative healthcare" healthcare model (see Model Information Notice in the file).<br />
<br />
As a result of the preliminary investigation carried out by the Office and of the critical points that emerged, the Company declared that, in order to achieve the aforementioned purposes, in future it would only use aggregated and anonymous information on patients that was provided by the GPs.<br />
<br />
Having taken note of what has been represented by the Company in the documents on file and in the defence briefs, it is noted that:<br />
<br />
1. at the time of the inspection, the Company had not yet adopted, for all the processing operations carried out by it, the register of processing activities required by Article 30 of the Regulation, which was adopted only on 30 November 2018. The keeping of the register is an essential element for the governance of processing operations and for the effective identification of those at greater risk. The Company was obliged to adopt the aforementioned register on the date of full application of the Regulation (25 May 2018), since the exemption from keeping the register provided for by the Regulation does not apply in the presence of even just one of the elements indicated in Article 30(5) (processing that presents a risk for the rights and freedoms of the data subject, processing that is not occasional, processing that includes special categories of data referred to in Article 9 or data relating to criminal convictions and offences), which are undoubtedly present in the case under consideration. It must also be borne in mind that the provisions of the Regulation had already been in force since 25 May 2016 and that the two years that elapsed before their full application were to be used by data controllers to adapt their processing to the provisions of the Regulation;<br />
<br />
2. the appointment of ESTAR as data controller, made by act of 3 October 2016 with reference to the complexity of the processing operations carried out by that body on behalf of the Company, was unsuitable with regard to the provisions of Article 28 of the Regulation but also with regard to the provisions of Article 29 of the Code, in force at the time of the adoption of the appointment. The act, in fact, does not indicate in detail the tasks assigned to ESTAR in relation to the many treatments carried out by the body, including those relating to initiative medicine (processing of personal data of patients in Excel files compiled by district doctors referring to provincial areas, consolidation of such information, inclusion of the same in a company data warehouse and creation of a data mart relating to the progress of the enrolment process by pathology and by doctor, which allowed the Company to carry out the above-mentioned prevalence calculation) and, consequently, does not include specific instructions, in relation to the multiplicity of treatments carried out by ESTAR on behalf of the Health Company (art. 29 of the Code, in force at the time of the designation and Article 28 of the Regulation, in force at the time of the inspection). The Company renewed ESTAR's designation as data controller by deed dated 27 December 2018;<br />
<br />
3. with reference to the procedure, adopted as of 2018, for sending the named data of enrolled patients by GPs to the Company, the Company has not put in place adequate technical and organisational measures to ensure a level of security proportionate to the risk. The methods described above, ascertained in the course of the inspection (saving by the GPs of the Excel table on a removable support (pen drive) owned by them, delivery of the support to the district doctor, saving of the file on the district doctor's PC and sending of the same, attached to an e-mail, to the district doctor responsible for the provincial area, and subsequent sending by the latter to ESTAR of the files received from all the district doctors, attached to an e-mail message in zip format with a password for opening) do not in fact comply with the principles and criteria of security described by Articles 5(2)(f) and 32 of the Regulation. These methods of processing highlight the absence of a risk assessment of the processing that should have been carried out in the context of the impact assessment, which does not appear to have been carried out;<br />
<br />
4. the information model called "European Regulation for the protection of individuals with regard to the processing of personal data (No 2016/679 GDPR) - Information pursuant to Art. 13 and 14 of the Regulation" produced by the Company, in its capacity as data controller for the purposes of monitoring, evaluation and quality of the care provided through the "Health initiative care model", and provided to GPs so that it could be made available to patients at the time of enrolment, lacks some of the essential elements required by the regulations in force at the time of enrolment, such as: the period of retention of personal data, the rights recognised by the Regulation to data subjects, the right to lodge a complaint with the Supervisory Authority and the contact details of the data controllers and the data protection officer. Moreover, the above-mentioned model information notice did not provide clear indications concerning the processing carried out by the Regional Health Agency 'for purposes of monitoring and evaluating the quality of care', with specific reference to the indication of the legal basis of the processing. Although these models were prepared by the Regional Health Agency prior to the date of full application of the Regulation, they refer to a collection of data that took place during the period of application of the European discipline, which, moreover, is mentioned in the header of the model. It should also be pointed out that these models are also devoid of some of the essential elements that were already provided for by the previous regulation (art. 13 of the Code), such as: the rights of the data subjects and precise indications on the role of the Regional Health Agency. Moreover, it should be noted that the above-mentioned model did not make any reference to other sources (e.g. websites of the various owners involved) for the acquisition of the missing information;<br />
<br />
5. in light of the nature of the data processed and the number of data subjects, the processing carried out by the Company in 2018, with reference to the health initiative, falls within the cases for which the data controller cannot disregard a data protection impact assessment. In this respect, however, it was ascertained that the Company had not carried out the required impact assessment pursuant to Article 35 of the Regulation. In this respect, it should be noted that, although the processing operations started before the full application of the Regulation, the impact assessment was in any case necessary since they were carried out also during the period of full application of the Regulation. As stated above, some obvious shortcomings relating to the adoption of adequate security measures could have been avoided if the risk of processing had been adequately assessed. In this regard, it is noted that in future the transmission of data to the Company by the GPs will concern exclusively anonymous information.<br />
<br />
Finally, with specific reference to the processing of personal data carried out in the context of the so-called initiative medicine models, it should be noted that the Garante recently issued an opinion to the Council of State stating that such models are often linked to a profiling of the patients (so-called "stratification" activity) that requires an adequate legal basis with the characteristics required by the European Regulation (art. 6, par. 3) (Opinion to the Council of State on the new methods of distribution of the health fund between the regions proposed by the Ministry of Health and based on population stratification - 5 March 2020, doc web n. 9304455).<br />
<br />
Lastly, the Garante also gave its opinion on a draft law of the Autonomous Province of Trento which also contained provisions on own-initiative medicine (opinion of 8 May 2020, doc web no. 9344635). In this respect, the Authority pointed out the need to revise the legislation in order to take into account the principles of lawfulness, fairness, purpose limitation, minimisation and security of the Regulation, since processing operations carried out for statistical purposes, administrative purposes and health care purposes are lumped together without the necessary distinctions. The Garante then recalled the specific constraints, in terms of data protection and transparency, that must be respected in the event that initiative medicine is based on the profiling of patients through the use of an algorithm, referring to what has recently been represented, in this regard, by the Council of State (Cons. St., sez. VI, 13 December 2019, no. 8472). In this context, it has been pointed out that the collection and processing of health data in order to create, with reference to specific pathologies, a health risk profile of the data subject is an autonomous treatment with respect to the main one aimed at the treatment of the assisted person, which must therefore be carried out on the basis of the consent of the data subject, since it is an automated treatment not strictly necessary for the purposes of the treatment of the data subject (Articles 9(2)(h) and 22 of the Regulation). These considerations were also reiterated in the opinion rendered by the Authority on an outline of regulations relating to the implementing provisions of the aforementioned provincial law for initiative medicine in the Trentino provincial health service (opinion of 1 October 2020).<br />
<br />
4. Conclusions.<br />
<br />
In light of the above assessments, taking into account the statements made by the data controller and data processors during the investigation, and considering that (unless the act constitutes a more serious offence) whoever, in proceedings before the Garante, falsely declares or attests information or circumstances or produces false acts or documents is liable under art. 168 of the Code ("False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor"), the elements provided by the data controller in the pleadings do not make it possible to overcome the findings notified by the Office with the act of initiation of proceedings; moreover, none of the cases provided for in Article 11 of the Regulation of the Guarantor No 1/2019 applies.<br />
<br />
For these reasons, the processing of personal data carried out by the Azienda Unità Sanitaria Locale Toscana Sud Est is unlawful, in the terms set out in the grounds, for breach of Articles 5(2)(f), 13, 14, 28, 30, 32 and 35 of the Regulation.<br />
<br />
In this context, considering, in any event, that the conduct has exhausted its effects, given that the Azienda has declared that it has coordinated the amendment of the models containing the information to be provided to the interested parties pursuant to Articles 13 and 14 of the Regulation, that it has renewed the appointment of ESTAR as the person responsible for the processing operations carried out by the Body on behalf of the Company, that in future - for the model of own-initiative healthcare - only anonymous information will be transmitted to the Company by the GPs, and that a register of the processing operations carried out by the Company has been adopted, the conditions for the adoption of the corrective measures referred to in Article 58(2) of the Regulation are not met.<br />
<br />
5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i and 83 of the Regulation; article 166, paragraph 7, of the Code).<br />
<br />
The violation of articles 5, paragraph 2, letter f), 13, 14, 28, 30, 32, 35 of the Regulation, caused by the conduct of the Azienda Unità Sanitaria Locale Toscana Sud Est, is subject to the application of the pecuniary administrative sanction pursuant to, respectively, article 83, paragraph 5, letter b) and paragraph 4, letter a) of the Regulation.<br />
<br />
In this case - also considering the reference contained in Article 166, paragraph 2, of the Code - the breach of the aforementioned provisions is subject to the application of the same administrative fine provided for by Article 83, paragraph 5, of the GDPR, which therefore applies to this case.<br />
<br />
It should be noted that the Garante, pursuant to Articles 58(2)(i) and 83 of the Regulation, as well as Art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" and, within this framework, "the Board [of the Guarantor] adopts the injunction, with which it also orders the application of the accessory administrative sanction of its publication, in full or in extracts, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Art. 16, paragraph 1, of the Guarantor's Regulation No. 1/2019).<br />
<br />
The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, should be determined in its amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in Article 83(1) of the Regulation, in light of the elements provided for in Article 85(2) of the Regulation in relation to which it is noted that:<br />
<br />
- the Authority has received only one report from a GP on the data processing carried out by the Health Authority with reference to the initiative health model, and no thefts, losses of data or unlawful processing by the different subjects involved in the data processing have been reported (Article 83(2)(a) and (h) of the Regulation);<br />
<br />
- the data processing carried out by the Company, through the initiative health model, concerns data capable of collecting information on the health of a large number of data subjects, i.e. all the patients of the Company itself (Article 4(1), no. 15 of the Regulation and Article 83(2)(a) and (g) of the Regulation);<br />
<br />
- the Company, also as a consequence of a lack of risk assessment, had not adopted adequate security measures in relation to the methods of data processing carried out by the doctors, nor had it adopted (at the time of the inspection) the register of processing activities; both requirements are an expression of the principle of accountability enshrined in the Regulation (Article 5(2) of the Regulation);<br />
<br />
- the Company has shown a high degree of cooperation, by modifying the model of initiative medicine, by providing, for the future, that only anonymous information will be transmitted to the same and by taking an active part in the creation of a new model for the information to be provided to the persons concerned (Article 83, par. 2, letters c), d) and f) of the Regulation);<br />
<br />
- the institutional process has been started for the integration into the regional legislation of a complete regulation of the healthcare model of initiative-based healthcare.<br />
<br />
On account of the aforementioned elements, assessed as a whole, also taking into account the phase of first application of the sanctioning provisions pursuant to art. 22, paragraph 13, of Legislative Decree 10/08/2018, no. 101, it is deemed appropriate to determine the amount of the pecuniary sanction provided for by art. 83, par. 4, lett. a) and par. 5, lett. b) of the Regulation, in the amount of euro 100,000.00 (one hundred thousand) for the violation of Articles 13 and 28 of the Regulation as a pecuniary administrative sanction considered, pursuant to Article 83, par. 1, of the Regulation, effective, proportionate and dissuasive. In quantifying the fine, the Garante took into particular consideration the fact that the violations are connected to a processing operation that started shortly before the definitive application of the Regulation.<br />
<br />
It is also considered that the ancillary sanction of the publication of this measure on the website of the Garante, as provided for by Article 166, paragraph 7 of the Code and Article 16 of the Regulation of the Garante no. 1/2019, should be applied, also in view of the potential number of data subjects and the type of personal data subject to unlawful processing.<br />
<br />
Finally, it should be noted that the prerequisites set out in Article 17 of Regulation No. 1/2019 concerning internal procedures with external relevance, aimed at performing the tasks and exercising the powers delegated to the Supervisor, are met.<br />
<br />
ALL THE FOREGOING CONSIDERED, THE GUARANTOR<br />
<br />
declares the unlawfulness of the processing of personal data carried out by the Azienda Unità Sanitaria Locale Toscana Sud Est, for breach of Articles 5(2)(f), 13, 14, 28, 30, 32 and 35 of the Regulation in the terms set out in the grounds.<br />
<br />
ORDERS<br />
<br />
pursuant to articles 58, paragraph 2, letter i) and 83 of the Regulation, as well as article 166 of the Code, Azienda Unità Sanitaria Locale Toscana Sud Est, with registered office in Arezzo (AR), Via Curtatone, 54 - C.F./P. IVA 02236310518, in the person of its pro-tempore legal representative, to pay the sum of € 100,000.00 (one hundred thousand) as a pecuniary administrative sanction for the violations indicated in this measure, according to the methods indicated in the annex, within 30 days from notification; it should be noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.<br />
<br />
ENJOINS<br />
<br />
the aforesaid Company to pay the sum of €100,000.00 (one hundred thousand), in accordance with the methods indicated in the annex, within 30 days of the notification of this measure, failing which the consequent executive measures pursuant to art. 27 of law no. 689/1981 shall be adopted. In this regard, it is reminded that the offender has the right to settle the dispute by paying - again according to the methods indicated in the annex - an amount equal to half of the penalty imposed, within 30 days from the date of notification of this measure, pursuant to art. 166, paragraph 8, of the Code (see also art. 10, paragraph 3, of the legislative decree no. 150 of 1 September 2011);<br />
<br />
ORDERS<br />
<br />
pursuant to Section 166(7) of the Code, the publication of this provision in its entirety on the website of the Garante and deems that the conditions set out in Section 17 of Regulation 1/2019 concerning internal procedures of external relevance, aimed at performing the tasks and exercising the powers delegated to the Garante, are met.<br />
<br />
Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, an appeal against this measure may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the measure itself, or within sixty days if the appellant resides abroad.<br />
<br />
Rome, 17 December 2020<br />
<br />
THE PRESIDENT<br />
Stanzione<br />
<br />
THE REPORTER<br />
Cerrina Feroni<br />
<br />
THE SECRETARY GENERAL<br />
Mattei<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_20/01984&diff=13286
Datatilsynet (Norway) - 20/01984
2021-01-15T12:06:00Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Norway<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoNO.png<br />
|DPA_Abbrevation=Datatilsynet<br />
|DPA_With_Country=Datatilsynet (Norway)<br />
<br />
|Case_Number_Name=20/01984<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datatilsynet<br />
|Original_Source_Link_1=https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2020/overtredelsesgebyr-til-indre-ostfold-kommune/<br />
|Original_Source_Language_1=Norwegian<br />
|Original_Source_Language__Code_1=NO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=16.11.2020<br />
|Date_Published=16.11.2020<br />
|Year=2020<br />
|Fine=200000<br />
|Currency=NOK<br />
<br />
|GDPR_Article_1=Article 5 GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR<br />
|GDPR_Article_2=Article 6 GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR<br />
|GDPR_Article_3=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#1b<br />
<br />
<br />
|National_Law_Name_1=The Education Act § 15(1)<br />
|National_Law_Link_1=https://lovdata.no/dokument/NLE/lov/1998-07-17-61<br />
|National_Law_Name_2=Public Administration Act § 13 no. 1<br />
|National_Law_Link_2=https://lovdata.no/dokument/NLE/lov/1967-02-10<br />
<br />
|Party_Name_1=Indre Østfold kommune (municipality)<br />
|Party_Link_1=https://www.io.kommune.no/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Rie Aleksandra Walle<br />
|<br />
}}<br />
<br />
The Norwegian DPA (Datatilsynet) fined Indre Østfold municipality €18,860 for publishing a former student's school folder openly on its website, thereby breaching Articles 32(1)(b), 5 and 6 GDPR.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
A former student asked a school to share their school folder. The municipality's routine is to keep records for access requests, which meant, in this case, that the folder was scanned and made available for access. It was, however, made openly available on their website and a local journalist was able to download the entire folder with its contents. The information was confidential, cf. the Education Act. <br />
<br />
When the error was discovered, the folder was removed and the municipality notified the DPA of the personal data breach, as well as the affected data subject. <br />
<br />
===Dispute===<br />
Was publishing the student's school folder online a breach of Article 32?<br />
<br />
===Holding===<br />
The DPA concluded that the municipality had breached the required information security requirements as per Article 32(1)(b), cf. Article 5, and that they didn't have any legal grounds for this processing as per Article 6, cf. Article 5 (the latter because the information was confidential and should never have been published openly). The municipality was fined €18,860. <br />
<br />
==Comment==<br />
It's interesting to note that the DPA also held that the municipality had breached Article 6, with the following logic: the folder and its content were subject to confidentiality as per the Freedom of Information Act. When the folder was openly published, the GDPR applied to that publication, meaning the municipality would require legal grounds for processing as per Article 6. However, since by law the personal data were not allowed to be shared publicly, none of the legal grounds in Article 6 could apply, i.e. the municipality breached Article 6.<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.<br />
<br />
<pre><br />
Violation fee to Indre Østfold municipality<br />
<br />
The Norwegian Data Protection Authority has decided to give Indre Østfold municipality an infringement fee of NOK 200,000 for breach of confidentiality. Personal information that should have been protected was made available to unauthorized persons.<br />
<br />
Violation fee to Indre Østfold municipality<br />
Indre Østfold municipality, formerly Askim municipality, published the student folder of a former student on the municipality's website. The student file contained personal information that is subject to a duty of confidentiality.<br />
<br />
Got tips from local newspaper<br />
<br />
The starting point for the incident was that the student needed the student file in a study context, and therefore asked the municipality to send it over. The municipality's routine is for requests for access to be recorded. This means that the document in which access has been requested is also scanned and made available for access.<br />
<br />
The student folder was available on the municipality's website from Friday 27 September to Monday 30 September. The municipality was made aware of the case by a journalist in the local newspaper Smaalenenes Avis. The documents were removed from the mailing list and exempted from public access immediately after they were discovered. The affected person was then notified.<br />
<br />
The infringement fee does not change<br />
<br />
After the Data Inspectorate sent a notification of infringement fines, we received feedback from the municipality. Here they regret that "personal sensitive information" was posted on the mailing list. The municipality also asked the Data Inspectorate to assess the size of the fee in light of the measures that were introduced afterwards.<br />
<br />
An infringement fee shall reflect the severity of the offense in question. It follows from Norwegian law that the municipality must implement the necessary measures to prevent future offenses. The Norwegian Data Protection Authority has come to the conclusion that the subsequent measures to rectify the incidents, in view of the seriousness of the breach, do not have a significant effect on the size of the infringement fee.<br />
<br />
We have therefore concluded that the notified fee will not change.<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_20/02172&diff=13285
Datatilsynet (Norway) - 20/02172
2021-01-15T11:58:05Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Norway<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoNO.png<br />
|DPA_Abbrevation=Datatilsynet<br />
|DPA_With_Country=Datatilsynet (Norway)<br />
<br />
|Case_Number_Name=DT-20/02172<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datatilsynets<br />
|Original_Source_Link_1=https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/overtredelsesgebyr-til-lindstrand-trading-as/<br />
|Original_Source_Language_1=Norwegian<br />
|Original_Source_Language__Code_1=NO<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Decided=04.01.2021<br />
|Date_Published=06.01.2021<br />
|Year=2021<br />
|Fine=100000<br />
|Currency=NOK<br />
<br />
|GDPR_Article_1=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1f<br />
|GDPR_Article_2=Article 24 GDPR<br />
|GDPR_Article_Link_2=Article 24 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=Lindstrand Trading AS<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Rie Aleksandra Walle<br />
|<br />
}}<br />
<br />
The Norwegian DPA (Datatilsynet) fined Lindstrand Trading AS NOK 100,000 (€9,700) for subjecting the complainant to multiple credit ratings without a legal basis under Article 6(1)(f) GDPR. The DPA also requires that the company implement internal controls of their credit rating process as per Article 24 GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The general manager of Lindstrand Trading AS conducted multiple credit ratings of the complainant and her sole proprietorship, despite having no customer relationship or any other affiliation with the company. The DPA noted that the general manager used the credit rating tool for personal purposes, completely outside of the company's area of business. Consequently, Lindstrand Trading did not have a legal basis for such processing as per Article 6(1)(f) GDPR. <br />
<br />
=== Dispute ===<br />
Did Lindstrand Trading AS have legal grounds for processing the personal data of the complainant for a credit scoring, as per Article 6(1)(f) GDPR? And did they have sufficient internal controls for the use of credit scoring in their business?<br />
<br />
=== Holding ===<br />
No, Lindstrand Trading AS did not have legal grounds for processing the personal data of the complainant for credit scorings, as per Article 6(1)(f) GDPR. For this offense, the company was fined NOK 100,000. <br />
<br />
They also didn't have sufficient internal controls for the use of credit scoring in their business, as per Article 24 GDPR. For this offense, the company is required to establish corresponding internal controls and, within four weeks after the expiry of the appeal period, submit a written confirmation and actual documentation of the internal controls, to the DPA.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.<br />
<br />
<pre><br />
ADVOKATFIRMAET ECKHOFF FOSMARK & CO DA<br />
PO Box 2624 Solli<br />
0203 OSLO<br />
<br />
Excluded from public access: Offl. § 13 cf. fvl. § 13 (1) no. 1<br />
<br />
Marius Vernan<br />
<br />
<br />
<br />
<br />
Their reference: -<br />
Our reference: 20/02172-4<br />
Date: 03.12.2020<br />
<br />
<br />
<br />
Decision on order and infringement fine - Credit assessments without legal basis - Lindstrand Trading AS (formerly DSD Pharma AS)<br />
<br />
1 Introduction<br />
<br />
<br />
We refer to our notification of decision of 11 August 2020. We received Lindstrand Trading AS ("Lindstrand Trading")'s comments on the notice via associate attorney Marius Vernan on 10 September 2020. Our comments on those comments follow below.<br />
<br />
<br />
2. Decision on order<br />
<br />
The Data Inspectorate adopts the following order:<br />
<br />
<br />
1. Pursuant to Article 58 (2) letter i of the Privacy Ordinance, LINDSTRAND TRADING AS (formerly DSD PHARMA NORGE AS), org. no. 913 169 581, is ordered to pay an infringement fee to the Treasury of NOK 100,000 for having obtained a credit assessment without a legal basis four times, cf. Article 6 (1) (f) of the Privacy Ordinance.<br />
<br />
<br />
2. Pursuant to Article 58 (2) letter d of the Privacy Ordinance, LINDSTRAND TRADING AS is ordered to establish internal control over credit assessment, cf. Article 24 of the Privacy Regulation, as it was missing at the time of the inspection.<br />
<br />
Our legal basis for issuing orders is Article 58 (2) of the Privacy Ordinance.<br />
<br />
<br />
The deadline for implementing the orders is stated in section 7 of the decision.<br />
<br />
<br />
3. Details of the facts of the case<br />
<br />
In your reply of 10 September 2020, you confirm that Ketil Lindstrand, the owner of Lindstrand Trading, has completed the four credit assessments of ("the complainant"), hes sole proprietorship, and off, but denies that this has occurred in violation of the Privacy Ordinance.<br />
<br />
Postal address: PO Box 458 Sentrum, 0105 OSLO. Office address: Tollbugt 3. Telephone: 22 39 69 00. Fax: 22 42 23 50. Org.nr: 974 761 467. Website: www.datatilsynet.no<br />
<br />
You confirm that the credit assessments were carried out in connection with , but state that Lindstrand Trading had a legal basis for the four credit assessments that were carried out in that context.<br />
<br />
<br />
In the event that you did not have a legal basis for the credit assessments, you state that the infringement fee is disproportionately high in relation to the company's financial situation.<br />
<br />
We also refer to our account of the proceedings in the notification of decision section 2.<br />
<br />
<br />
4. More about the requirements of the Personal Data Act<br />
<br />
4.1. Legal basis for obtaining credit information<br />
<br />
Obtaining credit information on individuals and sole proprietorships ("the data subject") constitutes a processing of personal data, cf. Article 4 No. 2 of the Privacy Ordinance and § 1 of the Personal Data Act.<br />
<br />
<br />
Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a legal basis.<br />
<br />
When a company obtains credit information about the data subject without consent being available, and without the credit rating being strictly necessary to implement an agreement with the data subject, Article 6 (1) (f) is the most relevant legal basis.<br />
<br />
Article 6(1)(f) requires that the collection of credit information is "necessary" to<br />
safeguard a "legitimate interest" which, after a balancing of interests, outweighs the consideration of<br />
the individual's privacy.<br />
<br />
The legitimate interest must be legal, clearly defined in advance, real and objectively justified<br />
<br />
in the business. Which interests meet this depends on an assessment in which, among other things,<br />
what benefits the company obtains from the processing, how important the interest is for<br />
the business, and whether the processing serves a public interest or safeguards non-profit interests<br />
that benefit a wider group are relevant factors.<br />
<br />
Furthermore, the processing in question must be "necessary" for purposes related to the legitimate<br />
interests. That is, the business must consider whether it can achieve the purpose in a way that<br />
<br />
better safeguards privacy. The least invasive form of processing must therefore be chosen.<br />
<br />
Then the business must make a balance of interests to decide whether the individual's<br />
privacy outweighs the business's legitimate interest. What type of information<br />
it is relevant to process, for example whether the collection of the relevant information can<br />
be perceived as offensive, and what expectations the individual has for the processing of<br />
the personal data, are relevant factors in the balancing of interests.<br />
<br />
The now repealed Personal Data Regulations [1] § 4-3 contained an additional condition that<br />
credit information could only be obtained if the business had a "factual need" for the<br />
credit information.<br />
<br />
<br />
Section 4-3 of the regulations is continued pursuant to § 4 of the regulations on transitional rules on the processing of<br />
personal data. [2]<br />
<br />
However, the Privacy Ordinance does not provide national room for maneuver for special regulation of<br />
<br />
the obtaining of credit information. We therefore believe that the requirement of "objective need" does not constitute an<br />
additional condition to Article 6(1)(f).<br />
<br />
However, the assessment of whether the business has a "factual need" pursuant to section 4-3 of the regulations is closely<br />
connected with the assessment pursuant to Article 6(1)(f). We therefore believe that earlier<br />
<br />
administrative practice regarding the requirement of objective need is still relevant when assessing Article<br />
6(1)(f).<br />
<br />
4.2. About the duty of internal control<br />
<br />
<br />
According to Article 24 of the Privacy Ordinance, all companies are obliged to be able to demonstrate that they<br />
process personal data in accordance with the law. Where proportionate in relation to<br />
the processing activities, the company shall implement appropriate policies for the protection of<br />
personal data.<br />
<br />
<br />
Credit assessment is an intrusive processing of personal data and constitutes a significant<br />
encroachment on individuals' right to privacy. Businesses must therefore be able to document<br />
their internal routines or processes, so-called internal control, which ensure that the requirement of objective need<br />
is met when credit assessments are carried out.<br />
<br />
<br />
The routines must describe when and how credit information is to be obtained and how access to it<br />
is to be granted, and shall ensure that credit assessments are not obtained without the requirement of objective need being<br />
fulfilled. Furthermore, the company must have routines for handling deviations.<br />
<br />
<br />
5. The Data Inspectorate's assessment<br />
<br />
5.1. Internal control<br />
<br />
<br />
Lindstrand Trading has not commented on our notice of an order to establish<br />
internal control.<br />
We therefore maintain our conclusion to order the company to establish internal control<br />
for credit assessments, and refer to our assessment in section 5.1 of the notice.<br />
<br />
<br />
[1] Personal Data Regulations of 15 December 2000 no. 1265.<br />
[2] Transitional rules on the processing of personal data of 15 June 2018 no. 877.<br />
<br />
<br />
<br />
5.2. Legal basis for obtaining credit information<br />
<br />
The relevant legal basis for Lindstrand Trading's collection of<br />
credit information on the complainants and is Article 6(1)(f) of the Privacy Regulation.<br />
The question is whether the company had a legal basis in Article 6(1)(f)<br />
when the general manager obtained credit information about the complainants<br />
<br />
<br />
<br />
Lindstrand Trading's comments<br />
<br />
In their comments on the notice of decision, Lindstrand Trading stated that the company had a<br />
legitimate interest in credit-assessing the complainants. You justify this by stating that<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
In support of the claim that Lindstrand Trading had a legitimate interest in the credit assessments, you refer<br />
to the Privacy Board's decision PVN-2010-04. In this decision, the tribunal considered<br />
whether a lawyer acting on behalf of his client fulfilled the requirement of "factual need" in<br />
the Personal Data Regulations § 4-3.<br />
<br />
The defendant's lawyer had credit-assessed his client's counterparty in a dispute, and the client<br />
<br />
disagreed that there was a factual need for the credit assessments. In its assessment, the tribunal points to<br />
the party constellation in the case, and to the fact that the lawyer's client had a claim that was approaching<br />
the limitation period. On the basis of this, the tribunal assessed the case such that it did not appear unnatural<br />
for the defendant's attorney's client to consider civil action. The tribunal therefore concluded that<br />
the requirement of objective need was met. The decision was made under the Personal Data Act of 2000<br />
and the Personal Data Regulations § 4-3.<br />
<br />
<br />
The Data Inspectorate's assessment<br />
<br />
Article 6(1)(f) of the Privacy Regulation reads as follows:<br />
<br />
processing is necessary for the purposes of the legitimate interests pursued by the<br />
controller or by a third party, except where such interests are overridden by the<br />
interests or fundamental rights and freedoms of the data subject which require protection of<br />
<br />
personal data, in particular where the data subject is a child<br />
<br />
Recital 47 of the Privacy Ordinance states that in the assessment of «the legitimate<br />
interests of a controller», account must be taken of, among other things, the data subject's<br />
expectations based on the relationship between the controller and the data subject. It<br />
must also be emphasized whether it was foreseeable for the data subject at the time of collection that<br />
the information would be processed for the purpose in question.<br />
<br />
The legitimate interest must be legal, clearly defined in advance, real and objectively justified<br />
in the business.<br />
<br />
It follows from Article 5(1)(a) of the Privacy Regulation (principle of lawfulness) and<br />
the requirement of a legal basis in Article 6 that it is the controller who is<br />
<br />
the subject of the obligations in the regulation, and who must meet the requirements of the regulation before the processing<br />
of personal data starts.<br />
<br />
It follows from the wording of Article 6(1)(f) and Recital 47 that what constitutes a<br />
<br />
legitimate interest shall be assessed on the basis of the business of the controller. This<br />
also follows from the Article 29 Working Party's guidance on "legitimate interest" as a legal<br />
basis for processing personal data. [4]<br />
<br />
Lindstrand Trading AS is the controller for the collection of credit information about<br />
<br />
the complainants. According to Brønnøysundregistrene, Lindstrand Trading's<br />
business is «import and sale in e-commerce, with cosmetic<br />
goods, sporting goods and electronics».<br />
<br />
Lindstrand Trading has referred to PVN-2010-04 as support for the claim that the company had a<br />
<br />
legitimate interest in carrying out the contested credit assessments in our case.<br />
<br />
The requirement in section 4-3 of the Personal Data Regulations of a "factual need" for obtaining<br />
credit information is no longer a direct additional condition for the individual<br />
<br />
business that collects credit information. We refer to our account of this in our<br />
notice of decision, section 3.1.<br />
<br />
However, the assessment of whether a business has an "objective need" pursuant to<br />
section 4-3 of the Personal Data Regulations is closely related<br />
<br />
to the assessment pursuant to Article 6(1)(f). Previous practice from the Privacy Board<br />
related to "objective need" is therefore still relevant when assessing "legitimate interest" in<br />
Article 6(1)(f) of the Privacy Regulation.<br />
<br />
PVN-2010-04 confirms that the assessment of whether the controller has a «legitimate<br />
<br />
interest» shall be based on the business of the controller. In that case, the tribunal's<br />
assessment of "factual need" was related to the controller's practice of law,<br />
to the fact that the credit assessment of a counterparty took place within this business, and in connection<br />
with an assignment the controller had for a client. This was the background for<br />
<br />
the tribunal's conclusion that the lawyer fulfilled the requirement of "factual need".<br />
<br />
By contrast, the general manager in our case has used Lindstrand Trading's credit assessment tool<br />
for personal purposes completely outside the company's business area.<br />
<br />
[3] «The Personal Data Act and the Privacy Ordinance - Commentary edition», Skullerud et al. (2019).<br />
[4] Article 29 Working Party Opinion 06/2014 on the concept of legitimate interests of the data controller under<br />
Article 7 of Directive 95/46/EC, WP217, p. 24.<br />
<br />
<br />
<br />
Neither the complainants personally, her sole proprietorship nor have had any relationship with<br />
or contact with Lindstrand Trading, and they had no expectation that the business would<br />
obtain their credit information. It was not foreseeable for the complainants at<br />
the time of collection that Lindstrand Trading would process their credit information.<br />
<br />
Lindstrand Trading has obtained credit information about two individuals without any kind of<br />
customer relationship, contact or other affiliation with its business. The legitimate<br />
<br />
interest must be objectively justified in the business, and in our case Ketil Lindstrand has<br />
obtained credit information for personal use for a purpose completely outside Lindstrand<br />
Trading's business area.<br />
<br />
On the basis of this, we maintain our assessment that the requirement of "legitimate interest" in<br />
Article 6(1)(f) of the Privacy Regulation is not met in this case.<br />
<br />
<br />
We therefore uphold our conclusion that Lindstrand Trading had no legal basis<br />
in Article 6(1)(f) of the Privacy Regulation for the four credit assessments in total<br />
of the complainants, her sole proprietorship, and<br />
<br />
We also refer to our assessment of the legal basis in the notice, section 5.2.<br />
<br />
6. Infringement fee<br />
<br />
<br />
6.1. General information about infringement fines<br />
<br />
Infringement fees are a tool to ensure effective compliance with and enforcement of<br />
the personal data regulations. We believe it is necessary to respond to the violations with an<br />
infringement fee, cf. Article 83 of the Privacy Regulation.<br />
<br />
<br />
In accordance with the Supreme Court's practice (cf. Rt. 2012 page 1556), we assume that<br />
infringement fees are to be regarded as penalties under Article 6 of the European Convention on Human<br />
Rights. Therefore, a clear preponderance of probability that an offence has been committed is required in order to impose a<br />
fee. The case and the question of imposing an infringement fee have been considered<br />
on the basis of this evidentiary requirement.<br />
<br />
<br />
In this context, reference is made to Chapter IX of the Public Administration Act on administrative<br />
sanctions. By an administrative sanction is meant a negative reaction that can be imposed by an<br />
administrative body, which is directed at a committed violation of a law, regulation or individual<br />
decision, and which is considered punishment under the European Convention on Human Rights<br />
(EMK).<br />
<br />
For enterprises, the assessment of guilt is special. Section 46, first paragraph, of the Public Administration Act states:<br />
<br />
<br />
When it is stipulated by law that an administrative sanction may be imposed on an enterprise,<br />
the sanction can be imposed even if no individual has shown guilt.<br />
<br />
In Prop. 62 L (2015-2016) page 199 it is stated about § 46:<br />
<br />
<br />
The wording that ‘no individual has shown guilt’ is taken from the section on<br />
corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. Liability<br />
is therefore in principle objective.<br />
<br />
<br />
6.2. Assessment of whether an infringement fee is to be imposed<br />
<br />
Lindstrand Trading has commented on the size of the notified fee. Our<br />
assessment is that these remarks do not change our conclusion that a fee should be imposed for<br />
the violation, and we refer to our assessment of this in section 6.2 of the notice.<br />
<br />
<br />
6.3. Assessment of the size of the fee<br />
<br />
Lindstrand Trading's comments<br />
<br />
<br />
Lindstrand Trading has stated that the notified fee of NOK 100,000 has been set too high, and<br />
has in this connection referred to several decisions from the Privacy Board, as well as factors for<br />
the determination of infringement fees pursuant to the Personal Data Act of 2000 § 46 and its preparatory works.<br />
<br />
In conclusion, you state that the fee will affect the company's finances disproportionately<br />
hard, and write that there are no funds in the company to cover a possible infringement fee.<br />
<br />
You have also attached a printout from proff.no with accounting figures for the company.<br />
<br />
You refer in the comments to several decisions from the Privacy Board, and note that the fees<br />
in these cases were set lower than in our case and that the controllers in those cases had better<br />
finances than Lindstrand Trading. The cases you refer to were processed under<br />
<br />
the Personal Data Act of 2000. Our assessment is that these cases do not govern our<br />
assessment of the amount of the fee in this case under Article 83 of the Privacy Ordinance.<br />
<br />
The Data Inspectorate's assessment<br />
<br />
The Privacy Ordinance provides for a higher level of fines than that which applied under<br />
<br />
the Personal Data Act of 2000, and it follows from Article 83(1) of the Regulation that<br />
infringement fees shall be determined specifically so that in each individual case they are effective,<br />
proportionate to the violation and dissuasive. The main purpose of<br />
infringement fees is prevention, i.e. the risk of being charged a fee must act as a<br />
deterrent and thereby contribute to increased compliance with the regulations. [5]<br />
<br />
<br />
Skullerud et al. (2019), page 347, states:<br />
<br />
Preventive considerations dictate that the fee for a violation must be set so high that it<br />
is actually perceived as an evil by the offender. This means that the offender's<br />
financial ability should be important in the measurement, so that the fee is higher the<br />
stronger the carrying capacity of the offender. […] When assessing the financial carrying capacity of a<br />
company, it may be relevant to look at the company's total global annual turnover in the<br />
previous financial year, cf. Article 83(4) and (5).<br />
<br />
[5] «The Personal Data Act and the Privacy Ordinance - Commentary edition», Skullerud et al. (2019).<br />
<br />
And further:<br />
<br />
The consideration of ensuring an individual assessment in each individual case indicates that<br />
supervisory authorities should avoid establishing standardised fee rates. This applies<br />
<br />
even if national law allows for standardised rates, cf. the Public Administration Act § 43.<br />
<br />
The fee must therefore be determined specifically in each case, and have a deterrent effect on the individual<br />
business.<br />
<br />
When assessing whether a fee should be imposed and when determining its size, the Data Inspectorate shall take into account<br />
the elements in Article 83(2)(a) to (k) of the Privacy Regulation. The Data Inspectorate may impose an<br />
<br />
infringement fee after a discretionary overall assessment, but the listed factors<br />
lay down guidelines for the exercise of discretion by highlighting aspects that are to be given particular<br />
weight.<br />
<br />
Obtaining credit information about an individual or sole proprietorship without a<br />
legal basis for processing constitutes a violation of the basic principle of lawfulness in<br />
Article 5(1)(a) of the Privacy Ordinance.<br />
<br />
very private character, which the data subject has a high expectation will not be obtained<br />
unless it is objectively justified by their relationship with a data controller. These are<br />
weighty factors that argue for a fee of a certain size.<br />
<br />
In our case, Lindstrand Trading has unlawfully obtained credit assessments a total of four times. We<br />
emphasize this as an aggravating factor.<br />
<br />
<br />
The violations in our case were also committed by the general manager, who in the case shows little knowledge<br />
of the requirements of the Privacy Ordinance that must be met in order to obtain<br />
credit information. We emphasize this as an aggravating factor, as<br />
the Privacy Ordinance presupposes strong anchoring in the data controller's<br />
management, cf. the principle of accountability in Article 5(2).<br />
<br />
<br />
We also place aggravating emphasis on the fact that the business, according to the information provided, had not put in place<br />
technical or organisational measures in the form of written routines to ensure compliance with<br />
the regulations, cf. Article 24 of the Privacy Regulation.<br />
<br />
We also refer to our assessment of the seriousness of the infringement in the notification section 6.2, and maintain<br />
this assessment.<br />
<br />
<br />
The serious circumstances we have pointed out above and in our notice of decision justify a fee of<br />
a certain size. Preventive considerations dictate that the fee for a violation must be set so high that<br />
it is actually perceived as an evil by the offender. This means that the offender's<br />
economic ability should be important in determining the fee, so that the fee is higher the stronger<br />
the carrying capacity of the offender.<br />
<br />
At the same time, the company's finances are only one of several factors that the supervisory authority can give<br />
<br />
weight to in determining infringement fees under Article 83 of the Privacy Regulation. The<br />
financial situation is not in itself sufficient to avoid an infringement fee from the<br />
supervisory authority, and must be seen in relation to the seriousness of the infringement.<br />
<br />
In the case, you have argued that there are no funds in the company to cover a fee, and you<br />
<br />
have attached accounting figures from proff.no which show that the company has not had turnover in<br />
the financial years 2018 and 2019.<br />
<br />
In our calculation of the notified fee of NOK 100,000, we have already emphasized<br />
<br />
the business's financial situation. We remind you that violations of Article 6 of the Privacy Regulation<br />
may lead to sanctions in the form of infringement fines of up to EUR 20 million, see<br />
Article 83(5)(a) of the Privacy Ordinance. This corresponds to NOK 214,000,000. [7]<br />
The fee imposed in this case is thus at the very bottom of what the regulation<br />
<br />
prescribes for such breaches.<br />
<br />
The accounting figures show that Lindstrand Trading is registered with a share capital of NOK<br />
800,000. Lindstrand Trading also runs the online store DSD de Luxe, which sells beauty<br />
<br />
and wellness products. It appears from the online store's website that it is in operation, that it sells a<br />
large selection of goods, and that it currently has a clearance sale. Our assessment is that the company's high<br />
share capital, and the fact that the company's online store is in operation, suggest that Lindstrand Trading can<br />
bear an infringement fee.<br />
<br />
<br />
On the basis of the serious violations in the case, and after taking into account the business's<br />
financial situation, we maintain our assessment that the infringement fee is set at<br />
NOK 100,000.<br />
<br />
<br />
We also refer to our justification for the calculation of the fee in the notice, sections 6.2 and 6.3.<br />
<br />
7. Right of appeal and further proceedings<br />
<br />
<br />
You can appeal the decision. Any appeal must be sent to us within three weeks after this<br />
letter has been received, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will<br />
forward the case to the Privacy Board for appeal processing.<br />
<br />
<br />
If you do not appeal the order for an infringement fee, the fulfillment deadline is 4 weeks after<br />
the expiry of the time limit for appeal, cf. section 27 of the Personal Data Act.<br />
<br />
<br />
<br />
<br />
<br />
[6] «The Personal Data Act and the Privacy Ordinance - Commentary edition», Skullerud et al. (2019).<br />
[7] Calculated on 2 December, according to information at norges-bank.no/tema/Statistikk/Valutakurser<br />
[8] https://www.dsddeluxe.no/ (last visited 20.11.20).<br />
<br />
<br />
<br />
<br />
The deadline for implementing order point 2 on internal control is 4 weeks after the expiry of the appeal deadline.<br />
If you do not appeal order point 2, you must within this deadline send us a<br />
written confirmation, as well as documentation, that the order for internal control has been implemented.<br />
<br />
8. Transparency and publicity<br />
<br />
You have the right to access the case documents, cf. the Public Administration Act § 18. We also inform you<br />
<br />
that all documents are in principle public, cf. the Public Access to Information Act § 3. If<br />
you believe that there is a basis for exempting all or part of the document from public access,<br />
we ask you to justify this.<br />
<br />
If you have questions about the case, you can contact Ole Martin Moe on telephone 22 39<br />
69 59 or e-mail omm@datatilsynet.no.<br />
<br />
<br />
<br />
<br />
<br />
With best regards<br />
<br />
<br />
Jørgen Skorstad<br />
<br />
department director, law<br />
Ole Martin Moe<br />
legal adviser<br />
<br />
The document is electronically approved and therefore has no handwritten signatures<br />
<br />
<br />
<br />
Copy to:<br />
<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_20/02178&diff=13284
Datatilsynet (Norway) - 20/02178
2021-01-15T11:55:44Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Norway<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoNO.png<br />
|DPA_Abbrevation=Datatilsynet<br />
|DPA_With_Country=Datatilsynet (Norway)<br />
<br />
|Case_Number_Name=DT-20/02178<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datatilsynet<br />
|Original_Source_Link_1=https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/far-gebyr-for-videresending-av-e-post/<br />
|Original_Source_Language_1=Norwegian<br />
|Original_Source_Language__Code_1=NO<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Decided=07.12.2020<br />
|Date_Published=13.01.2021<br />
|Year=2020<br />
|Fine=400000<br />
|Currency=NOK<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(2) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#2<br />
|GDPR_Article_3=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1f<br />
|GDPR_Article_4=Article 13 GDPR<br />
|GDPR_Article_Link_4=Article 13 GDPR<br />
|GDPR_Article_5=Article 21 GDPR<br />
|GDPR_Article_Link_5=Article 21 GDPR<br />
|GDPR_Article_6=Article 24 GDPR<br />
|GDPR_Article_Link_6=Article 24 GDPR<br />
<br />
<br />
|National_Law_Name_1=§§2-3 Forskrift om arbeidsgivers innsyn i e-postkasse og annet elektronisk lagret materiale<br />
|National_Law_Link_1=https://lovdata.no/dokument/SF/forskrift/2018-07-02-1108<br />
<br />
|Party_Name_1=Excempt from public disclosure<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Rie Aleksandra Walle<br />
|<br />
}}<br />
<br />
The Norwegian DPA (Datatilsynet) fined a company NOK 400 000 (€38,800) for enabling automatic forwarding of an employee's emails during a sick leave, without informing the employee or accepting her objection.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In 2019, the general manager of a company enabled automatic forwarding of an employee's emails during a sick leave, because the employee had "failed to enable her out of office reply". The company admitted that they had breached §§2 and 3 of a national regulation concerning employers' access to employees' inboxes and other electronic material, that they had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee as per Article 13 GDPR, cf. the national regulation.<br />
<br />
They argued, however, that because the employee had failed to enable her out of office reply, they had legitimate grounds to enable automatic forwarding of her emails. Despite objections from the employee, the company continued to forward her emails, as long as she didn't herself enable the out of office reply. In the end, the company did this on her behalf, but only after having monitored her emails for five weeks.<br />
<br />
=== Dispute ===<br />
Did the company breach Article 6(1)(f) GDPR for lack of legal basis, Article 21 for lack of considering an objection, Article 13 for lack of information and Article 24 for lack of internal controls?<br />
<br />
=== Holding ===<br />
Yes, the company was found to have breached Article 6(1)(f) GDPR for lack of legal basis, Article 21 for lack of considering an objection, Article 13 for lack of information and Article 24 for lack of internal controls concerning the company's access to employees' inboxes (emails). The DPA also found that the company had breached the fundamental principles as per the GDPR, specifically Article 5(1)(a) and 5(2). <br />
<br />
For this, they were fined NOK 400 000 (€38,800) and required to update their internal routines and submit a written confirmation of the latter, including documentation, to the DPA within four weeks (unless they appeal the decision).<br />
<br />
== Comment ==<br />
Following the DPA's notification of a decision, the company argued that the penalty was too severe, due to the following reasons: the processing was "the employee's own fault" as she had failed to enable the out of office reply; the breach was an "isolated incident", which took place relatively shortly after "a new and very complex law was introduced" and that the rules concerning an employer's access to an employee's inbox "have been unclear".<br />
<br />
The DPA firmly rejected all these arguments and referred to the fact that the GDPR had been in process for several years, that it came into effect already in 2016 and that the breaches would also have been considered breaches under the preceding laws. They also noted that the processing could have been done in a less invasive way and argued that the company realised this themselves, as they did enable the out of office reply in the end.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.<br />
<br />
<pre><br />
Receives fee for forwarding e-mail<br />
<br />
The Norwegian Data Protection Authority has fined a company an infringement fee of NOK 400,000 for illegal automatic forwarding of an employee's e-mail box.<br />
<br />
Receives fee for forwarding e-mail<br />
The background to the case is a complaint from an employee who experienced that the employer had activated automatic forwarding of the person's e-mail box in the company.<br />
<br />
Lacks legal basis<br />
<br />
The automatic forwarding was activated in connection with the employee's sick leave, and lasted for more than a month. After investigating the case further, the Data Inspectorate has concluded that the forwarding took place in violation of the rules in the regulations on the employer's access to e-mail boxes and other electronic material, as well as the Privacy Ordinance's requirements regarding legal basis, information to the data subject and the duty to assess the employee's objection.<br />
<br />
On the basis of this, the Data Inspectorate has decided that the company must improve the written routines for access to e-mail boxes, as well as an order to pay an infringement fee of NOK 400,000 for the illegal forwarding.<br />
<br />
The company's name is exempt from publicity to protect the complainant's identity. The company has appealed the decision.<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_73/2020&diff=12883
APD/GBA (Belgium) - 73/2020
2020-12-11T00:20:59Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=73/2020<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Beslissing ten gronde 73/2020 van 13 November 2020<br />
|Original_Source_Link_1=https://gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-73-2020.pdf<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Decided=13.11.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=1500<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5 GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR<br />
|GDPR_Article_2=Article 6 GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR<br />
|GDPR_Article_3=Article 12 GDPR<br />
|GDPR_Article_Link_3=Article 12 GDPR<br />
|GDPR_Article_4=Article 13 GDPR<br />
|GDPR_Article_Link_4=Article 13 GDPR<br />
|GDPR_Article_5=Article 15 GDPR<br />
|GDPR_Article_Link_5=Article 15 GDPR<br />
|GDPR_Article_6=Article 30 GDPR<br />
|GDPR_Article_Link_6=Article 30 GDPR<br />
|GDPR_Article_7=Article 37(5) GDPR<br />
|GDPR_Article_Link_7=Article 37 GDPR#5<br />
|GDPR_Article_8=Article 37(7) GDPR<br />
|GDPR_Article_Link_8=Article 37 GDPR#7<br />
|GDPR_Article_9=Article 38(1) GDPR<br />
|GDPR_Article_Link_9=Article 38 GDPR#1<br />
|GDPR_Article_10=Article 83(7) GDPR<br />
|GDPR_Article_Link_10=Article 83 GDPR#7<br />
<br />
<br />
|National_Law_Name_1=Art. 6 § 2 Camera law<br />
|National_Law_Link_1=https://www.belgium.be/nl/justitie/privacy/camerabewaking<br />
|National_Law_Name_2=Art. 6 § 3 Camera law<br />
|National_Law_Link_2=https://www.belgium.be/nl/justitie/privacy/camerabewaking<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Enzo Marquet<br />
|<br />
}}<br />
<br />
The Belgian DPA (APD/GBA) imposed an administrative fine of €1500 on a Social Housing Company for breaching several fundamental principles and obligations of the GDPR.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The complainant lives in the social housing of the defendant. <br />
<br />
Several cases are bundled in this one decision; the complainant raised the following issues at different times:<br />
<br />
1) The complainant exercised their right of access and said the defendant was not sufficiently clear or thorough in the information it provided.<br />
<br />
2) The website of the defendant was not sufficiently secure, and the privacy policy was short and vague.<br />
<br />
3) There is no cookie policy, nor is it clear whether cookies are used. Consent for cookies was never requested. The retention period of personal data is never stated.<br />
<br />
4) It is unclear why certain personal data of a medical nature are required.<br />
<br />
5) The use of digital gas meters was not communicated, nor was it disclosed with whom the data was shared.<br />
<br />
6) There is no mention of cameras in the privacy policy, and no information was provided upon the installation of 4 cameras.<br />
<br />
===Dispute===<br />
<br />
1) Exercise of right of access.<br />
<br />
2) Website security and the privacy policy.<br />
<br />
3) Cookie policy and consent for cookies.<br />
<br />
4) Processing of medical data.<br />
<br />
5) Lack of information on the use of digital gas meters.<br />
<br />
6) Lack of information on the 4 surveillance cameras in the privacy policy.<br />
<br />
===Holding===<br />
The GBA split the case into several subtopics:<br />
<br />
- Privacy Policy & Right of Access<br />
<br />
- DPO<br />
<br />
- Cookie Policy<br />
<br />
- Processing of health data<br />
<br />
- Law on cameras<br />
<br />
- Processing through digital meters<br />
<br />
The DPA points out that, pursuant to [[Article 5 GDPR#2|Article 5(2)]] and [[Article 24 GDPR]], the controller must take appropriate technical and organisational measures in order to guarantee, and be able to demonstrate, that the processing of personal data is carried out in accordance with the GDPR. In doing so, the GDPR requires, among other things, that the nature and scope of the processing as well as the risks for the data subjects are taken into account. These elements play an important role in assessing whether and to what extent sanctions should be imposed.<br />
<br />
<b>1) Privacy Policy & Right of Access</b> <br />
<br />
The DPA held that a privacy policy should serve to fully inform the data subject about what is actually done with his or her personal data and in what context those data are processed. Any processing of personal data must be lawful, fair and transparent. Data subjects must be clearly informed of what data is being processed, how the processing is carried out and why the personal data is being processed. It is not possible to deduce from the privacy sheet presented what exactly the personal data is used for. Clear and concrete language must be used when communicating with data subjects.<br />
<br />
Because the data subjects are socially disadvantaged people, the language must be adapted to them and be clear and plain.<br />
<br />
The word "concise" in [[Article 12 GDPR#1|Article 12(1) GDPR]], however, does not mean incomplete; all mandatory information from [[Article 13 GDPR]] must still be included. The contact details of the DPO must be filled in correctly as well.<br />
<br />
By inadequately informing the data subjects, the defendant does not fulfil its transparency obligation.<br />
<br />
<b>2) DPO</b> <br />
<br />
Pursuant to [[Article 37 GDPR#5|Article 37(5) GDPR]], the DPO should be designated, inter alia, on the basis of its expert knowledge of data protection law and practice. [[Article 37 GDPR#7|Article 37(7) GDPR]] provides that the contact details of the DPO shall be published and communicated to the supervisory authority. Neither requirement was fulfilled: the choice of DPO was not sufficiently motivated (in light of a tender), and the DPO was not communicated to the data subjects as the single point of contact.<br />
<br />
Furthermore, contact with the DPO must be direct, not routed through several parts of the organisation, as this can dissuade people from contacting the DPO.<br />
<br />
Lastly, the DPO was not properly involved in all data protection matters, which means the defendant breached [[Article 38 GDPR#1|Article 38(1) GDPR]].<br />
<br />
<b>3) Cookie policy</b><br />
<br />
For a Google DoubleClick.net cookie, no consent was asked. In the ''[[CJEU - C-673/17 - Planet49|Planet49]]'' judgment, the Court of Justice ruled that the controller must provide information before placing cookies. That information must state for how long the cookies will remain active and whether third parties can also have access to them; this is necessary to guarantee fair and transparent information.<br />
<br />
The consent requirement does not apply to the storage of information for purely technical purposes, nor where the placement of cookies is necessary for the provision of a service expressly requested by the subscriber or end user.<br />
<br />
The processing of personal data through cookies without consent is a breach of [[Article 6 GDPR#1|Article 6(1) GDPR]] as there is no legal basis for the processing.<br />
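As an added example (not code from the GDPRhub page or from the decision), the following Python audit models the situation the DPA sanctioned: it lists the cookies a site sets before consent, flags those belonging to a third party such as the DoubleClick cookie, and checks whether a privacy policy states the lifetime and recipients that Planet49 requires. The first-party host, the strictly-necessary cookie list, the sample Set-Cookie headers and the two policy texts are all constructed for this example.<br />

```python
"""Pre-consent cookie audit (added example, not from the GDPRhub page or the
APD/GBA decision). Hosts, cookies and policy texts below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

FIRST_PARTY_HOST = "www.example-housing.be"   # hypothetical audited site
# Cookies needed purely to deliver a service the visitor asked for are exempt
# from consent (the exemption the decision cites); assumed list for this example.
STRICTLY_NECESSARY = {"PHPSESSID", "csrf_token"}


@dataclass
class CookieFinding:
    name: str
    domain: str                  # registrable domain the cookie is scoped to
    third_party: bool
    lifetime_days: float | None  # None = session cookie
    needs_consent: bool


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels), enough for the .be/.net hosts used here;
    a production audit would consult the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_set_cookie(header: str, response_host: str, now: datetime) -> CookieFinding:
    """Turn one Set-Cookie header value into a finding."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # No Domain attribute: the cookie is host-only for the responding host.
    domain = registrable(attrs.get("domain", response_host))
    lifetime: float | None = None
    if "max-age" in attrs:       # Max-Age wins over Expires (RFC 6265)
        lifetime = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        lifetime = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    third_party = domain != registrable(FIRST_PARTY_HOST)
    return CookieFinding(name, domain, third_party, lifetime,
                         needs_consent=third_party or name not in STRICTLY_NECESSARY)


def audit_pre_consent(responses: list[tuple[str, list[str]]],
                      now: datetime) -> list[CookieFinding]:
    """Cookies set before consent that require it. `responses` holds
    (responding host, Set-Cookie values) for every response received while
    loading the page before any consent was given."""
    findings = [parse_set_cookie(h, host, now)
                for host, headers in responses for h in headers]
    return [f for f in findings if f.needs_consent]


def policy_gaps(policy_text: str,
                findings: list[CookieFinding]) -> dict[str, list[str]]:
    """Per consent-requiring cookie, what the policy fails to disclose: the
    cookie itself, a lifetime and, for third-party cookies, the recipient
    domain. A plain text search, so it flags absences only."""
    text = policy_text.lower()
    gaps: dict[str, list[str]] = {}
    for f in findings:
        missing = []
        if not re.search(r"(?<!\w)" + re.escape(f.name.lower()) + r"(?!\w)", text):
            missing.append("cookie not named")
        if f.lifetime_days is not None and not re.search(
                r"\b\d+\s*(days?|months?|years?)\b", text):
            missing.append("lifetime")
        if f.third_party and f.domain not in text:
            missing.append(f"recipient {f.domain}")
        if missing:
            gaps[f.name] = missing
    return gaps


# Constructed sample: what a crawler recorded during a pre-consent page load.
NOW = datetime(2020, 11, 13, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("www.example-housing.be", [
        "PHPSESSID=c0ffee; Path=/; Secure; HttpOnly",        # session, necessary
        "_ga=GA1.2.111.222; Max-Age=63072000; Path=/",       # analytics, 730 days
    ]),
    ("ad.doubleclick.net", [
        "IDE=sample; Domain=.doubleclick.net; Expires=Wed, 08 Dec 2021 00:00:00 GMT; "
        "Path=/; Secure; HttpOnly; SameSite=None",           # third party, 390 days
    ]),
]
VAGUE_POLICY = "This website uses cookies to improve your experience."
FULL_POLICY = ("Google (doubleclick.net) may set the IDE cookie for 390 days; "
               "our analytics cookie _ga is kept for 730 days.")

if __name__ == "__main__":
    found = audit_pre_consent(SAMPLE_RESPONSES, NOW)
    print([(f.name, f.domain, f.lifetime_days) for f in found], policy_gaps(VAGUE_POLICY, found))
```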
<br />
<b>4) Processing of health data</b><br />
<br />
The e-mail exchanges between the parties show that the complainant voluntarily informed the defendant of his health situation and indicated that he could provide the defendant with another medical certificate if necessary. The processing of this sensitive information was necessary for the purposes set out in [[Article 9 GDPR#2h|Article 9(2)(h) GDPR]].<br />
<br />
<b>5) CCTV surveillance</b><br />
<br />
The complainant argues that there is camera surveillance in several residential units of the apartment building. According to the complainant, the privacy policy does not mention anything about camera surveillance. The complainant also wants to know the legal basis and purpose of this processing.<br />
<br />
In the rental agreement, cameras are mentioned but nothing more. The cameras were installed for safety, at the request of some residents, and are legally registered. The DPA determined that it was not clear exactly why the cameras were installed, nor do the elements brought up suffice to determine whether the cameras are compliant with the law on cameras.<br />
<br />
No register of camera processing was kept (article 6 § 2 Camera law), nor was the retention period of 30 days respected (article 6 § 3 Camera law).<br />
<br />
The DPA found a violation of the requirement to keep a register of processing activities under [[Article 30 GDPR]] and of the principle of storage limitation under [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]].<br />
<br />
<b>6) Digital meters</b><br />
<br />
The complainant complains that the defendant uses digital consumption meters and thus records the consumption of the tenants and unlawfully processes data about that consumption without a valid legal basis. The complainant indicates that he has not given his consent to the processing of data relating to his consumption of gas and electricity.<br />
<br />
During the hearing, the defendant indicated that the digital meters are linked to the address, so that the consumption at a given address can be read. This data is also passed on to a third party (a local company) with whom there is a processing agreement. That company reads out the consumption; the defendant receives a list of the readings and links it to the tenant files.<br />
<br />
On the basis of [[Article 6 GDPR]], the controller must have a legal basis in order for the processing to be lawful. On the basis of [[Article 24 GDPR]] and [[Article 25 GDPR]], the defendant must therefore take appropriate technical and organisational measures in order to guarantee, and be able to demonstrate, that the processing takes place in accordance with the GDPR.<br />
<br />
In doing so, the controller must effectively implement the principles of data protection, protect the rights of the data subjects and only process personal data that is necessary for each specific purpose of the processing. Based on these facts and documents, the DPA finds that the defendant has not been able to demonstrate that any privacy policy has been developed with respect to the digital remote reading of meter readings. Moreover, it is unclear on what legal basis under [[Article 6 GDPR]] the data are processed. This constitutes a breach of [[Article 6 GDPR]].<br />
<br />
The complainant indicates that he has not given permission for the processing, and the defendant does not invoke any other legal ground for the processing. In addition, the DPA finds in this case a violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], since it appears from the above that the personal data are not processed in a lawful, fair and transparent manner. The defendant indicates that a third party reads out the consumption data and forwards them to the defendant. The DPA points out that according to [[Article 28 GDPR#3|Article 28(3) GDPR]] the processing by a processor must be governed by a contract between the controller and the processor.<br />
<br />
<b>Sanction</b><br />
<br />
The DPA considers it particularly necessary in this case to give a strict interpretation to the (optional) exemption from administrative fines provided for in [[Article 83 GDPR#7|Article 83(7) GDPR]] for "public authorities and bodies". Moreover, the article does not allow Member States to define the concept of "public authorities and bodies". It is therefore a concept of Union law that must be given an autonomous and uniform meaning, and it is only up to the Union institutions, in particular the Court of Justice, to define the limits of that concept.<br />
<br />
In the opinion of the DPA, a private law organisation such as the defendant's housing company does not fall under this category, even though it carries out tasks in the public interest in the field of social housing.<br />
<br />
On these grounds, the DPA orders the defendant to become compliant within 3 months, to inform the DPA accordingly, and to pay an administrative fine of €1500.<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
1/31<br />
<br />
Litigation Chamber<br />
Decision on the substance 73/2020 of 13 November 2020<br />
<br />
<br />
<br />
File reference: DOS-2018-04368, DOS-2018-06611, DOS-2019-02464, DOS-2019-04329,<br />
DOS-2020-00543 and DOS-2020-00574.<br />
<br />
Subject: Complaints against the social housing company for failure to comply with<br />
several principles of data processing, including those of lawfulness, and<br />
transparency.<br />
<br />
<br />
<br />
The Litigation Chamber of the Data Protection Authority, composed of Mr Hielke<br />
Hijmans, Chairman, and Messrs Dirk Van Der Kelen and Jelle Stassijns, Members;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016<br />
on the protection of individuals with regard to the processing of<br />
personal data and on the free movement of such data and repealing directive<br />
95/46/EC (general data protection regulation), hereinafter AVG;<br />
<br />
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereafter<br />
WOG;<br />
<br />
Having regard to the Internal Rules of Procedure approved by the Court of Auditors of<br />
Members of Parliament on 20 December 2018 and published in the Moniteur belge on<br />
15 January 2019;<br />
<br />
Having regard to the documents in the file;<br />
<br />
<br />
<br />
Decision on the substance 73/2020 - 2/31<br />
<br />
has taken the following decision on:<br />
- The complainant: Mr X<br />
- The defendant: Y Housing company.<br />
<br />
<br />
1. Facts and procedure<br />
<br />
1. At various points in time, the Complainant submitted a total of six complaints against the<br />
defendant. Since the defendant, who is also the controller, is the Y Housing Company in all files,<br />
the complaints will be dealt with jointly.<br />
<br />
The Inspectorate has issued an inspection report on the first three complaints.<br />
<br />
Complaint 1: DOS-2018-04368, Right of inspection<br />
2. This complaint was lodged on 19 November 2018 and declared admissible by the<br />
First-line service on 14 January 2019. The complaint concerns the exercise of the right of access<br />
against the defendant in accordance with Article 15 of the AVG.<br />
<br />
3. On 4 October 2018, the complainant requested access to all the information that the defendant had<br />
processed about him since his registration as a candidate tenant. In doing so, the complainant put a<br />
number of questions to the defendant. Those questions concern the purposes of the processing, the<br />
categories of personal data, the recipients or categories of recipients to whom the data are provided<br />
and in particular the recipients abroad, the retention periods, whether a right to rectify or erase<br />
personal data exists, the source of the data in the case of indirect data collection and, finally,<br />
the question of automated decision-making.<br />
<br />
4. In response to this request, the complainant received a document called Extract Personal details<br />
Candidate - tenant Y Housing CVBA. The personal data provided on the extract include the following:<br />
name, address and place of residence as well as the national register number, bank account, e-mail<br />
address, income details and telephone number. The same extract states that personal data will only<br />
be used for the following purposes and shared with "authorised parties". In his complaint, the<br />
complainant asks which parties are authorised, what the function of the personal data on the extract<br />
is and what purpose the extract serves. The defendant claims to use these data; however, the<br />
complainant wonders how and for what purposes the various data are processed.<br />
<br />
<br />
5. Furthermore, the complainant considers that the defendant does not make clear and unambiguous<br />
how, inter alia, the data subjects' right of rectification and erasure of data is to be exercised.<br />
In addition, the complainant notes that the legal texts and relevant<br />
documents are difficult to find and consult.<br />
<br />
<br />
Complaint 2: DOS-2018-06611, Website [...]<br />
6. The second complaint was lodged on 20 November 2018 and declared admissible on 14 January 2019.<br />
This complaint concerns the website [...]. The complainant complains that the website does not comply<br />
at all with privacy legislation. According to the complainant, the website is inadequately secured,<br />
as an http connection is used instead of an https connection while, according to the complainant,<br />
confidential information is being processed. When an https connection is used, according to the<br />
complainant, the data is encrypted when it is sent. In addition, a non-secure website (which uses<br />
an http connection) is subject to possible external attacks, according to the complainant. The<br />
complainant wonders what mechanisms the defendant has in place to avert possible attacks. According<br />
to the complainant, no explanation or information is given anywhere about how the data will be<br />
secured. The part of the website where one can log in to see where the prospective tenant stands on<br />
the waiting list also goes via an unsecured http connection, according to the complainant.<br />
Requesting a new password for logging in goes via the same http connection and, according to the<br />
complainant, is totally against the principles of data protection.<br />
<br />
7. According to the complainant, the forms used on the website are also unsecured. Secure forms<br />
should be used in order to make everything more orderly and streamlined.<br />
<br />
8. According to the complainant, nowhere is it made clear whether and to what extent use is made<br />
of Google Analytics.<br />
<br />
9. The complainant claims that the defendant also uses cookies on the website [...] (see also the<br />
separate complaint on this subject: complaint 3). According to the complainant, there is no indication<br />
of what the cookies are used for, with what content and who their recipients are. In addition, there<br />
is no possibility of rejecting cookies. Furthermore, according to the complainant, use is made of<br />
'keywords' and a 'description' of the website which, according to the complainant, indicates that the<br />
defendant wishes to be found through search engines. This will lead to more visitors on an unsecured<br />
website.<br />
<br />
<br />
10. According to the complainant, the privacy statement is of a very general nature and refers to<br />
legislative texts, deliberations, etc., without indicating where they can be found and consulted.<br />
According to the complainant, the defendant is attempting to disclaim liability through the use of<br />
a disclaimer stating that the website should not be visited in the event of disagreement with the<br />
defendant's general terms and conditions.<br />
<br />
11. With regard to the protection of personal data, the privacy statement indicates that the data<br />
collected will be processed for the purposes of an efficient and correct composition of the file and<br />
that it is stored in the files of Y Housing and those of the Vlaamse Maatschappij voor Sociaal Wonen.<br />
According to the complainant, there is no uniformity or consistency here.<br />
<br />
12. The Complainant further complains about the fact that the information on the website of<br />
the defendant is completely incomprehensible and unclear. He points out that most<br />
(candidate) tenants of a social housing company such as that of the defendant<br />
belong to vulnerable groups of persons for whom this information is difficult to fathom.<br />
<br />
13. Finally, the complainant asks what other personal data are collected when visiting the website,<br />
by whom this is done and how it is done. The complainant also points to 'GO4it media group', which<br />
is the operator of the defendant's website. The complainant notes that that website does use https<br />
security.<br />
<br />
<br />
Complaint 3: DOS-2019-02464, Website www.[...].be<br />
14. The Complainant filed a complaint on 1 July 2019. The complaint was declared admissible on<br />
3 July 2019 by the First Line Service.<br />
<br />
15. The complainant complains about the website [...] used by the defendant. According to the<br />
complainant the website does not comply with current privacy legislation. The complainant states<br />
that the only thing there is in terms of data protection is a document called "privacy policy"<br />
which contains a very brief text. The complainant indicates that this concerns a new, additional<br />
website of the defendant. The complainant is disturbed that there is no correct and complete<br />
privacy statement and that there is no cookie policy either.<br />
<br />
16. The complainant states that personal data are collected by means of a web form. In addition, a<br />
number of preferred themes have to be passed on and the defendant's privacy statement agreed to,<br />
according to the complainant. In addition, according to the complainant, use is made of cookies from<br />
Google Analytics and others. In addition, the Complainant complains that no indication is given as<br />
to which third parties are involved in the processing of the content of the web forms.<br />
<br />
17. Personal data are stored and, according to the complainant, no indication is given as to how long<br />
the data are kept and for what they will be used. According to the complainant, neither is it<br />
indicated how and by whom the data will be processed.<br />
<br />
Complaint 4: DOS-2019-04329, Processing of medical data<br />
<br />
18. This complaint was lodged on 16 August 2019 and declared admissible on 30 September 2019. The<br />
complainant complains that the defendant processes personal data, and in particular medical data,<br />
and that this processing is carried out in violation of the AVG. In order to be eligible for a ground<br />
floor/adapted dwelling the complainant provided medical information to the defendant. From the<br />
annexes, it appears that the complainant e-mailed a medical certificate to the defendant so that his<br />
housing preferences could be adjusted. The defendant replied to that e-mail that, following the<br />
submission of the medical certificate, the housing preferences would be adapted to ground floor<br />
residences only. Medical certificates are mentioned on the list of documents to be produced at the<br />
time of registration. According to the complainant, it is completely unclear what the processing<br />
purposes are. The complainant argues that the processing of health data in the present case is<br />
contrary to Articles 5, 6, 12 and 13 AVG. Also in this complaint, the complainant discusses the<br />
general privacy policy of the defendant, reiterating that the defendant violates privacy legislation<br />
through the policies it pursues.<br />
<br />
<br />
Complaint 5: DOS-2020-00543, Use of digital meters<br />
<br />
19. The complaint was lodged on 23 January 2020 and declared admissible on 4 February 2020.<br />
On 10 January 2020, the complainant received a letter from the defendant called "interim review -<br />
consumption of gas". The document shows the consumption of heating and hot water over the last two<br />
months. The complainant does not claim to have given consent to the defendant to process his<br />
consumption data. Consumption of gas and electricity is recorded by the defendant without the<br />
complainant's knowledge, let alone his consent, the complainant states. According to the complainant,<br />
this is unnecessary processing as customers can pass on the meter readings themselves. In an email<br />
dated 20 January 2020 from the email address [...], the defendant writes that the data is read<br />
automatically and sent to the defendant via an Internet connection.<br />
<br />
<br />
Complaint 6: DOS-2020-00574, Use of surveillance cameras<br />
<br />
20. The complainant submitted a complaint on 30 January 2020, which was declared admissible on<br />
4 February 2020 by the First Line Service. The complainant alleges that the defendant processes<br />
personal data by means of various fixed cameras in various residential entities. According to the<br />
complainant there are 4 security cameras placed on the roof, 2 in the common entrance halls and 1 in<br />
the communal basement entrance. According to the complainant, the privacy policy does not mention<br />
anything about the use of the cameras. According to the complainant, the rental agreement only<br />
reports the use of surveillance cameras. The complainant also requests to know the legal basis and<br />
the purpose of this processing.<br />
<br />
Continuation of the procedure<br />
<br />
21. The Inspectorate was set up on 7 June 2019 with regard to complaints 1 to 3.[1]<br />
<br />
<br />
22. On 9 August 2019, the Inspectorate wrote a letter with questions to the<br />
defendant.<br />
<br />
<br />
23. The letter contained questions to the defendant by means of which the Inspectorate wished to<br />
examine possible infringements of Articles 5, 6, 12, 13, 15, 24, 37, 38 and 39 of the AVG and to<br />
gain a better insight into the complaints.<br />
<br />
24. The Inspectorate requested the following information from the defendant:<br />
<br />
(a) The communication from the defendant to the complainant concerning the complainant's request<br />
for access, and the opinions delivered thereon by the defendant's Data Protection Officer.<br />
<br />
(b) As regards the privacy policy of the website [...], a copy of the decisions that were taken on the<br />
privacy policy which can be consulted on the website, as well as a copy of the opinions of the<br />
Data Protection Officer on the privacy policy on the website.<br />
<br />
(c) Copy of the decisions concerning the legal information and the disclaimer on the website<br />
of the defendant and a copy of the Data Protection Officer's opinions on this information and<br />
the disclaimer.<br />
<br />
[1] Concerning DOS-2018-06611, DOS-2018-04368 and DOS-2019-02464.<br />
<br />
<br />
(d) Copy of the register of processing operations.<br />
<br />
<br />
(e) A reasoned and documented reply to the question whether the defendant has a data protection<br />
officer or not. If so, the Inspectorate wished to receive an organisation chart showing the place<br />
of the Data Protection Officer, his title and the tasks he carries out, including assignments not<br />
related to data protection.<br />
<br />
<br />
25. On 2 July 2019, the Inspectorate received a reply to its letter of 7 June 2019. Annexed to<br />
the reply was a letter from the defendant dated 25 October 2018 in response to the complainant's<br />
request of 4 October 2018 for access to his file held by the defendant. The response contains an<br />
extract of the personal data of the prospective tenant, in this case the complainant. The extract<br />
contains the name, address and residence details as well as the national register number, bank<br />
account, e-mail address, income and telephone number.<br />
<br />
26. In addition, a privacy datasheet has been added as an appendix which states that information<br />
and personal data are kept on (candidate) tenants in order to see whether a person is entitled to<br />
social housing. The information which, according to the defendant, is kept consists of:<br />
identification data, national register number, address and contact details, family composition,<br />
language knowledge, financial data, ownership details and, in some cases, accompanying services.<br />
It is mentioned that the data are kept for 10 years, in accordance with the Archives Act.<br />
<br />
27. The defendant also indicated that it queried a number of bodies in order to obtain data. These<br />
bodies are:<br />
<br />
a) Federal Public Service Finance: data on taxable income and<br />
ownership data;<br />
(b) National Register: national register number, surname and forenames, date of birth, gender,<br />
main residence and history, the place and date of death, civil<br />
status, composition of the family, nationality and history, legal<br />
cohabitation, the register of registration and legal capacity;<br />
<br />
c) Federal Public Service Social Security: data on living wage;<br />
d) Flemish Agency for Integration and Civic Integration: data on integration and<br />
linguistic readiness;<br />
<br />
<br />
(e) VREG (independent authority of the Flemish energy market): housing data on<br />
the energy value of social housing.<br />
<br />
28. On 9 July 2019, following the replies it had received from the defendant on 2 July 2019 in<br />
response to its questions, the Inspectorate put provisional findings and supplementary questions to<br />
the defendant. The provisional findings of the Inspectorate were as follows:<br />
<br />
a. The defendant does not have at its disposal any advice given by the Data Protection Officer in<br />
relation to the complainant's request for access;<br />
b. The defendant does not have at its disposal any opinions of the Data Protection Officer<br />
concerning the privacy policy on the website [...];<br />
<br />
c. The defendant does not have at its disposal any decisions taken on the privacy policy<br />
on the website;<br />
d. The copy of the processing register contains neither the name and contact details of the<br />
controller and the Data Protection Officer nor the processing purposes;<br />
e. The defendant does not explain the duties and powers of the Data Protection Officer.<br />
<br />
29. The Inspectorate also put further questions to the defendant about the Data Protection Officer.<br />
For example, it requested a copy of the documents justifying the choice of that person as Data<br />
Protection Officer, the date of notification of that Data Protection Officer to the Data Protection<br />
Authority and, finally, a copy of the documents showing the effective exercise of his mission, more<br />
specifically advice, correspondence and the like.<br />
<br />
30. By email of 8 August 2019, the defendant's response to the Inspectorate's provisional findings<br />
was communicated. The response contains a number of annexes, including e-mail correspondence between<br />
the defendant and the data protection officer who works at Infosentry. This e-mail is referred to as<br />
advice from the Data Protection Officer on the complaint.<br />
<br />
31. As the privacy policy communication requested by the Inspectorate, the defendant enclosed an<br />
e-mail from the Vlaamse Maatschappij voor Sociaal Wonen (VMSW) (Flemish Social Housing Company).<br />
The mail contains the message that the VMSW has new privacy statements for customers of social<br />
housing companies. This is an e-mail addressed to all social landlords. In addition, general<br />
information sheets have always been added.<br />
<br />
32. It should also be noted that the processing register has been amended as a result of the<br />
Inspectorate's provisional findings.<br />
<br />
33. The Inspectorate's questions to the defendant concerning the designation of the Data Protection<br />
Officer under Article 37 AVG (outside the scope) were also answered. It was indicated that the<br />
appointment of the Data Protection Officer was carried out on the initiative of the VMSW, which had<br />
concluded a framework agreement with the company Infosentry NV by means of a call for tenders.<br />
<br />
<br />
34. The defendant points out in this connection that: "The companies could, on their own initiative,<br />
subscribe to the services of Infosentry NV, which, in addition to a minimum level of experience,<br />
also requires all its employees to obtain a minimum number of certificates in the domain of data<br />
protection knowledge".<br />
<br />
<br />
35. The date of notification of the data protection officer is 25 May 2018. The defendant points<br />
out that it has submitted a new notification to the GBA in which another person was registered as<br />
the officer. According to the defendant, the latter is therefore the actual data protection officer.<br />
<br />
36. On 16 September 2019, the Inspectorate submitted its report to the Disputes Chamber on the<br />
basis of Article 92, 3° of the WOG.<br />
<br />
37. The inspection report identifies potential breaches of Articles 5, 6, 12, 13, 15, 30, 31, 32<br />
and 37 to 39 of the AVG.<br />
<br />
38. The Inspectorate finds that the defendant has failed to comply with the obligations imposed by<br />
Articles 5 and 6 of the AVG. The Inspectorate reaches this conclusion because the answers given by<br />
the defendant do not show any justification as to which decisions have been taken concerning the<br />
legal info / legal disclaimer and general terms and conditions on the webpage [...].[2]<br />
<br />
[2] See page 3 of inspection report DOS-2018-006611, document 21.<br />
<br />
<br />
39. In addition, the defendant acknowledges that no advice was given by the data protection officer<br />
since, in the defendant's view, such advice is not normally covered by the duties of the officer.<br />
<br />
40. Nor do the defendant's replies indicate what decisions were taken on those parts of the<br />
website [...] which facilitate the processing of personal data, such as the contact page.<br />
<br />
41. According to the Inspectorate, the privacy policy of Y Housing is not transparent and not<br />
understandable to data subjects. It is not made clear what happens to the personal data obtained.<br />
According to the Inspectorate, the privacy policy is confusing and contains all kinds of concepts<br />
that are incomprehensible to data subjects. In addition, the policy indicates that if a data subject<br />
contacts the defendant via an electronic medium other than the website, the privacy statement of<br />
that other medium takes priority. According to the Inspectorate, this also indicates that there is<br />
no transparency towards data subjects.<br />
<br />
42. The Inspectorate points out that, despite its express request, it has not received from the<br />
defendant any opinions of the data protection officer.<br />
<br />
43. According to the Inspectorate, technical investigations have shown that cookies are used on<br />
the website [...]. One of these is a necessary technical cookie called "hs_js"; another is a<br />
marketing cookie called "IDE" originating from Google-Doubleclick. No consent is asked from the<br />
visitors of the website for the latter cookie. The processing of personal data that takes place in<br />
that context is therefore, according to the Inspectorate, unlawful.<br />
<br />
44. With regard to Articles 12, 13 and 14 of the AVG, the Inspectorate also detected<br />
infringements. The service reaches these findings because Annex 11 "Internal rental regulations",<br />
which is not related to the defendant's privacy policy, is not transparent and comprehensible to<br />
data subjects; the Inspectorate therefore establishes an infringement of Article 12.1 AVG. It is<br />
not made clear what is meant by the various terms used in that Annex 11. The contact details of<br />
the defendant's data protection officer are missing. The processing purposes and the legal basis<br />
for the processing are lacking. Finally, according to the Inspectorate, data subjects are not made<br />
aware of the right of access.<br />
<br />
<br />
45. As of 1 July 2019, an amended privacy policy has been published by the defendant on its<br />
website.[3] According to the Inspectorate, the document containing the defendant's privacy policy<br />
is not transparent and comprehensible to data subjects and therefore does not meet the<br />
requirements of Article 12.1 AVG. In addition, not all information prescribed by Articles 13 and<br />
14 of the AVG is actually described in the privacy policy. Different terms are used<br />
interchangeably and the contact details of the data protection officer are missing, according to<br />
the inspection report.<br />
<br />
46. In response to the complainant's request for access on the basis of Article 15 AVG, the<br />
defendant reacted by sending, inter alia, a document called "GDPR". According to the Inspectorate,<br />
this document too is neither transparent nor comprehensible to data subjects, as a result of which<br />
the defendant does not meet the requirements of Article 12.1 AVG. According to the Inspectorate,<br />
the answer does not meet the requirements of Article 15.1 AVG either. Mandatory information, such<br />
as the recipients of the personal data, is missing.<br />
<br />
47. An infringement of Articles 28 and 30 was also found by the Inspectorate, for the following<br />
reasons. The defendant has indicated that a company called C-Works designed the website [...].<br />
Via that website, personal data of tenants are collected and processed. The defendant does not<br />
regard the company as a processor. In view of the information provided, it is not clear to the<br />
Inspectorate whether the company is a processor and whether a processor's contract in accordance<br />
with Article 28 of the AVG should thus have been concluded.<br />
<br />
<br />
Additional findings (outside the scope of the complaints)<br />
<br />
48. The obligations imposed by Articles 37.5 and 37.7 of the AVG are, according to the<br />
Inspectorate, not complied with by the defendant. The defendant does not give the justification<br />
for the choice of the data protection officer. The defendant indicates only that this was done on<br />
the initiative of VMSW which, by means of a call for tenders, had concluded a framework agreement<br />
with Infosentry. The contact details of the data protection officer are also not disclosed, and<br />
this implies a breach of Article 37.7 AVG according to the Inspectorate.<br />
<br />
49. Finally, the Inspectorate has established that the obligations set out in Articles 38.1 and<br />
38.3 AVG are also not complied with by the defendant. From the various documents the Inspectorate<br />
received from the defendant, it may be concluded that no opinion was sought from the data<br />
protection officer for, inter alia, the processing of personal data via the website [...].<br />
<br />
<br />
Treatment on the merits by the Disputes Chamber<br />
<br />
50. On 21 March 2020, the Disputes Chamber informed the parties that the six individually<br />
submitted complaints would be joined and that the Disputes Chamber, on the basis of Article 95,<br />
§1, 1° and Article 98 of the WOG, considered the dossier ready for treatment on the merits. The<br />
parties were also notified of the time limits for submitting their written conclusions. The final<br />
date for receipt of the defendant's conclusions in response was thereby set at 26 March 2020,<br />
that for the complainant's conclusions in reply at 27 April 2020 and that for the defendant's<br />
conclusions in rejoinder at 27 May 2020.<br />
<br />
51. On 26 March 2020, the data protection officer, employed by the company Infosentry, submitted<br />
the defendant's conclusions by e-mail on behalf of the defendant, in which he also expresses his<br />
desire to be heard.<br />
<br />
52. On 19 August 2020, the parties were informed that the oral hearing would take place on<br />
23 September 2020.<br />
<br />
53. On 23 September 2020, the parties were heard by the Disputes Chamber.<br />
<br />
54. The minutes of the hearing were presented to the parties on 29 September 2020.<br />
<br />
55. On 2 October 2020, the data protection officer, on behalf of the defendant, sent a response to<br />
the minutes to the Disputes Chamber, in which he asked for a number of corrections to be made to<br />
the minutes.[4]<br />
<br />
56. On 8 October 2020, the complainant replied to the minutes by e-mail. In his reaction to the<br />
minutes, the complainant reiterates his earlier arguments in detail. The Disputes Chamber points<br />
out, as already mentioned at the hearing, that no new facts can be added as the debates have<br />
already been closed. The minutes are only sent to check that everything has been correctly<br />
recorded. Therefore, the arguments put forward after the closure of the debates will not be taken<br />
into account in the decision.[5]<br />
<br />
[4] See e-mail of 2 October 2020 with feedback on the minutes from DPO Cranium on behalf of the<br />
defendant to the Disputes Chamber.<br />
<br />
<br />
57. In its conclusions of 26 March 2020, the defendant acknowledges that, with regard to the legal<br />
information / legal disclaimer, no opinions have been issued by the data protection officer. It<br />
notes that the document will be removed as it does not contain any conditions applying to the<br />
exchange of personal data.<br />
<br />
58. As regards the Inspectorate's findings concerning the website [...], the defendant responds as<br />
follows: "With regard to the technical examination carried out on the website, Y Housing<br />
acknowledges that the findings made by the Inspectorate are correct and that a marketing cookie<br />
was active on the web page. Considering the one-off event that was organised and the brief use of<br />
the website, Y Housing relied in good faith on the explanation of the website builder (Go4IT), an<br />
e-mail substantiating this was attached as a document to the previous file, that no cookies were<br />
active on the website. Y Housing acknowledges that not submitting the website to a test on this<br />
can constitute a reprehensible omission and learns the necessary lessons from it for the future."<br />
<br />
<br />
59. The defendant further states that it has taken note of the Inspectorate's findings on<br />
transparent information, communication and detailed arrangements for exercising the rights of the<br />
data subject (Articles 12 and 13 AVG). The defendant indicates that it will amend the privacy<br />
statements.<br />
<br />
<br />
60. With regard to the findings concerning the right of access in Article 15 of the AVG, the<br />
defendant replies as follows. The defendant states that it always seeks to provide transparent<br />
and clear information in response to questions received from its (candidate) tenants. The<br />
defendant then states that it "has, to the best of its ability, transmitted the necessary<br />
documentation following the exercise of the right of access by the data subject; the company<br />
acknowledges that some elements of this document may not be fully clear after a first reading. As<br />
a modest SME, it is the first time that Y Housing was faced with such a request. The organisation<br />
recognises that areas for improvement and efficiency gains would be possible if such a request<br />
were to recur".<br />
<br />
[5] E-mail from the complainant to the Disputes Chamber of 8 October 2020 following the minutes of<br />
the hearing.<br />
<br />
<br />
61. The defendant points out that it is open at all times to questions from and communication with<br />
(candidate) tenants. The defendant was unaware that the document contained ambiguities and would<br />
rather have expected the complainant to first communicate this to the defendant before lodging a<br />
complaint.<br />
<br />
62. The defendant indicates that it has taken note of the Inspectorate's findings concerning the<br />
register of processing operations. According to the defendant, the register has now been updated.<br />
<br />
<br />
63. The defendant concludes as follows:<br />
<br />
"In conclusion, Y Housing stresses that the necessary efforts have been made to act in conformity<br />
with the AVG. Furthermore, Y Housing acknowledges the importance of the protection of personal<br />
data and the role played by the Data Protection Authority in this respect. Nevertheless, in recent<br />
weeks and months Y Housing has above all had to undergo this procedure. Although Y Housing always<br />
tries to accommodate its (prospective) tenants in the most suitable way and to comply with the<br />
necessary legislation, while also being in contact as far as possible with stakeholder<br />
organisations, it has been shown that, as a modest social rental company, an excessive workload<br />
and financial effort was required to deal with this administrative procedure to the necessary<br />
level of detail. With this consideration Y Housing would like to stress once again the importance<br />
of being heard in this case."<br />
<br />
64. By email of 23 October 2020, the Disputes Chamber notified the defendant of its intention to<br />
impose an administrative fine, the amount of the fine and the possibility for the defendant to<br />
communicate its defences in this respect.<br />
<br />
65. On 30 October 2020, the defendant replied by email to the intention to impose an<br />
administrative fine. The Disputes Chamber points out in this regard that no new facts can be added<br />
as the debates were already closed. In summary, the defendant's reaction is as follows. The amount<br />
of the fine is, according to the defendant, too high. The defendant indicates that these are<br />
financially difficult times for it. That is why the defendant would have been compelled, inter<br />
alia, to sell dwellings in order to be able to continue. According to the defendant, this has a<br />
direct impact on its target group, namely the weaker members of society. The defendant does not<br />
share the view of the Disputes Chamber on the (in)accessibility of the data protection officer.<br />
According to the defendant, the officer can be reached in the manner prescribed by the AVG. The<br />
defendant states that the positive result of EUR 528,355 as included in the fine form is incorrect<br />
and adds other figures. As regards the infringements detected in relation to the surveillance<br />
cameras, the defendant largely agrees with the opinion of the Disputes Chamber, but with the<br />
addition that the images were not consulted by the defendant but were merely saved.<br />
<br />
<br />
<br />
2. Reasoning of the Disputes Chamber<br />
<br />
66. In view of the number and size of the complaints submitted, the Disputes Chamber assesses, for<br />
reasons of procedural economy, the extent to which the complaints are well-founded according to<br />
the subject of the complaint. Consequently, complaints 1 to 6 will not be dealt with in that order<br />
but will be grouped under the themes to which they relate. The themes which are the subject of the<br />
various complaints and on which the Disputes Chamber will give its verdict are the following:<br />
<br />
- privacy policy &amp; right of access in accordance with Article 15 AVG (section 2.1)<br />
- data protection officer (section 2.2)<br />
- cookie policy (section 2.3)<br />
- processing of health data (section 2.4)<br />
- camera law (section 2.5)<br />
- processing by means of digital meters (section 2.6)<br />
<br />
<br />
67. The Disputes Chamber points out that, pursuant to Articles 5.2 and 24 AVG, the controller must<br />
take appropriate technical and organisational measures to ensure and be able to demonstrate that<br />
the processing of personal data is carried out in accordance with the AVG. In doing so, the AVG<br />
requires, among other things, that account be taken of the nature and volume of the processing<br />
operations and of the risks to data subjects. In assessing whether and to what extent sanctions<br />
will have to be imposed, these elements will play an important role.<br />
<br />
<br />
2.1 Privacy Policy &amp; Right of Access in accordance with Article 15 AVG<br />
<br />
<br />
68. As regards the right of access under Article 15 AVG and the infringements alleged by the<br />
complainant (especially in complaint 1), the Disputes Chamber argues as follows.<br />
<br />
69. The document called "Extract Personal Data Candidate - Tenant Y Housing CVBA" contains various<br />
data, including the national register number, name, address and residence data as well as<br />
nationality, email address, sex, date of birth and family income of (prospective) tenants. In<br />
addition to the extract, a document called "Privacy: what information does Y Housing have?" was<br />
transferred to the complainant. This info sheet contains the following opening paragraph: "Via<br />
Y Housing you can rent a social housing. We therefore keep information about you in lists and<br />
files to see if you have a right to something. Or to help you better."[6]<br />
<br />
Articles 13.1 and 13.2 AVG stipulate as follows:<br />
1. When personal data relating to a data subject are obtained from the data subject, the<br />
controller shall provide the data subject, at the time of obtaining the personal data, with the<br />
following information:<br />
(a) the identity and contact details of the controller and, where appropriate, of the<br />
representative of the controller;<br />
(b) where appropriate, the contact details of the data protection officer;<br />
(c) the processing purposes for which the personal data are intended, as well as the legal basis<br />
for the processing;<br />
(d) the legitimate interests of the controller or of a third party, if the processing is based on<br />
Article 6(1)(f);<br />
(e) where appropriate, the recipients or categories of recipients of the personal data;<br />
(f) where appropriate, that the controller intends to transfer the personal data to a third<br />
country or an international organisation, and whether or not an adequacy decision by the<br />
Commission exists or, in the case of the transfers referred to in Article 46, Article 47 or the<br />
second subparagraph of Article 49(1), which appropriate or suitable safeguards exist, how a copy<br />
can be obtained or where they can be consulted.<br />
2. In addition to the information referred to in paragraph 1, the controller shall provide the<br />
data subject, at the time of obtaining the personal data, with the following additional<br />
information to ensure fair and transparent processing:<br />
(a) the period for which the personal data will be stored or, if that is not possible, the<br />
criteria for determining that period;<br />
(b) the legitimate interests of the controller or of a third party, if the processing is based on<br />
Article 6(1)(f);<br />
(c) that the data subject has the right to request from the controller access to, rectification<br />
or erasure of personal data or restriction of processing concerning him or her, as well as the<br />
right to object to such processing and the right to data portability;<br />
(d) where the processing is based on Article 6(1)(a) or Article 9(2)(a), that the data subject has<br />
the right to withdraw consent at any time, without prejudice to the lawfulness of processing<br />
based on consent before its withdrawal;<br />
(e) that the data subject has the right to lodge a complaint with a supervisory authority;<br />
(f) whether the provision of personal data is a statutory or contractual requirement or a<br />
requirement necessary to enter into a contract, and whether the data subject is obliged to<br />
provide the personal data and what the possible consequences are if these data are not provided;<br />
(g) the existence of automated decision-making, including the profiling referred to in<br />
Article 22(1) and (4), and, at least in those cases, meaningful information about the underlying<br />
logic, as well as the significance and the envisaged consequences of such processing for the data<br />
subject.<br />
<br />
[6] See attachment to e-mail of 4 October 2018 from the complainant to the GBA.<br />
<br />
70. During the hearing, the defendant stated that the privacy statement on the website was<br />
published after having been reviewed and endorsed by the Board of Directors. According to the<br />
defendant, it is a privacy statement derived from the example of the VMSW.<br />
<br />
71. The Disputes Chamber finds that the aforementioned privacy statement - also in the form of the<br />
information sheet after the statement was adapted and entered into force on 1 July 2019 - does<br />
not meet the requirements for processing in accordance with Articles 12 and 13 AVG. Such a<br />
privacy sheet must fully inform the data subject of what is actually done with the personal data<br />
and in what context they are processed. Any processing of personal data must be lawful, fair and<br />
transparent. Data subjects should be clearly informed which data are processed, how the<br />
processing is carried out and why the personal data are processed. It cannot be deduced from the<br />
privacy sheet what exactly the personal data are used for.<br />
<br />
72. The privacy sheet contains the following paragraph concerning the processing of personal<br />
data: "Via Y Housing you can rent a social housing. We therefore keep information about you in<br />
lists and files. We use this information to find out if you have a right to it. Or to be able to<br />
help you better."<br />
<br />
<br />
73. The Disputes Chamber is of the opinion that the above is a very vague, general and unclear<br />
text from which it is in no way possible to deduce what the collected personal data are actually<br />
used for. This text does not comply with the AVG. For example, it is absolutely unclear what is<br />
meant by "we use this information to see if you have a right to something. Or to be able to help<br />
you better". Clear and plain language should be used to communicate with data subjects.<br />
<br />
<br />
74. Transparency requirements are laid down in the AVG and further explained in the Guidelines on<br />
transparency under Regulation (EU) 2016/679 of the Article 29 Data Protection Working Party, which<br />
state that "One of the key elements of the principle of transparency as referred to in these<br />
provisions is that data subjects should be able to determine in advance the scope and<br />
consequences of the processing and not be surprised subsequently by other ways in which their<br />
personal data have been used".[7] The specific interest at stake must be made clear to the data<br />
subject.<br />
<br />
75. In addition, information and communication concerning privacy must comply with the principle<br />
of transparency, i.e. the information must be simple, accessible and comprehensible in accordance<br />
with Article 12.1 AVG. "Comprehensible" means, inter alia, that the message must meet a certain<br />
level of language use, namely "clear and plain language".[8] In addition, the use of language<br />
should be adapted to the target group.[9] This means communicating in clear and plain language<br />
with data subjects. The defendant, (all the more so) now that these are (candidate) tenants of a<br />
social housing company, would have had to draw up the policy in a more understandable and clearer<br />
way. After all, these are tenants with low incomes and, in general (barring exceptions), a low<br />
level of education, which makes a more comprehensible policy all the more necessary.<br />
<br />
[7] Transparency guidelines, p. 8.<br />
[8] Data Protection Working Party, Guidelines on consent under Regulation 2016/679, WP259, p. 4;<br />
Guidelines on transparency under Regulation (EU) 2016/679, WP260, p. 7: "The requirement that<br />
information shall be "comprehensible" means that the information must be comprehensible to an<br />
average member of the intended public. Understandability is closely linked to the requirement to<br />
use clear and plain language. A controller respecting the principle of accountability will have<br />
knowledge of the persons from whom information is collected and can use this knowledge to<br />
determine what the target group is likely to understand. For example, a controller who collects<br />
personal data of working professionals may assume that his or her target group has a higher level<br />
of understanding than the target group of a controller who collects children's personal data. […]".<br />
[9] Recital 39 AVG.<br />
<br />
76. In addition to the infringements mentioned above, the defendant's privacy policy is even more<br />
difficult to understand now that, in different places and at different times, various concepts<br />
such as "personal data", "information" and "data" are used interchangeably in the privacy sheet.<br />
In addition, references are made without an explanatory glossary or clear explanations. The<br />
information provided is often not up to date. An example is the reference to the website of the<br />
supervisory authority: as both the complainant and the Inspectorate rightly commented, reference<br />
is made to www.privacycommission.be while the current website since May 2018 is<br />
www.gegevensbeschermingsautoriteit.be.<br />
<br />
77. The Disputes Chamber also finds that the defendant's privacy policy is incomplete, as it does<br />
not contain the mandatory information laid down in Article 13 of the AVG. According to Article 12<br />
of the AVG, the privacy information must be "concise"; this does not in any way mean that the<br />
obligation to provide information in accordance with Article 13 AVG may be waived.<br />
<br />
78. The defendant's privacy policy does not contain the mandatory information under Article 13.1(b)<br />
AVG, such as the contact details of the data protection officer, in a manner that complies with<br />
the legislation and the Guidelines of the Working Party 29 on the data protection officer.[10] In<br />
order to comply with the requirement of providing prior information, these contact details should<br />
indeed be included in the privacy policy.<br />
<br />
79. As rightly pointed out by the Inspectorate, the e-mail address [...] indicated on the privacy<br />
sheet is, according to the "Explanation of organisation chart" provided by the defendant, linked<br />
to the mailbox of the defendant's IT administrator, while the function of data protection officer<br />
has, according to the defendant, been subcontracted to a third party under the framework contract<br />
of VMSW.[11] The data protection officer appears to be employed by that third party, in this case<br />
the company Infosentry. The e-mail address of the officer is [...], according to various documents<br />
and mail correspondence between the defendant and the officer. Accordingly, the contact details<br />
of the data protection officer are inaccurate and data subjects may, in case of need, not turn to<br />
the right person. On the basis of these findings, an infringement of Article 13(1)(b) AVG is<br />
established. The fact that, as of 1 September 2020, a new data protection officer has been<br />
appointed does not alter the fact that the infringement continued up to that date, and a new<br />
appointment does not retroactively rectify the infringement committed.<br />
<br />
[10] Data Protection Working Party, WP243 rev.01, Guidelines on Data Protection Officers, p. 12.<br />
[11] Document 10 of dos-2018-06611.<br />
<br />
80. The Disputes Chamber deduces from the infringements found above that the defendant has failed<br />
to comply with its obligations of transparency under Article 12 of the AVG and its obligation to<br />
provide information under Article 13 of the AVG. The defendant acknowledges this in its<br />
conclusions. As a result, the defendant has acted culpably negligently in breach of its duty of<br />
accountability, as laid down in Articles 5.2 and 24 of the AVG. The information must be in<br />
accordance with Articles 12 and 13 of the AVG.<br />
<br />
81. Article 15 AVG in which the right of inspection of the person concerned is laid down reads as follows :<br />
<br />
1. The data subject shall have the right to obtain from the controller confirmation of the following<br />
whether or not to process personal data concerning him and, where that is the case, to have access to them<br />
obtain those personal data and the following information:<br />
<br />
(a) the processing purposes;<br />
<br />
(b) the categories of personal data concerned;<br />
<br />
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed<br />
provided, in particular to recipients in third countries or international organisations;<br />
<br />
(d) if possible, the period during which the personal data are expected to be kept<br />
stored or, if that is not possible, the criteria for setting that time limit;<br />
<br />
(e) the existence of the right to request from the controller rectification or erasure of personal data<br />
or restriction of processing of personal data concerning the data subject, or to object to such processing;<br />
<br />
(f) that the data subject has the right to lodge a complaint with a supervisory authority;<br />
<br />
(g) where the personal data are not collected from the data subject, any available information as to<br />
their source;<br />
<br />
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4),<br />
and, at least in those cases, meaningful information about the logic involved, as well as the significance<br />
and the envisaged consequences of such processing for the data subject.<br />
Decision on the substance 73/2020 - 21/31<br />
<br />
<br />
<br />
2. Where personal data are transferred to a third country or to an international organisation, the data<br />
subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating<br />
to the transfer.<br />
<br />
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies<br />
requested by the data subject, the controller may charge a reasonable fee based on administrative costs.<br />
Where the data subject makes the request by electronic means, and unless otherwise requested by the data<br />
subject, the information shall be provided in a commonly used electronic form.<br />
<br />
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms<br />
of others.<br />
<br />
<br />
<br />
82. The defendant's privacy policy lacks several mandatory elements of Article 15.1 AVG. The privacy document<br />
does not disclose the precise purposes of the processing of the data which the defendant requests from<br />
(prospective) tenants. It should be stated precisely for what each item of data collected is used. If health<br />
data are collected, for example, it must be stated that these data are processed with the aim of ascertaining<br />
whether, on the basis of a given health situation, adapted accommodation can be allocated. There is also no<br />
indication of who the recipients or categories of recipients are. In addition, there is no mention of the<br />
data subject's right to request rectification and/or erasure of his or her data in accordance with<br />
Article 15.1(e), nor is it stated that the processing of personal data may be restricted. The Litigation<br />
Chamber therefore also considers an infringement of Article 15.1 AVG to have been established.<br />
<br />
83. In addition, the complainant claims that he has not been given access to all of his personal data<br />
processed by the defendant. According to the complainant, what he received was a sheet containing only<br />
general information from the National Register, with no indication of whether the information provided<br />
is complete.<br />
<br />
84. The Litigation Chamber recalls that Article 15 AVG gives the data subject "the right of access to<br />
personal data which have been collected concerning him or her, and to exercise that right easily and at<br />
reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing". 12<br />
<br />
It is clear from all of the above that the information provided by the defendant on the complainant's data<br />
processed by it does not comply with the requirements of Article 15. The complainant has rightly noted that<br />
he has not been able to exercise his right of access properly. Among the personal data of the complainant<br />
processed by the defendant to which the complainant was not given access were, for example, the medical<br />
certificates that the complainant had submitted to the defendant, as will be shown below in section 2.4.<br />
<br />
12 Recital 63 AVG.<br />
<br />
<br />
2.2 Data Protection Officer<br />
<br />
85. Additional findings were also made in the inspection report with regard to the Data Protection Officer,<br />
which fall outside the scope of the complaint. The Inspectorate established that the defendant acted in<br />
violation of Article 37.5 and Article 37.7 AVG. Under Article 37.5, the Data Protection Officer must be<br />
designated, among other things, on the basis of expert knowledge of data protection law and practice.<br />
Article 37.7 provides that the contact details of the Data Protection Officer must be published and<br />
communicated to the supervisory authority.<br />
<br />
86. From the defendant's replies to the Inspectorate concerning the appointment of the Data Protection<br />
Officer, it appears that the appointment was made on the initiative of the VMSW through a company with which<br />
it had a framework agreement. The Litigation Chamber finds that the defendant fails to justify its choice of<br />
Data Protection Officer. The defendant refers only to very general information and communications from the<br />
VMSW to the defendant. Moreover, the defendant repeatedly states that a framework agreement was concluded<br />
between the VMSW and Infosentry NV as DPO. The Litigation Chamber points out that the defendant is ultimately<br />
responsible and has a duty to comply with Article 37.5 AVG, which provides that the Data Protection Officer<br />
shall be designated on the basis of professional qualities and, in particular, expert knowledge of data<br />
protection law and practice. The defendant's submissions show no such justification for its choice of<br />
Data Protection Officer. In addition, the contact details of the Data Protection Officer were not published<br />
as prescribed by Article 37.7 AVG. The Litigation Chamber therefore finds infringements of Articles 37.5<br />
and 37.7 AVG.<br />
<br />
87. The Litigation Chamber refers to the Article 29 Working Party Guidelines on Data Protection Officers,<br />
which provide the following with regard to external DPOs: "In the interest of legal clarity and good<br />
organisation and to prevent conflicts of interests of the team members, it is recommended to have a clear<br />
allocation of tasks within the external DPO team and to assign a single individual as a lead contact and<br />
person 'in charge' of the client." 13<br />
<br />
88. At the hearing, the current Data Protection Officer, in office since 1 September 2020, stated that the<br />
new Data Protection Officer operates in line with the WP29 Guidelines on Data Protection Officers.<br />
Essentially, the Data Protection Officer must be available to the controller. That some correspondence first<br />
arrived at the defendant's IT administrator and was forwarded to the Data Protection Officer was, according<br />
to the Data Protection Officer, correct. 14 The Litigation Chamber points out that, according to the<br />
Article 29 Working Party Guidelines, the requirement to publish the contact details of the Data Protection<br />
Officer is intended to ensure that both data subjects (inside and outside the organisation) and supervisory<br />
authorities can contact the Data Protection Officer easily and directly. Access should be direct, without<br />
having to go through another part of the organisation. In the present case, contact was made via the<br />
defendant's IT manager, which goes against the intention of the legislator. Confidentiality is equally<br />
important: employees will be reluctant to raise complaints with the Data Protection Officer if the<br />
confidentiality of their communications is not guaranteed.<br />
<br />
<br />
89. Article 38.1 and Article 38.3 AVG provide that the controller must ensure that the Data Protection<br />
Officer is involved in all issues relating to the protection of personal data, and that the Data Protection<br />
Officer does not receive any instructions regarding the exercise of those tasks. The Inspectorate stated<br />
that, in the light of the replies and documents obtained, it found that no opinion had been sought from the<br />
Data Protection Officer on privacy issues. The Litigation Chamber finds that indeed no justification has<br />
been presented for the decisions the controller took regarding the website [...], the legal information and<br />
the general terms and conditions. There are no opinions from the Data Protection Officer regarding the<br />
processing of data via this website. Moreover, in its conclusion the defendant acknowledges that it did not<br />
request an opinion from the Data Protection Officer. The Litigation Chamber therefore finds that the<br />
defendant has infringed Article 38.1 AVG.<br />
<br />
<br />
2.3 Cookie policy<br />
<br />
13 Article 29 Working Party Guidelines on Data Protection Officers, p. 28.<br />
14 Page 5 of the minutes of the hearing of 23 September 2020.<br />
<br />
<br />
<br />
90. As already mentioned above, the complainant claims that the defendant uses cookies on the websites [...]<br />
and [...]. According to the complainant, no consent is sought for the use of the cookies. The Inspectorate<br />
established by means of a technical report that cookies were used on the website [...]. As previously<br />
indicated, these are a necessary technical cookie called "hs_js" from the defendant itself and a cookie<br />
called "IDE" originating from Google-Doubleclick.net. For this latter "IDE" cookie, no consent was sought<br />
from visitors to the website, according to the Inspectorate's report. 15<br />
<br />
91. At the hearing, the defendant acknowledged that the website dates from 2010 and therefore does not<br />
comply with current regulations. There is no unwillingness; however, technical restrictions do not allow,<br />
for example, the display of a pop-up for the use of cookies. According to the defendant, setting up a secure<br />
connection via https is also not possible on the current website. A new website is currently under<br />
construction and, according to the defendant, will most probably be finished by the end of this year.<br />
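The Inspectorate's technical report above rests on two observations: which cookies the site sets (a first-party "hs_js" cookie and a third-party "IDE" cookie from Google-Doubleclick.net) and whether any consent preceded them; the defendant adds that the site cannot serve https. The Python script below is an added illustration of how such a cookie audit is carried out; it is not part of the decision, nor a tool the Inspectorate or the defendant used. For each Set-Cookie header captured while loading a page it derives the cookie's effective domain, classifies it as first- or third-party against the page's registrable domain, records whether consent was required before it could be set, and checks the Secure attribute (which cannot help at all on a plain-http page). The page URL, response URLs and cookie values are constructed sample data; the "last two labels" registrable-domain rule is a simplification of the Public Suffix List; and the allowlist of strictly necessary cookies (only hs_js here, following the Inspectorate's characterisation) is an assumption supplied by the auditor.<br />

```python
"""Cookie audit helper: classify Set-Cookie headers observed while loading a page.

Added example; the site, URLs and cookie values below are constructed stand-ins,
not data from the decision or the Inspectorate's report.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


@dataclass
class CookieFinding:
    name: str
    domain: str             # effective domain the cookie is scoped to
    party: str              # "first" or "third", relative to the page origin
    requires_consent: bool  # True unless first-party and strictly necessary
    issues: list = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Return the 'site' part of a hostname (eTLD+1).

    Assumption/simplification: the last two labels. A real audit should use the
    Public Suffix List, otherwise hosts under e.g. 'co.uk' are grouped wrongly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_set_cookie(header: str):
    """Parse one Set-Cookie header value into (name, Morsel)."""
    jar = SimpleCookie()
    jar.load(header)
    if len(jar) != 1:
        raise ValueError(f"expected exactly one cookie in {header!r}")
    return next(iter(jar.items()))


def classify_cookies(page_url, observations, necessary=frozenset(), consent_given=False):
    """Classify each (response_url, set_cookie_header) pair seen while loading page_url.

    necessary: names of first-party cookies the auditor accepts as strictly
    necessary for the service the visitor asked for (exempt from consent).
    consent_given: whether a valid, active opt-in preceded these responses.
    """
    page_parts = urlsplit(page_url)
    page_site = registrable_domain(page_parts.hostname or "")
    page_is_https = page_parts.scheme == "https"
    findings = []
    for response_url, header in observations:
        name, morsel = parse_set_cookie(header)
        response_host = urlsplit(response_url).hostname or ""
        # A Domain attribute wins; otherwise the cookie is host-only for the responding host.
        domain = (morsel["domain"] or response_host).lstrip(".").lower()
        party = "first" if registrable_domain(domain) == page_site else "third"
        requires_consent = not (party == "first" and name in necessary)
        issues = []
        if requires_consent and not consent_given:
            issues.append("set before consent (consent required, none obtained)")
        if party == "third":
            issues.append("third-party cookie: the notice must say who can access it")
        if not morsel["secure"]:
            note = "" if page_is_https else " (page served over plain http, so it cannot be Secure at all)"
            issues.append("no Secure attribute" + note)
        findings.append(CookieFinding(name, domain, party, requires_consent, issues))
    return findings


# Constructed sample modelled on the two cookies named in the decision:
# a first-party technical cookie and a DoubleClick "IDE" cookie.
PAGE_URL = "http://www.example-housing.invalid/"   # hypothetical stand-in for the redacted site
OBSERVED = [
    ("http://www.example-housing.invalid/", "hs_js=1; Path=/"),
    ("https://doubleclick.net/pixel",
     "IDE=AHWqTUk_constructed; Domain=.doubleclick.net; Path=/; Max-Age=31536000; Secure; HttpOnly"),
]
NECESSARY = frozenset({"hs_js"})   # assumption: accepted as strictly necessary, as the Inspectorate did


def audit_report(page_url=PAGE_URL, observations=OBSERVED, necessary=NECESSARY, consent_given=False):
    """Human-readable summary, one line per cookie."""
    lines = []
    for f in classify_cookies(page_url, observations, necessary, consent_given):
        status = "consent required" if f.requires_consent else "exempt"
        lines.append(f"{f.name:<8} {f.party}-party ({f.domain}) {status}; " + ("; ".join(f.issues) or "ok"))
    return lines


if __name__ == "__main__":
    print("\n".join(audit_report()))
```

Run against the sample, the report marks hs_js as a first-party cookie exempt from consent and IDE as a third-party cookie set without the consent it needs; with consent_given=True the IDE finding reduces to the disclosure point (who has access), which matches the information the Court required in Planet49. The observations list is what a browser's network log or an automated crawler would supply in practice.<br />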
<br />
<br />
92. The Court of Justice ruled in the Planet49 judgment that, for the placing of cookies, the controller must<br />
provide information. 16 That information must show for how long the cookies will remain active and whether<br />
third parties may also have access to those cookies. This is necessary in order to guarantee fair and<br />
transparent information.<br />
<br />
<br />
93. Article 129 of the Electronic Communications Act provides that the user must have given consent for the<br />
placing and reading of cookies on his or her terminal equipment. The consent requirement does not apply to<br />
the technical storage of information, nor where the placing of cookies is strictly necessary for the<br />
provision of a service explicitly requested by the subscriber or end-user. 17<br />
<br />
<br />
94. The Litigation Chamber also draws attention to the following considerations from the abovementioned<br />
Planet49 judgment: "Regulation 2016/679 now expressly provides for active consent. In that respect, it should<br />
be noted that, according to recital 32 of that regulation, giving consent could include ticking a box when<br />
visiting an internet website. On the other hand, that recital expressly excludes 'silence, pre-ticked boxes<br />
or inactivity' from constituting consent. It follows that the consent referred to in Article 2(f) and<br />
Article 5(3) of Directive 2002/58, read in conjunction with Article 4(11) and Article 6(1)(a) of Regulation<br />
2016/679, is not validly constituted if, in the form of cookies, the storage of information or access to<br />
information already stored in a website user's terminal equipment is permitted by way of a pre-checked<br />
checkbox which the user must deselect to refuse his or her consent." 18<br />
<br />
15 Inspection report, p. 5.<br />
16 Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801.<br />
17 See also Decision 12/2019 of the Litigation Chamber of 17 December 2019.<br />
<br />
<br />
95. Consent must also be 'specific'. The Litigation Chamber refers to the Guidelines on consent under<br />
Regulation 2016/679, endorsed by the EDPB: 19<br />
<br />
"Article 6(1)(a) confirms that the consent of the data subject must be given in relation to 'one or more<br />
specific' purposes and that a data subject has a choice in relation to each of them." 20 This means that<br />
"a controller that seeks consent for various different purposes should provide a separate opt-in for each<br />
purpose, to allow users to give specific consent for specific purposes". 21<br />
<br />
<br />
96. On the basis of the technical report drawn up by the Inspectorate, the Litigation Chamber finds that the<br />
defendant did not seek the complainant's consent on the websites for placing a cookie for marketing<br />
purposes, namely the "IDE" cookie. In addition, the defendant answered the Inspectorate's question as to<br />
whether cookies were used on the websites in the negative. The defendant revisited this in its conclusion,<br />
acknowledging that it had made use of cookies for which consent was required. The defendant indicates that<br />
it has changed its cookie policy and will from now on ask users for consent. 22<br />
<br />
<br />
97. In view of the above facts and findings, the Litigation Chamber considers the processing of personal<br />
data through the placement of cookies, without a valid legal basis in the form of consent in accordance<br />
with Article 6.1 AVG, to be unlawful.<br />
<br />
<br />
98. Pursuant to Articles 5.2 and 24 AVG, the controller must take appropriate technical and organisational<br />
measures to ensure and be able to demonstrate that the processing of personal data by means of cookies is<br />
carried out in accordance with Articles 12 and 13 AVG. In its conclusion, the defendant acknowledges that<br />
certain mandatory statements, such as the processing purposes, were missing from the original privacy<br />
statement of the website.<br />
<br />
18 Planet49 judgment, paras 62 and 63.<br />
19 Article 29 Working Party, Guidelines on consent under Regulation 2016/679, WP259, p. 4.<br />
20 Ibid., p. 14.<br />
21 Ibid., p. 14.<br />
<br />
<br />
<br />
2.4 Health data<br />
<br />
99. The complainant claims that the defendant also processes medical data. The complainant states that he<br />
submitted medical certificates to the defendant. According to the complainant, the defendant systematically<br />
and unlawfully processes medical data. The complainant takes the view that it is not the defendant's task to<br />
make a substantive assessment of the health situation of a (prospective) tenant.<br />
<br />
100. Attached to the complaint are e-mail exchanges between the complainant and the defendant. Several<br />
e-mails reveal the following. In an e-mail dated 30 August 2016, the defendant states that it received the<br />
doctor's certificate from the complainant, but that it cannot guarantee that a positive decision will be<br />
taken on the complainant's request to be placed higher on the list of candidates for the allocation of a<br />
dwelling. The complainant had therefore requested a higher position on the list. From another e-mail dated<br />
6 February 2019 from the complainant to the defendant, it appears that the complainant voluntarily sent the<br />
defendant an e-mail informing it of his changed medical condition. The complainant closed the e-mail with:<br />
"A supplementary medical certificate can be provided again, should you again have doubts about my own<br />
opinion of my medical condition. I therefore urge you to take due account of my medical and physical<br />
limitations and to give priority to living close to my hospital. In view of the seriousness of the problem<br />
of (...), I would ask you to absolutely avoid a busy residential environment."<br />
<br />
101. At the hearing, the defendant indicated that a medical certificate is only requested where the<br />
(prospective) tenant requests special housing preferences, as in this case. The defendant states that the<br />
medical certificates do not contain any diagnoses; the complainant does not contest this. The doctor asks<br />
that the situation of the person concerned be taken into account and asks, for example, for a dwelling with<br />
a lift or a dwelling in a quiet area. According to the defendant, the only purpose of the medical<br />
certificates is to enable a correct allocation to be made.<br />
<br />
102. On the basis of the above, the Litigation Chamber decides that there is no unlawful processing of health<br />
data. Such processing is necessary and, given the absence of diagnoses in the medical certificates, can be<br />
based on Article 9(2)(h) AVG: "processing is necessary for the purposes of preventive or occupational<br />
medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of<br />
health or social care or treatment or the management of health or social care systems and services on the<br />
basis of Union or Member State law or pursuant to contract with a health professional and subject to the<br />
conditions and safeguards referred to in paragraph 3". Moreover, it appears from the e-mail exchanges that<br />
the complainant on his own initiative informed the defendant of his state of health, indicating that he<br />
could, if necessary, provide a further medical certificate.<br />
<br />
2.3 Camera surveillance<br />
<br />
103. The complainant alleges that there is camera surveillance in various residential units of the building.<br />
According to the complainant, the privacy policy says nothing about camera surveillance. The complainant<br />
also wishes to know the legal basis and purpose of this processing.<br />
<br />
<br />
104. It appears from the documents submitted that point 11 of the tenancy agreement mentions the surveillance<br />
cameras installed on the roof, in the communal entrance halls and at the communal cellar entrances. Apart<br />
from this information, nothing is known about the use of the cameras.<br />
<br />
105. At the hearing, the defendant indicated, upon request, that the surveillance cameras were installed in<br />
2012 in the cellars and corridors at the request of residents, for safety reasons. According to the<br />
defendant, the cameras are legally registered and serve as a kind of deterrent; nothing else is done with<br />
the images. About a year and a half ago the camera images were consulted once, according to the defendant.<br />
The cameras are, according to the defendant, difficult to manage because there is too little budget for<br />
their maintenance; there is currently no maintenance contract for the surveillance cameras. The defendant<br />
indicates that it can consult the images and is responsible for the processing of the images. The Data<br />
Protection Officer points out that the Camerawet (Camera Act) is the legal basis for the processing of the<br />
camera images.<br />
<br />
106. On the basis of the documents in the file and what emerged at the hearing, the Litigation Chamber finds<br />
that there are a great many uncertainties regarding the use of the surveillance cameras. As processing<br />
purpose, the prevention of nuisance was first mentioned. Subsequently, during the hearing, the defendant<br />
indicated that it had also once been asked to consult the images in connection with illegal dumping. The<br />
Litigation Chamber considers that the defendant is not entirely clear as to what the cameras actually serve.<br />
In addition, according to the Litigation Chamber, it cannot be sufficiently established from the available<br />
elements whether the Camerawet is correctly complied with by the defendant. Article 6 § 2 of the Camerawet<br />
provides that the controller shall keep a register of the image processing activities of the surveillance<br />
cameras and shall make this register available on request to the Data Protection Authority and the police<br />
services. No such register is kept by the defendant. Moreover, it is apparent from what the defendant<br />
declared at the hearing that the retention period in Article 6 § 3 is also not complied with, since that<br />
article provides that if "the images cannot contribute to proving an offence, damage or nuisance", they must<br />
in principle be deleted after one month. The Litigation Chamber thus establishes infringements of<br />
Article 30 AVG (keeping a register of processing activities) and Article 5.1(e) AVG (storage limitation).<br />
<br />
<br />
2.4 Digital Consumption Meters<br />
<br />
107. The complainant complains that the defendant uses digital consumption meters and that the way in which<br />
tenants' consumption is recorded, and data on that consumption processed, is unlawful for lack of a valid<br />
legal basis. The complainant indicates that he has not given consent for the processing of data relating to<br />
his consumption of gas and electricity.<br />
<br />
108. During the hearing, the defendant indicated that the digital meters are linked to the address. In this<br />
way, it can be seen how much has been consumed at a particular address. These data are also passed on to a<br />
third party (a local company) with which there is a processing agreement. That company reads the<br />
consumption. The defendant receives a list from it and links it to the tenants' files, according to the<br />
defendant.<br />
<br />
<br />
109. On the basis of Article 6 AVG, the controller must have a legal basis for the processing of personal<br />
data in order for the processing to be lawful. On the basis of Articles 24 and 25 AVG, the defendant must<br />
therefore take appropriate technical and organisational measures to ensure and be able to demonstrate that<br />
processing is performed in accordance with the AVG. In doing so, the controller must effectively implement<br />
the data protection principles, protect the rights of data subjects and process only those personal data<br />
that are necessary for each specific purpose of the processing. On the basis of the facts and documents<br />
presented, the Litigation Chamber finds that the defendant has not been able to demonstrate that any privacy<br />
policy was developed for the remote digital reading of meter readings. It is also unclear on which legal<br />
basis under Article 6 AVG the data are processed. An infringement of Article 6 AVG is thus established. The<br />
complainant states that he has not given consent for the processing, and the defendant does not rely on any<br />
other legal basis for the processing. In addition, the Litigation Chamber finds in the present case a breach<br />
of Article 5.1(a) AVG, since it is clear from the above that the personal data are not processed lawfully,<br />
fairly and transparently. The defendant indicates that a third party reads out the consumption and forwards<br />
it to the defendant. The Litigation Chamber points out that, according to Article 28.3 AVG, processing by a<br />
processor must be governed by a contract between the controller and the processor.<br />
<br />
Sanction to be imposed<br />
<br />
<br />
In view of the above, the Litigation Chamber will impose two sanctions:<br />
1. an order that the processing be brought into conformity, in accordance with Article 100 § 1, 9° WOG;<br />
2. an administrative fine, in accordance with Article 100 § 1, 13° WOG.<br />
<br />
Taking into account Article 83 AVG and the case law of the Market Court, the Litigation Chamber gives concrete<br />
reasons for imposing an administrative fine:<br />
- Seriousness of the infringement: the reasons given above show the seriousness of the infringement.<br />
- Duration of the infringement: the defendant sought to rectify certain infringements and to comply with the<br />
privacy rules; however, many of the breaches identified are still ongoing.<br />
- The fine is a necessary deterrent to prevent further infringements.<br />
As regards the nature and seriousness of the infringement (Article 83.2(a) AVG), the Litigation Chamber<br />
stresses that compliance with the principles laid down in Article 5 AVG, in the present case in particular<br />
the principle of lawfulness, is essential, since these are fundamental principles of data protection. The<br />
Litigation Chamber therefore considers the defendant's infringement of the principle of lawfulness set out<br />
in Article 6 AVG to be a serious infringement. The Litigation Chamber notes that Article 83.7 AVG provides<br />
as follows: "Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2),<br />
each Member State may lay down the rules on whether and to what extent administrative fines may be imposed<br />
on public authorities and bodies established in that Member State." The AVG does not further explain what is<br />
to be understood by 'public authorities and bodies'. According to the Litigation Chamber, however, it is<br />
certain that this derogation must be interpreted strictly.<br />
<br />
The Litigation Chamber considers it particularly necessary in this case to give a strict interpretation to<br />
the (optional) exemption from administrative fines provided for in Article 83.7 AVG for "public authorities<br />
and public bodies". For this reason, Article 221 § 2 of the Data Protection Act, which implements<br />
Article 83.7 AVG, must also be interpreted strictly. Moreover, Article 83.7 AVG does not leave it to the<br />
Member States to define the concept of 'public authorities and bodies'. It is therefore a concept of Union<br />
law that must be given an autonomous and uniform meaning. Consequently, it is for the Union institutions<br />
alone, and in particular the Court of Justice, to define the limits of that concept.<br />
<br />
In the opinion of the Litigation Chamber, a private-law organisation such as the social housing company Y<br />
does not fall within that concept, even though the organisation carries out tasks in the public interest in<br />
the area of social housing. 23<br />
<br />
The Litigation Chamber finds that there is a serious, attributable shortcoming on the part of the defendant.<br />
As explained in detail above, the Litigation Chamber has identified a considerable number of shortcomings,<br />
including breaches of fundamental principles of data protection. In the opinion of the Litigation Chamber,<br />
the infringements established would in themselves justify a high fine. In determining the administrative<br />
fine, however, the Litigation Chamber takes into account a number of mitigating factors, including the<br />
defendant's demonstrated willingness to adapt certain matters, the appointment of an expert Data Protection<br />
Officer and a new website which, according to the defendant, will be AVG-compliant. In addition, when<br />
determining the amount of the fine, the Litigation Chamber takes into account that this is a not-for-profit<br />
social housing company. The Litigation Chamber also takes into account the fact that, in its response to the<br />
sanction form, the defendant states that it is not financially sound, which it supports with figures.<br />
<br />
<br />
<br />
<br />
FOR THESE REASONS,<br />
<br />
the Litigation Chamber of the Data Protection Authority, after deliberation, decides:<br />
<br />
- pursuant to Article 100 § 1, 9° WOG, to order the defendant to bring the processing into line with<br />
Articles 5.1(a) and (b), 5.2, 6.1, 12.1, 13.1(b) and (c), 13.2(b), 15.1, 25.2, 37.5, 37.7, 38.1, 38.3 and<br />
39 AVG no later than three months after notification of the decision, and to inform the Data Protection<br />
Authority (Litigation Chamber) within the same period, by e-mail (via the e-mail address<br />
litigationchamber@apd-gba.be), that the above order has been carried out;<br />
<br />
<br />
<br />
23 See recital 52 of Decision 31/2020 of 16 June 2020 of the Litigation Chamber.<br />
<br />
<br />
- pursuant to Article 100 § 1, 13° and Article 100 WOG, to impose an administrative fine of EUR 1,500.<br />
<br />
<br />
This decision may be appealed against under Article 108 § 1 WOG within thirty days of its notification,<br />
before the Market Court, with the Data Protection Authority as defendant.<br />
<br />
<br />
<br />
<br />
<br />
Hielke Hijmans<br />
President of the Chamber of Disputes<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_20/01626&diff=12882
Datatilsynet (Norway) - 20/01626
2020-12-11T00:14:24Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Norway<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoNO.png<br />
|DPA_Abbrevation=Datatilsynet<br />
|DPA_With_Country=Datatilsynet (Norway)<br />
<br />
|Case_Number_Name=20/01626<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datatilsynet<br />
|Original_Source_Link_1=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-overtredelsesgebyr-til-norges-idrettsforbund/<br />
|Original_Source_Language_1=Norwegian<br />
|Original_Source_Language__Code_1=NO<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=02.12.2020<br />
|Date_Published=02.12.2020<br />
|Year=2020<br />
|Fine=2500000<br />
|Currency=NOK<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1f<br />
|GDPR_Article_4=Article 6 GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR<br />
|GDPR_Article_5=Article 32 GDPR<br />
|GDPR_Article_Link_5=Article 32 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=Norges idrettsforbund og olympiske og paralympiske komité (NIF)<br />
|Party_Link_1=https://www.idrettsforbundet.no/<br />
|Party_Name_2=the Norwegian Olympic and Paralympic Committee and Confederation of Sports (NIF)<br />
|Party_Link_2=https://www.idrettsforbundet.no/english/<br />
|Party_Name_3=The Norwegian Olympic and Paralympic Committee and Confederation of Sports (NIF)<br />
|Party_Link_3=https://www.idrettsforbundet.no/english/<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Rie Aleksandra Walle<br />
|<br />
}}<br />
<br />
The Norwegian DPA (Datatilsynet) notified the Norwegian Olympic and Paralympic Committee and Confederation of Sports (NIF) that they will be fined €236,165 for a data breach in which the personal data of 3.2 million people was exposed online. NIF has until January 4 2021 to contest the fine. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
Following a routine sweep of Irish IP addresses, the Irish National Cyber Security Centre (CSIRT-IE) discovered the exposed personal data of millions of people. They alerted the Norwegian National Cyber Security Centre (NCSC), who then alerted NIF.<br />
<br />
The data breach followed NIF's move from an on-premise solution to Azure and was related to testing of a service (Elasticsearch) that was meant to improve member administration. NIF decided to conduct the testing on real data and, further, that it was necessary to use a significant amount of data. They also felt it was essential to conduct the testing quickly. NIF has admitted that they didn't conduct sufficient risk assessments, nor did they assess whether it was possible to use anonymized data or a narrower data selection. <br />
<br />
The personal data was exposed online for a total of 87 days. As soon as NIF was notified of the breach, it immediately corrected the mistake. It is not known whether anyone has actually exploited the data breach.<br />
<br />
The personal data involved in the breach were names, gender, birth date, address, phone number, email address and club affiliation. Of the 3.2 million people affected by the breach, almost half a million were children aged 3-17 years.<br />
<br />
===Dispute===<br />
Did NIF uphold the principles of the GDPR when it tested its new, cloud-based platform with real member personal data?<br />
<br />
===Holding===<br />
The DPA held that NIF breached several fundamental principles of the GDPR, as it lacked sufficient risk assessments, considerations, routines and security measures.<br />
<br />
The DPA found that the testing was conducted without sufficient risk assessments and that NIF lacked routines and security measures to properly protect the personal data, thus breaching Article 32. The DPA also emphasized that the purpose for the processing (testing new solutions for member administration) could have been achieved in a less intrusive way, e.g. by processing synthetic data - or, at least, through processing significantly less personal data. NIF should also have limited the categories of data subjects on which the testing was conducted.<br />
<br />
The DPA further assessed and concluded that NIF didn't have a purpose for the processing as per Article 5(1)(b), nor legal grounds as per Article 6. <br />
<br />
In sum, the DPA found that NIF had breached Article 5(1)(a), (c) and (f), Article 6, and Article 32. For this, NIF has received a notice of a €236,165 fine. NIF has until 4 January 2021 to provide their feedback, before the DPA will make their final decision.<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.<br />
<br />
<pre><br />
Notification of decision on violation fee - Notification of deviation - NORWEGIAN SPORTS ASSOCIATION AND OLYMPIC AND PARALYMPIC COMMITTEE<br />
We refer to previous correspondence in the case, most recently by the Norwegian Sports Confederation (hereinafter «NIF») sending a report from Orange Cyberdefense on the deviation on 30 June 2020.<br />
1. Notice of Infringement Fee<br />
This is a prior notice, cf. the Public Administration Act § 16, that the Norwegian Data Protection Authority will make the following decision:<br />
Pursuant to Article 58 (2) (2) of the Privacy Ordinance, the Norwegian Sports Confederation and the Olympic and Paralympic Committee, org. No. 947 975 072, to pay an infringement fee to the Treasury of 2 500 000 - two million five hundred thousand - kroner for violation of the Privacy Regulation Article 5 No. 1 letter a, c and f, Article 6 and Article 32.<br />
2. Details of the facts of the case<br />
Below, we will reproduce the facts in the case as stated in the non-conformance report, NIF's response to the requirement for a statement on 28 February 2020, the Skype meeting with the Data Inspectorate on 4 May 2020, NIF's response to the requirement for a new statement on 25 May 2020, and the Orange Cyberdefense report of June 3, 2020.<br />
NIF's work with the transition from on-premise solution to cloud solution<br />
An IT committee appointed by the Sports Board prepared a report in 2016 that laid down guidelines for all development and operation to the greatest possible extent through the use of standard components and based on cloud services. It was decided that NIF would build a new digital platform based on Microsoft's cloud services.<br />
Postal address: Postboks 458 Sentrum, 0105 OSLO. Office address: Tollbugt 3. Telephone: 22 39 69 00. Fax: 22 42 23 50. Org.nr: 974 761 467. Website: www.datatilsynet.no<br />
<br />
Following a tender round, a collaboration was entered into with Albatross IT Consultant AS, which had particular expertise in Microsoft's solutions. A plan was established for a gradual transition from solutions in NIF's own data center to services established using Microsoft Azure. An assessment of privacy consequences (DPIA) was not carried out as described in Article 35 of the Privacy Ordinance, as NIF did not consider that such a transfer to Azure in itself triggered an obligation to make a DPIA.<br />
About the discrepancy<br />
On 20 December 2019, the Norwegian Data Protection Authority received a deviation report from NIF. The non-conformance report stated that NIF received an inquiry from the National Cyber Security Center (NCSC-NO) on 18.12.19 regarding an extract from the sport's member database which was available without access control at a public IP address. By entering via a URL, it was possible to search for people in the database that contains 3.2 million entries. This was discovered as part of a routine scan of Irish IP addresses conducted by the Irish National Cyber Security Center (CSIRT-IE). CSIRT-IE notified NCSC-NO of the discovery, which in turn notified NIF.<br />
The discrepancy arose in connection with the transfer of resources from an on-premise solution to Azure, and related to the testing of a service in Azure called Elasticsearch. Elasticsearch was used in connection with testing a possible solution for third-party suppliers of membership systems for Norwegian sports, in order to enable verification of persons against the sports' central database. Elasticsearch contains a product called Kibana, which runs on a port that is not open via NIF's network and onto the Internet.<br />
In connection with the establishment of the test solution, it was considered that there was a need to test real personal information, and that one had to have a significant scope to get a real test of the solution. For this solution to work, it was considered important to ensure the integrity of information, and to have the most realistic communication test possible. It was also considered that it was time-critical to have the solution tested. Based on these assessments, it was concluded that the best solution was to use real data, and NIF extracted a significant part of the sport's central database.<br />
NIF acknowledges that this assessment was not correct, and that a job was started with extraction of the sport's central database for cache without sufficient risk assessments or assessments of whether it was possible to use deidentified or a more limited selection of data in this work. At the time of the incident, no operating routines or technical safety solutions related to the new cloud-based environment had been established, as the cloud-based environment was not in production at this time.<br />
The application was not set up with any authentication mechanism, and an error was made which resulted in the establishment of a public IP address. Elasticsearch and Kibana were rejected shortly after, and NIF went ahead with another solution. It was decided to postpone the deletion of the content in the test environment until a later date. NIF had established<br />
this did not include Elasticsearch and Kibana. NIF thus did not discover that the information was openly available.<br />
NIF revealed that the access had been open for 87 days, and immediately initiated measures to stop the access. The affected are members, volunteers and other people with connections to Norwegian sports, a total of approx. 3.2 million people. Of these, 486,447 were minors, divided between the ages of 3-17 years.<br />
The service used did not initially expose the data for download, but allowed for single searches. Kibana also offers the possibility of "fuzzy search", which means that mass search is possible. In order to be able to conduct mass searches, for example search for all members at a post office or in a club, there was still a need for special knowledge.<br />
The solution was also not covered by open indexing solutions, and one thus had to either know the IP address or do more targeted searches to find the service.<br />
The categories of personal information that were exposed as a result of the discrepancy were name, date of birth, gender, address, e-mail, telephone number and club affiliation. Persons with the strictly confidential address (code 6) or confidential address (code 7) were not part of the extract that was exposed.<br />
NIF has no indication that anyone other than the Irish and Norwegian security authorities has conducted a search. However, Elasticsearch and Kibana had no access logs established, as this was only a trial version, and due to this it cannot be ruled out that a data breach has taken place.<br />
Based on this, NIF considers it unlikely that anyone other than the Irish and Norwegian security authorities have conducted a search.<br />
The purpose of the Orange Cyberdefense investigation was to find out whether the personal data has been used criminally, and found no indications of this. However, the investigation had its limitations, and can only find personal information for sale that is advertised on the market or forum, but for example not what is sold through private messages between forum members. The investigation also took place between 21 May and 2 June, and does not capture personal data for sale that is advertised on the market or forum before this time, and which has left no trace.<br />
The report from Orange Cyberdefense emphasizes that there are several types of tools that monitor database leaks, and which can automatically find instances of Elasticsearch and Kibana that are exposed online. However, this does not mean that all cases of exposed databases will be found and exploited. Furthermore, an exposed database can be found and exploited without the attacker trying to sell the information.<br />
Summary and NIF's further work with cloud solutions<br />
NIF acknowledges that at the time of the incident it had not established good enough security solutions and routines related to the new cloud-based environment. No separate routines for test data were established in the cloud-based environment at the time of the incident. The testing of the service that exposed the data was not planned to be used in the cloud-based environment, and was therefore not covered by the security assessments made at this time.<br />
In the time since the incident, NIF has worked extensively to revise and improve existing operating routines, as well as establish new routines where needed. NIF has tightened requirements for risk assessments to be carried out, and for these to be documented in advance of changes.<br />
The incident has also revealed a need to improve NIF's routines for handling test data, where NIF will to a greater extent than before use synthetic test data. NIF writes that it has been difficult to make changes to the old on-premise solutions, especially due to the fact that a lot of business logic has been in the database. NIF needs to carry out thorough tests on a large volume of data due to the complexity of the structure of Norwegian sports, and the fact that there are sports teams in all municipalities and towns in Norway. NIF is now working to establish new test environments where all testing is done on synthetic data, and with a more limited number of information categories.<br />
3. More about the requirements of the Personal Data Act<br />
The basic principles for the processing of personal data<br />
The basic principles for the processing of personal data follow from Article 5 (1) of the Privacy Regulation. We refer to Article 5 (1) (a), (b), (c) and (f):<br />
«1. Personal information must (...)<br />
(a) be treated in a lawful, equitable and transparent manner with respect to the data subject ("legality, fairness and transparency");<br />
b) collected for specific, expressly stated and justified purposes and not further processed in a manner incompatible with those purposes (...) ("purpose limitation");<br />
c) be adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimization"), (...)<br />
f) processed in a manner that ensures adequate security of personal data, including protection against unauthorized or illegal processing (...) through the use of appropriate technical or organizational measures ("integrity and confidentiality")".<br />
The data controller is responsible and must be able to demonstrate that the principles are complied with, cf. Article 5 (2).<br />
Legal basis for the processing of personal data<br />
All processing of personal data must have a legal basis in Article 6 in order to be lawful. We refer here to the alternative legal bases in Article 6, paragraph 1, letters b) and f), as well as paragraph 4 on further processing:<br />
«1. The treatment is only legal if and to the extent that at least one of the following conditions is met: (...)<br />
b) the processing is necessary to fulfill an agreement to which the data subject is a party (...)<br />
f) processing is necessary for purposes related to the legitimate interests pursued by the controller or a third party, unless the data subject's interests or fundamental rights and freedoms take precedence and require the protection of personal data, in particular if the data subject is a child. (...)<br />
4. If the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on Union law or the national law of the Member States which constitutes a necessary and proportionate measure in a democratic society to ensure the attainment of the objectives Article 23 (1), the controller shall, in order to determine whether the processing for another purpose is compatible with the purpose for which the personal data were originally collected, take into account, inter alia:<br />
a) any connection between the purposes for which the personal data has been collected and the purposes of the intended further processing,<br />
b) the context in which the personal data has been collected, in particular with regard to the relationship between the data subject and the data controller;<br />
(c) the nature of the personal data, in particular whether special categories of personal data are processed, in accordance with Article 9, or whether personal data on criminal convictions and offenses are processed, in accordance with Article 10;<br />
d) the possible consequences of the intended further processing for the data subjects,<br />
(e) whether there are necessary guarantees, which may include encryption or pseudonymisation »<br />
Safety during treatment<br />
The requirements for personal data security are further regulated in Article 32. It follows:<br />
«1. Taking into account the technical development, the implementation costs and the nature, scope, purpose and context of the treatment, as well as the risks of varying degrees of probability and severity for natural persons' rights and freedoms, the data controller and data processor shall implement appropriate technical and organizational measures to achieve a level of safety that is suitable with regard to the risk, including, among other things, depending on what is suitable, (...)<br />
a) pseudonymisation and encryption of personal data,<br />
b) ability to ensure lasting confidentiality, integrity, availability and robustness in the treatment systems and services, (...)<br />
d) a process for regular testing, analysis and assessment of how effective the treatment's technical and organizational security measures are.<br />
2. In assessing the appropriate level of security, special consideration shall be given to the risks associated with the processing, in particular as a result of (...) unauthorized disclosure of or access to personal data transferred, stored or otherwise processed ».<br />
4. The Data Inspectorate's assessment<br />
4.1. Legal basis for processing and the principles of legality and data minimization - Article 6 and Article 5 (1) (a) and (c)<br />
The purpose of the processing of personal data<br />
It follows from NIF's privacy statement that it processes personal information about members that is necessary for membership and activity in sports, and that registration of member information is a prerequisite for membership in Norwegian sports. The Data Inspectorate thus assumes that the necessary member administration is the purpose of NIF's processing of personal data about members of Norwegian sports, and that NIF has a legal basis in Article 6 no. 1 letter b for this processing.<br />
It follows from Article 5 (1) (b) of the Privacy Regulation that personal data shall only be processed for specific, explicitly stated and justified purposes, and the purpose must be determined before the processing of personal data is commenced.<br />
It is not specifically and explicitly stated in the information from NIF to the data subjects that personal data will be used to test new possible solutions for member administration to investigate whether these are appropriate to use.<br />
The Data Inspectorate first assesses whether the processing of personal data for the purpose of testing new possible cloud solutions for member administration is covered by the original purpose for which the personal data of NIF's members was processed - processing for the stated purpose of necessary member administration for participation in Norwegian sports.<br />
The use of the personal data of members of Norwegian sports for testing new possible solutions for member administration is not in isolation necessary to facilitate the individual member's participation in sports. Testing of new cloud solutions thus differs in nature from the purpose of the necessary member administration to enable participation in Norwegian sports. This applies even if the solutions to be tested are also linked to member administration.<br />
In light of the requirement that the purpose must be specific and explicitly stated, the Data Inspectorate considers the processing of personal data for the purpose of testing new possible cloud solutions for member administration is not covered by the original purpose of necessary member administration for participation in Norwegian sports.<br />
Processing of the personal data of members of Norwegian sports for the purpose of testing new possible cloud solutions for member administration is thus a new purpose.<br />
Assessment of whether there was a legal basis for the processing of personal data<br />
For the processing of personal data for a purpose other than that for which the personal data was collected, there are two cumulative requirements in the Privacy Ordinance.<br />
First, as with any processing of personal data, it is required that the processing has a legal basis in Article 6 (1) in order to be lawful.<br />
In addition, it is required that the new purpose of the processing of personal data is compatible with the purpose for which the personal data was collected, cf. Article 6 no. 4. There is an exception to this condition if the new processing is based on the data subject's consent or is based on law, but it is clear that this exception does not apply in this case.<br />
The Data Inspectorate first assesses whether NIF had a legal basis under Article 6 (1) for processing a number of categories of personal data to 3.2 million members of Norwegian sports for the purpose of testing new possible cloud solutions for member administration.<br />
The Norwegian Data Protection Authority asked NIF what legal basis under Article 6 it had for processing the members' personal data in connection with testing the new cloud solution in both of our requirements for statements, of 10 February 2020 and 24 March 2020 respectively. NIF has not referred to any legal basis for this processing of personal data in any of its responses, and the Data Inspectorate thus assumes that it was never assessed whether there was a legal basis for the relevant processing of personal information. The Norwegian Data Protection Authority will nevertheless make an independent assessment of the basis for processing.<br />
The Data Inspectorate first assesses whether NIF has a legal basis in accordance with Article 6, No. 1, letter b, for the relevant processing of personal data, as this is the legal basis that is apparently assumed in NIF's privacy statement. For the sake of order, the Data Inspectorate points out that the Privacy Ordinance, Article 13, paragraph 1, letter c, requires that information be provided about the legal basis for the processing.<br />
It follows from Article 6 (1) (b) that the processing must be "necessary" to fulfill an agreement to which the data subject is a party. It must therefore be considered whether it was necessary, in order to fulfill the agreement between the members and NIF, to process a number of categories of personal data of 3.2 million members of Norwegian sports for testing new possible cloud solutions for member administration.<br />
The data controller must make specific assessments of which personal data it is necessary to process in connection with each individual purpose. With the support of the rulings of the European Court of Justice, the European Data Protection Board (EDPB) has, in its guidelines on Article 6 no. 1 letter b relating to online services, pointed out that in the assessment of necessity it must be considered whether the purpose can be achieved by minimizing privacy interventions (1). This corresponds to what follows from recital 39 of the Privacy Ordinance. If there are realistic, less invasive alternatives, the treatment is not "necessary".<br />
Furthermore, the EDPB states that the data controller may only rely on "necessary to fulfill an agreement to which the data subject is a party" if the relevant processing of personal data is objectively and genuinely necessary for the fulfillment of the specific agreement. Article 6 (1) (b) thus does not cover treatment which is useful to the data controller, but which is not objectively necessary to fulfill the agreement (2). In some cases, the data controller must consider other treatment bases. The Norwegian Data Protection Authority assumes that these interpretations also apply to the assessment of necessity pursuant to Article 6, paragraph 1, letter b, on a general basis - and not only to online services.<br />
In connection with the testing of the cloud solution, NIF decided to use a number of categories of personal data of 3.2 million people from their central database. NIF acknowledges that insufficient assessments were made of whether it was possible to use deidentified or a more limited sample of data in this work, and that the decision that was made was not correct. NIF has since worked to improve their routines for handling test data, and is now working to establish new test environments with synthetic data, and with a more limited number of information categories.<br />
The processing of personal data of members of Norwegian sports for testing new possible cloud solutions for member administration is not in isolation necessary to facilitate that the individual member can participate in sports. Thus, in such a case, the processing of personal data is not objectively and genuinely necessary to fulfill the membership agreement with the members of Norwegian sports either. For the record, the Data Inspectorate finds it clear that the purpose of testing new possible solutions for member administration could be achieved in less privacy-intrusive ways, including by processing synthetic data - or at least by processing far less personal data.<br />
1 Guidelines 2/2019 on the processing of personal data under Article 6 (1) (b) GDPR in the context of the provision of online services to data subjects, section 25<br />
2 Guidelines 2/2019 sections 25-28<br />
The Data Inspectorate thus considers that it was not necessary to fulfill the agreement between the members and NIF to process a number of categories of personal data to 3.2 million members of Norwegian sports for testing new cloud solutions for member administration. As the condition of necessity is not met, NIF did not have a legal basis under Article 6 (1) (b) for this relevant processing of personal data.<br />
NIF has not itself stated that Article 6 No. 1 letter f was a relevant legal basis in the case, nor has information been provided to the registered persons about this legal basis pursuant to Article 13 No. 1 letter c, or about what legitimate interests may be pursued, pursuant to Article 13 No. 1 letter d. The Norwegian Data Protection Authority nevertheless makes an independent assessment of the legal basis under this alternative.<br />
The Data Inspectorate thus assesses whether the processing of a number of categories of personal data to 3.2 million members of Norwegian sports for testing new possible cloud solutions for member administration was necessary for a purpose related to NIF's legitimate interest, and whether this interest took precedence over the data subjects' interests and basic rights and freedoms, cf. the Privacy Ordinance Article 6 No. 1 letter f.<br />
The Data Inspectorate assumes that the purpose of testing new cloud solutions for member administration to assess whether these are appropriate to use is a purpose related to NIF's legitimate interest.<br />
It must then be considered whether the processing of a number of categories of personal data to 3.2 million members of Norwegian sports was "necessary" for the purpose of testing new possible cloud solutions for member administration.<br />
As we have explained in connection with the condition of necessity pursuant to 6 no. 1 letter b, it will also have to be considered for the condition of necessity in Article 6 no. 1 letter f whether the purpose can be achieved in less invasive ways. If there are realistic, less invasive alternatives, treatment is not necessary.<br />
As mentioned above in the assessment of the necessity condition according to 6 no. 1 letter b, the Data Inspectorate finds it clear that the purpose of testing new possible solutions for member administration could be achieved in less privacy-intrusive ways than processing a number of categories of personal data to 3.2 million members of Norwegian sports. The purpose could be achieved by processing synthetic data - or at least through the processing of far less personal data.<br />
The Data Inspectorate does not find it necessary for the case to go specifically into the assessment of whether it was possibly necessary for the purpose to process a much smaller proportion of the relevant personal data for the purpose of testing new possible cloud solutions for member administration.<br />
As the condition of necessity has not been met, NIF also had no legal basis in Article 6 no. 1 letter f for the processing of a number of categories of personal data to 3.2 million members of Norwegian sports for testing new possible cloud solutions for member administration.<br />
Thus, the processing of personal data in question did not have a legal basis in Article 6 (1), and the processing was illegal.<br />
As the requirement of a legal basis has not been met, the Data Inspectorate does not find it necessary to address the assessment of whether this new purpose was compatible with the purpose for which the personal data of the members of Norwegian sports was collected, cf. Article 6 no. 4 of the Privacy Ordinance.<br />
Assessment of the principle of legality<br />
The principle that a treatment must be lawful pursuant to Article 5 (1) (a) means that it must have a legal basis in the Privacy Regulation. A processing of personal data without a legal basis will automatically be illegal, and thus be contrary to the basic requirement in principle in Article 5, paragraph 1, letter a. As shown above, we find that there was no legal basis for the processing of a number of categories of personal data to 3.2 million members of Norwegian sports for testing new possible cloud solutions for member administration, and the processing is thus contrary to the principle of legality, article 5 no. 1 letter a.<br />
Assessment of the principle of data minimization<br />
The principle of data minimization in Article 5 (1) (c) implies that personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. According to the principle of data minimization, it is not sufficient that it is practical or desirable to process personal data; the treatment must be necessary for the purpose to be achieved. The data controller must make specific assessments of which personal data it is necessary to process in connection with each individual purpose.<br />
As follows from the assessment of the legal basis and the condition of necessity pursuant to Article 6 (1) above, the Data Inspectorate finds that the processing of a number of categories of personal data of 3.2 million persons from the sport's central database is not limited to what is necessary for the purpose of testing of new possible cloud solutions for member administration. The purpose of the relevant processing of personal data could be achieved by using synthetic data, or at least by processing far fewer personal data. The processing was thus also contrary to the principle of data minimization in Article 5, paragraph 1, letter c.<br />
4.2. Security of personal data processing - Article 5 (1) (f) and Article 32<br />
As stated in paragraph 3, Article 5 (f) of the Privacy Regulation requires that personal data be processed in a way that ensures adequate security of personal data, including protection against unauthorized or illegal processing, using appropriate technical or organizational measures. Article 32 requires the controller to take appropriate technical and organizational measures to achieve a level of safety appropriate to the risk.<br />
As is clear from the wording of both provisions, not every breach of personal data security constitutes a breach of Article 5 (1) (f) or Article 32 of the Privacy Regulation. The question is whether the data controller has complied with the obligation to take appropriate technical and organizational measures to achieve a level of safety appropriate to the risks associated with the treatment.<br />
The appropriate measures and safety level must be based on the assessment made of the risks associated with the treatment, in addition to the technical development, implementation costs and the nature, scope, purpose and context in which the treatment is carried out, cf. Article 32 no. 1 and No. 2.<br />
The Data Inspectorate thus assesses whether NIF implemented appropriate technical and organizational measures to achieve a level of security that was suitable with regard to the risk associated with processing a number of categories of personal data to 3.2 million members of Norwegian sports for testing new cloud solutions for member administration, cf. Article 32 (1).<br />
In this case, it is largely a matter of processing contact information, in addition to information about date of birth and club affiliation. In principle, these are not the categories of personal data with the greatest risks associated with them. However, the scope of processing is enormous, as it involves personal data of approximately 3.2 million people - about 60% of Norway's population.<br />
3 https://www.ssb.no/befolkning/statistikker/folkemengde/aar-per-1-januar<br />
Children's personal data also have a special protection under the Privacy Ordinance, cf. the Privacy Ordinance's proposition point 38. When testing the cloud solution, personal data on 486,447 minors were processed, divided between the ages of 3-17 years.<br />
The number of data subjects and the extent of personal data processed, in addition to the extent of personal data on minors registered, suggest that the personal data had a great need for protection, and that the risks associated with any unauthorized disclosure or access to personal data were significant.<br />
It is acknowledged in the statements to NIF that no sufficient or specific risk assessments were made prior to NIF extracting personal data of 3.2 million people from the sport's central database to the cloud-based test environment. The relevant testing was not covered by the risk assessments that had been made in connection with work on cloud solutions at this time. In a document that NIF has submitted from 2018, a number of risks are described on an overall level, where the risk level is described as "high" at the transition to the cloud solution, but neither the risk assessments nor the measures outlined in this document were followed up at the time of the incident.<br />
As NIF had not sufficiently or specifically assessed the risk of the treatments in question, you also did not have the prerequisite to identify the specific risks involved in the treatment. Thus, you also did not have the prerequisite to assess which level of safety was suitable with regard to the risk, or which technical and organizational measures were suitable to achieve this level of safety.<br />
Article 32 no. 1 highlights examples of categories of measures that are potentially suitable depending on the processing, and the Data Inspectorate considers that three of these categories of measures could have been suitable in the present case:<br />
a) pseudonymisation and encryption of personal data,<br />
b) ability to ensure lasting confidentiality, integrity, availability and robustness in the treatment systems and services, (...)<br />
d) a process for regular testing, analysis and assessment of how effective the treatment's technical and organizational security measures are.<br />
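The Article 32 measures the Data Inspectorate lists above (pseudonymisation in particular) and its earlier observation that the test purpose could have been met with synthetic data or far fewer records can be put into practice before a production extract ever reaches a test environment. The following Python is an added example, not part of the decision and not NIF's code; the member records, club names, field names and the HMAC key are all constructed for illustration, and the assumption is that the test only needs an age band and a club affiliation per member. It shows two alternatives to copying raw production data, a minimised and pseudonymised extract and a fully synthetic dataset, plus a pre-load check that no production identifier survives in either.

```python
"""Added example: preparing a member-administration test dataset so that the
test purpose is met with minimised, pseudonymised or fully synthetic data
rather than a raw production extract. All data below is constructed."""
import hashlib
import hmac
import random
from datetime import date

# Constructed sample production rows (fictitious people, not real data).
PRODUCTION_MEMBERS = [
    {"member_id": 1001, "name": "Kari Nordmann", "email": "kari@example.org",
     "phone": "+47 900 00 001", "date_of_birth": "2010-04-12", "club": "Oslo IL"},
    {"member_id": 1002, "name": "Ola Nordmann", "email": "ola@example.org",
     "phone": "+47 900 00 002", "date_of_birth": "1985-09-30", "club": "Bergen SK"},
    {"member_id": 1003, "name": "Per Hansen", "email": "per@example.org",
     "phone": "+47 900 00 003", "date_of_birth": "2003-01-15", "club": "Oslo IL"},
]

# Direct identifiers that the (assumed) test purpose does not need at all.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def pseudonymise_id(member_id, key):
    """Keyed HMAC-SHA256 pseudonym: stable within the dataset, so record
    relations survive, but not reversible without the key, which is kept
    out of the test environment."""
    return hmac.new(key, str(member_id).encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob_iso, reference):
    """Coarsen a full date of birth to 'minor' or 'adult' as of a reference
    date; enough to test age-dependent membership logic without keeping
    the exact date."""
    dob = date.fromisoformat(dob_iso)
    age = reference.year - dob.year - ((reference.month, reference.day) < (dob.month, dob.day))
    return "minor" if age < 18 else "adult"


def minimise_and_pseudonymise(rows, key, reference=date(2020, 1, 1)):
    """Option 1: a reduced, pseudonymised extract for when some real
    structure (e.g. club distribution) is needed in the test."""
    return [
        {
            "member_ref": pseudonymise_id(r["member_id"], key),
            "age_band": age_band(r["date_of_birth"], reference),
            "club": r["club"],
        }
        for r in rows
    ]


def synthetic_members(n, seed=0):
    """Option 2: fully synthetic rows with the production schema. Name parts
    and clubs are constructed lists; the generator is deterministic per seed."""
    rng = random.Random(seed)
    firsts = ["Anne", "Bjørn", "Cecilie", "David", "Eva", "Frode"]
    lasts = ["Berg", "Dahl", "Haug", "Lie", "Moen", "Strand"]
    clubs = ["Testklubb A", "Testklubb B", "Testklubb C"]
    rows = []
    for i in range(n):
        year, month, day = rng.randint(1940, 2017), rng.randint(1, 12), rng.randint(1, 28)
        rows.append({
            "member_id": 900000 + i,
            "name": f"{rng.choice(firsts)} {rng.choice(lasts)}",
            "email": f"test{i}@example.invalid",
            "phone": f"+47 000 00 {i:03d}",
            "date_of_birth": f"{year:04d}-{month:02d}-{day:02d}",
            "club": rng.choice(clubs),
        })
    return rows


def leaks_production_identifiers(test_rows, production_rows):
    """Pre-load check: return every production identifier value (names,
    e-mails, phones, raw member ids) that still appears in the test data."""
    prod_values = {str(r[f]) for r in production_rows for f in DIRECT_IDENTIFIERS}
    prod_values |= {str(r["member_id"]) for r in production_rows}
    leaked = {str(v) for row in test_rows for v in row.values() if str(v) in prod_values}
    return sorted(leaked)


if __name__ == "__main__":
    # Assumed key; in practice it comes from a production-side secret store.
    key = b"assumed-test-pseudonymisation-key"
    reduced = minimise_and_pseudonymise(PRODUCTION_MEMBERS, key)
    synthetic = synthetic_members(5)
    print(reduced)
    print(synthetic[0])
    print("leaks:", leaks_production_identifiers(reduced, PRODUCTION_MEMBERS),
          leaks_production_identifiers(synthetic, PRODUCTION_MEMBERS))
```

The HMAC key belongs with the production side and must not be deployed together with the test environment; otherwise the pseudonyms can be rebuilt by lookup. The leak check is deliberately an exact-value match: it guards against the wrong file being loaded into the test system, and is not a substitute for a risk assessment of what the reduced fields (such as club affiliation) may still reveal.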
When it comes to more specific guidelines on technical and organizational measures that can be carried out for such processes, the Norwegian Data Protection Authority refers to the National Security Authority (NSM) «Basic principles for ICT security 2.0», and in particular section 2.1 «Ensure security in procurement and development processes» and the point on «Use of outsourcing and cloud services» in the introduction. NSM's basic principles are rooted in the global ISO 27002 (Information Security) framework.<br />
4 https://nsm.no/regelverk-og-hjelp/rad-og-anbefalinger/grunnprinsipper-for-ikt-sikkerhet-2-0/beskytte-og-opprettholde/ivareta-safety-in-procurement-and-development-processes/<br />
5 https://nsm.no/regelverk-og-hjelp/rad-og-anbefalinger/grunnprinsipper-for-ikt-sikkerhet-2-0/beskytte-og-opprettholde/ivareta-safety-in-procurement-and-development-processes/<br />
6 https://nsm.no/regelverk-og-hjelp/rad-og-anbefalinger/grunnprinsipper-for-ikt-sikkerhet-2-0/introduksjon-1/bruk-av-jenesterutsetting-og-skytjenester/<br />
7 https://nsm.no/regelverk-og-hjelp/rad-og-anbefalinger/grunnprinsipper-for-ikt-sikkerhet-2-0/stotteprodukter/<br />
At the time of the incident, however, NIF had not established operating routines or technical security solutions related to the new cloud-based environment, as at that time it had not been put into production. There were also no separate routines for test data in the cloud-based environment. NIF has a general norm for the processing of personal data and information security in sports, but the points in this on risk assessment and measures to ensure confidentiality and integrity were not followed up for the relevant processing of personal data. The points about measures in the overall document NIF has submitted from 2018 were also not followed up.<br />
In light of this, the Data Inspectorate considers that there have been fundamental shortcomings in the follow-up of the internal management system and information security in the relevant processing of personal data related to testing of cloud solutions for member administration. NIF did not implement appropriate technical and organizational measures to achieve a level of security that is appropriate with regard to the risk associated with the relevant processing of personal data, and there is a breach of the obligations in Article 32 of the Privacy Regulation.<br />
As the assessment of Article 32 above shows, NIF has also not processed personal data in a way that ensured adequate security of the personal data, including protection against unauthorized or illegal processing using appropriate technical or organizational measures. The treatment was thus also in conflict with the principle of confidentiality, cf. Article 5 no. 1 letter f.<br />
5. Infringement fee<br />
5.1. Assessment of whether an infringement fee is to be imposed<br />
Infringement fees are a tool to ensure effective compliance and enforcement of personal data regulations. We believe it is necessary to respond to the infringements, and hereby give notice of the imposition of an infringement fee (cf. Article 83 of the Privacy Ordinance).<br />
In accordance with the Supreme Court's practice (cf. Rt. 2012 page 1556), we assume that infringement fines are to be regarded as punishment under the European Convention on Human Rights, Article 6. A clear balance of probabilities is therefore required for offenses in order to be able to impose a fee.<br />
When assessing whether a fee should be charged and when measuring, the Data Inspectorate shall take into account the elements in the Privacy Ordinance, Article 83, paragraph 2, letters a) to k). The Data Inspectorate may impose a violation fee after a discretionary overall assessment, but the listed factors place guidelines on the exercise of discretion by highlighting factors that are to be given special weight.<br />
Here we will assess the relevant aspects on an ongoing basis.<br />
a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the treatment concerned and the number of data subjects affected, and the extent of the damage they have suffered;<br />
The violation involves a breach of several of the basic principles of the processing of personal data, the basic requirement that all processing of personal data must have a legal basis to be legal, in addition to clear breaches of the requirements for security of processing. The infringement in question involves the processing of a number of categories of personal data of 3.2 million persons without a legal basis, far beyond the processing necessary for the purpose, without adequate risk assessments and in a way that did not safeguard the security of the processing. This must be characterized as a clear deviation from the obligations that follow from the Privacy Ordinance, and these conditions are considered by the Data Inspectorate to be very aggravating circumstances.<br />
Of the 3.2 million people exposed, 486,447 minors were aged 3-17. Children are a vulnerable group, and we refer here to the Privacy Ordinance's advocacy point 38, where it is pointed out that children's personal data have a special right to protection. The fact that the violation includes personal information about minors on such a large scale is also considered by the Data Inspectorate to be a very aggravating circumstance.<br />
The personal data was exposed for 87 days, which the Data Inspectorate considers to be a significant period. The fact that NIF had not implemented measures that enabled you to discover that the database was exposed, and that it is unclear whether or when you would have discovered this yourself, is also an aggravating factor.<br />
Although it cannot be ruled out that the personal data has gone astray, the Data Inspectorate considers that there is no clear overriding probability for this. There is thus no clear overriding probability of material or non-material damage slightly beyond the data subjects' sense of losing control of their personal data. The fact that no such specific damage can be proven is a mitigating circumstance in the case. However, the Norwegian Data Protection Authority points out that this may be due to coincidences. As it cannot be ruled out that the personal data has gone astray, the extent of any damage is nevertheless unknown.<br />
b) whether the infringement was committed intentionally or negligently<br />
The relevant processing of personal data was carried out without an assessment of the legal basis for the processing, sufficient risk assessments or the implementation of specific appropriate technical or organizational measures. This must be characterized as clearly negligent.<br />
c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects;<br />
NIF ensured that access to the personal information was closed when you were made aware of it. NIF then used Orange Cyberdefense to conduct an investigation into whether the personal data has been used criminally, which the Data Inspectorate considers to be a mitigating circumstance in the case.<br />
(d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32;<br />
NIF has a general norm for the processing of personal data and information security in sports, but the points in this on risk assessment and measures to ensure confidentiality and integrity were not followed up in this case. The fact that the relevant processing of personal data was carried out without an assessment of the legal basis for the processing, adequate risk assessments or the implementation of any specific appropriate technical or organizational measures, indicates shortcomings in the internal management system.<br />
e) any previous violations committed by the data controller or data processor<br />
The Norwegian Data Protection Authority has not emphasized any previous violations in this case.<br />
(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and reduce the possible negative effects of it;<br />
NIF has answered the questions from the Norwegian Data Protection Authority as required. This therefore pulls neither in an aggravating nor mitigating direction.<br />
g) the categories of personal data affected by the infringement<br />
The personal information concerned in this case is to a large extent contact information, in addition to information about date of birth and club affiliation, to which, as a starting point, the greatest risks are not associated. This pulls in a mitigating direction, but as mentioned above, the Data Inspectorate has also emphasized that minors' personal data is affected by the violation, which is an aggravating factor.<br />
The Data Inspectorate considers that health information can be deduced through club affiliation in clubs called "disability sports teams" or similar, and thus special categories of personal information covered by Article 9 no. are members or support staff in disability sports teams, however, it will not be possible to draw clear conclusions about functional ability in many cases. The Norwegian Data Protection Authority has therefore placed limited emphasis on this aspect.<br />
h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the data controller or data processor has notified of the infringement<br />
NIF itself reported the deviation to the Norwegian Data Protection Authority.<br />
(i) if the measures referred to in Article 58 (2) have previously been taken against the data controller or data controller concerned in respect of the same subject matter, that such measures are complied with;<br />
No measures have previously been taken against NIF with regard to the same subject matter.<br />
(j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42;<br />
The Norwegian Data Protection Authority does not find this aspect relevant in the case.<br />
k) and any other aggravating or mitigating factor in the case, e.g. financial benefits obtained, or losses avoided, directly or indirectly, as a result of the infringement<br />
It is important for society that everyone has the opportunity to practice sports based on their wishes and needs, and participation in sports can contribute to joy, socialization, better physical and mental health, integration and cohesion and unity with other people - both for children and adults. As follows from the privacy statement of NIF, registration of member information is a prerequisite for membership in Norwegian sports. As a gatekeeper for an important public good, NIF has a special responsibility to manage this member information in a legal and responsible manner - something that has not been done in this case. The Norwegian Data Protection Authority considers this to be an aggravating circumstance.<br />
The Data Inspectorate assumes that NIF has not achieved any financial benefits as a result of the violation, beyond any savings by not implementing appropriate technical and organizational measures to achieve a level of security that is suitable with regard to the risk.<br />
It can also be seen in the company's financial situation. NIF receives most of its income through grants from the public sector and other agencies. According to their accounts from 2019, NIF had operating revenues of NOK 1,948,935,000 and an operating profit of NOK 7,607,000. The Norwegian Data Protection Authority finds that NIF has the finances to bear an infringement fee.<br />
The Norwegian Data Protection Authority is not aware of any other aggravating or mitigating factors in the case that will affect the outcome of the assessment.<br />
Based on the assessments above, the Data Inspectorate concludes that an infringement fee should be imposed.<br />
5.2. Assessment of the size of the fee<br />
In accordance with Article 83 (1), the infringement charge must be effective, proportionate and dissuasive. This means that the supervisory authority must make a concrete, discretionary assessment in each individual case.<br />
When measuring the size of the fee, emphasis shall be placed on the same assessment factors that have been reviewed in section 5.1 of the decision. The Data Inspectorate therefore refers to the assessments made above, and that these together speak in favor of a fee of a certain size.<br />
In an aggravating direction, we place particular emphasis on NIF's clear deviations from the key obligations set out in Article 5 no. 1, letters a, c and f of the Privacy Ordinance, Article 6 and Article 32. We also place particular emphasis on the scope of personal data affected by the infringement, and in particular the scope of personal data on minors registered.<br />
In the mediating direction, we emphasize that the breach largely concerns categories of personal data to which the greatest risks are not associated, and that there is no known or clear overriding probability that the breach has led to material or non-material damage to the data subjects.<br />
The business's financial capacity will also be important, although it is not relevant to utilize the range in the size of the infringement fee that follows from Article 83 no. 5. The Privacy Ordinance, Article 83 no. 5, sets a higher maximum amount for fees when the case deals with violations of the fundamental principles of the processing of personal data in accordance with Articles 5 and 6 of the Privacy Regulation.<br />
As mentioned, NIF receives most of its income through grants from the public sector and other agencies. According to their accounts from 2019, NIF had operating revenues of NOK 1,948,935,000 and an operating profit of NOK 7,607,000. NIF's significant financial figures suggest that the decision must be of a certain size in order for the preventive considerations behind the infringement fee to be taken into account as a form of reaction.<br />
After an overall assessment of the elements in the case that we have reviewed above and the seriousness of the violation, we have come to the conclusion that a violation fee of NOK 2,500,000 is considered correct.<br />
If NIF, due to the social situation with covid-19, experiences conditions that are relevant to the notified decision on infringement fines, we ask that you provide us with feedback with relevant documentation.<br />
Information on further progress<br />
This is a prior notice (cf. the Public Administration Act § 16). If you have any comments on this notice, you must send us feedback on this as soon as possible and no later than 4 January 2021.<br />
Transparency and publicity<br />
You have the right to access the case documents (cf. the Public Administration Act § 18). We will also inform you that all the documents are in principle public (cf. the Public Access to Information Act § 3.)<br />
If you believe that there is a basis for exempting all or part of the document from public access, we ask you to justify this.<br />
If you have any questions, you can contact Anders Obrestad on telephone 22 39 69 71.<br />
With best regards<br />
Bjørn Erik Thon director<br />
The document is electronically approved and therefore has no handwritten signatures<br />
Anders Sæve Obrestad legal senior adviser<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=RvS_-_201907720/1/A3&diff=12881
RvS - 201907720/1/A3
2020-12-11T00:09:40Z
<p>Hk: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Netherlands<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=RvS<br />
|Court_With_Country=RvS (Netherlands)<br />
<br />
|Case_Number_Name=201907720/1/A3<br />
|ECLI=ECLI:NL:RVS:2020:2833<br />
<br />
|Original_Source_Name_1=Rechtspraak.nl <br />
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RVS:2020:2833&showbutton=true&keyword=AVG<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
<br />
|Date_Decided=09.12.2020<br />
|Date_Published=09.12.2020<br />
|Year=2020<br />
<br />
<br />
|EU_Law_Name_1=Article 35 Personal Data Protection Act<br />
|EU_Law_Link_1=https://wetten.overheid.nl/BWBR0011468/2018-05-01<br />
<br />
<br />
|Party_Name_1=Council of Mayor and Aldermen of Heemskerk <br />
|Party_Link_1=https://www.heemskerk.nl/over-heemskerk/samenstelling-college-van-bw<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=District Court of Noord-Holland<br />
|Appeal_From_Case_Number_Name=18/817<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The establishment of the data subject's identity must be sound, but may not be so impeding that it affects the right of the data subject to freely request access to his data. <br />
<br />
In this decision, this was not considered to be the case. The data controller had valid reasons to have doubts as to the identity of the applicant, and was therefore entitled to ask for additional information or to impose additional requirements.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Council of Mayor and Aldermen of Heemskerk (which exercises the executive power of the municipal government) declined the request of the appellant to access his personal data. The data subject attached a copy of an expired passport to this request, but the Council of Mayor and Aldermen of Heemskerk announced that it was unable to establish the applicant's identity properly with an expired passport. It therefore requested the appellant to send a certified copy of a valid identity document (i.e. a copy of an original document that has been authorised or stamped as being a true copy of the original by a qualified individual) or to visit the town hall in person. The appellant then sent a copy of a valid passport, without further explanations.<br />
<br />
The Council however decided not to consider the request. It took the view that it was not possible to properly establish the identity of the applicant with the information at its disposal. Although a copy of a valid passport had been submitted, it had emerged from the administration that the signature on the request and on the passport did not match the signature on previously submitted requests by a person with the same name who lives at the same address. According to the Council, it was therefore necessary to establish the identity of the applicant by means of one of the two options offered (certified copy or visit at the town hall).<br />
<br />
=== Dispute ===<br />
Is a data controller entitled to request the data subject to send a certified copy of an identity document or to visit its building in person to establish its identity, or are these two options so impeding that it affects the right of the data subject to freely request access to his data?<br />
<br />
=== Holding ===<br />
On appeal, the Council of Mayor and Aldermen took the view that the appellant misused his rights because he made the access request with a view not to take cognisance of the personal data processed concerning him, but merely to collect penalty payments and obtaining reimbursement of legal costs from the public authorities (financial motive only). The District Court of Noord-Holland and the Council of State however ruled that there was insufficient ground to reach this conclusion.<br />
<br />
The District Court of Noord-Holland and the Council of State considered that the Council of Mayor and Aldermen of Heemskerk could reasonably take the view that the different signatures gave rise to doubts as to the identity of the applicant and that a copy of the passport alone was not sufficient in this case.<br />
<br />
It could therefore reasonably ask the applicant to send a certified copy of an identity document or to visit the town hall in person, to guarantee a proper establishment of his identity. The two options given by the Council were not disproportionately onerous. Although the distance to the town hall was considerable for the appellant, the alternative of a certified copy did not involve such high costs that the right of the data subject to freely request access to his data was infringed.<br />
<br />
The Council of Mayor and Aldermen was therefore entitled to disregard the access request.<br />
<br />
== Comment ==<br />
On 25 May 2018, the General Data Protection Regulation became applicable. The decision from the Council is from before that date. Therefore, the Dutch Personal Data Act (Wet Bescherming Persoonsgegevens) still applied to this case.<br />
<br />
This decision should be compared to: https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RVS:2020:2915&showbutton=true&keyword=AVG<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
201907720/1/A3.<br />
Date of judgment: 9 December 2020<br />
SECTION<br />
ADMINISTRATIVE LAW<br />
Judgment on the appeals of:<br />
1. [appellant under 1], residing at [place of residence],<br />
2. the Municipal Executive of Heemskerk,<br />
appellants,<br />
against the judgment of the District Court of North Holland of 12 September 2019 in Case No 18/817 in the interlocutory proceedings:<br />
[appellant under 1]<br />
and<br />
the college.<br />
Process sequence<br />
By decision of 19 September 2017, the Board rejected the request by [appellant under 1] for access to his personal data.<br />
By decision of 18 January 2018, the Board dismissed [appellant sub 1]'s objection to that request as unfounded.<br />
By decision of 13 February 2018, the Board decided that no penalty payment had been forfeited on account of the failure to decide on the objection in good time.<br />
By decision of 12 September 2019, the Court declared the appeal lodged by [appellant sub 1] against the decision of 18 January 2018 unfounded and upheld the appeal lodged against the decision of 13 February 2018, annulled that decision and set the penalty payment forfeited by the Board at € 520. This judgment is attached.<br />
The [appellant under 1] has lodged an appeal against that decision.<br />
The Board made a written statement and lodged an incidental appeal.<br />
The Division heard the case on 3 August 2020, where [the appellant sub 1], assisted by [the agent], legal aid provider, and the Board of Appeal, represented by C.N. van der Sluis, attorney at law in Rotterdam, appeared.<br />
Recitals<br />
Applicable law<br />
1. On 25 May 2018, the General Data Protection Regulation became applicable. The decision on objections is from before that date. Therefore, the Wbp still applies to this case. For the text of the relevant provisions of the Wbp and the General Administrative Law Act (hereinafter: the Awb), reference is made to the annex, which forms part of the decision.<br />
Decision-making<br />
2. On 30 July 2017 [appellant sub 1] requested access to the processing of his personal data as referred to in article 35 of the Wbp. According to [Appellant under 1], his personal data were processed in connection with, among other things, a request submitted previously under the Government Information (Public Access) Act (hereinafter: the Wob). He has also requested that, insofar as the Board has processed his personal data by posting messages on the forum of the Association of Netherlands Municipalities (hereinafter: VNG), the content of these messages be included in the overview. He attached a copy of an expired passport to this request.<br />
2.1. On 7 August 2017, the Municipal Executive announced that it was unable to establish the applicant's identity properly with an expired passport. It requested [the appellant under 1] to send a certified or authorised copy of a valid identity document or to visit the town hall in person. [appellant sub 1] then sent a copy of a valid passport, without further explanation.<br />
2.2. By decision of 19 September 2017, the Municipal Executive decided not to consider the request. Pursuant to Section 37(2) of the Wbp, it is required to properly establish the identity of the applicant in the case of an application. The Municipal Executive took the view that this was not possible with the information at its disposal. Although a copy of a valid passport had been submitted, it had emerged from the administration that a person with the same name as [appellant under 1] had previously sent letters to the Board, but that the signature on those letters did not match the signature on the application for inspection. In view of this, it was necessary, in the opinion of the Board, to establish the identity by means of one of the two options offered. In its appeal, the College maintained the decision.<br />
Ruling attacked<br />
3. On appeal, the College took the view that [the appellant under 1] was misusing his rights, because [the appellant under 1] made the request for inspection with the aim of collecting periodic penalty payments and obtaining reimbursement of legal costs. The court ruled that there is insufficient ground for the conclusion that [appellant sub 1] submitted the request for inspection under the Wbp for a purpose other than that for which it was granted. The court also ruled that the Board could reasonably ask for a certified or authorised copy of an identity document to be sent or for an appointment to be made at the town hall. Now that [the appellant under 1] has failed to do so, the court ruled that the Municipal Executive could disregard its request.<br />
Appeal by the College<br />
4. The incidental appeal of the Board is the most far-reaching. That is why it will be the first to be assessed. The College submits that the Court erred in finding that [appellant under 1] did not commit an abuse of rights. There are several aspects which, viewed in conjunction, must lead to a finding that there is an abuse of rights. For example, the conduct of [the appellant under 1] and [the agent] is established. In the past, [appellant sub 1] has submitted Wob requests in almost all municipalities. There have been many proceedings on this subject, which has ultimately led to decisions by the Division in which it is ruled that [appellant sub 1] has abused his rights with these requests. Now [appellant sub 1] has submitted a Wbp request to almost all municipalities. In addition, various aspects show that [appellant sub 1] and [authorised representative] have a financial motive. For example, in a similar case, [the agent] approached the Municipal Executive to buy off proceedings, a request for compensation for breach of a reasonable period of time was made on appeal and the notice of appeal is an almost literal repetition of the notice of appeal, which indicates a minimum effort. Failure to appear at a hearing also indicates this. In addition, the financial interests of [appellant under 1] and [agent] are apparent from [person's] no-cure-no-pay practice. Finally, there is another way for [appellant under 1] to obtain the personal data processed on the VNG forum. He had in fact initiated proceedings against the VNG in order to access those data and could have continued those proceedings. There was also the possibility of filing a new Wbp application, according to the College.<br />
4.1. In its decision of 23 January 2019, ECLI:NL:RVS:2019:184, the Division ruled that the Wob and the Wbp relate to different matters. This means that the judgment that there has been an abuse of rights with regard to the Wob does not automatically mean that there has also been an abuse of rights with regard to the Wbp. The purpose of the Wbp is, among other things, to give citizens access to the way in which administrative bodies, among others, process their personal data. In its decision of 21 August 2019, ECLI:NL:RVS:2019:2797, which concerns a similar case of [appellant sub 1], the Division ruled that there were insufficient grounds for the opinion that [appellant sub 1] had made an abuse of rights by submitting the request for inspection and using legal remedies. The circumstance that the representative of [appellant sub 1] was declared inadmissible earlier in the context of Wob proceedings, that [appellant sub 1] had submitted requests for inspection to various municipalities, and that many proceedings were in progress about this, the fact that [the appellant under 1] is keeping a close eye on the time-limit for taking a decision and, if that time-limit is exceeded, requests the imposition of periodic penalty payments following formal notice and damages, was not considered sufficient for it to be concluded that [the appellant under 1] did not intend to take cognisance of the personal data processed concerning him, but merely attempted to collect sums of money from the public authorities.<br />
4.2. Contrary to the decision of 21 August 2019, the Division sees no reason to consider that [appellant sub 1] has misused the authority to submit requests for inspection. Finding out which municipalities have posted the applicant's personal data on the VNG forum is in line with the purpose of the Wbp. As [appellant sub 1] explained at the session, the VNG has removed everything from him from the forum. A request to the VNG for inspection therefore makes no sense. He hopes that the Board has made screenshots of the forum or can find out in some other way what was posted on the forum. If the Board has unlawfully processed his personal data, he will request compensation. Under the AVG there is the possibility to do so. The fact that this is the underlying purpose of this request, and also of the other requests for inspection that he has submitted, does not mean that the purpose of the request is no longer in line with the purpose of the Wbp. Nor does the Division see any reason to reach a different conclusion in what has otherwise been argued. In fact, the arguments put forward are very similar to those put forward in the case that led to the judgment of 21 August 2019.<br />
4.3. The argument fails.<br />
Appeal by [appellant under 1]<br />
5. [appellant under 1] submits that the court erred in finding that the College was entitled to ask him to send a certified or authorised copy of an identity document or to visit the town hall. The copy of his identity document enabled the Municipal Executive to establish his identity properly. The signature on the request corresponds to the signature in the passport. The request for inspection was submitted from the address on which he is registered in the basic registration of persons, which is an important factor in establishing his identity, according to [appellant sub 1].<br />
5.1. It follows from the lack of specific points of reference in the Wbp that, in principle, the Municipal Executive has room for manoeuvre with regard to the manner in which it wishes to establish the identity of the applicant. That scope is also determined, on the one hand, by the principle that the determination of identity must be sound. On the other hand, the fact that the determination of identity may not be so impeding that it affects the right of the person concerned to apply freely to the College with a request for inspection.<br />
5.2. It is not considered unreasonable to ask for a copy of an identity document in the case of a request for inspection. This will guarantee a proper determination of the identity without prejudice to the right of the persons concerned to apply freely to the Board. In this case, the College noted that the signature on the request and on the passport did not correspond to the signature on previously submitted Wob requests of a person with the same name who lives at the same address. It could therefore reasonably take the view that this gave rise to doubts as to the identity of the applicant and that a copy of the passport alone was not sufficient in this case. The fact that, according to [appellant sub 1], the request for inspection had been submitted from the address with which he is registered in the basic registration of persons and that the overview could be sent to that address, could not have been considered sufficient by the Board to establish the identity properly. The Board was entitled to request additional information to establish the identity of [appellant under 1]. The Court correctly ruled that the two options given by the Municipal Executive [appellant sub 1], the submission of a certified or authorised copy of a valid identity document or the personal visit to the town hall, were not disproportionately onerous in this case. Although the distance to the town hall is considerable for [appellant sub 1], the alternative of a certified or authorised copy does not involve such high costs that the right to freely request inspection is infringed.<br />
5.3. The argument fails.<br />
5.4. [appellant under 1] has also requested compensation for exceeding the reasonable period of time. He withdrew that request at the hearing, so it will not be assessed.<br />
Final sum<br />
6. The appeals brought by [appellant under 1] and by the College are unfounded. The decision of the court must be upheld in so far as it has been attacked.<br />
7. The Board must be ordered to reimburse the costs of the proceedings in a manner to be reported. The fact that [appellant sub 1] is more often objected to the fact that he has misused his right to submit requests for inspection does not, contrary to what he has argued, give cause to apply a heavier weighting factor.<br />
Decision<br />
The Administrative Jurisdiction Division of the Council of State:<br />
I. confirms the decision of the court, in so far as attacked;<br />
II. orders the Municipal Executive of Heemskerk to compensate [appellant sub 1] for legal costs incurred by [appellant sub 1] in connection with the hearing of the appeal up to an amount of € 1,184.53 (in words: eleven hundred and eighty-four euros and fifty-three cents).<br />
Thus established by Mr C.J. Borman, Chairman, and Mr S.F.M. Wortmann and Mr J. Gundelach, Members, in the presence of Mr P. Klein, Registrar.<br />
The chairman is prevented from signing the decision.<br />
w.g. Klein<br />
Registrar<br />
Pronounced in public on 9 December 2020<br />
176-851.<br />
<br />
Annex<br />
<br />
Personal Data Protection Act<br />
Article 35<br />
1. The data subject shall have the right to address himself/herself freely and at reasonable intervals to the data controller with a request to inform him/her whether personal data relating to him/her are being processed. The data controller shall inform the data subject in writing within four weeks whether or not personal data relating to him or her are being processed.<br />
[…].<br />
Article 37<br />
1. […].<br />
2. The person responsible shall ensure that the identity of the applicant is properly established.<br />
[…].<br />
General Administrative Law Act<br />
Article 4:5<br />
1. The administrative body may decide not to consider the application if:<br />
a. the applicant has not complied with any legal requirement for the application to be considered, or<br />
b. the application has been refused, in whole or in part, on the grounds of Article 2:15, or<br />
c. the information and documents provided are inadequate for the evaluation of the application or the preparation of the decision,<br />
provided that the applicant has had the opportunity to complete the application within a period set by the administrative authority.<br />
[…].<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Pers%C3%B3nuvernd_-_2020010673&diff=12880
Persónuvernd - 2020010673
2020-12-11T00:06:30Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Iceland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoIS.png<br />
|DPA_Abbrevation=Persónuvernd<br />
|DPA_With_Country=Persónuvernd (Iceland)<br />
<br />
|Case_Number_Name=2020010673<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Persónuvernd<br />
|Original_Source_Link_1=https://www.personuvernd.is/urlausnir/urskurdur-um-vinnslu-personuupplysinga-af-halfu-elisu-gudrunar-ehf.-lifandi-visinda<br />
|Original_Source_Language_1=Icelandic<br />
|Original_Source_Language__Code_1=IS<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=27.10.2020<br />
|Date_Published=24.11.2020<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1b<br />
|GDPR_Article_3=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1c<br />
|GDPR_Article_4=Article 5(1)(e) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1e<br />
|GDPR_Article_5=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#1f<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Icelandic DPA (Persónuvernd) held that a controller breached the GDPR by not conducting a legitimate interest assessment and by not substantiating how its interest outweighed those of the data subject in the context of direct marketing communications. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The complainant had a subscription with the controller for a magazine, which he cancelled. Several years after terminating the subscription, he was called by the company and asked whether he would like a new subscription. <br />
<br />
The data subject complained to the DPA that the controller acted in breach of the GDPR by contacting him for marketing purposes when he had already cancelled his subscription years before.<br />
<br />
=== Dispute ===<br />
Did the data controller breach the GDPR by storing the contact details of the former subscriber for years after cancelling the subscription, and by contacting him for marketing purposes (offering a new subscription)?<br />
<br />
=== Holding ===<br />
The Persónuvernd first ruled out the possibility of the processing being based on consent in this case. With regard to legitimate interest (Article 6(1)(f)), the DPA held that temporarily storing the name and telephone number of former customers can be considered to be carried out in the company's legitimate interests. <br />
<br />
However, the controller did not conduct a legitimate interest assessment to establish the need to preserve the information. In addition, the company did not specifically substantiate how its interests in the processing in question outweighed the interests of the complainant. In view of this, the DPA considered that the processing in question was not in accordance with the GDPR.<br />
<br />
Furthermore, the DPA held that the controller breached the principles enshrined in Articles 5(1)(a), (b), (c), and (e), especially in light of storing the data for several years after the cancellation of the subscription.<br />
<br />
Finally, the DPA emphasised that the controller did not take special measures to delete the personal data of older subscribers on a regular basis. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.<br />
<br />
<pre><br />
Ruling on the processing of personal information by Elísa Guðrún ehf. (Living Science)<br />
Case no. 2020010673<br />
<br />
24.11.2020<br />
<br />
The Data Protection Authority has ruled in a case where a complaint was made about the processing of personal information in connection with marketing by Elísa Guðrún ehf. (Living Science). The ruling concludes that the preservation and use of Elísa Guðrún ehf. (Living Science) on the personal information of the complainant did not comply with Act no. 90/2018 and Regulation (EU) 2016/679.<br />
<br />
Ruling<br />
<br />
<br />
On October 27, 2020, the Data Protection Authority issued a ruling in case no. 2020010673 (formerly 2019091811):<br />
<br />
I.<br />
<br />
Procedure<br />
<br />
<br />
1.<br />
<br />
Outline of case<br />
<br />
On September 27, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as "the complainant"), dated September 23, 2019. The complainant claims to have received a phone call from Elísa Guðrún ehf., which publishes the journal Lifandi vísindi. It was a marketing call where he was offered a presentation and a subscription to a magazine.<br />
<br />
By letter dated October 22, 2019, reiterated by letters dated 17 December 2019 and 18 June 2020, Elísa Guðrún ehf. (hereafter Living Sciences) was invited to provide explanations regarding the complaint. Two emails were answered on July 14, 2020.<br />
<br />
By letter dated 20 July 2020, the complainant was given an opportunity to comment on the above explanations of Living Sciences. The answer was sent by e-mail on August 7, 2020.<br />
<br />
All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.<br />
<br />
2.<br />
<br />
The complainant's views<br />
<br />
The complainant claimed to have turned down an offer of a new subscription, in a call he received from Living Sciences, but he was abroad when he was called and the relationship was poor.<br />
<br />
He subsequently received a magazine sent home and a claim to an online bank. The complainant had contacted the magazine's office and said he was not interested in paying the claim. He also asked why he had been contacted. The complainant's answers were that they were calling old subscribers and offering them a new subscription. The complainant considers that by doing so, Lifandi vísindi has violated the provisions of the Act on Personal Data Protection and the Processing of Personal Data. The complainant wants to find out whether the magazine is authorized to own and store information about subscribers, many years back in time.<br />
<br />
3.<br />
<br />
The views of the responsible party<br />
<br />
Lifandi vísinda's response states that the company is on the phone all year round and calls people who have been subscribers before, but that those who are on a banned list are cleared of lists that are called after.<br />
<br />
It says that the company has considered it okay to call former subscribers, but will stop if it is not okay.<br />
<br />
II.<br />
<br />
Assumptions and conclusion<br />
<br />
<br />
1.<br />
<br />
Scope - Responsible party<br />
<br />
Scope of Act no. 90/2018, on personal data protection and the processing of personal data and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.<br />
<br />
Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.<br />
<br />
Processing refers to an action or series of actions where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.<br />
<br />
This case concerns the processing of personal information about the complainant by Living Sciences in connection with marketing. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.<br />
<br />
The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, Elísa Guðrún ehf. (Living Science) be responsible for the processing in question.<br />
<br />
2.<br />
<br />
Legality of processing<br />
<br />
All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. The sources that are particularly relevant here are that the data subject has given his consent for the processing of personal information about himself for the benefit of one or more specific purposes, cf. 1. tölul. Article 9 that processing is necessary to fulfill a contract to which the data subject is a party, cf. 2. tölul. Article 9 or that processing is necessary due to legitimate interests that the responsible party or a third party may pursue, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, cf. 6. tölul. same articles.<br />
<br />
In this case, it is tested whether Lifandi vísindum was allowed to retain information about the complainant's name and telephone number, after he had canceled his subscription and use it later in the direct marketing of new subscription channels.<br />
<br />
In particular, in the implementation of the Data Protection Authority, it has been considered that direct marketing can be based on either the consent of the data subject or that it is necessary due to the legitimate interests of the party responsible for the marketing. In this case, it is not clear that the data subject has given his consent to the processing in question and the processing will therefore not be considered to have been permitted on that basis. It is then examined whether the company had a legitimate interest in directing marketing to it. It is generally considered that three conditions must be met in order for personal information to be processed on the basis of point 6. Paragraph 1 Article 9 Act no. 90/2018, Coll. paragraph 1 (f) Article 6 of the Regulation. First, processing must be carried out in the interests of the legitimate interests of the controller or a third party who has access to the personal information. Secondly, it is required that the processing is necessary in the interests of them. Thirdly, the interests and fundamental rights of the data subject that require the protection of personal data must not outweigh the interests of others in the processing.<br />
<br />
In the opinion of the Data Protection Authority, temporary storage of information on the names and telephone numbers of former customers can be considered to take place in the interests of the company's legitimate interests. From the explanations of Living Sciences, however, it can be concluded that no assessment has been made of the need to preserve the information. In addition, the company did not specifically substantiate how its interests in the processing in question outweighed the interests of the complainant. In view of this, the Data Protection Authority considers that the processing in question was not in accordance with Act no. 90/2018.<br />
<br />
In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (paragraph 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (paragraph 3); that they are preserved in such a way that it is not possible to identify registered persons for longer than is necessary for the purpose of processing (point 5).<br />
<br />
The complainant has stated that although several years have passed since he canceled his subscription to Living Sciences and has therefore not been challenged by the responsible party.<br />
<br />
The Data Protection Authority does not consider it possible to rule out that after the end of a business relationship, it can be assumed for some time that individual aspects of the relationship or individual accounts and other related legal instruments may be tried. However, such storage shall not be for an indefinite period, unless otherwise provided by law. The guarantor has not stated that he has taken special measures to delete information on older subscribers on a regular basis and it will therefore not be considered that the processing was in accordance with the above-mentioned point of the provision.<br />
<br />
<br />
<br />
Ruling:<br />
<br />
Preservation and use of Elísa Guðrún ehf. (Living Science) personal information [A] in connection with marketing was not in accordance with Act no. 90/2018 and Regulation (EU) 2016/679.<br />
<br />
<br />
At the Data Protection Authority, October 27, 2020<br />
<br />
<br />
<br />
Helga Þórisdóttir Helga Sigríður Þórhallsdóttir<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Welcome_to_GDPRhub&diff=12620
Welcome to GDPRhub
2020-12-01T15:30:04Z
<p>Hk: /* Most active users */</p>
<hr />
<div><big><b>GDPRhub is a free and open wiki that allows anyone to find and share GDPR insights across Europe!</b></big><br />
<br />
The content on GDPRhub is divided into two databases: decisions and knowledge. <br />
<br />
In the <b>decisions</b> section we collect summaries of decisions by national DPAs and courts in English. The summaries can be searched by relevant GDPR article, issuing DPA or deciding court. Every day we monitor more than 100 webpages across all Member States. This page currently contains 500+ decisions, and more are added every day. We believe a good overview of national decisions is a key to a pan-European debate on the interpretation of contentious GDPR issues. Get all new decisions delivered right to your mailbox and subscribe to the [[GDPRtoday|'''GDPRtoday newsletter''']]!<br />
<br />
In the <b>knowledge</b> section we collect commentaries on GDPR articles, DPA profiles, and 32 GDPR jurisdictions (EU + EEA). In this database you can find anything from the phone number of the Icelandic DPA to a deep dive into each article of the GDPR.<br />
<br />
Your ''noyb.eu'' Team<br />
<br />
<br />
{| class="desktop-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width=50%; padding: 5px;" |GDPR Decision Database<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width=50%; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find 500+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon gdpr info 2.png|alt="GDPR Commentary"|center|100px|link=Article_1_GDPR]][[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon dpa procedure 1.png|alt="DPAs & Procedures"|center|100px|link=:Category:DPA]][[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Member State Law]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Decision Database<br />
|-<br />
| colspan="3" |Here you can find 100+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr info 2.png|center|100px|link=Article 1 GDPR|alt="GDPR Commentary"]] [[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa procedure 1.png|center|100px|link=:Category:DPA|alt="DPAs & Procedures"]] [[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Jurisdiction Profiles]]<br />
|}<br />
<br /><br />
==Get a summary of new decisions with GDPRtoday!==<br />
[[File:GDPRtoday.png|right|350px|alt=|class=desktop-only|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
Our team will send you a quick overview of all national decisions of the past days from all across Europe - right to your mailbox and in English. Obviously it's free and you can cancel at any time!<br />
<br />
[[File:Newsletter button.png|200px|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
<br /><br />
<br />
==Start contributing today!==<br />
[[File:GDPRhub Submission Form.png|350px|alt=|border|right|class=desktop-only|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
Anyone can help add more information to this wiki, improve existing pages or correct mistakes in existing articles. Simply click the "edit" button at the top of any page and help grow open and freely available GDPR knowledge right now!<br />
<br />
[[File:submit.png|200px|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
<br />
→ [[How to edit a page on GDPRhub]]<br />
<br />
→ [[How to add a new decision]]<br />
<br />
<br /><br />
<br />
==Become a GDPRhub Country Reporter today!==<br />
[[File:Gdprhub reporter.png|right|350px|alt=|class=desktop-only|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]We try to cover all EU/EEA member states and the UK. There are of course a lot of new decisions and we rely on volunteers to help with this effort. As a "country reporter" we will inform you about new decisions via email or our internal chat system and ask you if you can submit a summary. Having country reporters makes keeping the GDPRhub consistent, up to date and accurate much easier than solely relying on volunteers. Ideally you can update the GDPRhub for your home jurisdiction, which you may be aware of in your daily work anyway.<br />
<br />
[[File:Reporter button.png|200px|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]<br />
<br />
→ [[GDPRhub Country Reporters|More Information]]<br />
<br />
<br /><br />
<br />
==Page Status==<br />
<br />
*<u>GDPR Decisions:</u> Currently the page includes 500+ [[:Category:DPA Decisions|DPA decisions]] and [[:Category:Court Decisions|Court decisions]], mainly from the end of 2019 and 2020. New decisions are constantly added.<br />
*<u>[[:Category:GDPR Articles|GDPR Commentary]]:</u> An initial basic commentary of Articles 1 to 21 is included. All other Articles need comments.<br />
*<u>[[:Category:DPA|DPA Profiles]]:</u> So far, profiles of about 10 DPAs are complete. The 16 German state DPAs are currently missing and will be added soon. All other DPA profiles include the basic information, but need to be completed.<br />
*<u>[[:Category:Country Overview|Jurisdiction Profiles]]:</u> So far, profiles of about 10 GDPR jurisdictions are complete. All other jurisdiction profiles include basic information but need to be completed.<br />
<br />
==Most active users==<br />
Here you can see the 10 most active users in the past 30 days (excluding ''noyb'' staff). If you want to top this list soon, create an account and start editing existing decisions or add a new decision to GDPRhub today!<br />
<br />
{{Special:ContributionScores/50/30/notools}}<br />
<br />
__NOTOC__</div>
Hk
https://gdprhub.eu/index.php?title=Welcome_to_GDPRhub&diff=12619
Welcome to GDPRhub
2020-12-01T15:29:57Z
<p>Hk: /* Most active users */</p>
<hr />
<div><big><b>GDPRhub is a free and open wiki that allows anyone to find and share GDPR insights across Europe!</b></big><br />
<br />
The content on GDPRhub is divided into two databases: decisions and knowledge. <br />
<br />
In the <b>decisions</b> section we collect summaries of decisions by national DPAs and courts in English. The summaries can be searched by relevant GDPR article, issuing DPA or deciding court. Every day we monitor more than 100 webpages across all Member States. This page currently contains 500+ decisions, and more are added every day. We believe a good overview of national decisions is a key to a pan-European debate on the interpretation of contentious GDPR issues. Get all new decisions delivered right to your mailbox and subscribe to the [[GDPRtoday|'''GDPRtoday newsletter''']]!<br />
<br />
In the <b>knowledge</b> section we collect commentaries on GDPR articles, DPA profiles, and 32 GDPR jurisdictions (EU + EEA). In this database you can find anything from the phone number of the Icelandic DPA to a deep dive into each article of the GDPR.<br />
<br />
Your ''noyb.eu'' Team<br />
<br />
<br />
{| class="desktop-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width:50%; padding: 5px;" |GDPR Decision Database<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width:50%; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find 500+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon gdpr info 2.png|alt="GDPR Commentary"|center|100px|link=Article_1_GDPR]][[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon dpa procedure 1.png|alt="DPAs & Procedures"|center|100px|link=:Category:DPA]][[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Member State Law]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Decision Database<br />
|-<br />
| colspan="3" |Here you can find 500+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr info 2.png|center|100px|link=Article 1 GDPR|alt="GDPR Commentary"]] [[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa procedure 1.png|center|100px|link=:Category:DPA|alt="DPAs & Procedures"]] [[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Jurisdiction Profiles]]<br />
|}<br />
<br /><br />
==Get a summary of new decisions with GDPRtoday!==<br />
[[File:GDPRtoday.png|right|350px|alt=|class=desktop-only|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
Our team will send you a quick overview of all national decisions of the past days from all across Europe - right to your mailbox and in English. Obviously it's free and you can cancel at any time!<br />
<br />
[[File:Newsletter button.png|200px|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
<br /><br />
<br />
==Start contributing today!==<br />
[[File:GDPRhub Submission Form.png|350px|alt=|border|right|class=desktop-only|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
Anyone can help add more information to this wiki, improve existing pages or correct mistakes in existing articles. Simply click the "edit" button at the top of any page and help grow open and freely available GDPR knowledge right now!<br />
<br />
[[File:submit.png|200px|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
<br />
→ [[How to edit a page on GDPRhub]]<br />
<br />
→ [[How to add a new decision]]<br />
<br />
<br /><br />
<br />
==Become a GDPRhub Country Reporter today!==<br />
[[File:Gdprhub reporter.png|right|350px|alt=|class=desktop-only|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]We try to cover all EU/EEA member states and the UK. There are of course a lot of new decisions and we rely on volunteers to help with this effort. As a "country reporter" you will be informed about new decisions via email or our internal chat system and asked whether you can submit a summary. Having country reporters makes it much easier to keep GDPRhub consistent, up to date and accurate than relying solely on ad-hoc volunteers. Ideally, you would cover your home jurisdiction, whose decisions you may already come across in your daily work.<br />
<br />
[[File:Reporter button.png|200px|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]<br />
<br />
→ [[GDPRhub Country Reporters|More Information]]<br />
<br />
<br /><br />
<br />
==Page Status==<br />
<br />
*<u>GDPR Decisions:</u> Currently the page includes 500+ [[:Category:DPA Decisions|DPA decisions]] and [[:Category:Court Decisions|Court decisions]], mainly from the end of 2019 and 2020. New decisions are constantly added.<br />
*<u>[[:Category:GDPR Articles|GDPR Commentary]]:</u> An initial basic commentary of Articles 1 to 21 is included. All other Articles need comments.<br />
*<u>[[:Category:DPA|DPA Profiles]]:</u> So far, profiles of about 10 DPAs are complete. The 16 German state DPAs are currently missing and will be added soon. All other DPA profiles include the basic information, but need to be completed.<br />
*<u>[[:Category:Country Overview|Jurisdiction Profiles]]:</u> So far, profiles of about 10 GDPR jurisdictions are complete. All other jurisdiction profiles include basic information but need to be completed.<br />
<br />
==Most active users==<br />
Here you can see the 10 most active users in the past 30 days (excluding ''noyb'' staff). If you want to top this list soon, create an account and start editing existing decisions or add a new decision to GDPRhub today!<br />
<br />
{{Special:ContributionScores/10/30/notools}}<br />
<br />
__NOTOC__</div>
Hk
https://gdprhub.eu/index.php?title=Welcome_to_GDPRhub&diff=12616
Welcome to GDPRhub
2020-12-01T15:28:15Z
<p>Hk: /* Most active users */</p>
<hr />
<div><big><b>GDPRhub is a free and open wiki that allows anyone to find and share GDPR insights across Europe!</b></big><br />
<br />
The content on GDPRhub is divided into two databases: decisions and knowledge. <br />
<br />
In the <b>decisions</b> section we collect summaries of decisions by national DPAs and courts in English. The summaries can be searched by relevant GDPR article, issuing DPA or deciding court. Every day we monitor more than 100 webpages across all Member States. This page currently contains 500+ decisions, and more are added every day. We believe a good overview of national decisions is key to a pan-European debate on the interpretation of contentious GDPR issues. Get all new decisions delivered right to your mailbox by subscribing to the [[GDPRtoday|'''GDPRtoday newsletter''']]!<br />
<br />
In the <b>knowledge</b> section we collect commentaries on GDPR articles, profiles of DPAs and profiles of the 32 GDPR jurisdictions (EU + EEA). In this database you can find anything from the phone number of the Icelandic DPA to a deep dive into each article of the GDPR.<br />
<br />
Your ''noyb.eu'' Team<br />
<br />
<br />
{| class="desktop-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width:50%; padding: 5px;" |GDPR Decision Database<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width:50%; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find 500+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon gdpr info 2.png|alt="GDPR Commentary"|center|100px|link=Article_1_GDPR]][[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon dpa procedure 1.png|alt="DPAs & Procedures"|center|100px|link=:Category:DPA]][[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Member State Law]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Decision Database<br />
|-<br />
| colspan="3" |Here you can find 500+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr info 2.png|center|100px|link=Article 1 GDPR|alt="GDPR Commentary"]] [[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa procedure 1.png|center|100px|link=:Category:DPA|alt="DPAs & Procedures"]] [[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Jurisdiction Profiles]]<br />
|}<br />
<br /><br />
==Get a summary of new decisions with GDPRtoday!==<br />
[[File:GDPRtoday.png|right|350px|alt=|class=desktop-only|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
Our team will send you a quick overview of all national decisions of the past days from all across Europe - right to your mailbox and in English. Obviously it's free and you can cancel at any time!<br />
<br />
[[File:Newsletter button.png|200px|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
<br /><br />
<br />
==Start contributing today!==<br />
[[File:GDPRhub Submission Form.png|350px|alt=|border|right|class=desktop-only|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
Anyone can help add more information to this wiki, improve existing pages or correct mistakes in existing articles. Simply click the "edit" button at the top of any page and help grow open and freely available GDPR knowledge right now!<br />
<br />
[[File:submit.png|200px|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
<br />
→ [[How to edit a page on GDPRhub]]<br />
<br />
→ [[How to add a new decision]]<br />
<br />
<br /><br />
<br />
==Become a GDPRhub Country Reporter today!==<br />
[[File:Gdprhub reporter.png|right|350px|alt=|class=desktop-only|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]We try to cover all EU/EEA member states and the UK. There are of course a lot of new decisions and we rely on volunteers to help with this effort. As a "country reporter" you will be informed about new decisions via email or our internal chat system and asked whether you can submit a summary. Having country reporters makes it much easier to keep GDPRhub consistent, up to date and accurate than relying solely on ad-hoc volunteers. Ideally, you would cover your home jurisdiction, whose decisions you may already come across in your daily work.<br />
<br />
[[File:Reporter button.png|200px|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]<br />
<br />
→ [[GDPRhub Country Reporters|More Information]]<br />
<br />
<br /><br />
<br />
==Page Status==<br />
<br />
*<u>GDPR Decisions:</u> Currently the page includes 500+ [[:Category:DPA Decisions|DPA decisions]] and [[:Category:Court Decisions|Court decisions]], mainly from the end of 2019 and 2020. New decisions are constantly added.<br />
*<u>[[:Category:GDPR Articles|GDPR Commentary]]:</u> An initial basic commentary of Articles 1 to 21 is included. All other Articles need comments.<br />
*<u>[[:Category:DPA|DPA Profiles]]:</u> So far, profiles of about 10 DPAs are complete. The 16 German state DPAs are currently missing and will be added soon. All other DPA profiles include the basic information, but need to be completed.<br />
*<u>[[:Category:Country Overview|Jurisdiction Profiles]]:</u> So far, profiles of about 10 GDPR jurisdictions are complete. All other jurisdiction profiles include basic information but need to be completed.<br />
<br />
==Most active users==<br />
Here you can see the 10 most active users in the past 30 days (excluding ''noyb'' staff). If you want to top this list soon, create an account and start editing existing decisions or add a new decision to GDPRhub today!<br />
<br />
{{Special:ContributionScores/50/30/notools}}<br />
<br />
__NOTOC__</div>
Hk
https://gdprhub.eu/index.php?title=Welcome_to_GDPRhub&diff=12615
Welcome to GDPRhub
2020-12-01T15:28:00Z
<p>Hk: /* Most active users */</p>
<hr />
<div><big><b>GDPRhub is a free and open wiki that allows anyone to find and share GDPR insights across Europe!</b></big><br />
<br />
The content on GDPRhub is divided into two databases: decisions and knowledge. <br />
<br />
In the <b>decisions</b> section we collect summaries of decisions by national DPAs and courts in English. The summaries can be searched by relevant GDPR article, issuing DPA or deciding court. Every day we monitor more than 100 webpages across all Member States. This page currently contains 500+ decisions, and more are added every day. We believe a good overview of national decisions is key to a pan-European debate on the interpretation of contentious GDPR issues. Get all new decisions delivered right to your mailbox by subscribing to the [[GDPRtoday|'''GDPRtoday newsletter''']]!<br />
<br />
In the <b>knowledge</b> section we collect commentaries on GDPR articles, profiles of DPAs and profiles of the 32 GDPR jurisdictions (EU + EEA). In this database you can find anything from the phone number of the Icelandic DPA to a deep dive into each article of the GDPR.<br />
<br />
Your ''noyb.eu'' Team<br />
<br />
<br />
{| class="desktop-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width:50%; padding: 5px;" |GDPR Decision Database<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width:50%; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find 500+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon gdpr info 2.png|alt="GDPR Commentary"|center|100px|link=Article_1_GDPR]][[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon dpa procedure 1.png|alt="DPAs & Procedures"|center|100px|link=:Category:DPA]][[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Member State Law]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Decision Database<br />
|-<br />
| colspan="3" |Here you can find 500+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr info 2.png|center|100px|link=Article 1 GDPR|alt="GDPR Commentary"]] [[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa procedure 1.png|center|100px|link=:Category:DPA|alt="DPAs & Procedures"]] [[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Jurisdiction Profiles]]<br />
|}<br />
<br /><br />
==Get a summary of new decisions with GDPRtoday!==<br />
[[File:GDPRtoday.png|right|350px|alt=|class=desktop-only|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
Our team will send you a quick overview of all national decisions of the past days from all across Europe - right to your mailbox and in English. Obviously it's free and you can cancel at any time!<br />
<br />
[[File:Newsletter button.png|200px|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
<br /><br />
<br />
==Start contributing today!==<br />
[[File:GDPRhub Submission Form.png|350px|alt=|border|right|class=desktop-only|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
Anyone can help add more information to this wiki, improve existing pages or correct mistakes in existing articles. Simply click the "edit" button at the top of any page and help grow open and freely available GDPR knowledge right now!<br />
<br />
[[File:submit.png|200px|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
<br />
→ [[How to edit a page on GDPRhub]]<br />
<br />
→ [[How to add a new decision]]<br />
<br />
<br /><br />
<br />
==Become a GDPRhub Country Reporter today!==<br />
[[File:Gdprhub reporter.png|right|350px|alt=|class=desktop-only|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]We try to cover all EU/EEA member states and the UK. There are of course a lot of new decisions and we rely on volunteers to help with this effort. As a "country reporter" you will be informed about new decisions via email or our internal chat system and asked whether you can submit a summary. Having country reporters makes it much easier to keep GDPRhub consistent, up to date and accurate than relying solely on ad-hoc volunteers. Ideally, you would cover your home jurisdiction, whose decisions you may already come across in your daily work.<br />
<br />
[[File:Reporter button.png|200px|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]<br />
<br />
→ [[GDPRhub Country Reporters|More Information]]<br />
<br />
<br /><br />
<br />
==Page Status==<br />
<br />
*<u>GDPR Decisions:</u> Currently the page includes 500+ [[:Category:DPA Decisions|DPA decisions]] and [[:Category:Court Decisions|Court decisions]], mainly from the end of 2019 and 2020. New decisions are constantly added.<br />
*<u>[[:Category:GDPR Articles|GDPR Commentary]]:</u> An initial basic commentary of Articles 1 to 21 is included. All other Articles need comments.<br />
*<u>[[:Category:DPA|DPA Profiles]]:</u> So far, profiles of about 10 DPAs are complete. The 16 German state DPAs are currently missing and will be added soon. All other DPA profiles include the basic information, but need to be completed.<br />
*<u>[[:Category:Country Overview|Jurisdiction Profiles]]:</u> So far, profiles of about 10 GDPR jurisdictions are complete. All other jurisdiction profiles include basic information but need to be completed.<br />
<br />
==Most active users==<br />
Here you can see the 10 most active users in the past 30 days (excluding ''noyb'' staff). If you want to top this list soon, create an account and start editing existing decisions or add a new decision to GDPRhub today!<br />
<br />
{{Special:ContributionScores/10/30/notools}}<br />
<br />
{{Special:ContributionScores/5/30}}<br />
<br />
__NOTOC__</div>
Hk
https://gdprhub.eu/index.php?title=Welcome_to_GDPRhub&diff=12614
Welcome to GDPRhub
2020-12-01T15:27:02Z
<p>Hk: /* Most active users */</p>
<hr />
<div><big><b>GDPRhub is a free and open wiki that allows anyone to find and share GDPR insights across Europe!</b></big><br />
<br />
The content on GDPRhub is divided into two databases: decisions and knowledge. <br />
<br />
In the <b>decisions</b> section we collect summaries of decisions by national DPAs and courts in English. The summaries can be searched by relevant GDPR article, issuing DPA or deciding court. Every day we monitor more than 100 webpages across all Member States. This page currently contains 500+ decisions, and more are added every day. We believe a good overview of national decisions is key to a pan-European debate on the interpretation of contentious GDPR issues. Get all new decisions delivered right to your mailbox by subscribing to the [[GDPRtoday|'''GDPRtoday newsletter''']]!<br />
<br />
In the <b>knowledge</b> section we collect commentaries on GDPR articles, profiles of DPAs and profiles of the 32 GDPR jurisdictions (EU + EEA). In this database you can find anything from the phone number of the Icelandic DPA to a deep dive into each article of the GDPR.<br />
<br />
Your ''noyb.eu'' Team<br />
<br />
<br />
{| class="desktop-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width:50%; padding: 5px;" |GDPR Decision Database<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width:50%; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find 500+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon gdpr info 2.png|alt="GDPR Commentary"|center|100px|link=Article_1_GDPR]][[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon dpa procedure 1.png|alt="DPAs & Procedures"|center|100px|link=:Category:DPA]][[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Member State Law]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Decision Database<br />
|-<br />
| colspan="3" |Here you can find 500+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr info 2.png|center|100px|link=Article 1 GDPR|alt="GDPR Commentary"]] [[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa procedure 1.png|center|100px|link=:Category:DPA|alt="DPAs & Procedures"]] [[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Jurisdiction Profiles]]<br />
|}<br />
<br /><br />
==Get a summary of new decisions with GDPRtoday!==<br />
[[File:GDPRtoday.png|right|350px|alt=|class=desktop-only|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
Our team will send you a quick overview of all national decisions of the past days from all across Europe - right to your mailbox and in English. Obviously it's free and you can cancel at any time!<br />
<br />
[[File:Newsletter button.png|200px|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
<br /><br />
<br />
==Start contributing today!==<br />
[[File:GDPRhub Submission Form.png|350px|alt=|border|right|class=desktop-only|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
Anyone can help add more information to this wiki, improve existing pages or correct mistakes in existing articles. Simply click the "edit" button at the top of any page and help grow open and freely available GDPR knowledge right now!<br />
<br />
[[File:submit.png|200px|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
<br />
→ [[How to edit a page on GDPRhub]]<br />
<br />
→ [[How to add a new decision]]<br />
<br />
<br /><br />
<br />
==Become a GDPRhub Country Reporter today!==<br />
[[File:Gdprhub reporter.png|right|350px|alt=|class=desktop-only|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]We try to cover all EU/EEA member states and the UK. There are of course a lot of new decisions and we rely on volunteers to help with this effort. As a "country reporter", you will be informed about new decisions via email or our internal chat system and asked whether you can submit a summary. Having country reporters makes keeping the GDPRhub consistent, up to date and accurate much easier than solely relying on volunteers. Ideally you can update the GDPRhub for your home jurisdiction, whose decisions you may be aware of from your daily work anyway.<br />
<br />
[[File:Reporter button.png|200px|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]<br />
<br />
→ [[GDPRhub Country Reporters|More Information]]<br />
<br />
<br /><br />
<br />
==Page Status==<br />
<br />
*<u>GDPR Decisions:</u> Currently the page includes 500+ [[:Category:DPA Decisions|DPA decisions]] and [[:Category:Court Decisions|Court decisions]], mainly from the end of 2019 and 2020. New decisions are constantly added.<br />
*<u>[[:Category:GDPR Articles|GDPR Commentary]]:</u> An initial basic commentary of Articles 1 to 21 is included. All other Articles need comments.<br />
*<u>[[:Category:DPA|DPA Profiles]]:</u> So far, profiles of about 10 DPAs are complete. The 16 German state DPAs are currently missing and will be added soon. All other DPA profiles include the basic information, but need to be completed.<br />
*<u>[[:Category:Country Overview|Jurisdiction Profiles]]:</u> So far, profiles of about 10 GDPR jurisdictions are complete. All other jurisdiction profiles include basic information but need to be completed.<br />
<br />
==Most active users==<br />
Here you can see the 10 most active users in the past 30 days (excluding ''noyb'' staff). If you want to top this list soon, create an account and start editing existing decisions or add a new decision to GDPRhub today!<br />
<br />
{{Special:ContributionScores/10/30/notools}}<br />
<br />
{{Special:ContributionScores/50/30}}<br />
<br />
__NOTOC__</div>
Hk
https://gdprhub.eu/index.php?title=Welcome_to_GDPRhub&diff=12613
Welcome to GDPRhub
2020-12-01T15:26:42Z
<p>Hk: /* Most active users */</p>
<hr />
<div><big><b>GDPRhub is a free and open wiki that allows anyone to find and share GDPR insights across Europe!</b></big><br />
<br />
The content on GDPRhub is divided into two databases: decisions and knowledge. <br />
<br />
In the <b>decisions</b> section we collect summaries of decisions by national DPAs and courts in English. The summaries can be searched by relevant GDPR article, issuing DPA or deciding court. Every day we monitor more than 100 webpages across all Member States. This page currently contains 500+ decisions, and more are added day by day. We believe a good overview of national decisions is key to a pan-European debate on the interpretation of contentious GDPR issues. Get all new decisions delivered right to your mailbox by subscribing to the [[GDPRtoday|'''GDPRtoday newsletter''']]!<br />
<br />
In the <b>knowledge</b> section we collect commentaries on GDPR articles, DPA profiles, and 32 GDPR jurisdictions (EU + EEA). In this database you can find anything from the phone number of the Icelandic DPA to a deep dive into each article of the GDPR.<br />
<br />
Your ''noyb.eu'' Team<br />
<br />
<br />
{| class="desktop-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width=50%; padding: 5px;" |GDPR Decision Database<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width=50%; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find 500+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon gdpr info 2.png|alt="GDPR Commentary"|center|100px|link=Article_1_GDPR]][[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon dpa procedure 1.png|alt="DPAs & Procedures"|center|100px|link=:Category:DPA]][[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Member State Law]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Decision Database<br />
|-<br />
| colspan="3" |Here you can find 100+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr info 2.png|center|100px|link=Article 1 GDPR|alt="GDPR Commentary"]] [[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa procedure 1.png|center|100px|link=:Category:DPA|alt="DPAs & Procedures"]] [[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Jurisdiction Profiles]]<br />
|}<br />
<br /><br />
==Get a summary of new decisions with GDPRtoday!==<br />
[[File:GDPRtoday.png|right|350px|alt=|class=desktop-only|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
Our team will send you a quick overview of all national decisions of the past days from all across Europe - right to your mailbox and in English. Obviously it's free and you can cancel at any time!<br />
<br />
[[File:Newsletter button.png|200px|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
<br /><br />
<br />
==Start contributing today!==<br />
[[File:GDPRhub Submission Form.png|350px|alt=|border|right|class=desktop-only|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
Anyone can help add more information to this wiki, improve existing pages or correct mistakes in existing articles. Simply click the "edit" button at the top of any page and help grow open and freely available GDPR knowledge right now!<br />
<br />
[[File:submit.png|200px|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
<br />
→ [[How to edit a page on GDPRhub]]<br />
<br />
→ [[How to add a new decision]]<br />
<br />
<br /><br />
<br />
==Become a GDPRhub Country Reporter today!==<br />
[[File:Gdprhub reporter.png|right|350px|alt=|class=desktop-only|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]We try to cover all EU/EEA member states and the UK. There are of course a lot of new decisions and we rely on volunteers to help with this effort. As a "country reporter", you will be informed about new decisions via email or our internal chat system and asked whether you can submit a summary. Having country reporters makes keeping the GDPRhub consistent, up to date and accurate much easier than solely relying on volunteers. Ideally you can update the GDPRhub for your home jurisdiction, whose decisions you may be aware of from your daily work anyway.<br />
<br />
[[File:Reporter button.png|200px|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]<br />
<br />
→ [[GDPRhub Country Reporters|More Information]]<br />
<br />
<br /><br />
<br />
==Page Status==<br />
<br />
*<u>GDPR Decisions:</u> Currently the page includes 500+ [[:Category:DPA Decisions|DPA decisions]] and [[:Category:Court Decisions|Court decisions]], mainly from the end of 2019 and 2020. New decisions are constantly added.<br />
*<u>[[:Category:GDPR Articles|GDPR Commentary]]:</u> An initial basic commentary of Articles 1 to 21 is included. All other Articles need comments.<br />
*<u>[[:Category:DPA|DPA Profiles]]:</u> So far, profiles of about 10 DPAs are complete. The 16 German state DPAs are currently missing and will be added soon. All other DPA profiles include the basic information, but need to be completed.<br />
*<u>[[:Category:Country Overview|Jurisdiction Profiles]]:</u> So far, profiles of about 10 GDPR jurisdictions are complete. All other jurisdiction profiles include basic information but need to be completed.<br />
<br />
==Most active users==<br />
Here you can see the 10 most active users in the past 30 days (excluding ''noyb'' staff). If you want to top this list soon, create an account and start editing existing decisions or add a new decision to GDPRhub today!<br />
<br />
{{Special:ContributionScores/10/30/notools}}<br />
<br />
{{Special:ContributionScores/10/30}}<br />
<br />
__NOTOC__</div>
Hk
https://gdprhub.eu/index.php?title=Welcome_to_GDPRhub&diff=12612
Welcome to GDPRhub
2020-12-01T15:26:07Z
<p>Hk: /* Most active users */</p>
<hr />
<div><big><b>GDPRhub is a free and open wiki that allows anyone to find and share GDPR insights across Europe!</b></big><br />
<br />
The content on GDPRhub is divided into two databases: decisions and knowledge. <br />
<br />
In the <b>decisions</b> section we collect summaries of decisions by national DPAs and courts in English. The summaries can be searched by relevant GDPR article, issuing DPA or deciding court. Every day we monitor more than 100 webpages across all Member States. This page currently contains 500+ decisions, and more are added day by day. We believe a good overview of national decisions is key to a pan-European debate on the interpretation of contentious GDPR issues. Get all new decisions delivered right to your mailbox by subscribing to the [[GDPRtoday|'''GDPRtoday newsletter''']]!<br />
<br />
In the <b>knowledge</b> section we collect commentaries on GDPR articles, DPA profiles, and 32 GDPR jurisdictions (EU + EEA). In this database you can find anything from the phone number of the Icelandic DPA to a deep dive into each article of the GDPR.<br />
<br />
Your ''noyb.eu'' Team<br />
<br />
<br />
{| class="desktop-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width=50%; padding: 5px;" |GDPR Decision Database<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; width=50%; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find 500+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon gdpr info 2.png|alt="GDPR Commentary"|center|100px|link=Article_1_GDPR]][[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |[[File:Icon dpa procedure 1.png|alt="DPAs & Procedures"|center|100px|link=:Category:DPA]][[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Member State Law]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Decision Database<br />
|-<br />
| colspan="3" |Here you can find 100+ national GDPR decisions, arranged by GDPR Article, DPAs or the relevant Courts.<br />
|- <br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr.png|center|100px|link=:Category:Decisions on GDPR Articles|alt="text"]] [[:Category:Decisions on GDPR Articles|Decisions by Articles]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa.png|center|100px|link=:Category:DPA Decisions|alt=]] [[:Category:DPA Decisions|DPA Decisions]]<br />
<br />
| style="text-align: center; vertical-align: top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon court.png|center|100px|link=:Category:Court Decisions|alt=]] [[:Category:Court Decisions|Court Decisions]]<br />
|}<br />
{| class="mobile-only" style="background-color:#f8f9fa; width:100%;" border="0"<br />
! colspan="3" style="text-align: center; background-color:#9c0a7d; color:#ffffff; padding: 5px;" |GDPR Knowledge<br />
|-<br />
| colspan="3" |Here you can find a commentary on the first 21 GDPR Articles, profiles on 32 DPAs and profiles on 32 GDPR jurisdictions.<br />
|- <br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon gdpr info 2.png|center|100px|link=Article 1 GDPR|alt="GDPR Commentary"]] [[Article 1 GDPR|GDPR Commentary]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 34% !important;" |<br />
[[File:Icon dpa procedure 1.png|center|100px|link=:Category:DPA|alt="DPAs & Procedures"]] [[:Category:DPA|DPAs & Procedures]]<br />
<br />
| style="text-align:center; vertical-align:top; border: 0px; padding: 5px; width: 33% !important;" |<br />
[[File:Icon jurisdictions.png|center|100px|link=:Category:Country Overview|alt="Jurisdictions"]] [[:Category:Country Overview|Jurisdiction Profiles]]<br />
|}<br />
<br /><br />
==Get a summary of new decisions with GDPRtoday!==<br />
[[File:GDPRtoday.png|right|350px|alt=|class=desktop-only|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
Our team will send you a quick overview of all national decisions of the past days from all across Europe - right to your mailbox and in English. Obviously it's free and you can cancel at any time!<br />
<br />
[[File:Newsletter button.png|200px|link=https://newsletter.noyb.eu/pf/433/5gqtL]]<br />
<br />
<br /><br />
<br />
==Start contributing today!==<br />
[[File:GDPRhub Submission Form.png|350px|alt=|border|right|class=desktop-only|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
Anyone can help add more information to this wiki, improve existing pages or correct mistakes in existing articles. Simply click the "edit" button at the top of any page and help grow open and freely available GDPR knowledge right now!<br />
<br />
[[File:submit.png|200px|link=https://gdprhub.eu/index.php?title=How_to_add_a_new_decision]]<br />
<br />
→ [[How to edit a page on GDPRhub]]<br />
<br />
→ [[How to add a new decision]]<br />
<br />
<br /><br />
<br />
==Become a GDPRhub Country Reporter today!==<br />
[[File:Gdprhub reporter.png|right|350px|alt=|class=desktop-only|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]We try to cover all EU/EEA member states and the UK. There are of course a lot of new decisions and we rely on volunteers to help with this effort. As a "country reporter", you will be informed about new decisions via email or our internal chat system and asked whether you can submit a summary. Having country reporters makes keeping the GDPRhub consistent, up to date and accurate much easier than solely relying on volunteers. Ideally you can update the GDPRhub for your home jurisdiction, whose decisions you may be aware of from your daily work anyway.<br />
<br />
[[File:Reporter button.png|200px|link=https://gdprhub.eu/index.php?title=GDPRhub_Country_Reporters]]<br />
<br />
→ [[GDPRhub Country Reporters|More Information]]<br />
<br />
<br /><br />
<br />
==Page Status==<br />
<br />
*<u>GDPR Decisions:</u> Currently the page includes 500+ [[:Category:DPA Decisions|DPA decisions]] and [[:Category:Court Decisions|Court decisions]], mainly from the end of 2019 and 2020. New decisions are constantly added.<br />
*<u>[[:Category:GDPR Articles|GDPR Commentary]]:</u> An initial basic commentary of Articles 1 to 21 is included. All other Articles need comments.<br />
*<u>[[:Category:DPA|DPA Profiles]]:</u> So far, profiles of about 10 DPAs are complete. The 16 German state DPAs are currently missing and will be added soon. All other DPA profiles include the basic information, but need to be completed.<br />
*<u>[[:Category:Country Overview|Jurisdiction Profiles]]:</u> So far, profiles of about 10 GDPR jurisdictions are complete. All other jurisdiction profiles include basic information but need to be completed.<br />
<br />
==Most active users==<br />
Here you can see the 10 most active users in the past 30 days (excluding ''noyb'' staff). If you want to top this list soon, create an account and start editing existing decisions or add a new decision to GDPRhub today!<br />
<br />
{{Special:ContributionScores/10/30/notools}}<br />
<br />
{{Special:ContributionScores/50/30}}<br />
<br />
__NOTOC__</div>
Hk
https://gdprhub.eu/index.php?title=UODO_(Poland)_-_ZSPR.421.2.2019&diff=12374
UODO (Poland) - ZSPR.421.2.2019
2020-11-23T22:26:33Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Poland<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoPL.png<br />
|DPA_Abbrevation=UODO<br />
|DPA_With_Country=UODO (Poland)<br />
<br />
|Case_Number_Name=ZSPR.421.2.2019<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=UODO<br />
|Original_Source_Link_1=https://uodo.gov.pl/decyzje/ZSPR.421.2.2019<br />
|Original_Source_Language_1=Polish<br />
|Original_Source_Language__Code_1=PL<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=10.09.2019<br />
|Date_Published=<br />
|Year=2019<br />
|Fine=2830410<br />
|Currency=PLN<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1a<br />
|GDPR_Article_3=Article 5(2) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#2<br />
|GDPR_Article_4=Article 6(1) GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR#1<br />
|GDPR_Article_5=Article 7(1) GDPR<br />
|GDPR_Article_Link_5=Article 7 GDPR#1<br />
|GDPR_Article_6=Article 24(1) GDPR<br />
|GDPR_Article_Link_6=Article 24 GDPR#1<br />
|GDPR_Article_7=Article 25(1) GDPR<br />
|GDPR_Article_Link_7=Article 25 GDPR#1<br />
|GDPR_Article_8=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_8=Article 32 GDPR#1b<br />
|GDPR_Article_9=Article 32(1)(d) GDPR<br />
|GDPR_Article_Link_9=Article 32 GDPR#1d<br />
|GDPR_Article_10=Article 32(2) GDPR<br />
|GDPR_Article_Link_10=Article 32 GDPR#2<br />
|GDPR_Article_11=Article 58(2)(i) GDPR<br />
|GDPR_Article_Link_11=Article 58 GDPR#2i<br />
|GDPR_Article_12=Article 83(3) GDPR<br />
|GDPR_Article_Link_12=Article 83 GDPR#3<br />
|GDPR_Article_13=Article 83(4)(a) GDPR<br />
|GDPR_Article_Link_13=Article 83 GDPR#4a<br />
|GDPR_Article_14=Article 83(5)(a) GDPR<br />
|GDPR_Article_Link_14=Article 83 GDPR#5a<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=WSA Warsaw (Poland)<br />
|Appeal_To_Case_Number_Name=[[II SA/Wa 2559/19]]<br />
|Appeal_To_Status=Appealed - Confirmed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Agnieszka Rapcewicz<br />
|<br />
}}<br />
<br />
The Polish DPA (UODO) fined the company Morele.net €660,000 for violating the principle of data confidentiality and failing to ensure the security and confidentiality of the personal data it processed. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
In November 2018, the Company reported to the President of the UODO two personal data breaches, which concerned unauthorised access to the customer database of its online shops and an unauthorised person gaining access to the account of a Company employee and, consequently, obtaining personal data of customers shopping in the above-mentioned online shops. In December 2018 the Company reported another breach consisting in unauthorised access to a Company employee account. UODO staff conducted an inspection at the Company. <br />
<br />
The DPA found that the Company violated the principle of confidentiality as a result of two attempts by unauthorised persons to gain access to the Company's employee panel and to the database of all the Company's clients. Access to the employee panel and to the data of all the Company's clients in the Company's database system materialised the risk to the rights and freedoms of the natural persons whose data the Company processes: the unauthorised persons used phishing, aimed at extracting data such as bank account credentials, by impersonating the Company in SMS messages and exploiting the fact that the customer had placed an order.<br />
<br />
===Dispute===<br />
<br />
Did the technical and organisational measures applied by the company comply with the standards of security measures in the business activity of entrepreneurs in the area of e-commerce of a scale and nature similar to the scale and nature of the company's activity in 2018? Were the technical and organisational measures applied by the company appropriate taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and objectives of the processing, as well as the risk of infringement of the rights or freedoms of natural persons of different probability and seriousness of the threat?<br />
===Holding===<br />
The DPA found that the company violated the rules of personal data processing and imposed a fine of PLN 2,830,410 on it.<br />
<br />
==Comment==<br />
In the opinion of the DPA, it was an ineffective means of authentication that contributed to the event of obtaining unauthorised access to the employee's panel. Due to the access of many people to the panel which contains the data of current purchase transactions of individual customers, and taking into account the risks associated with obtaining unauthorised access to data, the use of an authentication measure exclusively in the form of a login and password was insufficient.<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.<br />
<br />
<pre><br />
DECISION<br />
<br />
<br />
<br />
CP 421.2.2019<br />
<br />
<br />
<br />
Pursuant to Article 104(1) of the Act of 14 June 1960, the Code of Administrative Procedure (Journal of Laws of 2018, item 2096 as amended) and Article 7(1) and (2), Article 60, Article 101,<br />
<br />
Article 103 of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2018, item 1000 as amended) in relation to Article 5(1)(a) and (f), Article 5(2), Article 6(1), Article 7(1), Article 24(1), Article 25(1), Article 32(1)(b) and (d), Article 32(2), Article 58(2)(i) and Article 83(3), Article 83(4)(a) and Article 83(5)(a) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1 and OJ L 127, 23.05.2018, p. 2), following administrative proceedings concerning the processing of personal data by Morele.net Sp. z o.o. with its registered office in Krakow at ul. Fabryczna 20A, the President of the Office for Personal Data Protection<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
(2) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1, and OJ L 127, 23.05.2018, p. 2), hereinafter: "Regulation 2016/679", imposes on Morele.net Sp. z o. o. with its registered office in Krakow, ul. Fabryczna 20A, a fine of PLN 2,830,410 (equivalent to EUR 660,000), according to the average euro exchange rate announced by the National Bank of Poland in the table of exchange rates as of 28 January 2019.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
EXPLANATORY MEMORANDUM<br />
<br />
<br />
<br />
On [...] November 2018, Morele.net Sp. z o. o. with its registered office in Krakow at ul. Fabryczna 20A (hereinafter referred to as the "Company"), reported to the President of the Office for Personal Data Protection (hereinafter also referred to as the "President of UODO") two violations of personal data protection, which concerned unauthorised access to the customer database of the online shops morele.net, hulahop.pl, amfora.pl, pupilo.pl, trennujesz.pl, motoria.pl, digitalo.pl, ubrieramy.pl, meblujesz.pl, sklep-presto.pl, budujesz.pl and an unauthorised person obtaining access to [...], and consequently obtaining personal data of customers shopping in the above mentioned internet shops. Then, on [...] December 2018, the Company reported to the President of the Office for Personal Data Protection another infringement consisting in obtaining unauthorised access to [...].<br />
<br />
<br />
<br />
From [...] to [...] January 2019, in order to control the compliance of data processing with the provisions on personal data protection, control activities were carried out at Morele.net Sp. z o. o. with its registered office in Krakow at 20A Fabryczna Street. The scope of control included the processing of personal data of customers of the following online shops: morele.net, hulahop.pl, amfora.pl, pupilo.pl, trennujesz.pl, motoria.pl, digitalo.pl, ubrieramy.pl, meblujesz.pl, sklep-presto.pl, budujesz.pl, whose administrator is the Company.<br />
<br />
<br />
<br />
On the basis of the collected evidence, it has been established that in the process of personal data processing, the Company, as the controller, violated the provisions on personal data protection. These deficiencies consisted in: violation by the Company of the principle of data confidentiality expressed in Article 5(1)(f) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1, and OJ L 127, 23.05.2018, p. 2), hereinafter referred to as "Regulation 2016/679", reflected in the obligations laid down in Article 24(1), Article 25(1), Article 32(1)(b) and (d) and Article 32(2) of Regulation 2016/679, consisting in the failure to ensure the security and confidentiality of personal data processed, which resulted in unauthorised persons gaining access to the personal data of the Company's clients; and in a breach of the principles of legality, reliability and accountability expressed in Article 5(1)(a) and Article 5(2) of Regulation 2016/679, as specified in Article 7(1) and Article 6(1) of Regulation 2016/679, by not showing that personal data from instalment applications collected before 25 May 2018 were processed by Morele.net Sp. z o. o. with its registered office in Krakow on the basis of the consent of the data subject.<br />
<br />
<br />
<br />
The President of UODO, on the basis of the evidence gathered, established the following facts of the case:<br />
<br />
<br />
<br />
The Company's business includes retail sale via mail order houses or the Internet. The Company operates the online shops morele.net, hulahop.pl, amfora.pl, pupilo.pl, trennujesz.pl, motoria.pl, digitalo.pl, ubrieramy.pl, meblujesz.pl, sklep-presto.pl and budujesz.pl.<br />
<br />
In connection with its business, the Company processes personal data of customers who have registered on the morele.net website (and on the websites of the other shops mentioned above, whose administrator is the Company). The number of people whose data is processed by the Company is approximately 2,200,000 (approximately two million two hundred thousand). The scope of these data includes: name, surname, e-mail address, telephone number and delivery address, and access to these data is [...]. Until December 2018, the Company also processed data from instalment applications. The scope of these data included: first name, surname, e-mail address, telephone number, PESEL number, series and number of the identity document, date of issue of the identity document, expiry date of the identity document, education, registered address, correspondence address, source of income, monthly net income, household maintenance costs, number of dependants, marital status, amount of monthly other liabilities in financial institutions, information on the amount of maintenance and other liabilities resulting from court judgments (collected from 2016). Their total number was approximately 35 000 [...].<br />
<br />
[…].<br />
<br />
On [...] November 2018, the Company was informed by clients that they were receiving short text messages informing them of the need to pay an additional fee of PLN 1 in order to complete their order. The message contained a link to a fake DotPay electronic payment gateway. The Company immediately notified the Police of the incident and attempted to clarify the matter.<br />
<br />
[…]<br />
<br />
The breach of personal data protection was found by the Company on [...] November 2018.<br />
<br />
After carrying out monitoring activities, on [...] November 2018 the Company reported the breach to the President of the Office for Personal Data Protection. Moreover, the Company posted a warning about the false text messages on its website. The same information was sent by the Company to clients by e-mail and text message. On [...] December 2018, the Company again informed the data subjects about the breach, informing them, among other things, about potential access to data from instalment applications.<br />
<br />
As indicated in the reports sent to the President of the Office for Personal Data Protection and supplementary reports, the Company undertook work on introducing additional technical security measures, among others in the form of [...].<br />
<br />
On [...] November 2018, the Company received an e-mail from an unknown person informing it of the theft of the Company's customer database.<br />
<br />
On [...] November 2018, the Company reported to the President of the Office for Personal Data Protection a breach concerning potential unauthorised access to the Company's customer database. The infringement concerned approximately 2 200 000 (approximately two million two hundred thousand) users.<br />
<br />
On [...] December 2018, the Company sent 2,200,000 (approximately two million two hundred thousand) e-mail messages to the clients containing a notification of unauthorised access to the clients' database (the content of the notification of data subjects was sent to the Office in addition to the notification of the infringement). In the above information addressed to customers, the Company informed that it does not process data from credit applications.<br />
<br />
On [...] December 2018, the Company identified another unauthorised access to [...], used to resend false text messages; the 600 persons whose data the unauthorised person had accessed were informed. On [...] December 2018, this breach was reported to the President of the Office for Personal Data Protection.<br />
<br />
Because the notification of the data subjects did not meet the requirements set out in Article 34 of Regulation 2016/679, on [...] January 2019 the President of the Office for Personal Data Protection, pursuant to Article 52(1) of the Act on Personal Data Protection of 10 May 2018 (Journal of Laws of 2018, item 1000, as amended), requested the Company to inform the data subjects about the breach of their personal data again and to provide them with recommendations on how to minimise its potential effects. In response to the request of the President of the Office for Personal Data Protection, the Company once again sent the notification of a personal data breach to 35,000 (thirty-five thousand) persons.<br />
<br />
In order to determine the circumstances of the data protection violations reported by the Company and to determine the technical security measures applied by the Company, the measures applied to minimize the effects of the violation and to prevent similar events, on [...] January 2019, the President of the Office for Personal Data Protection sent a request to the Company for explanations.<br />
<br />
In response to the call of [...] January 2019, by letter of [...] January 2019, the Company provided extensive explanations, including, inter alia: a description of the Company's activities following the incident, a description of the technical and organisational security measures applied by the Company, a description of the procedure for handling the requests of the data subjects.<br />
<br />
To its explanations of [...] January 2019, the Company attached the financial statements for the financial year from 1 January 2017 to 31 December 2017, from which it follows that the net revenue from sales and equivalent items amounted to: […].<br />
<br />
As established in the course of the audit, making purchases in the online shops administered by the Company requires prior registration. The information necessary to set up an account consists of an e-mail address and a password for the user account, which is entered by the shop's customer. After logging in, the user is able to enter his or her first name, surname, address and telephone number (the basic data necessary for delivery of the purchased goods). The user account exists in the Company's system until the agreement is terminated, i.e. until the account is deleted by the user.<br />
<br />
As established in the course of the audit, the Company's documentation concerning the processing of personal data was updated in 2016. In 2017, the Company began work on applying the provisions of Regulation 2016/679 with regard to adapting the website, user profile and newsletter, adapting documents within the Company, the circulation of documents within the Company, and physical and technical security measures. As indicated in the explanations taken during the audit, the Company carried out risk analysis on an ad hoc basis for individual processes, in an informal manner.<br />
<br />
In the course of the audit, a copy of the Company's internal document entitled "Report after the database was stolen" (Annex B10 to the inspection report) was obtained, [...].<br />
<br />
[…].<br />
<br />
As established during the audit, the module supporting [...] does not record the information entered by the Client in the Company's database. […]<br />
<br />
According to the explanations adopted during the audit, the Company has never collected data on scans of identity cards belonging to customers submitting [...]. The instalment purchase form from around [...] October 2018 contained space to enter only the amount of maintenance obligations or the amount of obligations arising from other court decisions. The Company does not confirm that such data was recorded in the database deleted in December 2018.<br />
<br />
By letter of [...] February 2019, the Company requested the President of the Office for Personal Data Protection to examine the case as a matter of urgency, indicating that, due to the media coverage of the case and uncertainty as to how the President of the Office for Personal Data Protection would conclude it, any lengthy examination of the case might pose a threat to the functioning of the Company. […].<br />
<br />
In connection with the above, on [...] June 2019, in the letter mark: ZSPR.421.2.2019/43412, the President of the Office for Personal Data Protection initiated ex officio administrative proceedings in respect of the identified breaches, in order to clarify the circumstances of the case.<br />
<br />
<br />
<br />
In response to the notice of initiation of administrative proceedings, the Company's proxy (power of attorney in the case file), by letter of [...] July 2019, submitted explanations, in which he indicated, inter alia, that:<br />
<br />
<br />
<br />
In the Company's opinion, the findings made during the audit do not indicate that the Company has infringed Article 5(1)(f), Article 24(1), Article 25(1), Article 32(1)(b) and (d) and Article 32(2) of Regulation 2016/679 in the processing of personal data.<br />
<br />
In the course of the inspection (in accordance with the request of the inspectors), the Company submitted the content of the consent clause legalizing the processing of data from instalment applications, therefore it cannot be considered that the Company processed data from instalment applications without a legal basis and, as a result, it is not correct for the President of the Office for Personal Data Protection to state that in this respect the Company violates Article 5(1)(a) and Article 5(2) of Regulation 2016/679.<br />
<br />
The Company had security measures, technical and organisational, adequate to the identified threats, taking into account the conditions specified in Article 24 and Article 32 of Regulation 2016/679.<br />
<br />
The Company has been analysing the risks of the existing threats on an ongoing basis and has been implementing new and up-to-date methods to ensure the security of the processed data, taking into account the conditions specified in Article 24 and Article 32 of Regulation 2016/679.<br />
<br />
The Company does not agree with the allegation that it did not assess and monitor, on an ongoing basis, potential threats to the rights and freedoms of the persons whose data it processes, as for many years the Company has regularly conducted research, verified threats and hired external companies to carry out security audits. In the course of the audit, the Company provided a number of pieces of evidence of this, [...].<br />
<br />
The company also referred to the list of security measures applied, submitted during the audit.<br />
<br />
In the Company's opinion, indirect evidence confirming the ongoing monitoring of threats and the implementation of adequate security measures is the Company's reaction to the suspected data leak that took place in November 2018. The Company updated its risk assessment, implemented new safeguards [...] and stopped collecting data from the instalment forms. These actions were not of a one-off nature (prompted by a security incident). The Company always took appropriate action when, on the recommendation of the IT team or the data protection officer (IOD), it was necessary to update, upgrade or expand the safeguards for personal data processing.<br />
<br />
The Company's security monitoring is confirmed by orders which are drawn up in order to improve the security features, [...].<br />
<br />
The Company also disagrees with the allegation that potential threats are not monitored on an ongoing basis. Such a claim is not confirmed by any evidence gathered during the inspection. On the contrary, in the Company's opinion, the evidence gathered indicates that action has been taken in this respect. The President of UODO did not specify to what specific extent, in his opinion, the Company has failed to comply with the obligation to monitor the threats on a current basis, which makes it impossible to more precisely refer to the allegation formulated and to formulate additional evidential conclusions.<br />
<br />
Regulation 2016/679 imposes an obligation on administrators to provide adequate (for threats) safeguards, and not safeguards effective in all circumstances. The risks associated with the processing always exist, regardless of the means used. The task of the administrator is to minimize them by applying appropriate measures, which the Company has done and does.<br />
<br />
Contrary to the claims of the President of the Office for Personal Data Protection (UODO) concerning the selection of ineffective measures at the level of network traffic monitoring, the Company does monitor network traffic, as evidenced by the technical security measures adopted, including network traffic monitoring, i.e. [...].<br />
<br />
The Company also points out that the "Report after the database was stolen" (Annex B10 to the inspection report) would not have been created if the Company had not monitored the traffic (see the table indicating the level of network traffic).<br />
<br />
In the Company's opinion, there are no grounds for concluding that the Company did not examine the level of data security on an ongoing basis and did not adjust it to the identified threats.<br />
<br />
In the Company's opinion, the allegation of failure to assess the risk of gaining access to [...] is not confirmed by the evidence gathered during the audit. The risk analysis conducted by the Company shows that only authorised persons (employees of the Company), who have been granted appropriate rights, had access to [...].<br />
<br />
The Company also points out that Regulation 2016/679 requires the analysis and evaluation of personal data processing processes, not individual IT systems. The IT systems (and their security) are only applied technical means referred to e.g. in Article 24(1) of Regulation 2016/679 or in Article 32(1) of Regulation 2016/679.<br />
<br />
The analysis of the facts and the reassessment of the risks have led the Management Board to decide [...].<br />
<br />
As the President of UODO summarised the allegations and concluded that an earlier implementation and the introduction of additional measures could significantly reduce the risk of unauthorised access, the Company notes that this claim was not supported by any arguments, as well as a justification as to why it was inappropriate in view of the safeguards applied by the Company.<br />
<br />
According to the Company's assessment, the technical and organisational security measures applied were appropriate to the risks related to the processing of personal data, in accordance with Articles 24(1) and 32(1) of Regulation 2016/679. There are no grounds to the contrary in the evidence. The Company is of the opinion that the technical and organisational security measures applied were adequate to the risks and met the conditions specified in the regulations.<br />
<br />
Referring to the allegation of the President of the Office for Personal Data Protection that the Company is not able to precisely indicate the date on which the functionality of saving data from instalment applications was activated, the Company indicates that the content of the consent is on the first page of Annex A22 and Annex A23 to the control protocol. […]. Therefore, the allegation of the President of the Office for the Protection of Personal Data in this respect is incorrect and is not supported by the collected evidence.<br />
<br />
The evidence does not justify the allegation made by the President of the Office for the Protection of Personal Data that the Company does not have a documented analysis of the data processing process with regard to the functionality of recording data from instalment applications. The evidence shows that the Company has verified, evaluated and monitored the data processing process related to instalment applications on an ongoing basis. An example of the conducted analysis is [...] determining the content of the consent, which was prepared in connection with the current analysis of the processing process.<br />
<br />
As an example of the analysis and application of appropriate (adequate) technical measures to personal data related to [...]. Only the shop's user (customer) was able to display the data when next filling in the form (privacy by default).<br />
<br />
The company argued that according to the principle of accountability, the controller is obliged to demonstrate compliance with Regulation 2016/679, but may use any means, including system logs, procedures (whether documentary or not). In this case, an example of ensuring accountability is [...].<br />
<br />
Referring to the allegation of the President of the Office for the Protection of Personal Data that the Company deleted personal data from installment applications without detailed analysis, the Company indicates that Regulation 2016/679 allows and orders the deletion of data at the moment when the controller ceases to have the purpose of processing. The Company has completed the processing of data whose processing was based on consent and had no other purposes of processing, so the data were deleted. The closure of the process was motivated by a risk analysis carried out in connection with correspondence with the blackmailer.<br />
<br />
Referring to the remark of the President of the Office for Personal Data Protection that the Company did not document the deletion of the data, the Company indicates that due to the closure of the data processing process, the process was deleted from the Register of Processing Activities. The deletion of the database has also been documented [...]. Moreover, the President of the Office for Personal Data Protection has not indicated the provision which the Company would violate in connection with the removal of the database.<br />
<br />
In the Company's opinion, the evidence gathered in the case does not justify the statement of the President of the Office for Personal Data Protection that the Company processed personal data from instalment applications without a legal basis, i.e. without the consent of the data subject, as the content of the collected consents is included in Annex A22 and Annex A23 to the control protocol.<br />
<br />
Moreover, in the letter responding to the notice of initiation of administrative proceedings, the Company's attorney asked the President of the Office for the Protection of Personal Data about the following<br />
<br />
<br />
<br />
admitting and taking evidence from an expert opinion in the field of information systems security in order to:<br />
a) establish the technical and organisational standards of security measures in the business activity of e-commerce entrepreneurs of a scale and nature similar to that of the Company in 2018;<br />
b) assess whether the technical and organisational measures applied by the Company complied with the standards of security measures in the business activity of e-commerce entrepreneurs of a scale and nature similar to the scale and nature of the Company's activity in 2018;<br />
c) assess whether the technical and organisational measures applied by the Company were appropriate taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risk to the rights or freedoms of natural persons of varying likelihood and severity;<br />
<br />
attach to the file of proceedings a copy of the existing correspondence between the UODO and the Company (the Company's letter of [...] January 2019, the Company's letter of [...] February 2019, as well as reports of violations made by the Company). <br />
<br />
By order of [...] August 2019, the President of the Office for Personal Data Protection refused the Company's request to admit and take evidence from an expert opinion.<br />
<br />
<br />
<br />
In response to the order of [...] August 2019 and the information about the evidence gathered of [...] August 2019, the Company's attorney maintained the Company's existing position and requested that the administrative proceedings in question be discontinued. In particular, the Company maintains its previously expressed position that there is no evidence indicating a breach of personal data protection regulations by the Company, in particular with respect to the application of appropriate security measures, and does not agree with the statement of the President of the Office for Personal Data Protection, contained in the notice of initiation of proceedings of [...] June 2019, that the provisions of Regulation 2016/679 were breached.<br />
<br />
<br />
<br />
After reviewing all the evidence gathered in the case, the President of the Office for Personal Data Protection weighed the following:<br />
<br />
<br />
<br />
Article 5 of Regulation 2016/679 formulates the principles relating to the processing of personal data which must be respected by all controllers, i.e. the entities which alone or jointly with others determine the purposes and means of the processing of personal data. According to Article 5(1)(f) of Regulation 2016/679, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").<br />
<br />
<br />
<br />
In accordance with Article 24(1) of Regulation 2016/679, taking into account the nature, scope, context and purposes of the processing, and the risks of violation of the rights or freedoms of natural persons of varying degrees of likelihood and gravity, the controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with this Regulation and to demonstrate this. Those measures shall be reviewed and updated as necessary.<br />
<br />
<br />
<br />
Pursuant to Article 25(1), both in determining the means of processing and during the processing itself, the controller shall implement appropriate technical and organisational measures designed to effectively implement data protection principles (data protection by design).<br />
<br />
<br />
Pursuant to Article 32(1)(b) of Regulation 2016/679, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and, pursuant to Article 32(1)(d) of Regulation 2016/679, a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.<br />
<br />
In accordance with Article 32(2) of Regulation 2016/679, when assessing whether the degree of security is adequate, the controller shall in particular take account of the risks represented by the processing, in particular those arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.<br />
<br />
<br />
<br />
The provisions of Articles 24(1), 25(1), 32(1)(b) and (d) and 32(2) of Regulation 2016/679 thus give concrete form to the principle of confidentiality set out in Article 5(1)(f) of Regulation 2016/679. The matter in question should therefore be examined with a view to whether the technical and organisational measures applied met those conditions.<br />
<br />
<br />
<br />
The principle of confidentiality, the correct implementation of which ensures that data are not made available to unauthorised persons, was breached in the facts of the case as a result of access being obtained to [...] twice. [...] and to the data of all clients from the Company's database system resulted in the materialisation of the risk to the rights and freedoms of the natural persons whose data are processed by the Company, in the form of the method known as phishing, aimed at extracting data, including bank account credentials, by impersonating the Company in SMS messages and exploiting the fact that the client had placed an order.<br />
<br />
<br />
<br />
In the opinion of the President of the Office for Personal Data Protection, the breach of confidentiality in question should be considered from the perspective of two events: obtaining unauthorized access to [...] and obtaining data of all clients from the Company's database system.<br />
<br />
<br />
<br />
In the facts of the case in question, in the opinion of the President of the Office for the Protection of Personal Data, an ineffective means of authentication has contributed to the event of unauthorised access [...].<br />
<br />
<br />
<br />
As indicated by the Company in its letter of [...] January 2019, as soon as an infringement consisting in obtaining access [...] by an unauthorised person has been detected, work has been undertaken to introduce additional technical security measures, inter alia, in the form of [...].<br />
<br />
<br />
<br />
The President of the Office for Personal Data Protection, in the notice of initiation of administrative proceedings, indicated that the Company has failed to fulfil the obligation resulting from art. 32 sec. 1 and 2 of Regulation 2016/679 consisting in the selection of effective technical and organisational measures at the level of access control and authentication. In response, the Company indicated that its employees receive appropriate rights and authorisations to access particular IT systems and databases, and such access is supervised by a team of administrators. Furthermore, the Company indicated that the IT team of the Company monitors the functioning of [...] on an ongoing basis and adapts solutions to market standards and threats, and that the solutions applied in the Company [...] enabled the detection of unusual behaviours.<br />
<br />
<br />
<br />
In the opinion of the President of the Office for the Protection of Personal Data, due to [...]. As it results from the material collected in the course of the audit, the Company used external security auditors (Annex B11 and B12 to the audit protocol) and implemented their recommendations regarding the identified vulnerabilities in the software code used for personal data processing. In the opinion of the supervisory authority, the ability to ensure continuous confidentiality was insufficiently assessed and the risks associated with obtaining unauthorised access were not taken into account [...]. As the Company indicated in its response to the notice of initiation of administrative proceedings, 'it is not the aim of this regulation to eliminate the risk in full, which cannot be done, but only to implement technical and organisational solutions which are appropriate and proportionate, taking into account the criteria assessed' and that Regulation 2016/679 'imposes on controllers the obligation of adequate (to the risks) safeguards, not safeguards effective in all circumstances'.<br />
<br />
<br />
<br />
It should be pointed out here that access control and authentication are essential security measures for protecting against unauthorised access to the IT system used to process personal data. Providing access to authorised users and preventing unauthorised access to systems and services is one of the example security controls indicated, among others, by the PN-EN ISO/IEC 27001:2017-06 standard. As follows from Article 32(1) of Regulation 2016/679, one of the factors to be taken into account when selecting appropriate technical and organisational measures is the state of the art, which should be assessed taking into account market conditions, in particular the availability and market acceptance of a given technical solution. Specific guidance in this respect is provided by existing standards and norms, in particular ISO standards, which are themselves subject to constant review and development in line with technological progress.<br />
<br />
<br />
<br />
The European Network and Information Security Agency (ENISA), in its guidelines on the security of personal data processing issued in 2016[1], taking into account the above-mentioned standard (in its 2013 version) and the provisions of Regulation 2016/679, recommends the use of two-factor authentication for systems involving access to personal data as part of access control and authentication.<br />
<br />
<br />
<br />
In accordance with the risk-based approach resulting, inter alia, from Article 25(1) of Regulation 2016/679, the choice of the appropriate means of authentication should be based on a risk assessment of the underlying transaction or service. The standard PN-ISO/IEC 29115:2017-07 ("Information technology - Security techniques - Entity authentication assurance framework"), as well as recitals 75 and 85 of Regulation 2016/679, indicate the possible consequences of an authentication failure depending on the assurance level used, including unauthorised disclosure of confidential information or financial loss.<br />
<br />
<br />
<br />
The importance of properly selected technical measures for access control and authentication is also emphasised by other information security organisations.<br />
<br />
<br />
<br />
The OWASP Foundation, an international non-profit organisation whose aim is to develop and disseminate good practices addressed to software developers, in its document "OWASP Top 10 - 2017"[2] presents a list of the most critical security risks to web applications together with methods of preventing them. One of them is broken authentication (typically single-factor). As a preventive measure, it recommends implementing multi-factor authentication as a way to significantly reduce the risk of a security breach.<br />
<br />
<br />
<br />
Both this document and the standard mentioned above also refer to the publication of the US federal agency, the National Institute of Standards and Technology (NIST): NIST SP 800-63B, "Digital Identity Guidelines: Authentication and Lifecycle Management"[3].<br />
<br />
<br />
<br />
PN-ISO/IEC 29115:2017-07, NIST SP 800-63B and the OWASP publications all indicate that the selection of an appropriate means of authentication should be preceded by a risk analysis and be subject to continuous review.<br />
<br />
<br />
<br />
The risk, on the facts of the case in question, was that of the method known as phishing, aimed at fraudulently obtaining data, among other things bank account credentials, by impersonating the Company in SMS messages and exploiting the fact that the customer had placed an order. As the literature indicates, among phishing attacks one can distinguish attacks targeted at specific groups of people (so-called spear phishing), in which the attacker devotes time to obtaining information about the target and creating a personalised message related to that person's situation (in the case in question, a person who had made a purchase). This makes such messages (in the case in question, a text message calling for an additional fee of PLN 1 in order to complete the order, with a link to a fake DotPay electronic payment gateway) difficult to detect and defend against.<br />
<br />
<br />
<br />
According to the annual reports on the activity of CERT Polska for 2016, 2017 and 2018, phishing is one of the most common types of incidents and the most distinctive category in comparison with other attacks, and the percentage of incidents of this type is still at a similar level (in 2018 about 44 percent). As CERT Polska indicates, the most common motive for criminals is the desire to obtain credentials for various websites, including banks. Moreover, the scenarios of impersonating payment intermediaries, which took place in the facts of the case, became in 2018 the most popular attack on e-banking users, causing significant financial losses. CERT Polska indicates that the first such practices took place as early as 2017, which is also confirmed by press reports.<br />
<br />
<br />
<br />
In the facts of the case in question, in the opinion of the President of the Office for Personal Data Protection, ineffective monitoring of potential threats to the rights and freedoms of the persons whose data are processed by the Company contributed to the event consisting in unauthorised access being gained to clients' data from the Company's database system.<br />
<br />
<br />
<br />
As the Company indicates in its letter of [...] July 2019, the indication by the President of the Office for the Protection of Personal Data in the notice of initiation of administrative proceedings that the potential risks are not being monitored on an ongoing basis 'does not find (...) confirmation in any evidence gathered during the inspection'. Moreover, the Company indicated that "contrary to the claims of the President of the Office for the Protection of Personal Data Protection concerning the selection of ineffective measures", it monitors network traffic and indicated the adopted technical security measures in this respect, among others [...].<br />
<br />
<br />
<br />
In the opinion of the President of the Data Protection Office, despite the application of such a solution, the Company was not able to react to an unusual event in the monitoring system consisting of increased data transfer. The document "Report after database stealing" (Annex B10 to the inspection report) indicates that [...].<br />
<br />
<br />
<br />
The presented facts indicate that the Company, from October 2018 to January 2019, had no knowledge of the reasons for the increased data transmission. […]. In the opinion of the President of the Office for Personal Data Protection, the measures adopted by the Company could have been effective if they had been properly adapted and if a procedure for responding to adverse events, such as abnormal network traffic, had been implemented. ENISA, in its guidelines on the security of personal data processing, also indicates that the monitoring of events in IT systems is an important element enabling the identification of potential internal or external threats. This task should be carried out through appropriately implemented procedures and a notification system for adverse events.<br />
<br />
<br />
<br />
As emphasised in recital 76 of Regulation 2016/679 (the recitals set out the reasoning behind the provisions of the operative part, i.e. the articles, of the act, which in this case is a regulation), the risks should be assessed on the basis of an objective assessment of whether there are risks or high risks associated with the processing operations. At the same time, account should be taken of the sources of the risks related to the nature of the data, the scope of the processing, the context and the purposes, as well as of the other elements referred to in recital 75 of Regulation 2016/679, taking into account Article 32 of Regulation 2016/679, including in particular the relationship between these sources and data security and the consequences of failure to ensure such security (Article 32(2)).<br />
<br />
<br />
<br />
In accordance with Article 32(2) and having regard to recital 83 of Regulation 2016/679, when assessing whether the level of security is adequate, account shall be taken in particular of the risks associated with the processing (in particular those arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed), which may in particular lead to physical, material or non-material damage (recital 83).<br />
<br />
<br />
<br />
In the facts of the case, the Company, when processing personal data of more than 2 200 000 users, which is to be considered a large-scale processing of personal data and taking into account the scope of the data and context of the processing, was obliged to assess and monitor potential threats to the rights and freedoms of persons whose data it processes more effectively on an ongoing basis.<br />
<br />
<br />
<br />
Regular testing, measurement and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing is the responsibility of each controller and processor under Article 32(1)(d) of Regulation 2016/679. The controller is therefore obliged to verify both the selection and the level of effectiveness of the technical measures applied. The complexity of this verification should be assessed in terms of its adequacy to risks and proportionality in relation to the state of technical knowledge, implementation costs and the nature, scope, context and objectives of the processing.<br />
<br />
<br />
<br />
In the facts of the case, the Company fulfilled this obligation only partially, by verifying only the level of effectiveness of the implemented security measures in terms of known vulnerabilities in the implemented software - as indicated by the security audits of the already functioning IT systems used for processing data of the Company's customers [...]. In the opinion of the President of the Office for Personal Data Protection, the Company did not undertake any actions aimed at assessing the selection of technical and organisational measures from the perspective of their adequacy to the risks. Reviewing and updating the implemented solutions is also a requirement formulated directly in Article 24(1), second sentence, of Regulation 2016/679, and also follows from Article 25(1) of Regulation 2016/679, which establishes the obligation to ensure privacy by design and requires the controller to implement appropriate technical measures both in the phase of determining the means of processing and in the phase of the processing itself. In doing so, taking into account the nature, scope, context and purposes of the processing and the resulting risks to the rights and freedoms of individuals, the controller is obliged to implement appropriate technical and organisational measures.<br />
<br />
<br />
<br />
It should be indicated that an earlier implementation of [...] December 2018. [...] and implementation of [...] would have significantly reduced the risk of access by an unauthorised person, and thus minimised the risk of infringing the rights or freedoms of the natural persons whose data are processed by the Company, i.e. of making the data available to unauthorised recipients.<br />
<br />
<br />
<br />
To sum up, in the opinion of the President of the Office for the Protection of Personal Data, the technical and organisational measures applied by the Company met the requirements of Article 32 of Regulation 2016/679 only to a limited extent, as the foreseeable risks were not adequately minimised and limited during the processing.<br />
<br />
<br />
<br />
The requirement in Article 5(1)(a) of Regulation 2016/679 requires the controller to process the data lawfully, fairly and transparently to the data subject. The requirement to ensure the lawfulness of data processing operations implies, inter alia, the need to meet at least one of the conditions for the lawfulness of data processing laid down in Article 6 of Regulation 2016/679 and the need to ensure compliance with other provisions on personal data protection.<br />
<br />
<br />
<br />
According to Article 6(1)(a) of Regulation 2016/679, processing is lawful where the data subject has consented to the processing of his or her personal data for one or more specified purposes. As follows from Article 4(11) of Regulation 2016/679, the data subject's consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.<br />
<br />
<br />
<br />
Moreover, under Article 7(1) of Regulation 2016/679, where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data. The controller should therefore implement organisational or technical measures which make it possible to prove the data subject's consent, in particular by recording the fact that consent was obtained.<br />
<br />
<br />
<br />
The collection and recording of information on who gave consent and what its content was, when it was given, what information was provided to the data subject when he or she made the statement of consent, what information was provided on the manner in which consent was given, and whether consent was withdrawn and, if so, when, is to be regarded as correct for the purposes of proof in accordance with Article 7(1) of Regulation 2016/679. The controller's possession of the above-mentioned information on the data subject's consent is a specific expression of the general principle of accountability formulated in Article 5(2) of Regulation 2016/679. Where the controller is unable to prove that, and what, consent to data processing was given by the data subject, such consent may be called into question.<br />
<br />
<br />
<br />
As established during the audit, the Company collected data from instalment applications in order to make it easier for customers to apply for subsequent instalment purchases (auto-filling of the instalment form). As indicated in the explanations, these data were not used by the Company for any other purpose. The Company is not able to indicate precisely the date on which the functionality of saving data from instalment applications was launched (probably in 2016) and does not have a documented analysis of the data processing in this respect. The evidence suggests that around [...] December 2018 the Company, on an oral recommendation of [...], deleted the customer database from the so-called 'instalment applications'. No detailed analysis was carried out in this respect and the deletion was not documented.<br />
<br />
<br />
<br />
With regard to the explanations concerning the violation of the principles of lawfulness, reliability and accountability in the processing of personal data from instalment applications, it should be strongly emphasised that the Company has not been able to demonstrate since when it collected personal data in order to facilitate the completion of future applications [...], and in this respect has not provided any statement of consent to such processing. The [...] printout only indicates that it was only in the context of the amendment of the data protection legislation ("in connection with TODO") that two consents were to be added on [...].<br />
<br />
<br />
<br />
Since consents were obtained only after the entry into force of Regulation 2016/679, while the process itself had been running since 2016 (according to the Company's explanation), it should be assumed that the deleted database contained data collected without a legal basis. […].<br />
<br />
<br />
<br />
In the course of the audit, the Company did not present any clauses or templates of applied consents collected prior to the application of Regulation 2016/679, therefore it should be stated that the controller did not demonstrate that it obtained appropriate consents from persons whose data it collected in the period from 2016 (as indicated in the explanatory notes - the period from which the Company started to collect data from instalment applications) to May 2018 for processing of data from instalment applications.<br />
<br />
<br />
<br />
For these reasons, the Company's explanations concerning the completed processing of the data, in the absence of other evidence, are not sufficient to consider that the processing itself was carried out in accordance with the law, including on the basis of a properly formulated ground of consent.<br />
<br />
<br />
<br />
Such an approach of the Company to the data processing process, although the process itself is considered closed (the data have been erased), undermines the basic principles of data processing, including the principle of lawfulness and reliability set out in Article 5(1)(a) of Regulation 2016/679, as the controller must always be able to demonstrate that personal data are processed lawfully. In turn, the principle of accountability (Article 5(2) of Regulation 2016/679) requires the controller to be able to demonstrate that it complies with its obligations under the provisions on personal data protection. These requirements apply to all stages of data processing, including situations where there are data protection violations or substantial changes in the processing. Accountability therefore applies not only at the time of the collection of personal data, but at all times during the processing, regardless of the information provided or the method of communication. The Company sent its customers a notice of unauthorised access to the customer database in which it informed them that the unauthorised access did not concern the information provided in the instalment applications because it does not collect such data, which could mislead the customers. For these reasons, the controller's decision to delete the data, which was not preceded by a well-founded analysis, proves that the basic principles of personal data protection referred to above were not respected.<br />
<br />
<br />
<br />
In view of the foregoing, the President of the Office for the Protection of Personal Data, in exercising his power under Article 58(2)(i) of Regulation 2016/679, according to which each supervisory authority has the power to impose, in addition to or instead of the other remedies provided for in Article 58(2)(a) to (h) and (j) of that Regulation, an administrative penalty payment pursuant to Article 83 of Regulation 2016/679, has concluded, in view of the circumstances set out in that procedure, that in the present case there are grounds for imposing an administrative penalty payment on the Company.<br />
<br />
<br />
<br />
When deciding to impose an administrative fine on the Company, the President of the Office for Personal Data Protection, pursuant to Article 83(2)(a-k) of Regulation 2016/679, has taken into account the following circumstances of the case, which are aggravating and affect the level of the financial penalty imposed:<br />
<br />
<br />
<br />
a) the Company has not complied with the obligation to apply appropriate technical and organisational measures to ensure a level of security corresponding to the risk of unauthorised access to the personal data of its customers, which resulted in [...] being accessed twice by an unauthorised person or persons, and consequently in access to the database of all the Company's customers, approximately 2,200,000 (approximately two million two hundred thousand) persons in total; thus, the Company's actions aimed at ensuring the security of data processing prior to the occurrence of the breach should be considered ineffective, as they did not contribute to eliminating the risk of damage;<br />
<br />
<br />
<br />
(b) the infringement of Article 5(1)(f) in conjunction with Article 32(1)(b) and (d) in conjunction with Article 32(2) of Regulation 2016/679, consisting in unauthorised access to the Company's employee panel by an unauthorised person or persons, and consequently also access to the Company's customer database, is of considerable importance and of a serious nature, as it poses a high risk of negative legal consequences for approximately 2 200 000 (approximately two million two hundred thousand) persons whose data were accessed by an unauthorised person or persons; significantly, since the confidentiality of the Company's IT system was breached twice, the risk is proportionally higher in the case of 600 (six hundred) persons; the Company's breach of its obligation to apply measures ensuring the security of the processed data, before the data were made available to unauthorised persons, entails a potential but real possibility of the data being used by third parties without the knowledge and against the will of the data subjects, contrary to the provisions of Regulation 2016/679, e.g. the Act on the Protection of Individuals with regard to the Processing of Personal Data (Journal of Laws of 2009, No. 153, item 259, as amended). The fact that the Company, which processes personal data professionally as part of its business activity, bears greater responsibility and is held to a higher standard than an entity processing personal data as a secondary, incidental or small-scale activity, also has a significant impact on the gravity of the breach; when conducting commercial activities and at the same time collecting data via the Internet, the Company, as the controller of such data, should take all necessary actions and exercise due diligence in the selection of technical and organisational measures to ensure the security and confidentiality of the data; the factual findings made by the President of the Office for Personal Data Protection prove that the Company did not meet this requirement at the time of the occurrence of the identified violations;<br />
<br />
<br />
<br />
(c) the infringement of Article 5(1)(f), Article 32(1)(b) and (d) and Article 32(1)(c). The fact that the Company, despite declaring network system monitoring and response in a 24/7 system (twenty-four hours a day, seven days a week), did not detect in real time, i.e. between 07.10.2018 and 14.10.2018, the increased traffic on the server's network gateway and did not take any remedial action at that time to prevent access to the data of approximately 2,200,000 (approximately two million two hundred thousand) individuals who are the Company's clients, deserves a particularly reprehensible assessment. In this state of affairs, the Company's negligence must be regarded as gross;<br />
<br />
<br />
<br />
(d) the breach consisting in the failure to ensure the security and confidentiality of the data continued at least from [...] November 2018 (when the Company's clients reported receiving text messages demanding an additional fee of 1 PLN in order to complete the order, with a link to the false DotPay electronic payment gateway) until [...] December 2018 (i.e. the introduction by the Company of additional technical security measures), which should be considered a relatively short period of time; however, this circumstance cannot have a mitigating effect on the decision of the supervisory authority, as the infringement concerned a significant number of natural persons; a data leak affecting 2,200,000 (approximately two million two hundred thousand) people - even if it is a short-term or one-off event - should be assessed strictly, due to its nature, high importance and scope, as well as its possible long-term consequences for data subjects.<br />
<br />
<br />
<br />
When determining the amount of the administrative fine, the President of the Office for the Protection of Personal Data also took into account mitigating circumstances affecting the final penalty, i.e.:<br />
<br />
<br />
<br />
(a) the Company takes all possible measures to remedy the infringement; as established in the course of the proceedings, the Company has introduced, inter alia, [...];<br />
<br />
<br />
<br />
(b) good cooperation on the part of the Company, which cooperated with the President of the Office for Personal Data Protection both during the inspection and during the present proceedings in order to remedy the breach and mitigate its possible negative effects; the Company sent explanations and responded to the communications of the President of the Office for Personal Data Protection within the prescribed time limits, so the degree of cooperation should be assessed as complete;<br />
<br />
<br />
<br />
(c) there is no evidence that data subjects have suffered material damage, but the breach of confidentiality of the data itself constitutes non-pecuniary damage (harm); natural persons whose data have been unlawfully accessed may at least be afraid of losing control over their personal data, of identity theft or identity fraud, or of financial loss;<br />
<br />
<br />
<br />
(d) it has not been established that the Company has previously committed an infringement of the provisions of Regulation 2016/679 that would be relevant to this proceeding.<br />
<br />
<br />
<br />
Neither the decision to impose a fine nor the amount of the administrative fine was affected by the following circumstances:<br />
<br />
<br />
<br />
(a) the Company does not apply approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Article 42 of Regulation 2016/679,<br />
<br />
<br />
<br />
(b) the measures referred to in Article 58(2) of Regulation 2016/679 have not previously been applied to the Company in the same matter,<br />
<br />
<br />
<br />
(c) there is no evidence that the Company obtained a financial benefit or avoided losses as a result of the infringement.<br />
<br />
<br />
<br />
Taking into account all the circumstances discussed above, the President of the Office for Personal Data Protection decided that the imposition of an administrative fine on the Company is necessary and justified by the gravity and nature and scope of the alleged infringements. It should be stated that the application to the Company of any other remedy provided for in Article 58(2) of Regulation 2016/679, and in particular the application of a warning (Article 58(2)(b)), would not be proportionate to the irregularities found in the processing of personal data and would not guarantee that the Company will not in the future commit similar omissions as in this case.<br />
<br />
<br />
<br />
With regard to the amount of the administrative fine imposed on the Company, the President of the Office for the Protection of Personal Data considered that, in the established circumstances of this case - i.e. in view of the finding of a breach of the principle of confidentiality of data expressed in Article 5(1)(f) of Regulation 2016/679 (and reflected in the obligations laid down in Articles 24(1), 25(1), 32(1)(b) and (d) and 32(2) of Regulation 2016/679) and, in addition, a breach of the principles of legality, reliability and transparency expressed in Article 5(1)(b) and (c) of Regulation 2016/679 and of the principle of proportionality - Article 83(5)(a) of Regulation 2016/679 applies, according to which breaches of the basic principles of processing, including the conditions of consent referred to in Article 5(2) (further specified in Articles 6 and 7 of Regulation 2016/679), i.e. Articles 5, 6 and 7 of that Regulation, are subject to an administrative fine of up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of its total annual worldwide turnover in the preceding financial year, whichever is higher.<br />
<br />
<br />
<br />
At the same time, in view of the fact that the Company was found to have infringed several provisions of Regulation 2016/679 within the same or related processing operations, the President of the Office for Personal Data Protection, pursuant to Article 83(3) of Regulation 2016/679, determined the total amount of the administrative fine so that it does not exceed the penalty for the most serious infringement.<br />
<br />
<br />
<br />
In the facts presented, the most serious infringement should be considered the Company's breach of the principle of confidentiality set out in Article 5(1)(f) of Regulation 2016/679. This is supported by the serious nature of the breach and the circle of people affected by it (approximately 2 200 000 - about two million two hundred thousand users of online shops administered by the Company). Importantly, in relation to the above-mentioned number of people there is still a high risk of unlawful use of their personal data, because the purpose for which the unauthorised person took steps to gain access to this information is unknown.<br />
<br />
<br />
<br />
The infringement by the Company of the principles of legality and reliability expressed in Article 5(1)(a) and of the principle of accountability in Article 5(2) of Regulation 2016/679 should be considered a minor infringement. In the case of the second of the identified infringements, the circle of affected persons is much smaller (about 35 thousand - about thirty-five thousand users submitting instalment applications). The Company also deleted these data on the grounds that their further processing involved greater risks. The collection of data from applications [...] without a legal basis, i.e. without the consent of the data subject, took place before the application of Regulation 2016/679, and after the amendment of the regulations the Company collected data on the basis of consent, which it proved during the inspection and during the proceedings.<br />
<br />
<br />
<br />
Pursuant to Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2018, item 1000, as amended), the equivalent of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table as at 28 January of each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate as at 28 January - according to the average euro exchange rate announced in the table of exchange rates of the National Bank of Poland closest after that date.<br />
<br />
<br />
<br />
In view of the foregoing, the President of the Office for the Protection of Personal Data, pursuant to Article 83(3) and Article 83(5)(a) of Regulation 2016/679, in conjunction with Article 103 of the Personal Data Protection Act of 2018, imposed on the Company, applying the average euro exchange rate of 28 January 2019 (1 EUR = 4,2885 PLN), for the infringements described in the operative part of this decision, an administrative fine in the amount of PLN 2,830,410 (equivalent to EUR 660,000).<br />
<br />
<br />
<br />
In the opinion of the President of the Office for the Protection of Personal Data, the administrative fine applied shall, in the circumstances of this case, fulfil the functions referred to in Article 83(1) of Regulation 2016/679, i.e. it shall be effective, proportionate and dissuasive in that particular case.<br />
<br />
<br />
<br />
In the opinion of the President of the Office for Personal Data Protection, the penalty imposed on the Company will be effective, because it will lead to a state in which the Company will apply such technical and organisational measures which will ensure a level of security for the data processed which corresponds to the risk of infringement of the rights and freedoms of the data subjects and the seriousness of the threats accompanying the processing of these personal data. Therefore, the effectiveness of the penalty is equivalent to a guarantee that from the moment of completing this procedure the Company will approach the requirements set forth in the regulations on personal data protection with the utmost care.<br />
<br />
<br />
<br />
The financial penalty payment applied shall also be proportionate to the infringement found, including in particular the seriousness of the infringement, the circle of individuals concerned and the risks they run. According to the President of the Office for Personal Data Protection, the financial penalty imposed on the Company is also proportional to its financial situation and will not be excessive for it. The amount of the penalty has been set at such a level that, on the one hand, it constitutes an adequate response of the supervisory authority to the degree of the controller's breach of duties, but, on the other hand, it does not cause a situation in which the necessity to pay the financial penalty will result in negative consequences, in the form of a significant reduction in employment or a significant decrease in the Company's turnover. In the opinion of the President of the Office for Personal Data Protection, the Company should and is able to bear the consequences of its negligence in the area of data protection, hence the imposition of a penalty of PLN 2,830,410 is fully justified.<br />
<br />
<br />
<br />
In the opinion of the President of the Office for the Protection of Personal Data, the administrative fine will fulfil a repressive function in these specific circumstances, as it is a response to the Company's breach of Regulation 2016/679, but also a preventive one, as the Company itself, as well as other controllers, will be effectively discouraged from violating personal data protection regulations in the future.<br />
<br />
<br />
<br />
In the opinion of the President of the Office for the Protection of Personal Data, the financial penalty applied meets, in the circumstances of the present case, the conditions referred to in Article 83(1) of Regulation 2016/679 because of the seriousness of the infringements found in the context of the basic requirements and principles of Regulation 2016/679, in particular the principle of confidentiality expressed in Article 5(1)(f) of Regulation 2016/679.<br />
<br />
<br />
<br />
The purpose of the penalty imposed is to ensure the proper performance of the obligations provided for in Article 5(1)(f), Article 24(1), Article 25(1) and Article 32(1)(b) and (d), Article 32(2) of Regulation 2016/679 and, consequently, to carry out data processing in accordance with the applicable law.<br />
<br />
<br />
<br />
In view of the above, the President of the Office for the Protection of Personal Data has decided as in the operative part of this decision.<br />
<br />
<br />
<br />
The decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days of its delivery, through the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00 - 193 Warsaw). A proportional court fee is payable on the complaint in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002 - Law on proceedings before administrative courts (Journal of Laws of 2018, item 1302, as amended). A party has the right to apply for the right of assistance, which includes exemption from court costs and the appointment of an advocate, legal adviser, tax adviser or patent attorney. The right of assistance may be granted at the request of a party made before or during the proceedings. The application is free of court fees.<br />
<br />
<br />
<br />
Pursuant to Article 105(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2018, item 1000, as amended), an administrative fine shall be paid within 14 days from the expiry of the time limit for lodging a complaint with the Voivodship Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland (NBP O/O Warszawa) No. 28 1010 1010 0028 8622 3100 0000.<br />
<br />
<br />
<br />
[1] Guidelines for SMEs on the security of personal data processing - https://www.enisa.europa.eu/publications/guidelines-for-smes-on-the-security-of-personal-data-processing<br />
<br />
<br />
<br />
[2] https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf<br />
<br />
<br />
<br />
[3] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf<br />
<br />
<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=VG_Mainz_-_1_K_584/19.MZ&diff=12373
VG Mainz - 1 K 584/19.MZ
2020-11-23T22:11:32Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VG Mainz <br />
|Court_With_Country=VG Mainz (Germany)<br />
<br />
|Case_Number_Name=1 K 584/19.MZ<br />
|ECLI=ECLI:DE:VGMAINZ:2020:0924.1K584.19.00<br />
<br />
|Original_Source_Name_1=landesrecht.rlp.de<br />
|Original_Source_Link_1=http://www.landesrecht.rlp.de/jportal/portal/t/7qe/page/bsrlpprod.psml?pid=Dokumentanzeige&showdoccase=1&doc.id=MWRE200004115&doc.part=L<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=openjur.de<br />
|Original_Source_Link_2=https://openjur.de/u/2304348.html<br />
|Original_Source_Language_2=German<br />
|Original_Source_Language__Code_2=DE<br />
<br />
|Date_Decided=24.09.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 9(1) GDPR<br />
|GDPR_Article_Link_1=Article 9 GDPR#1<br />
|GDPR_Article_2=Article 58(2) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#2<br />
<br />
<br />
|National_Law_Name_1=§ 20(5) BDSG<br />
|National_Law_Link_1=https://www.gesetze-im-internet.de/bdsg_2018/__20.html<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Philipp<br />
|<br />
}}<br />
<br />
Even if it is possible that a camera records special categories of personal data, the requirements of Art. 9 GDPR do not apply if the processor does not seek to process that kind of data. The legality is thus determined by Art. 6 GDPR.<br />
On the basis of Art. 58(2)(f) GDPR, the DPA was not entitled to order the removal of a CCTV camera, but only its shutdown.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff owns an LED billboard on his private property next to a shopping mall. The billboard is monitored by four CCTV cameras to protect it against vandalism.<br />
The DPA (Landesbeauftragter für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz) ordered the removal of camera 1, which filmed a public street, and the shutdown of camera 2 during the opening hours of the shopping mall, because it filmed the parking lot. Cameras 3 and 4 had to be repositioned so that they no longer capture the public street, the parking lot and an adjacent residential building.<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The correct defendant is the DPA itself according to § 20(5)(2) and § 20(4) BDSG. <br />
<br />
The Court held that even if it is possible that a camera records personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, the requirements of Art. 9 GDPR do not apply because the plaintiff did not seek to process that kind of data. <br />
The legality is thus determined by Art. 6 GDPR. In the absence of consent under Art. 6(1)(a) GDPR, a balance of interests according to Art. 6(1)(f) GDPR is required. <br />
<br />
The legitimate interests pursued by the plaintiff (protection of his property) are overridden by the fundamental rights and freedoms of the data subjects who are filmed by camera 1 on a public street. The DPA was allowed to issue a reprimand, Art. 58(2)(b) GDPR. On the basis of Art. 58(2)(f) GDPR, the DPA was not entitled to order the removal of camera 1 but only the shutdown. <br />
<br />
According to Art. 58(2)(d) GDPR, the DPA was entitled to order the shutdown of camera 2 during the opening hours of the shopping mall and the repositioning of cameras 3 and 4. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Tenor<br />
<br />
Paragraph 2 of the decision of 23 November 2018 concerning the order to dismantle Camera 1 and paragraphs 4 and 9 of the decision of 23 November 2018 are annulled. The remainder of the action is dismissed.<br />
<br />
The applicant is ordered to pay the costs.<br />
<br />
The judgment is provisionally enforceable as regards costs.<br />
<br />
Facts<br />
<br />
The plaintiff objects to a warning under data protection law and further orders of the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate - LfDI - requiring him to partially discontinue or modify the camera surveillance of his advertising board.<br />
<br />
The applicant is the owner of the property A. in B. The property is located at the access road to the federal road XXX in an industrial estate outside the town of B. The property includes a shopping centre (...), a car park and a large double-sided advertising board with LED display. The billboard had a purchase value of approx. 200,000 €. To protect his billboard, the plaintiff installed two static video cameras on each side (see Annexes 1 to 5 to the plaintiff's statement of 19 December 2018). Two cameras essentially capture the billboard itself (cameras 3 and 4); the other cameras are directed at the area in front of the billboard, so that one of them captures the car park and the adjacent shopping centre (camera 2) and the other captures the area where road A. joins federal road XXX (camera 1). All four cameras are in operation around the clock and capture their respective fields of vision in a resolution that allows licence plates and persons to be identified. The recordings are stored for 48 hours in a recording device located between the two billboards and are then automatically deleted. Only the plaintiff has access to the locked recording device and the recordings. Video surveillance is indicated by a pictogram in the car park.<br />
<br />
Following various communications between the parties concerned and after the plaintiff had been heard on the measures envisaged by the defendant, the defendant, by decision of 23 November 2018 (served on 26 November 2018), ordered measures on the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (basic data protection regulation) - DSGVO. With regard to Camera 1, the defendant issued a warning (point 1 of the decision) and asked the applicant to cease data processing by that camera and to dismantle it (point 2 of the decision) and to prove that it had been dismantled by producing a photograph (point 4 of the decision). According to point 3 of the decision, camera 2 is to be set so that it does not take any pictures during the opening hours of the shopping centre. This is to be proved by submitting a printout or a photograph of the corresponding settings (point 5). Cameras 3 and 4 are to be aligned in such a way that the street, the car park and an adjacent residential building previously visible on them no longer fall within the cameras' angle of coverage (point 6). This must also be verified by a screen printout (point 7). A deadline of 15 December 2018 was set for the implementation of the orders (point 8); this deadline was extended to 4 January 2019 at the request of the plaintiff. In addition, periodic penalty payments of €1,000, €2,500 and €5,000 were threatened in the event of non-compliance with the orders (point 9).<br />
<br />
The applicant brought an action on 26 June 2019. The decision of 23 November 2018 is unlawful because the video surveillance on his billboard is lawful. It serves to safeguard his domestic rights and to protect his legitimate interests, since he wishes to protect his billboard from damage. He has a legitimate interest in protecting his property and in preventing unauthorised persons from entering his premises and in preventing or in any event being able to prosecute offences against his property. In the past, crimes have repeatedly been committed on the site, as was reported several times and also in 2020 in the food discounter .... and the ... (shopping centre), graffiti and hit-and-run cases had been committed and waste oil had been disposed of on the premises. It was to be expected that crimes would continue to be committed there in the future. Video surveillance was also necessary as the objective of deterring and identifying troublemakers and criminals could be achieved by this measure. The monitoring of the LED advertising installation was successful, as the installation had not been attacked or damaged so far. There is no other equally effective means which is less restrictive of the fundamental right of informational self-determination of the persons concerned. In principle, shopping centres are a potentially endangered area which should be monitored by camera as a typical danger point. In particular, the use of security personnel is not reasonable. A fence was also unsuitable because stones could be thrown over the fence onto the billboard. The cameras would have to cover the area in front of the boards, as the LED boards could be damaged by stones being thrown or drones being used. The junction area on the federal road XXX would have to be monitored for licence plate recognition and thus identification of perpetrators. Only a complete, unrestricted surveillance without time restrictions would be effective, as cases of hit-and-run driving had already occurred during the day and crimes could be prepared during the day. At the same time, only the interaction of all four cameras could ensure effective protection of billboards. Finally, when weighing up the interests involved, it must also be taken into account that video surveillance is omnipresent today and that the recordings in question are only viewed when an incident has occurred; moreover, the recordings are automatically deleted if not viewed. The order to dismantle camera 1 is unlawful because even one switch-off is sufficient to prevent further data processing. It was not possible to take action against a camera which had been switched off on the basis of the Basic Data Protection Regulation. The warning with regard to camera 1 is unlawful because it was issued at the same time as the order to stop operation of the camera and to dismantle it. It is only when a warning has been disregarded that it can be followed up with a more severe remedy. Furthermore, there was no hearing in respect of the warning.<br />
<br />
The applicant claims that the Court should<br />
<br />
set aside the orders or measures prescribed in points 1 to 7 of the defendant's decision of 23 November 2018 and the threats of coercive measures prescribed in point 9 of that decision<br />
<br />
The defendant claims that the Court should<br />
<br />
dismiss the action.<br />
<br />
The data processing carried out by the plaintiff infringes Article 6(1), first subparagraph, letter (f) of the DSGVO. The warning and the order to dismantle Camera 1 are lawful. The legal basis for the warning is Article 58(2)(b) of the DSGVO. The camera covers public traffic areas, namely Federal road XXX and road A., as well as the adjacent cycle and pedestrian path and a railway line. The surveillance of public road traffic is a task of the State and does not have to be carried out by the applicant. Furthermore, it affects the rights of road users to a considerable extent and is unlawful without reference to specific criminal conduct. Nor can the threat scenario drawn up by the applicant, which is not sufficiently substantiated, be effectively countered by video surveillance. In any event, the rights of the persons concerned prevail: A large number of passers-by are filmed, although they do not enter the car park and, moreover, behave in an unobjectionable manner. The warning had to be issued because Camera 1 was manifestly illegal and therefore had to be sanctioned in the interests of effective enforcement. Furthermore, since a significant number of unlawful processing operations took place, it was necessary to order the cessation and dismantling of video camera 1. Furthermore, it should be noted that if camera 1 were merely switched off, it would then generate an impermissible surveillance pressure as a de facto dummy. Furthermore, only by removing the camera could it be ensured that the impermissible video surveillance would not be resumed. As regards camera 2, the recording times had to be limited to the period outside the opening hours of the adjacent retail outlets. It is true that the criminal incidents reported by the plaintiff were not sufficiently serious, frequent and substantiated on the premises. However, surveillance of the car park outside opening hours could still be regarded as proportionate. In this respect, it must also be taken into account that a large number of people, including children, are present on the car park during opening hours and that their fundamental rights and freedoms outweigh the interests of the plaintiff as the person responsible. Cameras 3 and 4 would have to be positioned in such a way that they would only cover the billboard, since, according to the plaintiff, these cameras only served to monitor the LED billboard. In order to fulfil that purpose, it is not necessary to monitor parts of the public traffic area and an adjacent residential building and the car park. The requests for information on the fulfilment of the ordered measures were necessary, according to Article 58(1)(a) of the DSGVO, in order to ensure control of future data processing.<br />
<br />
By order of 24 June 2019, the proceedings were transferred from the Administrative Court of Koblenz to the Administrative Court of Mainz.<br />
<br />
For further details of the facts of the case and the dispute, reference is made to the defendant's court file (2 volumes) and administrative file (1 booklet), which were before the Chamber and were the subject of the hearing.<br />
<br />
Reasons<br />
<br />
The admissible (I.) action is successful on the merits only to the extent shown by the operative part (II.)<br />
<br />
I. The action is admissible.<br />
<br />
Pursuant to § 42 (1) Var. 1 of the Administrative Court Rules - VwGO - an action for rescission is admissible, since the contested warning is an administrative act - at least a declaratory one - within the meaning of § 35 sentence 1 of the Administrative Procedure Act - VwVfG - in conjunction with § 1 (1) of the Landesverwaltungsverfahrensgesetz - LVwVfG. Finally, the warning states that the addressee has infringed Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Basic Data Protection Regulation) - DSGVO. It is true that the warning does not create a specific, direct legal obligation. However, it does implicitly state that the addressee should act in conformity with data protection rules in the future. Furthermore, the warning is a remedial measure by the data protection authority, which punishes a - albeit regularly rather minor - breach of data protection (see Körffer, in: Paal/Pauly, DS-GVO/BDSG, 2nd edition 2018, Art. 58, marginal 18; Selmayr, in: Ehmann/Selmayr, 2nd edition 2018, Basic Data Protection Regulation, Art. 58, marginal 20). The other orders imposing certain duties on the plaintiff to act are also administrative acts.<br />
<br />
The plaintiff is the addressee of incriminating administrative acts and is therefore entitled to bring an action within the meaning of Paragraph 42(2) of the VwGO.<br />
<br />
Preliminary proceedings were dispensable under Section 68 (1) sentence 2 no. 1 VwGO and Section 20 (6) of the Federal Data Protection Act - BDSG.<br />
<br />
The one-month deadline of § 74 (1) sentence 1 VwGO was complied with.<br />
<br />
The correct defendant is, according to § 20 paragraph 5 No. 2 BDSG, the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate - LfDI -. Pursuant to § 20 (4) BDSG, the LfDI is entitled to participate in disputes between a natural person or legal entity and a federal or state supervisory authority concerning rights under Art. 78 (1) and (2) DSGVO and § 61 BDSG. Pursuant to Section 1 (1) sentence 2 of the BDSG, the Federal Data Protection Act is also applicable in this case, since the plaintiff processes the personal data of third parties and is a non-public body. Although the plaintiff had initially cited the Land of Rhineland-Palatinate as the defendant in the action, it was established beyond doubt by interpretation that the plaintiff intended to bring the action against the LfDI, which issued the contested decision. Applying mutatis mutandis the second half of Paragraph 78(1)(1) of the VwGO, it follows that the incorrect designation of the defendant is irrelevant if it is possible to identify against whom the action should correctly be directed. This is the case, for example, if - as here - the action is initially directed against the legal entity, even if (exceptionally) the authority is the defendant (cf. OVG NRW, judgment of 13 March 1991 - 22 A 871/90 -, juris, marginal nos. 5 et seq.; Kintz, in: BeckOK VwGO, 54th Ed. 1 July 2020, § 78, marginal no. 43). The Chamber has therefore amended the rubric ex officio to state that the defendant is the LfDI. The parties, who were informed of this at the hearing on 24 September 2020, did not object to the change of heading.<br />
<br />
In accordance with § 20 (1) and (3) BDSG in conjunction with Art. 78 para. 1 DSGVO, the Administrative Court of Mainz has local jurisdiction. In addition, the Administrative Court of Mainz is bound by the referral order of the Administrative Court of Koblenz dated 24 June 2019 pursuant to § 83 sentence 1 VwGO in conjunction with § 17a (2) sentence 3 GVG.<br />
<br />
II The action is only partially successful on the merits. The orders challenged by the plaintiff under items 1, 3, 5, 6 and 7 of the defendant's decision of 23 November 2018 are lawful and do not infringe the plaintiff's rights (§ 113.1 sentence 1 VwGO). However, the orders under items 4 and 9 and, in part, the order under item 2 of the defendant's decision are unlawful and infringe the plaintiff's rights, so that they had to be revoked.<br />
<br />
1. The warning issued in respect of Camera 1 (point 1 of the decision of 23 November 2018) is lawful. Camera 1 films the area where road "A." joins the federal road XXX as well as a bicycle path, a footpath and a railway line.<br />
<br />
The basis for issuing a warning is Article 58 paragraph 2 letter b DSGVO. This allows the supervisory authority to issue a warning to a controller or a processor if he has infringed the basic data protection regulation by processing operations. The fact that the defendant cited Article 58 (1) (b) DSGVO as the legal basis in its ruling is obviously due to an editorial oversight. In the course of the proceedings, the defendant made it clear that the warning should be based on Article 58(2)(b) DSGVO.<br />
<br />
The present warning is formally lawful; in particular, the defendant LfDI was responsible for issuing the order pursuant to Art. 51 (1), 55 (1) DSGVO, Art. 40 (1) BDSG, Art. 15 (2) LDSG. If a hearing error could be identified in the fact that the plaintiff was not made aware of the possible pronouncement of a warning at the hearing on 10 August 2018 - but only measures pursuant to Article 58 (2) (d) DSGVO were announced - this error would in any case have been remedied pursuant to Article 45 (1) no. 3 VwVfG by the fact that the hearing was made up for. Finally, in the course of the legal proceedings, the defendant dealt intensively with the plaintiff's arguments and, in particular, commented on the content of the plaintiff's submissions regarding the warning.<br />
<br />
Whether a data processing infringes the basic data protection regulation depends on Art. 5 ff. DSGVO. Under Article 5(1)(a) DSGVO, personal data must be processed in a lawful manner. The warning is also materially lawful, as the surveillance by camera 1 was carried out unlawfully in this case. Video surveillance constitutes data processing (a), in which personal data are also processed (b). Even though the Chamber is of the opinion that the processed data is not particularly sensitive data and thus there is no processing prohibition under Art. 9 DSGVO in the present case (c), video surveillance by camera 1 violates the Basic Data Protection Regulation, as it is not justified under Art. 6 DSGVO (d).<br />
<br />
(a) The plaintiff is a data processor by using his camera to make video recordings of third parties. Camera surveillance is the processing of data within the meaning of Article 4 No. 2 of the DSGVO. Accordingly, data processing is any operation carried out with or without the aid of automated procedures in connection with personal data. The term processing covers all handling of personal data (see BVerwG, judgement of 27 March 2019 - 6 C 2/18 -, juris, marginal 43; SaarlOVG, judgement of 14 December 2017 - 2 A 662/17 - juris, marginal 38; Schild, in: BeckOK Datenschutzrecht, 33 Ed. 1 August 2020, DS-GVO, Art. 4, marginal 34).<br />
<br />
b) Personal data are also processed in the case of camera surveillance. The image of a person recorded by a camera falls under the term "personal data" if it enables the identification of the person concerned (cf. BVerwG, judgement of 27 March 2019 loc. cit, juris, marginal 43; SaarlOVG, judgement of 14 December 2017 loc. cit., juris, marginal 38; OVG Nds, judgement of 29 September 2014 - 11 LC 114/13 - juris, marginal 28 f.; Schild, in: BeckOK Datenschutzrecht, 33 Ed. 1 August 2020, DS-GVO, Art. 4, marginal 14b). The camera used here captures persons and vehicles in licence plate and person-specific resolution.<br />
<br />
c) The increased requirements imposed by Art. 9 DSGVO on the processing of special categories of personal data did not have to be complied with in the present case. According to Art. 9 para. 1 DSGVO, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data uniquely identifying a natural person, health data or data concerning the sexual life or sexual orientation of a natural person is in principle prohibited.<br />
<br />
It is true that it is generally possible that special categories of personal data may be recorded if the camera shots are person-specific. After all, the external appearance of the persons filmed may possibly reveal their racial and ethnic origin (skin colour, hair), their political opinion (e.g. "Palestinian scarf"), their religious or ideological conviction (e.g. religious items of clothing such as headscarves or kippas), health data (e.g. glasses, wheelchair) or sexual orientation (e.g. homosexual couple).<br />
<br />
However, the plaintiff is not interested in collecting precisely these personal data of special categories. The plaintiff's intention with video surveillance is to prevent and prosecute crimes. During surveillance, he receives a mixed data set of particularly sensitive and non-sensitive data, whereby he has no intention of evaluating the sensitive data. In the absence of such an evaluation intention, there are no particular risks for the data subjects, so that the scope of application of Art. 9(1) DSGVO is not opened up (cf. Schulz, in: Gola, DS-GVO, 2nd ed. 2018, DS-GVO, Art. 9, marginal no. 13; Schneider/Schindler, Video surveillance as processing of special categories of personal data, ZD 2018, 463, beck-online).<br />
<br />
d) However, video surveillance by camera 1 is illegal under Art. 6 DSGVO. According to this provision, data processing is only lawful if at least one of the conditions set out in Art. 6 (1), first subparagraph, letters a to f DSGVO is fulfilled. In this case, however, there is neither consent of the data subjects within the meaning of Article 6 (1), first subparagraph, letter a, DSGVO (aa) nor was video surveillance carried out in accordance with Article 6 (1), first subparagraph, letter f, DSGVO in the overriding interest of the plaintiff or a third party (bb).<br />
<br />
(aa) A data processing operation is lawful under Article 6(1), first subparagraph, point (a), of the DSGVO if the data subject has given his consent to the processing of personal data relating to him for one or more specific purposes. According to the legal definition in Art. 4 No. 11 DSGVO, consent is any freely given, informed and unequivocal expression of will in the specific case, in the form of a declaration or any other unequivocal affirmative act by which the data subject indicates his or her consent to the processing of personal data relating to him or her.<br />
<br />
The persons concerned by video surveillance have not given their consent, either in writing or orally, to the processing of their data, if they have even taken note of the fact that camera surveillance is taking place. An (implied) declaration of intent is also not recognisable by reading the sign (pictogram) on the advertising board. Even in the case of clearly visible signs, it cannot be assumed that the persons concerned have consented to surveillance when they enter the monitored area (see BVerwG, judgment of 27 March 2019 loc. cit., juris, marginal no. 23; BVerfG, Statutory Chamber Order of 23 February 2007 - 1 BvR 2368/06 -, juris, marginal no. 40). In addition, those affected may lack the necessary ability to consent, for example children up to the age of 14 (cf. OVG Nds, judgment of 29 September 2014, loc. cit., juris, marginal no. 33).<br />
<br />
(bb) Nor is video surveillance justified under Article 6(1), first subparagraph, point (f) of the DSGVO. According to that provision, data processing is lawful if it is necessary in order to safeguard the legitimate interests of the controller or of a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those of the controller, in particular where the data subject is a child. In a two-stage examination programme, the necessity of the data processing must first be established (1) and then the interests of the data controller or of a third party must be weighed against the data subject's right to informational self-determination (2).<br />
<br />
(1) The camera surveillance arranged here by the plaintiff is already not necessary if it is in operation and takes pictures during the opening hours of the shopping centre.<br />
<br />
Data processing is necessary if the person responsible needs it in order to safeguard legitimate interests, i.e. interests that are worthy of protection and objectively justifiable. According to Recital 47 to the Basic Data Protection Regulation, one of the relevant factors here is whether data processing is absolutely necessary for the prevention of criminal offences, whether it is foreseeable, i.e. customary in the industry, or whether the data subjects must reasonably expect their data to be processed in the specific situation (cf. BVerwG, judgment of 27 March 2019 loc. cit.).<br />
<br />
It is up to the person responsible to explain the reasons for which he considers video surveillance of his rooms to be necessary. On the basis of this information, it must be assessed whether and to what extent the measure is necessary. The authorities and courts must, in the context of their duty to clarify the facts, endeavour to ensure that the person responsible explains or supplements the reasons given. According to the generally accepted understanding of the term, necessity is to be assumed if a reason, such as a hazardous situation, is sufficiently substantiated by facts or general life experience and cannot be taken into account just as well by another equally effective but more gentle measure. More gentle than video surveillance are in particular measures that do not affect the informational self-determination rights of visitors to publicly accessible rooms (cf. BVerwG, judgement of 27 March 2019 loc. cit., juris, marginal 26; SaarlOVG, judgement of 14 December 2017 loc. cit., juris, marginal 46).<br />
<br />
It is therefore in principle a legitimate interest of the person responsible to use camera surveillance for the prevention and investigation of criminal offences. However, such a surveillance measure is only necessary if there is a risk situation that goes beyond the general life risk. Such a threat can only arise from actual findings; subjective fears or a feeling of insecurity are not sufficient (cf. BVerwG, judgement of 27 March 2019 loc. cit., juris, marginal no. 28; SaarlOVG, judgement of 14 December 2017 loc. cit.).<br />
<br />
Applying the legal standard described above, a particular risk situation for the billboard, which the plaintiff seeks to protect by means of video surveillance, is to be recognised in the present case only outside the opening hours of the shopping centre. Moreover, there is no evidence of a particular risk situation which must relate to the object to be protected - in this case: the billboards - in order to justify its video surveillance.<br />
<br />
When assessing whether there is a particular risk situation for the advertising installation, it must first be taken into account that the installation has not been damaged by third parties to date. The advertising installation at issue is protected against vandalism to an above-average extent by its height and the closed access to the operating space between the two advertising boards, since neither the boards nor the operating space are accessible to third parties. The plaintiff himself therefore assumes that damage to the advertising installation could occur solely from the outside or from the ground - for example, by throwing objects or using drones. Nor has the plaintiff convincingly argued that advertising installations are generally exposed to an increased risk of damage to property. To the extent that he states that he has become aware of incidents in which advertising installations were fired upon, no generally increased risk of damage to advertising installations can be inferred from these incidents - which, incidentally, have not been further specified or substantiated. It cannot be assumed with sufficient certainty whether the surveillance cameras installed by the plaintiff on the advertising installation have such a deterrent effect that potential perpetrators refrain from causing damage to property and that this is the only reason why the particular risk of danger has not materialised to date. Finally, the adjacent shopping centre is also monitored by camera 2 and - as the plaintiff stated in the oral hearing - other cameras at the shopping centre, and burglary offences have nevertheless been committed.<br />
<br />
If the plaintiff further submits - albeit unsubstantiated and without corresponding evidence - that there have already been several cases of hit and run on the car park, this does not constitute a circumstance that would justify a particular risk situation either, but rather a general risk to life. Also his fear that trucks could graze and damage the advertising panel only constitutes a general risk, but not a special danger situation justifying video surveillance. Moreover, the photograph submitted by the plaintiff in Annex 2 to his pleadings of 19 December 2018 shows that there are large stones underneath the advertising installation at the edge of or at the transition to road "A.", which should prevent trucks from driving over the kerbstone and grazing the advertising panel. In so far as no corresponding "bollards" have yet been installed at the edge of Federal Highway XXX, there is no apparent reason why such protection could not be used here as well, protecting the advertising board and at the same time making video surveillance unnecessary.<br />
<br />
However, the Board recognises that, in view of the particular circumstances of the present individual case, the threat to the environment has at least a partial effect on the vulnerability of the advertising installation. It is open to question whether shopping centres - possibly also in their vicinity - can generally be assumed to be particularly vulnerable, as the plaintiff apparently believes. Finally, in the present case, criminal offences have actually been committed in the area of the shopping centre. The plaintiff has reported various criminal incidents in the vicinity of the advertising complex: There had been break-ins, graffiti and offensive graffiti in the area of the shopping centre and at a neighbouring warehouse, which he partly proved by submitting relevant photographs, but which, moreover, was not substantiated by the defendant. Although it can be assumed in principle that theft offences promise a certain direct benefit from the perspective of the perpetrator (stolen goods) and that wall graffiti with spray paints is, on the one hand, associated with an expression of opinion and, on the other hand, can in principle be committed very easily and quickly and without a particularly high risk of discovery, it cannot simply be assumed that the same groups of perpetrators would also damage the plaintiff's advertising plant. However, the plaintiff has explained in a credible and comprehensible manner that he is a well-known businessman in B. and that the offences committed are at least partly connected with an attack on his person. In that regard, he refers in particular to graffiti on a neighbouring warehouse, with which he was personally insulted and threatened, and of which he submitted photographs to the file. He therefore had to fear that he might be harmed, with the result that his property was endangered and he was justified in protecting it. On account of the various offences committed in the vicinity of the advertising installation on the plaintiff's property, some of which constituted a direct attack on the plaintiff's person, the plaintiff's understandable concern about damage, even to his high-priced advertising installation, is in principle not only a subjective fear, but a particular risk situation can be inferred from actual findings.<br />
<br />
However, the Chamber considers that the plaintiff's advertising installation is particularly vulnerable only outside the opening hours of the shopping centre. In this respect, considerable weight must be given to the fact that the installation is located in an exposed position on the - as the parties have stated - busy Bundesstrasse XXX and on the access road to the industrial estate, directly next to the car park of the shopping centre. It must therefore be assumed that damage to the advertising board - the protection of which is the plaintiff's concern with the video surveillance - is not likely during the opening hours of the shopping centre, because during this time some through traffic and customers of the shopping centre parking and loading goods can be expected. Possible perpetrators who wanted to damage the advertising installation would run a high risk of detection during the opening hours.<br />
<br />
Video surveillance is also fundamentally suitable for fulfilling the purpose of surveillance - here: the protection of the plaintiff's property. After all, it is general life experience that the higher the risk of being discovered and held responsible, the lower the probability of such acts being committed. From the perspective of potential perpetrators, this risk has become greater after the installation of video cameras, as they cannot know when they are detected by the camera and cannot rule out being observed on screen by an employee of the plaintiff while committing possible infringements (cf. SaarlOVG, judgement of 14 December 2017 loc. cit., juris, para. 46). It is also possible for the camera to record pictures of a possible offence so that the offender can be identified and criminal prosecution facilitated. The Chamber is convinced, however, that video surveillance is not suitable against possible threats from drones, as these can easily be controlled from areas that lie outside the camera's angle of coverage.<br />
<br />
In the Board's view, the applicant cannot be referred to milder means, that is to say, measures which are equally effective in protecting billboards but which affect fewer rights of third parties. The plaintiff has stated that the insurance of the advertising installation at issue would cost € 10,000 per annum, which, in the opinion of the Board, is not economically reasonable for the plaintiff. The use of security guards would also be associated with high, unreasonable costs (cf. SaarlOVG, judgment of 14 December 2017 loc. cit., juris, para. 47; OVG Nds, judgment of 29 September 2014 loc. cit., juris, para. 57). As the billboard is located directly at the road, an enclosure of the site would not promise sufficient protection either, as objects could also be thrown onto the site from outside the fence. Physical protection, such as a Plexiglas panel in front of the billboard, is also out of the question, since according to the - comprehensible - information provided by the plaintiff, the billboard heats up during operation and the heat must be dissipated. In addition, drivers could be dazzled by sun reflections or the display of the advertisement could be disturbed.<br />
<br />
(2) However, the interests worthy of protection of the persons affected by video surveillance with camera 1 outweigh the interests of the plaintiff in protecting his property.<br />
<br />
The balancing of interests is carried out according to the situation and context. The intensity of the encroachment on fundamental rights resulting from the monitoring must not be disproportionate to the weight of the reasons justifying it. The weight of the interference is determined to a large extent by the nature and scope of the information collected, the reason and circumstances of the collection, the group of persons concerned, the existence of possibilities for evasion and the nature and scope of the use of the data collected. When weighing up the matter, all the (fundamental) legal positions in question must be taken into account and a balance must be struck that is as gentle as possible. These are, on the one hand, the right of the persons recorded by the cameras to informational self-determination and to the protection of their personal data, which is protected by Article 2(1) in conjunction with Article 1(1) of the Basic Law; on the other hand, the plaintiff can primarily invoke his right of ownership under Article 14(1) of the Basic Law, which would be impaired by damage to his advertising installation and which he wishes to protect preventively by the surveillance measure and, in the event of damage to property, by identifying the person responsible (cf. SaarlOVG, judgement of 14 December 2017 loc. cit., juris, marginal 48 et seq.; OVG Nds, judgement of 29 September 2014 loc. cit., juris, marginal 63).<br />
<br />
In the present case, the fact that the cameras record statically and do not have a zoom or panning option must be taken into account in the weighing of interests in favour of the plaintiff. Moreover, according to the plaintiff, the video recordings are viewed solely in the event of damage and only by the plaintiff and are automatically deleted after 48 hours. Furthermore, the traffic areas monitored by camera 1 are not intended to be used for longer periods of time and, in particular, there is no insight into highly personal areas of intimacy or privacy.<br />
<br />
However, the interests of the persons concerned by the surveillance outweigh these. This is because the targeted, clandestine surveillance of persons who are on public roads, paths or squares is in principle not permitted. It is the public task of the road traffic authorities and the police to ensure road traffic in conformity with the law and to prosecute administrative offences and criminal offences (cf. VG Göttingen, judgement of 31 May 2017 - 1 A 170/16 -, juris, marginal nos. 46 f.; LG München I, judgement of 21 October 2011 - 20 O 19879/10 -, juris, marginal no. 26). In this case, the surveillance of the traffic areas by camera 1, which is sharp enough to identify persons and number plates, is carried out continuously and without any specific cause and is not easily recognisable for the persons concerned - mainly motorists - when driving past. The surveillance thus affects a large number of predominantly uninvolved persons who obviously have no intention of impairing the plaintiff's property (cf. Federal Supreme Court, ruling of 15 May 2018 - VI ZR 233/17 -, juris, marginal no. 26). In particular, the pictogram referring to the video surveillance cannot be perceived by passers-by. Clandestine surveillance measures, however, interfere with the rights of the persons concerned in a particularly serious way (cf. OVG Nds, judgement of 29 September 2014 loc. cit., juris, marginal no. 64). This is also an important difference from camera 2 (see below), which essentially films the car park: on the one hand, the video surveillance is more easily recognisable for people who are in the car park than for passing motorists. On the other hand, people who are on the car park area outside the opening hours of the shopping centre - and only during this time, according to the Chamber's conviction, is there any particular danger situation at all which makes video surveillance necessary - are more likely to be "suspected" of committing a criminal offence than people who are driving on the main road or access road and pass the billboard by chance.<br />
<br />
(e) The warning therefore does not raise any serious concerns on the legal consequences side either. The defendant has issued the warning in a manner free of discretionary errors. Pursuant to Art. 58 para. 2 DSGVO, the supervisory authority has a discretionary power of decision and selection with regard to the exercise of its supervisory powers.<br />
<br />
The defendant took the view, in an unobjectionable manner, that it was entitled to issue a warning on account of the infringement of the General Data Protection Regulation which it had established. The supervisory authority may, pursuant to Art. 58 para. 2 DSGVO, make use of a remedial power if it has established a violation of data protection provisions or at least expects such a violation. If such a case exists, the authority is granted discretion on the legal consequences side. In exercising this discretion, it must in particular observe the principle of proportionality (cf. VGH BW, decision of 22 January 2020 - VGH 1 S 3001/19 -, BA p. 18 with further references). If violations are identified, the supervisory authority is generally required to take action to remedy the violation (cf. VGH BW, decision of 22 January 2020 loc. cit., BA p. 15 with further references). With regard to whether to act at all, an intended discretion must therefore be assumed if the supervisory authority - as in this case - has established a violation of law (cf. Mundil, in: BeckOK Datenschutzrecht, 33rd ed. 1 February 2020, DSGVO Art. 77, marginal no. 15; assuming a reduction of discretion to zero, VG Ansbach, judgement of 8 August 2019 - AN 14 K 19.00272 -, juris, marginal no. 46).<br />
<br />
There is also no evidence of any error in the exercise of the discretionary power of selection. When selecting the appropriate remedial measure under Article 58 para. 2 DSGVO, the supervisory authority must observe the principle of proportionality and in this respect also take the intensity of intervention into account (cf. VGH BW, decision of 22 January 2020 - VGH 1 S 3001/19 - BA p. 18 with further details). The warning issued by the defendant here is a rather "mild" remedy and can be applied even in the event of a first data protection breach (cf. Selmayr, in: Ehmann/Selmayr, DSGVO, 2nd ed. 2018, DS-GVO Art. 58, marginal no. 18; 20).<br />
<br />
The warning could also be issued in addition to another order. In the present case, the defendant not only warned the plaintiff pursuant to Article 58(2)(b) DSGVO, but also ordered, pursuant to Article 58(2)(d) DSGVO, that the operation of camera 1 be stopped and the camera dismantled (point 2 of the decision). Contrary to the plaintiff's opinion, it cannot be assumed that there is a graduated system of - differently far-reaching - remedial powers in the sense that, after a warning, one would first have to wait and see whether the controller would act in conformity with data protection law in future before ordering further measures - for example on the basis of Article 58(2)(d) DSGVO. Rather, the warning constitutes a sanction by means of which unlawful conduct in the past is subsequently established. As the "little sister of the fine", a warning is generally considered appropriate if the infringement of data protection regulations is rather minor and the threshold for the imposition of a fine has not yet been exceeded (cf. Selmayr, in: Ehmann/Selmayr, DSGVO, 2nd ed. 2018, DS-GVO Art. 58, marginal no. 20). Accordingly, recital 148 explains that in the case of a minor infringement, or if a fine would impose a disproportionate burden, a warning may be issued instead of a fine. It follows from this that a warning and a fine may be imposed only as alternatives. A warning may therefore be a preliminary step to a fine. However, since measures under Article 58(2)(d) DSGVO, such as the adjustment and dismantling of the camera ordered here, are intended to eliminate an existing unlawful situation for the future and thus serve a preventive purpose, they may also be ordered cumulatively with a warning.<br />
<br />
2) The order under point 2 of the decision of 23 November 2018 is partly unlawful (a)). Therefore, the order in paragraph 4 of the decision is also unlawful (b)).<br />
<br />
(a) The cessation of data processing by camera 1 ordered under point 2 of the decision is lawful (aa)). By contrast, the order to dismantle Camera 1 is unlawful and infringes the rights of the plaintiff (§ 113 (1) sentence 1 of the German Rules of the Administrative Courts (VwGO) (bb)).<br />
<br />
Article 58(2)(f) DSGVO is to be used as the basis for authorising these orders. In so far as the defendant referred to Article 58(1)(f) DSGVO as the legal basis in the notice, this was clearly an editorial error which the defendant corrected in the course of the proceedings (see above with regard to the legal basis for the warning). Under Article 58(2)(f) DSGVO, the supervisory authority may impose a temporary or definitive restriction on processing, including a ban.<br />
<br />
aa) Since video surveillance by camera 1 constitutes unlawful data processing (see above), the defendant was able to order the cessation of data processing by camera 1 on the basis of Article 58(2)(f) DSGVO. This ensures that no further unlawful data processing is carried out in future. In this respect, no error of discretion is apparent; in particular, this measure could be ordered in addition to a warning (see above). Nor is any milder, equally effective measure apparent, since even a realignment of camera 1 at its current position is hardly possible without continuing to monitor a large number of uninvolved drivers.<br />
<br />
bb) However, the defendant's instruction that camera 1 must be removed is unlawful. In this respect, there is already a lack of a basis for authorisation. Article 58 paragraph 2 letter f) DSGVO allows the supervisory authority to restrict or even prohibit data processing temporarily or permanently. However, this legal basis does not include the order to dismantle the processing plant. The prohibition of data processing relates to a specific act, but not to the presence of a - switched off - data processing system (cf. also on the earlier legal situation, VG Oldenburg, judgement of 12 March 2013 - 1 A 3850/12 -, juris, marginal no. 21 f.; Selmayr, in: Ehmann/Selmayr, DSGVO, 2nd ed. 2018, Art. 58, marginal no. 20).<br />
<br />
Admittedly, it is understandable to the Board that without dismantling camera 1, the defendant can only check to a limited extent whether the camera is actually switched off, which may cause difficulties for effective enforcement. In this respect, however, it is the task of the (German) legislator to endow the supervisory authority with additional powers under Article 58 (6) sentence 1 DSGVO by means of legislation (cf. Selmayr, in: Ehmann/Selmayr, DSGVO, 2nd ed. 2018, Article 58, marginal no. 20).<br />
<br />
Irrespective of this, no personal data are processed by a switched-off camera, so that the scope of application of the basic data protection regulation is not opened up and no complaints can be made about violations of data protection law. If an existing but switched off camera causes surveillance pressure on third parties, they must be referred to civil law to protect their personal rights (cf. VG Oldenburg, judgement of 12 March 2013 - 1 A 3850/12 -, juris, marginal no. 24 f.).<br />
<br />
b) Thus, the order under item 4 of the decision of 23 November 2018, by which the plaintiff is to prove the dismantling of camera 1, is also unlawful.<br />
<br />
The basis for this instruction is Article 58(1)(a) DSGVO. According to this provision, each supervisory authority has all investigative powers enabling it to order the controller, the processor and, where applicable, the controller's or processor's representative to provide any information it requires for the performance of its tasks. However, since the dismantling order (point 2 of the decision) is unlawful, the - merely ancillary - order to provide proof of dismantling is also unlawful.<br />
<br />
3) The order of the defendant in paragraph 3 of the decision of 23 November 2018, according to which the plaintiff must limit data processing by camera 2 to the period outside the opening hours of the adjacent retail establishments, is lawful (a)). The Board also considers that there are no concerns (b)) regarding the order in paragraph 5 of the decision of 23 November 2018, which is intended to prove the limited recording times to the defendant. Camera 2 captures a part of the car park and the exterior façade of ....<br />
<br />
a) The order that camera 2 be operated only outside the opening hours of the adjacent shopping centre (point 3 of the decision) is lawful.<br />
<br />
The order may be assigned to the remedial power under Art. 58 para. 2 letter d DSGVO. Accordingly, the supervisory authority may order the controller to bring processing operations into compliance with the Regulation in a specified manner and within a specified period. This power should in principle cover any breach of the General Data Protection Regulation, i.e. any processing of personal data contrary to EU law (cf. BVerwG, judgement of 27 March 2019 loc. cit., juris, marginal no. 42 with further references).<br />
<br />
Video surveillance by camera 2 constitutes unlawful data processing insofar as it takes pictures during the opening hours of the adjacent retail businesses. To that extent, it does not constitute lawful data processing within the meaning of Article 6(1), first subparagraph, letter (f) of the DSGVO. Video surveillance by camera 2 is not required during the opening hours of these shops. During that period, there is no need to recognise a particular risk to the billboard which the applicant seeks to protect by means of video surveillance. In this respect, the above comments on camera 1 regarding the risk situation for the advertising boards apply accordingly. Moreover, during the opening hours of the shopping centre, the interests worthy of protection of the persons affected by the video surveillance with camera 2 outweigh the plaintiff's interest in the protection of his property. In this respect, it must be noted that a large number of very predominantly uninvolved persons who do not wish to impair the plaintiff's property are affected.<br />
<br />
Insofar as a special danger situation for the advertising boards outside the opening hours is to be recognised, however, the interests of the plaintiff in protecting his property outweigh this, so that camera surveillance is then to be regarded as lawful. In the case of persons who are on the car park premises outside the opening hours of the shopping centre, legitimate interests, such as the completion of purchases, are not obviously recognisable. There are therefore no compelling reasons, which outweigh the protection of the plaintiff's property, to stay on the plaintiff's premises during this time. At the same time, someone who is on the car park outside business hours - and thus mainly during night hours - is more likely to commit crimes than someone who uses the car park during opening hours.<br />
<br />
Discretionary errors are not evident. In particular, the defendant has complied with the principle of proportionality by limiting the time of camera surveillance to take account of the fact that a particular risk situation can only be recognised here outside the opening hours of retail establishments.<br />
<br />
b) The order under point 5 of the decision of 23 November 2018, according to which the plaintiff must provide evidence of the limited recording periods, is lawful.<br />
<br />
On the basis of Art. 58 (1) (a) DSGVO, the supervisory authority may, in order to effectively control its - lawful (see above) - basic decision (item 3 of the notice), demand that the plaintiff provide evidence of the limited operating and recording times of camera 2.<br />
<br />
4) The orders relating to cameras 3 and 4 to realign them (point 6 of the decision of 23 November 2018) (a)) and to prove this to the defendant (point 7 of the decision) (b)) are lawful. Camera 3 essentially captures the billboard and a small section of Federal Highway XXX, the railway line and a residential building. Camera 4 mainly films the other side of the billboard and a small section of the car park.<br />
<br />
(a) The order under point 6, according to which cameras 3 and 4 are to be aligned in such a way that the road, the car park and the residential building, which were previously partially filmed, no longer fall within the angle of coverage of the video cameras, is lawful.<br />
<br />
The order to align the camera in such a way that it no longer covers the street, the car park and the residential building can be assigned to the power of remedy under Article 58(2)(d) DSGVO (cf. BVerwG, judgement of 27 March 2019 loc. cit., juris, marginal no. 42).<br />
<br />
Illegal data processing exists if the angle of coverage of cameras 3 and 4 does not only cover the billboard. If only the billboard is filmed, no personal data is processed, so that data processing is unproblematic in terms of data protection. If, however, the street, the car park and the residential building are captured at the edge of the image section of the two cameras, personal data can be processed. This data processing is not justified under Art. 6 (1) subparagraph 1 letter f DSGVO.<br />
<br />
In this respect too, the need for video surveillance to protect the plaintiff's ownership of the billboard is already lacking. A special situation of danger can also be assumed here, at best outside the opening hours of the shopping centre. Furthermore, in view of the only very small picture section with which personal data can be recorded, it is doubtful to what extent the camera recordings are at all suitable to serve the protection of the plaintiff's advertising installation as intended by the plaintiff. Above all, however, the plaintiff himself declared at the hearing that he did not wish to record these peripheral areas with his camera surveillance at all. It was only for technical reasons that the two cameras could not be directed solely at the advertising boards. The plaintiff therefore does not intend to use cameras 3 and 4 either to process personal data or to protect his advertising installation. He therefore does not himself consider video surveillance by cameras 3 and 4 to be necessary to protect his advertising installations.<br />
<br />
Discretionary errors are not evident. In particular, the defendant exercised its discretionary power in accordance with the principle of proportionality. With regard to camera 3, a time limitation of the recording times to the opening hours of the retail outlets - in accordance with the order under no. 3 with regard to camera 2, which also films the car park - would also not be regarded as a milder means, since the plaintiff with camera 3 is primarily concerned with recording the advertising installation - for an unlimited period of time.<br />
<br />
b) The order under point 7 of the decision of 23 November 2018, according to which the plaintiff must prove the reorientation of camera 3 and camera 4, is lawful.<br />
<br />
On the basis of Article 58(1)(a) of the DSGVO, the supervisory authority may, in order to effectively control its - lawful (see above) - basic decision (point 6 of the decision), require the applicant to provide evidence of the reorientation of the two cameras.<br />
<br />
5) The threat of penalty payments in the event that the plaintiff does not implement the various orders by 15 December 2018 (item 9 of the decision of 23 November 2018) is unlawful and infringes the plaintiff's rights (§ 113 (1) sentence 1 VwGO).<br />
<br />
Pursuant to § 66 (1) sentence 3 of the Landesverwaltungsvollstreckungsgesetz - LVwVG - the threat of enforcement must specify a reasonable period of time to fulfil the obligation. Since the basic administrative acts under points 1 to 7 of the notice have not been declared immediately enforceable, an action has suspensive effect. Nor does the suspensive effect cease to apply for other (legal) reasons. In this case, the setting of a time limit must be linked to the date on which the basic ruling becomes final or enforceable; it is not permissible, however, to base the setting of a time limit on fixed dates determined by calendar (cf. OVG Berlin-Brandenburg, judgement of 22 April 2010 - OVG 11 B 9.09 -, juris, marginal no. 16 f.).<br />
<br />
The threat of coercive measures in this case is unlawful because the decision of 23 November 2018, in paragraph 8, set the plaintiff a deadline of 15 December 2018 to implement the various measures ordered. This deadline, which is fixed by calendar, is not linked to the date on which the decision becomes final and binding. Moreover, on 15 December 2018 the period for appeal had not even expired. Even the defendant's extension of the time-limit to 4 January 2019 does not remedy that error, since that time-limit was not linked to the date on which the decision becomes final either.<br />
<br />
The decision on costs follows from § 155 (1) sentence 3 VwGO.<br />
<br />
The ruling on the provisional enforceability of the judgment as to costs is based on § 167 VwGO in conjunction with §§ 708 et seq. of the Code of Civil Procedure - ZPO -.<br />
<br />
Order<br />
<br />
of the 1st Chamber of the Administrative Court of Mainz<br />
<br />
of 24 September 2020<br />
<br />
The value of the subject matter of the dispute is set at € 25,000.00 (§ 52 (1) and (2) of the Gerichtskostengesetz - GKG -).<br />
<br />
Reasons<br />
<br />
For the warning (item 1 of the decision of 23 November 2018) and the order of cessation and dismantling (item 2) with regard to camera 1, a sum in dispute of € 5,000 each (total € 10,000) was to be assessed. With regard to the orders under item 2, the Chamber assumed that € 3,750 (i.e. ¾ of the amount in dispute of € 5,000 for item 2) was to be set for the cessation of camera operation and € 1,250 (i.e. ¼ of € 5,000) for dismantling. For cameras 2, 3 and 4 and the associated further injunctions, an amount in dispute of € 5,000 (i.e. € 15,000 in total) was to be assessed for each camera. The threat of coercive measures did not increase the amount in dispute (cf. item 1.7.2 of the catalogue of amounts in dispute for administrative jurisdiction).<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=OVG_L%C3%BCneburg_-_2_ME_426/20&diff=12372
OVG Lüneburg - 2 ME 426/20
2020-11-23T22:04:42Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OVG Lüneburg<br />
|Court_With_Country=OVG Lüneburg (Germany)<br />
<br />
|Case_Number_Name=2 ME 426/20<br />
|ECLI=ECLI:DE:OVGNI:2020:1109.2ME426.20.00<br />
<br />
|Original_Source_Name_1=Niedersächsisches Landesjustizportal<br />
|Original_Source_Link_1=http://www.rechtsprechung.niedersachsen.de/jportal/portal/page/bsndprod.psml;jsessionid=D06B1CC9C4EB2AA0194CF0D1410561CD.jp11?doc.id=MWRE200004328&st=ent&doctyp=juris-r&showdoccase=1&paramfromHL=true#focuspoint<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=09.11.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 9(2)(e) GDPR<br />
|GDPR_Article_Link_1=Article 9 GDPR#2e<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=VG Osnabrück <br />
|Appeal_From_Case_Number_Name=6 B 73/20<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Agnieszka Rapcewicz<br />
|<br />
}}<br />
<br />
The Superior Administrative Court Lüneburg found that [[Article 9 GDPR #2e|Article 9(2)(e) GDPR]] allows the processing of personal data which the data subject has manifestly made public. In this case the Court held that the General Students' Committee (AStA) is entitled to critically examine in public views of a university employee which that employee has himself made public.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The complainant, as a private individual, is engaged in a citizens' movement in his city which, among other things, demands an immediate end to all coronavirus-related measures. The complainant has appeared as a speaker at meetings of the citizens' movement. In addition, he posted numerous contributions in the citizens' movement's chat group which were critical of masks, vaccination, 5G radiation, and the detection and threat of the Sars-CoV2 virus. The complainant also took part in a demonstration on 1 August 2020 in Berlin under the slogan 'End of the pandemic - Freedom Day'. In this context, he appeared on the same day as a guest on a talk show broadcast on YouTube, naming his employer (the university).<br />
<br />
In response to the above activities of the complainant, the General Students' Committee (AStA) of the university published on its homepage an article criticising the attitude of the complainant (an employee of the university) to the coronavirus pandemic. The article states, among other things, that there is no place at the university for a person who is hostile to science, publicly speaks out against all scientific knowledge about the existing pandemic and denies its threat, and thus, through his convergence with conspiracy theories and according to his own declarations, supports the AfD and the nationalist party.<br />
<br />
The complainant demanded that the publication of the above statements be discontinued, under threat of financial consequences. The General Students' Committee (AStA) did not comply with this request, so the complainant applied to the administrative court.<br />
<br />
Before the complaint was decided, the respondents slightly changed the content of the article. The Administrative Court Osnabrück dismissed the application and found that there was no unlawful infringement of the complainant's personal rights or of the provisions on personal data protection. The complainant appealed to the Superior Administrative Court Lüneburg.<br />
<br />
===Dispute===<br />
Was the General Students' Committee (AStA) entitled to publicly criticise the public statements of a university employee? Was the complainant defamed, or was data protection legislation breached?<br />
<br />
===Holding===<br />
The Court found the appeal to be unfounded and pointed out that the General Students' Committee (AStA) is entitled to critically examine in public views of a university employee which are assessed as conspiracy-theoretical - in this case on the coronavirus pandemic. This applies in any case if the university employee has made public statements with reference to his or her own activities at the university.<br />
<br />
==Comment==<br />
The Court pointed out that the applicant's behaviour is undoubtedly covered by freedom of expression in accordance with the Constitution. These fundamental rights, however, do not prevent the applicant from being criticised by student bodies and discussed in public. Anyone seeking publicity with controversial positions regarding their own membership of a university must, for their part, face criticism from the university committees set up for this purpose by law. <br />
<br />
In addition to finding that the allegations that the statements in the article were defamatory are unfounded, the Court found that there is no infringement of the provisions on personal data protection either. The complainant was unable to show that the processing of his personal data by the respondents might have been unlawful. In particular, the Court examined [[Article 9 GDPR #2e|Article 9(2)(e) GDPR]]. This provision exempts the processing of personal data which the data subject has manifestly made public from the general prohibition of processing under [[Article 9 GDPR#1|Article 9(1) GDPR]]. The Court held that [[Article 9 GDPR #2e|Article 9(2)(e) GDPR]] operates in favour of the respondents, since they used only information which the complainant had himself disseminated in publicly accessible sources. The GDPR regulates the protection of personal data. It does not protect against data which the data subject has made public himself and of his own free will being publicly discussed and used as a basis for drawing conclusions. <br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
PROCEDURE<br />
VG Osnabrück, 9 October 2020, Ref: 6 B 73/20, decision<br />
<br />
<br />
TENOR<br />
The applicant's appeal against the order of the Administrative Court of Osnabrück - 6th Chamber - of 9 October 2020 is dismissed.<br />
<br />
The applicant is ordered to pay the costs of the appeal proceedings.<br />
<br />
The value of the subject matter of the dispute is set at EUR 10 000 for the appeal procedure.<br />
<br />
REASONS<br />
I.<br />
<br />
1<br />
The applicant objects to an internet contribution on the homepage of the AStA of the University A-City, which critically examines his attitude to the Corona pandemic.<br />
<br />
2<br />
The applicant is head of the G. of the University and the Hochschule A-Stadt. As a private person, he is committed to the citizens' movement A-Stadt, which, according to his own account, is "an association of citizens* with their own opinions without party-political affiliation" and which, among other things, demands the immediate end of all corona measures. At meetings of the citizens' movement, the applicant appeared as a speaker; in addition, he posted numerous contributions in the telegram group of the citizens' movement, which critically deal with the topics of masks, vaccinations, 5G radiation as well as the detection and the danger of the Sars-CoV2 virus, among others. The applicant also took part in the demonstration on 1 August 2020 in Berlin under the motto "The end of the pandemic - Freedom Day". In this context, he appeared on the same day, naming his employer, as a guest on a talk show broadcast on YouTube.<br />
<br />
3<br />
On 1 September 2020, the General Students' Committee of the University of A-City took these activities as an opportunity for the student body, the respondent to 1, to publish a critical internet article about the applicant on its homepage. The article entitled "Corona Leugner & Conspiracy Ideologies at University and College", which continues to be publicly accessible, states, as far as relevant here, among other things:<br />
<br />
4<br />
"A person who, according to his own statements made in the telegram group of the citizens' movement, sympathises with the AfD and thus supports a völkisch nationalist party - allegedly of course only because of coincidental similarities in the chosen conspiracy theory - has no place in a scientific establishment. A person who is hostile to science and publicly speaks out against all scientific findings on the existing pandemic and denies its danger; someone who roams through Berlin and A-City together with esoterics, right-wing extremists, anti-Semites and Holocaust deniers belongs neither to a university nor to a college. Someone who obviously spreads or at least accepts anti-Semitic, right-wing and conspiracy ideological ideas can by no means possess the skills necessary to mediate between science and society".<br />
<br />
5<br />
This statement prompted the applicant to call upon the defendant (1) and the defendant (2), the financial officer of the AStA, to submit a declaration of cease and desist and a declaration of commitment subject to penalty by means of a lawyer's letter dated 10 September 2020. The defendants rejected this request.<br />
<br />
6<br />
On 18 September 2020, the applicant filed an application with the Administrative Court for a temporary injunction with the aim of prohibiting the defendants from repeating the following statements:<br />
<br />
7<br />
1) "A person who, according to his own statement made in the telegram group of the citizens' movement, sympathises with the AfD and thus supports a national party of the people...",<br />
<br />
8<br />
2) "Someone who travels through Berlin and A-City together with esoterics, right-wing extremists, anti-Semites and Holocaust deniers...",<br />
<br />
9<br />
3) "Someone who is obviously spreading, or at least accepting, anti-Semitic, right-wing and conspiracy ideological ideas..."<br />
<br />
10<br />
The defendants opposed this, but on 21 September 2020 amended the first sentence of the contribution as follows:<br />
<br />
11<br />
"A person who, according to his own statements made in the telegram group of the Citizens' Movement, sympathises with positions of the AfD and believes that the AfD is "the only German party" that does what he feels "as an absolute duty" and concludes with the words "Thank you AFD", thus thanking a völkisch nationalist party - allegedly of course only because of coincidental similarities in the chosen conspiracy theory - has no place in a scientific establishment.<br />
<br />
12<br />
The Administrative Court rejected the application by the challenged order of 9 October 2020. In any event, there was no claim for an injunction - in this case in the form of a public-law right to injunctive relief - because there was no unlawful violation of the applicant's general right of personality. The defendants had neither asserted untrue facts nor made value judgments which constituted inadmissible formal insults or abusive criticism. To that extent, the applicant had to accept the statements. Nor did data protection provisions constitute a basis for the claim. The applicant objects to this by lodging the complaint.<br />
<br />
II.<br />
<br />
13<br />
The admissible complaint is unsuccessful.<br />
<br />
14<br />
The reasons set out by the applicant, to which the Senate's examination is limited under Paragraph 146(4), sixth sentence, of the VwGO, do not justify a change in the Administrative Court's decision. The appeal does not effectively call into question the central reasons for that decision, in particular the finding that the claim for an order required under § 123.1 VwGO is lacking.<br />
<br />
15<br />
1) Whether the legal principles derived from the case-law of the Federal Constitutional Court on freedom of expression under Article 5(1), first sentence, of the Basic Law apply to the distinction which the Administrative Court, following a decision of the Higher Administrative Court for the Land of North Rhine-Westphalia (Oberverwaltungsgericht für das Land Nordrhein-Westfalen) (judgment of 23.4.1999 - 21 A 490/97 -, juris marg. no. 19), drew between admissible and inadmissible statements by the defendants, who are authorised to make statements in matters of higher education policy under Article 20(1) sentences 4 to 6 of the Higher Education Act, is a question the Senate leaves open for two independent reasons. Firstly, the applicant has not challenged these principles with his complaint, which alone is relevant under section 146(4) sentence 6 VwGO. Secondly, the challenged statements of the respondent to 1. prove to be correct even if a stricter standard is applied, according to which an official statement must firstly remain within the scope of competence of the party making the statement and secondly be subject to the requirement of objectivity (see BVerwG, decision of 11 November 2010 - 7 B 54.10 -, juris para. 14; judgment of 13.9.2017 - 10 C 6.16 -, juris, marginal no. 16 et seq.).<br />
<br />
16<br />
2) The applicant submits first of all that the first statement ("A person who, according to his own statement made in the telegram group of the citizens' movement, sympathises with the AfD and thus supports a national party of the people...") is, contrary to the opinion of the Administrative Court, not an expression of opinion but an untrue assertion of fact. This is not correct - irrespective of the fact that, given the defendants' much clearer differentiation, there is in any event no claim for an injunction with regard to the original statement for lack of a continuing infringement. As the Administrative Court has convincingly demonstrated, the statement that the applicant sympathises with the AfD and thus supports a völkisch nationalist party is an evaluative statement. Its core of facts - the support for the position of this party on compulsory masks at schools, expressed by the applicant in a telegram group and concluded with the words "In this case: Thank you, AfD" - is demonstrably correct. From this, the respondent deduces that the applicant sympathises with the AfD, i.e. shows affection or support for this party. This is neither defamatory nor disparaging, nor does it fail to reflect the core facts in an appropriate and justifiable manner (see BVerwG, decision of 11 November 2010 - 7 B 54.10 -, juris para. 14). Insofar as the applicant argues that by saying "in this case" he had incidentally distanced himself from the political content of the AfD, this conclusion is by no means compelling. On the contrary, the very fact that the applicant not only emphasises the position that compulsory masks should be rejected in schools, but also emphasises the position of the AfD on this and mentions the party by name and praises it, means that the defendants' assessment appears to be justifiable. 
Concerns regarding the defendants' assessment that the AfD is völkisch-nationalist in orientation are not set out in a manner sufficient under § 146.4 sentence 3 VwGO.<br />
<br />
17<br />
3) The applicant challenges the finding of the Administrative Court that the second statement ("Someone who travels through Berlin and A-City together with esotericists, right-wing extremists, anti-Semitic persons and Holocaust deniers") is, at least in essence, a true statement of fact. The Administrative Court has stated in detail and with concrete evidence that the applicant appeared at rallies of the A-Stadt citizens' movement. It further stated that members of that movement adhered to crude conspiracy theories - contrary to the applicant's view, there was no need for a more detailed definition of that generally accepted and sufficiently clear-cut term - and disseminated them on the internet. In addition, the Court referred to the applicant's participation in the rally in Berlin on 1 August 2020 and examined the circle of participants at that event in more detail. Against this background, the objection that the Administrative Court overlooked that the alleged fact must be proven to be true is beside the point. On the contrary, the Administrative Court has, within the scope of its duty of official investigation, satisfied itself in a comprehensible manner of the truth of the core of the facts; the Senate adopts this reasoning pursuant to § 122 (2) sentence 3 VwGO to avoid repetition.<br />
<br />
18<br />
Without success, the applicant submits that the telegram group of the citizens' movement also shares information that is not conspiracy theoretical. This may be true, but it does not change the fact that - the DVD submitted by the defendants provides a large amount of additional evidence - conspiracy theories or positions that could be described as "esoteric" are espoused there to a considerable extent. In this respect, the applicant's telegram contributions on the "causation of corona" by 5G radiation (forwarded mail of 23.7.2020) and on vaccines disguised as corona test swabs (forwarded mail of 25.7.2020) speak for themselves. The defendants have not claimed that all members of the citizens' movement share such positions.<br />
<br />
19<br />
The applicant's abstract considerations concerning the legal significance of the "sharing" of third-party information are beside the point. What was decisive for the assessment of the Administrative Court was the fact that conspiracy-theoretical ideas occupy a large part of the telegram group of the citizens' movement. That this took place in a distancing manner is neither demonstrated nor evident.<br />
<br />
20<br />
The fact that members of the telegram group of the citizens' movement, which acted as organiser and called for the demonstrations in A-city, took part in the demonstrations is obvious in a way that makes further explanations by the Administrative Court unnecessary. Moreover, the applicant does not state in a manner sufficient to satisfy § 146.4 sentence 3 VwGO that this could have been otherwise.<br />
<br />
21<br />
With regard to the demonstration in Berlin on 1 August 2020, the article quoted by the Administrative Court on the ARD website (https://www.tagesschau.de/inland/corona-demo-polizei-101.html, last accessed on 5 November 2020) clearly shows that right-wing extremists marched there. The carrying of Reich war flags and the wearing of T-shirts with relevant imprints readily suggests a right-wing extremist attitude, which is regularly accompanied by denial of the Holocaust and anti-Semitic attitudes. Whether the applicant noticed this is irrelevant; the Administrative Court rightly held that the defendants had not made an allegation to that effect.<br />
<br />
22<br />
It is justifiable that the respondent to 1. connects its statement, as the applicant himself understood it according to his submissions in the appeal proceedings, with the view that one bears responsibility for the company one keeps. Even before the demonstration in Berlin, there was a broad discussion about the fact that the protests against the corona-induced restrictions on freedom were accompanied, supported and possibly also instrumentalised by right-wing extremists. In a democratic constitutional state, this need not prevent anyone from attending such a demonstration nonetheless. At the same time, however, no one can claim that this should not be publicly discussed by third parties.<br />
<br />
23<br />
4) The attacks on the classification of the third statement ("Someone who is obviously spreading or at least accepting anti-Semitic, right-wing and conspiracy ideological ideas...") as a valuation based on a core of facts are also mistaken. The Administrative Court pointed out that the applicant had advertised in the Telegram group for an "Express-Zeitung", the lead of which is headed by the words "Corona hysteria without evidence". The court also referred to the sharing of a contribution on the effects of 5G radiation, which takes up conspiracy myths of the QAnon movement. The fact that the applicant disseminated that content, that is to say, drew the attention of third parties to it, is obvious. There is no other way to characterise the reproduction and linking of the contributions in his own posts.<br />
<br />
24<br />
According to the Administrative Court, the defendants' assessment that the applicant had at least accepted these statements is based on this. The applicant submits that that conclusion is inadmissible because he did not make any observations to that effect. With regard to the "Express-Zeitung", this is manifestly not true; the applicant advertised for the newspaper with the words: "Absolutely watch and disseminate", thereby expressing a positive attitude. Moreover, the very selection of the articles disseminated shows that the applicant considers them to be relevant and worth reading.<br />
<br />
25<br />
To the extent that the applicant further claims that the Administrative Court had to prove to him an anti-Semitic attitude and his own postings with right-wing and conspiracy ideological content, this is not true. The defendants have not made any such allegations.<br />
<br />
26<br />
5) The applicant also does not effectively question the assessment of the Administrative Court that the statements objected to are not to be considered as abusive criticism, given their connection to the matter at hand. It is true that conspiracy theorists, right-wing extremists, Holocaust deniers and anti-Semites are ostracised in society, albeit to varying degrees. Against this background, it is objectively all the more justified that the respondent to 1., on the basis of its mandate under § 20.1 NHG, takes a critical look at the fact that an employee of a public university, i.e. an academic institution, at least in one case, consciously or unconsciously, enters the society of such a group of people with reference to his or her activities and spreads the positions of such people. Nor does such a critical statement exceed the framework set by the requirement of objectivity. The applicant's conduct is without doubt covered by the freedom of opinion under Article 5 (1) sentence 1 of the Basic Law and the freedom of assembly under Article 8 (1) of the Basic Law. However, these fundamental rights do not protect him from his conduct being viewed critically by the student bodies and publicly discussed. Anyone who seeks publicity with controversial positions with reference to his or her own affiliation to a university must, for his or her part, face criticism from the university committees appointed for this purpose under the statutory regulations.<br />
<br />
27<br />
6) Data protection legislation does not help the complaint to succeed either. In so far as the applicant relies on Article 17 in conjunction with Article 9(1) of the General Data Protection Regulation (DSGVO), which is applicable here (only) by virtue of Paragraph 2(2)(c) of the NDSG, he fails, contrary to Paragraph 146(4), third sentence, of the VwGO, to substantiate that the data processing by the defendants could have been unlawful. There would have been reason, in particular, for a more detailed examination of Article 9(2)(e) DSGVO. This provision exempts the processing of personal data which the data subject has manifestly made public from the fundamental prohibition on processing under Article 9(1) DSGVO.<br />
<br />
28<br />
Irrespective of the lack of substantiation, Art. 9 para. 2 lit. e) DSGVO applies in favour of the defendants. They only use information which the applicant has himself disseminated in generally accessible sources. Insofar as the applicant merely states that he has not himself claimed to sympathise with the AfD, to associate with esoterics, right-wing extremists and anti-Semitic persons or even Holocaust deniers, or to disseminate or at least accept obviously anti-Semitic, right-wing and conspiracy ideological ideas, this does not go far enough. The General Data Protection Regulation regulates the protection of personal data; it does not therefore protect against data made public by the data subject himself or herself and of his or her own free will being publicly discussed and used as the basis for evaluative conclusions. In view of this, the question of whether - as the defendants submit - Article 17(3)(a) DSGVO also precludes the claim being asserted is irrelevant.<br />
<br />
29<br />
7) Finally, in so far as the applicant raises a 'procedural complaint' alleging that he was not aware of the DVD sent by the defendants as part of the administrative procedure before the decision of the Administrative Court, it can be left open whether there was an infringement of the right to be heard. In the appeal proceedings, the Senate granted access to the file, thus giving the applicant the opportunity to comment on the content of the DVD.<br />
<br />
30<br />
8) Against this background, the other questions - in particular the existence of a ground for an order and the highly questionable passive legitimacy of the defendant (2) - are no longer relevant.<br />
<br />
31<br />
The decision on costs is based on § 154 (2) VwGO.<br />
<br />
32<br />
The determination of the amount in dispute follows from Sections 53 (2) No. 1, 52 (1) GKG; like the Administrative Court, the Senate follows the applicant's proposal, which does justice to the importance of the case.<br />
<br />
33<br />
This decision is unappealable (§§ 152 (1) VwGO, 68 (1) sentence 5, 66 (3) sentence 3 GKG).<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_17/01281&diff=12371
Datatilsynet (Norway) - 17/01281
2020-11-23T22:02:20Z
<p>Hk: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Norway<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoNO.png<br />
|DPA_Abbrevation=Datatilsynet<br />
|DPA_With_Country=Datatilsynet (Norway)<br />
<br />
|Case_Number_Name=17/01281<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Personvernnemda (in NO)<br />
|Original_Source_Link_1=https://pvn.no/pvn-2020-11<br />
|Original_Source_Language_1=Norwegian<br />
|Original_Source_Language__Code_1=NO<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Decided=16.09.2020<br />
|Date_Published=16.09.2020<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1f<br />
|GDPR_Article_2=Article 58(2)(b) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#2b<br />
<br />
<br />
<br />
|Party_Name_1=Datatilsynet<br />
|Party_Link_1=https://www.datatilsynet.no/<br />
|Party_Name_2=Privacy Appeals Board<br />
|Party_Link_2=https://pvn.no/<br />
|Party_Name_3=Community missionary organization (anonymized)<br />
|Party_Link_3=https://www.datatilsynet.no/<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Appealed - Overturned<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Rie Aleksandra Walle<br />
|<br />
}}<br />
<br />
The Norwegian Privacy Appeals Board (Personvernrådet) overturned the Norwegian DPA's (Datatilsynet) decision to reprimand a local missionary organization for its use of private camera surveillance footage, finding that the processing had a legal basis under Article 6(1)(f) GDPR.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The Norwegian DPA (Datatilsynet) had issued a reprimand to a local missionary organization for what the DPA said was unlawful use of private camera surveillance footage (i.e. lacking a legal basis for processing under Article 6(1)(f) GDPR). The Norwegian Privacy Appeals Board (Personvernrådet) overturned this decision, as it concluded that the missionary organization did indeed have a legal basis under Article 6(1)(f) GDPR to process the personal data in question.<br />
<br />
The case revolved around neighbours A and B, who had a conflict. B had installed camera surveillance on her property and some footage revealed A's seemingly harassing behaviour towards B. B shared this footage with C, a deputy member of the board of a local missionary organization, where A was a board member. C further involved D, the chairman of the organization. Based on the footage they'd viewed, C and D questioned if A was suited to be a member of the board. They presented the footage to A and her husband (whom A had requested to be there), and following some discussions, A withdrew from the board. A then submitted a complaint to the DPA, for what she felt was unjust and unlawful processing of her personal data in the surveillance footage. <br />
<br />
The question was consequently: did the missionary organization have a legal basis under Article 6(1)(f) GDPR to process the footage?<br />
<br />
The DPA held that it did not, after reviewing the three elements of the legitimate interest test: 1) the DPA concluded that the missionary organization had a legitimate interest in processing the personal data; 2) the DPA held, however, that the processing was *not* necessary to achieve this interest; and therefore 3) the balancing test should go in favour of the data subject (in this case "A"). Thus, the DPA concluded that the conditions for relying on Article 6(1)(f) GDPR were not fulfilled.<br />
<br />
The Norwegian Privacy Appeals Board, by contrast, considered that the second condition (necessity) was indeed fulfilled, as it was deemed necessary to view the footage. In addition, it considered that there was little harm to A, as the footage was only viewed by C, D, A herself and her husband (at her request). <br />
<br />
===Dispute===<br />
Was the DPA's decision to reprimand the missionary organization for lack of a legal basis correct?<br />
<br />
===Holding===<br />
The Norwegian Privacy Appeals Board (Personvernrådet) held that the missionary organization had a legal basis under Article 6(1)(f) GDPR to process the personal data in question.<br />
<br />
==Comment==<br />
In this case, 6 out of 7 members of the Norwegian Privacy Appeals Board (Personvernrådet) agreed to overturn the DPA's decision, while the remaining member argued in favour of upholding it.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.<br />
<br />
<pre><br />
Decision of the Privacy Board 16 September 2020 (Mari Bø Haugstad, Bjørnar Borvik, Gisle Hannemyr, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem)<br />
<br />
The case concerns an appeal from X Mission Assembly on the Data Inspectorate's decision of 19 March 2020, where the Authority gave the mission assembly a reprimand for having processed personal data from camera recordings illegally, cf. Article 58 no. 2 letter b.<br />
<br />
Background to the case<br />
<br />
The case has its background in a neighbor conflict (border dispute) between A and her former neighbor B. B felt harassed by A and when in 2016, after three years, she sold the house and moved from the place, she contacted a deputy (C) on the board of the missionary assembly, of which A was a board member. B informed the person in question about what she perceived as harassing behavior from A. B also sent five camera recordings where A was pictured and which B thought showed the harassing behavior. C then involved D in the case, because he was chairman of the missionary assembly.<br />
<br />
D and C had several meetings with A in November and December 2016 where the camera footage was a topic. One of the film clips allegedly shows A where she pulls up a plant in the neighbor's garden, twists the roots of the plant, and puts it back in the soil. D and C questioned A's suitability to sit on the mission assembly board based on what the footage showed. A resigned from the board after what she perceived as pressure from the members of the management, when they announced that they would bring the matter before the entire board.<br />
<br />
The parties disagree on the facts of the case, including who harassed whom.<br />
<br />
A contacted the Data Inspectorate in November 2018 and asked for help for what she perceived as very unfair treatment of her by the mission assembly. She stated that B had sent several recordings from her private camera surveillance in which A is pictured to the mission assembly, and that the mission assembly stored these recordings.<br />
<br />
The Data Inspectorate asked the mission assembly to report on the reception, storage and use of the relevant camera recordings on 22 August 2019 and urged the inquiry on 22 October 2019. The mission assembly, through Chairman D, gave an e-mail report to the audit on 1 November 2019. The Data Inspectorate also has had telephone contact with both parties after this to get the case adequately informed.<br />
<br />
For its decision, the Norwegian Data Protection Authority has assumed that the film footage was sent to, and received by C and D, on behalf of the mission assembly. The recordings were stored and viewed by the mission assembly chairman (D) and another board member (C) of the mission assembly, as well as shown to A and her husband. The camera footage was not shown to other members and was deleted, most recently during 2017.<br />
<br />
The Data Inspectorate sent the mission assembly a notice of a decision on reprimand on 21 January 2020.<br />
<br />
The Mission Assembly submitted its comments on the notification by e-mail to the Norwegian Data Protection Authority on 2 March 2020. A submitted its comments by e-mail to the Authority on 17 March 2020.<br />
<br />
The Data Inspectorate informed the mission assembly of such reprimand on 19 March 2020:<br />
<br />
«1. The mission assembly has illegally processed A's personal information by collecting and storing recordings from private camera surveillance that depicts her. The business lacked a legal basis under the Privacy Ordinance Article 6 No. 1 letter f for this processing.<br />
<br />
Our legal basis for decisions on reprimands is the Privacy Ordinance, Article 58, No. 2, letter b. ».<br />
<br />
The Mission Assembly appealed the decision on 6 April 2020. The Authority assessed the appeal, but upheld its decision. The case was sent to the Privacy Board on 9 June 2020. The parties were informed of the case in a letter from the board, and were given the opportunity to comment. Neither party has submitted any comments.<br />
<br />
In a letter dated 4 August 2020, the Tribunal requested the Data Inspectorate for an additional statement related to the Authority's assessment of what a reprimand pursuant to the Privacy Ordinance, Article 58, No. 2, letter b, shall be assessed as administrative law. The Norwegian Data Protection Authority issued such an additional report in a letter on 18 August 2020.<br />
<br />
The case was discussed at the tribunal's meeting on 7 September 2020. The privacy tribunal had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Gisle Hannemyr, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg and Hans Marius Tessem. Secretariat leader Anette Klem Funderud was also present.<br />
<br />
The Missionary Assembly's views on the matter in brief<br />
<br />
It is C and D who must be responsible in this matter, not the missionary assembly.<br />
<br />
C, who was then a deputy member of the board, was contacted in the summer of 2016 by B, who felt she was being harassed by her neighbor A. C then involved D because he was chairman of the mission assembly. D contacted B, who sent him five recordings showing some of what B accused A of. D watched the footage.<br />
<br />
D and C did not want to involve the board and therefore contacted A directly to hear her version of the case. They met A several times on November 20, 2016 and showed the footage that A and her husband wanted to see. The purpose of using the films was to show A what she was accused of, and how this was documented, in the most gentle way possible. It was then necessary to meet A and show her the films. Apart from this, the films have not been treated in any way, nor have they been used "repeatedly in confrontation with complaints", as the Data Inspectorate assumes. It was never threatened to show the film footage to the board. A's privacy is therefore not violated. The Norwegian Data Protection Authority used incorrect information as a basis for assessing the reprimand. D and C never threatened A to show the recording to the rest of the mission board.<br />
<br />
D and C also met A on December 12, 2016, where they asked if she could see this case in connection with her role as a board member in the mission assembly. D experienced that A did not tell the whole truth and they eventually saw themselves forced to take up the matter in the board. Then A resigned as a board member.<br />
<br />
The e-mail correspondence between D and A shows that there has always been a good tone between them.<br />
<br />
The films were not shown or distributed to others. C deleted the e-mail with the camera footage towards the end of 2016 or early 2017. D deleted the e-mail with the film footage during 2017.<br />
<br />
The Norwegian Data Protection Authority has processed the case in accordance with the Privacy Ordinance, which became part of Norwegian law from 20 July 2018, ie approximately 20 months after the alleged breach of A's privacy took place. Questions are asked about the Authority's choice of law.<br />
<br />
In the decision, the Norwegian Data Protection Authority errs in its assessment of the regulations. The Authority first concludes that the mission assembly had a legitimate interest in obtaining the information, but then states that the purpose could have been achieved in a less intrusive way than by obtaining and storing the footage from the private camera surveillance. The two sentences contradict each other.<br />
<br />
In any case, the rules on error of law are invoked. D and C acted in good faith, with the best intentions for all parties, and were not aware that the actions could be in violation of applicable Norwegian law.<br />
<br />
A's view of the matter in brief<br />
<br />
B sent the private film footage to D and C after B had moved from the home. She made false allegations about A, which D and C adopted. D and C then used the film footage against her and questioned her suitability to sit on the board and threatened to show the film clips to the rest of the board. She was pushed out of the board in the mission meeting by the board chairman and deputy, who came to her door. She felt compelled to watch the footage that D and C brought. The showing of the footage to her and her husband constituted the unlawful disclosure of her personal information.<br />
<br />
A herself brought the matter before the board, which the minutes from the board meeting on 4 September 2017 confirm.<br />
<br />
A and her husband know that the footage was shown to others and spread throughout the local community, something she holds C, D and the missionary assembly accountable for.<br />
<br />
D also used the content of the footage against her in a meeting with the top leaders of the mission organization, without the films being shown.<br />
<br />
D and C present the case in a completely different way, and the attempt to embellish what they have done is offensive, intrusive and destructive. She and her husband were squeezed out of a Christian community and are considering moving, even though they have lived at X all their lives. They feel that they have been made to run a public gauntlet in the small community where everyone knows everyone. After this, she feels that her life is ruined.<br />
<br />
The Data Inspectorate's assessment<br />
<br />
A reprimand is a corrective measure that the Data Inspectorate has the authority to impose in accordance with the Privacy Ordinance Article 58 no. 2 letter b. The reprimand given in this case is to be regarded as an individual decision that gives the parties a right of appeal under the Public Administration Act.<br />
<br />
The collection, storage and deletion of the five film recordings took place before the Privacy Ordinance entered into force on 20 July 2018. The case will be assessed in accordance with the Privacy Ordinance as this was valid at the time of decision on 19 March 2020, and this case is not a decision on infringement fees. This presumably follows from the transitional rules in the Personal Data Act 2018 § 33, cf. the Privacy Board's decision PVN-2018-14. This also has support in the preparatory work for a new Personal Data Act.<br />
<br />
Collecting and storing film clips in which individuals are depicted constitutes a processing of personal data, cf. the Privacy Ordinance, Article 4, No. 2.<br />
<br />
The Data Inspectorate assumes that D and C acted as chairman of the board and board member, respectively, on behalf of the mission assembly in the case, as the purpose was to assess the complainant's suitability to sit on the board. The mission assembly is therefore responsible for the processing, cf. Article 4 (7) of the Privacy Ordinance.<br />
<br />
It is further assumed that the films have not been distributed to anyone other than D and C, and that they have only been shown to A and her husband during one of the meetings between the four.<br />
<br />
The relevant basis for processing in this case is the Privacy Ordinance, Article 6 (1) (f), which stipulates that an undertaking may process personal data if this is necessary to safeguard a legitimate interest that outweighs the interests of the individual's privacy.<br />
<br />
The question is whether the missionary assembly had a legal basis for processing under the Privacy Ordinance, Article 6, paragraph 1, letter f, when they obtained and stored the clips from B's private camera surveillance.<br />
<br />
The first condition that must be met for processing to be lawful is that the missionary assembly had a "legitimate interest" in processing the information. The mission assembly has reported that the clips were used for the purpose of assessing A's suitability for her position on the board. Board positions presuppose trust in the organization in question, and it will be an important interest for organizations to be able to obtain relevant personal information in order to assess the suitability of board members. The missionary assembly thus had a "legitimate interest" in obtaining the information.<br />
<br />
The next condition is whether the relevant processing of the complainant's personal data was "necessary" to achieve the purpose. The mission assembly obtained and stored clips from private surveillance cameras that, among other things, depict A in a difficult situation characterized by a long-term neighbor conflict. The film clips were then shown to the complainant once, on 20 November 2016. The content of the films was then discussed between the representatives of the mission assembly and A during a meeting later in the day on 20 November, and then at the meeting on 12 December 2016, which ended with A withdrawing from the board.<br />
<br />
The Data Inspectorate believes that the mission assembly could have achieved its purpose in a less intrusive way than by obtaining and storing the recordings. The film clips originate from private camera surveillance without connection to the mission assembly's activities, and A therefore had no reasonable expectation that the mission assembly would process this personal information about her. The information is of such a private nature that it would have been sufficient to document the content in writing, and then discuss this with C before any consideration by the board. The mission assembly's collection and storage of the film clips therefore constituted a more intrusive processing of personal data than was necessary to assess A's suitability.<br />
<br />
Regardless of whether the requirement of necessity is met or not, the consideration of the complainant's privacy will outweigh the organization's need to collect and store the recordings due to their private nature, cf. Article 6 no. 1 letter f (balancing of interests).<br />
<br />
There is no "mutual contradiction" in the Authority's assessment, as the Mission Assembly claims.<br />
<br />
The conditions for a valid basis for processing pursuant to Article 6 (1) (f) of the Privacy Ordinance are not met.<br />
<br />
The Missionary Assembly cannot be heard with its allegation of error of law.<br />
<br />
On the basis that the information has now been deleted and the conduct from the mission board has ceased, the Data Inspectorate finds it most appropriate to issue a reprimand to the mission assembly, cf. the Privacy Ordinance Article 58 no. 2 letter b.<br />
<br />
The Privacy Board's assessment<br />
<br />
The collection, storage and deletion of the five film recordings took place before the Privacy Ordinance entered into force on 20 July 2018 and the Mission Assembly has stated that the case shall be processed in accordance with the Personal Data Act as it stood at the time of action.<br />
<br />
The Personal Data Act 2018 has transitional rules in § 33. It follows from this provision that the rules on the processing of personal data that applied at the time of action shall be used as a basis when a decision on infringement fees is made, unless the legislation at the time of the decision leads to a more favorable result for the data controller. In this case, there is no question of imposing an infringement fee, and it then follows from the Personal Data Act 2018 § 33 that it is the law, as it reads at the time of the decision, that shall form the basis for the Privacy Board's decision.<br />
<br />
This is also discussed in the preparatory work for the Personal Data Act 2018, Prop. 56 LS (2017-2018) page 196, where the Ministry states, among other things, the following:<br />
<br />
«There will be a number of cases pending before the supervisory authority and the Privacy Board at the time of the entry into force of the new Personal Data Act. The regulation does not contain any transitional provisions that regulate the processing of such cases. The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to be made on the basis of the substantive rules in force at any given time.»<br />
<br />
For the sake of clarity, it is noted that when it came to receiving, storing and using recordings from camera surveillance, this was under the 2000 Act regulated by § 8 letter f. The same substantive rules are now given in the Privacy Ordinance Article 6 No. 1 letter f.<br />
<br />
Like the Data Inspectorate, the tribunal assumes that the mission assembly is responsible for the use and storage of the private camera footage they received from B and which contained footage of A, cf. the Privacy Ordinance, Article 4, No. 2 and No. 7. As the tribunal understands the facts, the actual collection of the camera footage was not initiated by the missionary assembly. B himself initiated the disclosure of his camera recordings and is thus responsible for the processing of personal data that this represents. The processing of personal data that the disclosure of the camera footage entails does not form part of this case. The tribunal assumes that D and C acted on behalf of the missionary assembly and also had the authority to do so by virtue of their positions on the board. The tribunal refers to the Data Inspectorate's justification, which is accepted.<br />
<br />
The next question is what a "reprimand", cf. Article 58 (2) (b) of the Privacy Ordinance, is to be regarded as, from a legal point of view. If the reprimand is to give the mission assembly the right to appeal, the reprimand must be regarded as an individual decision, cf. the Personal Data Act § 22 second paragraph, cf. the Public Administration Act § 2.<br />
<br />
Individual decisions are defined in the Public Administration Act § 2, first paragraph, letters a and b. According to letter a, a decision is «a decision made in the exercise of public authority and which in general or specifically determines the rights or obligations of private persons». The question is therefore whether a decision ("reprimand") from the Data Inspectorate, in which it is established that there has been a violation of the Personal Data Act but no order or infringement fee is imposed, partly because the illegal processing has ceased, is a reaction that determines rights and duties for the data controller.<br />
<br />
In Prop. 62 L (2015-2016) «Amendments to the Public Administration Act, etc. (administrative sanctions, etc.)» section 15.5.1, the Ministry of Justice discusses formal warnings:<br />
<br />
«Some administrative bodies have the authority to issue formal warnings on the basis of an explicit law or regulation. Such warnings are referred to in the legislation mainly as warnings, but other terms are also used, for example «written reprimand» (the Execution of Sentences Act § 40 second paragraph letter a). Such warnings can be divided into two main categories, but there can be smooth transitions between the categories.<br />
<br />
First, there are provisions where the warning appears as a condition for a (possible) later reaction. Secondly, there are provisions where the warning appears as an independent reaction to offenses. That the warning is intended as a more independent reaction is often apparent from the context in the legislation, and will often be emphasized in the preparatory work for the law.»<br />
<br />
Furthermore, the ministry states:<br />
<br />
"As mentioned, the term formal warning does not have an unambiguous definition in current legislation. Whether something that is called a warning by the administration or with related terms must be regarded as an individual decision according to the definition in the Public Administration Act § 2 first paragraph letter b, cf. letter a, depends on a closer assessment of the warning's content and effects. As far as one builds on the definition of formal warning that has been used as a basis, the starting point must be that formal warnings are regarded as individual decisions. The Ministry points out in particular that such warnings imply a finding that the law has been violated. Often, there will also be a legal basis for sanctions against the type of offense in question, either in the form of administrative sanctions or penalties. Thus, it could be a significant burden to have a formal warning directed at you. In some cases, the special legislation explicitly decides whether the warning is to be regarded as an individual decision, cf. for example on the one hand the Dog Act § 18 fifth paragraph last sentence (not individual decision) and on the other hand the Health Personnel Act § 56 last paragraph and the Pharmacy Act § 8-4 second paragraph (individual decision).<br />
<br />
Even if a warning should not be regarded as an individual decision, certain requirements may apply to the case processing. For example, in some cases concerning non-binding statements, the Civil Ombudsman has set certain requirements for adversarial proceedings, see Somb-2008-48. "<br />
<br />
Article 58 (2) of the Privacy Regulation distinguishes between various "corrective measures". According to letter a, the supervisory authority may issue warnings that a planned processing activity is likely to be in breach of the regulation. According to letter b, the supervisory authority may issue reprimands, and in the other letters c to j, authority has been given to issue various orders, as well as to impose infringement fines. It is the supervisory authority that in the first instance decides which corrective measure is appropriate when it finds that personal data has been processed in violation of the regulation. When the Data Inspectorate in this case concluded that the data controller did not have a processing basis for its use of the received camera recordings, the Data Inspectorate could choose an appropriate response: reprimand or infringement fine. The fact that the reprimand entails a formal finding that the mission assembly has processed personal data illegally indicates that the reprimand is to be considered an individual decision, so that the mission assembly is given the right to have the basis for the reprimand tried by the appeal body.<br />
<br />
Previously found violations of the Privacy Ordinance may also be relevant for the imposition of infringement fines for repeated offenses, cf. the Privacy Ordinance Article 83 no. 2 letter e. This also indicates that the reprimand must be considered as an individual decision.<br />
<br />
The burden that a formal reprimand entails and considerations of the legal security of the data controller indicate that the data controller should be given the opportunity to appeal against a reprimand issued. This is also supported by the fact that the Data Inspectorate itself has regarded the reprimand as a decision and has provided information to the data controller on the right to appeal.<br />
<br />
Following this, the tribunal assumes that the Data Inspectorate's reprimand issued to the data controller is an individual decision that gives a right of appeal under the Public Administration Act.<br />
<br />
The tribunal then proceeds to assess whether the mission assembly's processing of personal data, collected through the use of camera surveillance, has taken place in accordance with the rules in the Privacy Ordinance.<br />
<br />
Initially, the tribunal notes that the Data Inspectorate refers to the mission assembly's receipt of the camera footage as the collection of personal information. In that case, it would presuppose that the mission assembly is also responsible for the collection of the recordings. The tribunal does not consider this an apt description, cf. the tribunal's assessment above, where it is assumed that the handover of the recordings was initiated by B. In any case, the mission assembly's storage and use of recordings from camera surveillance, where identifiable individuals are depicted, will be a processing of personal data, cf. the Privacy Ordinance Article 4 no. 2. For this processing of personal data, the mission assembly is the responsible party.<br />
<br />
Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a legal basis for processing. The tribunal agrees with the Norwegian Data Protection Authority that the only possible basis for processing the mission association's processing of personal data in this case is Article 6 no. 1 letter f (necessary to safeguard a legitimate interest).<br />
<br />
Article 6 (1) (f) authorizes the processing of information on the basis of a balance of interests. The law's requirement that the processing must be necessary for purposes related to the data controller's legitimate interest means that the interest safeguarded by the data controller must be lawful and actually justified in the business. Both legal, financial and non-material interests may be justified, cf. the Privacy Council's "Guidelines 3/2019 on processing of personal data through video devices", section 18. The necessity condition further entails a requirement that the purpose cannot be achieved in a less privacy-intrusive manner.<br />
<br />
The legitimate interest of the data controller shall then be weighed against the interests of the data subject and fundamental rights and freedoms. If these interests are considered to take precedence and demand protection of the personal data, the legitimate interest of the data controller will have to give way.<br />
<br />
As also pointed out by the Data Inspectorate in the Authority's decision, the Data Inspectorate's, and thus also the Privacy Board's, task is to exercise control in accordance with the Personal Data Act and the ordinance. This means that it is the mission assembly's use of the footage received from the camera surveillance that is being considered in this case, not the conflict between A and B, or the conflict between A and the mission assembly, including whether there were sufficient grounds to ask A to withdraw from the board of the missionary assembly.<br />
<br />
The tribunal assumes that the purpose of using the sent film footage was to clarify the correctness of the content of the notification the mission assembly had received about harassing behavior on A's part. The mission assembly considered it necessary to investigate the actual circumstances related to the notice in order to assess A's suitability for her position on the board. Board positions presuppose trust in the organization in question, and it is in principle a legitimate interest to obtain and use personal information that can say something about the board members' suitability for the position. In this case, the chairman and a deputy member of the board had been made aware of serious allegations of harassment made against one of the board members of the assembly. It was therefore necessary to investigate these allegations in more detail, and the tribunal agrees with the Norwegian Data Protection Authority that the mission assembly therefore had a legitimate interest in clarifying whether the description of the harassing behavior was correct.<br />
<br />
The question for the tribunal is whether the mission assembly's storage and use of the received film footage was necessary to safeguard this legitimate interest of the mission assembly or whether the consideration of A and her right to privacy takes precedence and requires protection of the information.<br />
<br />
In this balancing of interests, the tribunal has been divided into a majority and a minority.<br />
<br />
The majority of the tribunal consisting of the members Haugstad, Borvik, Graasvold, Coll, Blinkenberg and Tessem has come to the conclusion that the mission assembly had a basis for processing in the Privacy Ordinance article 6 no. 1 letter f to store and view the received film footage.<br />
<br />
In the majority's view, it was a prudent assessment by the chairman of the mission assembly and the deputy board member that they chose to watch the sent footage after receiving notice of harassing behavior from one of the board members. It represents a proper treatment of the notice received that they made sure to clarify whether the recording showed actions that there was reason to raise with A. In the majority's opinion, this was a necessary clarification before D and C decided what to do next with the notice. The majority understands that this was an unpleasant situation for A, but the situation would most likely not have been less unpleasant if she had been presented with completely undocumented accusations. Since the film recording was then only shown to A and her husband (who participated at A's own request), there has been no further dissemination of the information to anyone other than those who were already familiar with the content of the recordings. The breach of privacy this represents for A is therefore considered to be small, which must be given weight in the balance of interests to be made in accordance with Article 6, paragraph 1, letter f.<br />
<br />
In the majority's view, the mission assembly's storage and use of the received film footage was necessary to safeguard the legitimate interest of the mission assembly, and the consideration for A's privacy does not take precedence in a balancing of the various interests.<br />
<br />
As the processing was, in the majority's view, lawful, there is no basis for issuing any reprimand.<br />
<br />
The tribunal's minority consisting of member Hannemyr agrees with the Norwegian Data Protection Authority that the mission assembly's storage and use of the transmitted camera footage had no basis for processing in the Privacy Ordinance Article 6 no. 1 letter f and thus represented an illegal processing of personal data.<br />
<br />
The provision in the Privacy Regulation, Article 6 (1) (f), contains three cumulative conditions, all of which must be met in order for the processing of personal data on this basis to be lawful. The processing must be "necessary", the data controller must have a "legitimate interest" in the processing and a final balance of interests must be struck between the data controller's interests and the data subject's "interests or fundamental rights and freedoms".<br />
<br />
The minority believes that the condition of necessity must be understood strictly. The preamble to the Privacy Ordinance, recital 39, states that "personal data should be processed only if the purpose of the processing cannot reasonably be fulfilled in another way". This means that the processing is only necessary if the data controller has no other reasonable alternatives. That is not the case here. Such an interpretation of "necessary" corresponds to the principle of data minimization expressed in Article 5 (1) (c) of the Regulation, which states that the processing of personal data shall be "limited to what is necessary for the purposes for which it is processed". The wording "necessary" is used here as well, but is supplemented with "limited to", which suggests that processing is only lawful where this is the only way to achieve the purpose.<br />
<br />
PVN-2015-13 was about a taxi center that recorded telephone conversations between the taxi driver and the taxi center with the aim of preventing inappropriate and harassing calls from the driver to the center. In the assessment of necessity, the tribunal emphasized whether other and less intrusive measures could have been implemented to overcome the problem, and concluded that the processing was not "necessary".<br />
<br />
Like the Norwegian Data Protection Authority, the minority believes that the mission assembly could have achieved the same purpose in a less intrusive way than receiving and using the private film footage. They could have requested a written statement of the allegations from B, and this statement could then have been submitted to A for comment. The film footage should not have been used by anyone other than B without first being reviewed by A, who could then have consented to it being shown to others.<br />
<br />
The data controller naturally has a vested interest in the fact that the result of the balance of interests that must be made leads to the personal data being processed. If there is no clear framework for how the balancing of interests is to be carried out, the data controller's self-interest may therefore result in personal data being processed to a greater extent or in a more intrusive manner than is lawful. It is therefore important that the framework for balancing interests follows from law, case law and other relevant legal sources.<br />
<br />
The Article 29 Working Party (Opinion WP 217, p. 30) writes this about the balancing of interests:<br />
<br />
«Finally, it is important to note that unlike the case of the controller's interests, the adjective 'legitimate' is not used here to precede the 'interests' of the data subjects. This implies a wider scope to the protection of individuals' interests and rights. Even individuals engaged in illegal activities should not be subject to disproportionate interference with their rights and interests.»<br />
<br />
It is therefore not a question of a pure balancing exercise. Even if the data subject has behaved reprehensibly, this is not in itself a legitimate interest that authorizes overriding the data subject's rights and interests.<br />
<br />
With regard to the nature of the personal data, the European Court of Justice has stated that the balance in the balancing of interests depends, among other things, on "the nature of the information in question and its sensitivity to the data subject's private life" (cf. C-131/12). In this case, it was personal information that is of a private and personal nature. The bitter neighborly conflict between A and B had nothing to do with A's board position in the missionary assembly. It also appears that the two parties to the conflict mutually accused each other of harassment. It is impossible for others to know who actually did what and when, but it seems that the mission board gave the documentation in the form of the surveillance videos they received from B a lot of weight when they asked her to resign from the board in the mission assembly. Although the surveillance video was only seen by a few people, the treatment of it apparently led to popular talk and exclusion from the Christian community in the village. This too is a significant disadvantage for A.<br />
<br />
In the Waste Service judgment (Rt-2013-143, section 60), the Supreme Court stated that "in assessing what disadvantages the personal data has had for A, it must also be considered whether the reuse of the information was within his reasonable expectations of what the information could be used for". A had hardly expected that private recordings collected by B's surveillance camera would be used in a process internal to the missionary assembly. For this reason too, the Mission Assembly's use of the recordings constitutes a great disadvantage for A.<br />
<br />
The fact that the mission assembly was not aware that their use of the film footage was illegal under the Privacy Ordinance is not a factor that makes the act excusable in the minority's opinion. The data controllers should familiarize themselves with the rules before choosing to use private surveillance recordings in this way.<br />
<br />
The Norwegian Data Protection Authority has sanctioned the illegal processing of A's personal data by giving a reprimand, cf. the Privacy Ordinance Article 58 no. 2 letter b. This is a very mild form of reaction. The minority wants the Data Inspectorate's decision to be upheld.<br />
<br />
The decision is made in line with the majority's view.<br />
<br />
Decision<br />
<br />
The Data Inspectorate's decision on reprimand is reversed. The Mission Assembly had a basis for processing in the Privacy Ordinance Article 6 No. 1 letter f to store and view the received film footage.<br />
<br />
Oslo, 16 September 2020<br />
<br />
Mari Bø Haugstad<br />
<br />
Manager<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_17/01281&diff=12370
Datatilsynet (Norway) - 17/01281
2020-11-23T21:55:58Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Norway<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoNO.png<br />
|DPA_Abbrevation=Datatilsynet<br />
|DPA_With_Country=Datatilsynet (Norway)<br />
<br />
|Case_Number_Name=17/01281<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Personvernnemda (in NO)<br />
|Original_Source_Link_1=https://pvn.no/pvn-2020-11<br />
|Original_Source_Language_1=Norwegian<br />
|Original_Source_Language__Code_1=NO<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Decided=16.09.2020<br />
|Date_Published=16.09.2020<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1f<br />
|GDPR_Article_2=Article 58(2)(b) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#2b<br />
<br />
<br />
<br />
|Party_Name_1=Datatilsynet<br />
|Party_Link_1=https://www.datatilsynet.no/<br />
|Party_Name_2=Privacy Appeals Board<br />
|Party_Link_2=https://pvn.no/<br />
|Party_Name_3=Community missionary organization (anonymized)<br />
|Party_Link_3=https://www.datatilsynet.no/<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Appealed - Overturned<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Rie Aleksandra Walle<br />
|<br />
}}<br />
<br />
The Norwegian Privacy Appeals Board (Personvernrådet) overturned the Norwegian DPA's (Datatilsynet) decision to reprimand a local missionary organization's use of private camera surveillance footage under Article 6(1)(f).<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The Norwegian DPA (Datatilsynet) had issued a reprimand to a local missionary organization for what the DPA said was unlawful use of private camera surveillance footage (i.e. lacking legal grounds for processing under Article 6(1)(f)). The Norwegian Privacy Appeals Board (Personvernrådet) overturned this decision, as they concluded that the missionary organization indeed had legal grounds under Article 6(1)(f) to process the personal data in question.<br />
<br />
The case revolved around neighbours A and B, who had a conflict. B had installed camera surveillance on his property, and some footage revealed A's seemingly harassing behaviour towards B. B shared this footage with C, a deputy member of the board of a local missionary organization where A was a board member. C further involved D, the chairman of the organization. Based on the footage they had viewed, C and D questioned whether A was suited to be a member of the board. They presented the footage to A and her husband (whom A had requested to be there), and following some discussions, A withdrew from the board. A then submitted a complaint to the DPA for what she felt was unjust and unlawful processing of her personal data in the surveillance footage.<br />
<br />
The question was consequently: did the missionary organization have a legal basis under Article 6(1)(f) GDPR to process the footage?<br />
<br />
The DPA held that it did not, after reviewing the three necessary elements of the legitimate interest test: 1) first, the DPA concluded that the missionary organization had a legitimate interest in processing the personal data; 2) second, the DPA held, however, that the processing was *not* necessary to achieve this interest, and therefore 3) the balancing test should go in favour of the data subject (in this case "A"). Thus, the DPA concluded that the conditions for relying on Article 6(1)(f) GDPR were not fulfilled.<br />
<br />
By contrast, the Norwegian Privacy Appeals Board considered that the second condition of the legitimate interest test was indeed fulfilled, as it was deemed necessary to view the footage. In addition, it considered that there was little harm to A, as the footage was only viewed by C, D, A herself and her husband (at her request).<br />
<br />
===Dispute===<br />
Was the DPA's decision to reprimand the missionary organization for lack of a legal basis correct?<br />
<br />
===Holding===<br />
The Norwegian Privacy Appeals Board (Personvernrådet) held that the missionary organization had a legal basis under Article 6(1)(f) GDPR to process the personal data in question.<br />
<br />
==Comment==<br />
In this case, 6 out of 7 members of the Norwegian Privacy Appeals Board (Personvernrådet) agreed to overturn the DPA's decision, while the remaining member argued in favour of upholding it.<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
<br />
The Norwegian Data Protection Authority has processed the case in accordance with the Privacy Ordinance, which became part of Norwegian law from 20 July 2018, i.e. approximately 20 months after the alleged breach of A's privacy took place. Questions are asked about the Authority's choice of law.<br />
In the decision, the Norwegian Data Protection Authority errs in its assessment of the regulations. The Authority first concludes that the mission assembly had a legitimate interest in obtaining the information, but then states that the purpose could have been achieved in a less intrusive way than by obtaining and storing the footage from the private camera surveillance. There is a mutual contradiction between the sentences.<br />
In any case, the rules of error of law are invoked. D and C acted in good faith, with the best intentions for all parties and were not aware that the actions could be in violation of applicable Norwegian law.<br />
A view of the matter in brief<br />
B sent the private film footage to D and C after B had moved from the home. She made false allegations about A, which D and C adopted. D and C then used the film footage against her and questioned her suitability to sit on the board and threatened to show the film clips to the rest of the board. She was pushed out of the board in the mission meeting by the board chairman and deputy, who came to her door. She felt compelled to watch the footage that D and C brought. The showing of the footage to her and her husband constituted the unlawful disclosure of her personal information.<br />
A herself brought the matter before the board, which the minutes from the board meeting on 4 September 2017 confirm.<br />
A and her husband know that the footage was shown to others and spread throughout the local community, something she holds C, D and the missionary assembly accountable for.<br />
D also used the content of the footage against her in a meeting with the top leaders of the mission organization, without the films being shown.<br />
D and C present the case in a completely different way, and the attempt to embellish what they have done is offensive, intrusive and destructive. She and her husband were squeezed out of a Christian community and are considering moving, even though they have lived in X all their lives. They experience being run through a public gauntlet in the small community where everyone knows everyone. After this, she feels that her life is ruined.<br />
The Data Inspectorate's assessment<br />
A reprimand is a corrective measure that the Data Inspectorate has the authority to decide on in accordance with the Privacy Ordinance Article 58 no. 2 letter b. The reprimand given in this case is to be regarded as an individual decision that gives the parties a right of appeal under the Public Administration Act.<br />
The collection, storage and deletion of the five film recordings took place before the Privacy Ordinance entered into force on 20 July 2018. The case will be assessed in accordance with the Privacy Ordinance as this was valid at the time of decision on 19 March 2020, and this case is not a decision on infringement fees. This presumably follows from the transitional rules in the Personal Data Act 2018 § 33, cf. the Privacy Board's decision PVN-2018-14. This also has support in the preparatory work for a new Personal Data Act.<br />
Collecting and storing film clips in which individuals are depicted constitutes a processing of personal data, cf. the Privacy Ordinance, Article 4, No. 2.<br />
The Data Inspectorate assumes that D and C acted as chairman of the board and board member, respectively, on behalf of the mission assembly in the case, as the purpose was to assess the complainant's suitability to sit on the board. The mission meeting is therefore responsible for processing, cf. Article 4 (7) of the Privacy Ordinance.<br />
It is further assumed that the films have not been distributed to anyone other than D and C, and that they have only been shown to A and her husband during one of the meetings between the four.<br />
The relevant basis for processing in this case is the Privacy Ordinance, Article 6 (1) (f), which stipulates that an undertaking may process personal data if this is necessary to safeguard a legitimate interest that outweighs the interests of the individual's privacy.<br />
The question is whether the missionary assembly had a legal basis for processing under the Privacy Ordinance, Article 6, paragraph 1, letter f, when they obtained and stored the clips from B's private camera surveillance.<br />
The first condition that must be met for processing to be lawful is that the missionary assembly had a "legitimate interest" in processing the information. The mission assembly has reported that the clips were used for the purpose of assessing A's suitability for her position on the board. Board positions presuppose trust in the organization in question, and it will be an important interest for organizations to be able to obtain relevant personal information in order to assess the suitability of board members. The missionary assembly thus had a "legitimate interest" in obtaining the information.<br />
The next condition is whether the relevant processing of the complainant's personal data was "necessary" to achieve the purpose. The mission assembly obtained and stored clips from private surveillance cameras that, among other things, depict A in a difficult situation characterized by a long-term neighbour conflict. The film clips were then shown to the complainant once, on 20 November 2016. The content of the films was then discussed between the representatives of the mission assembly and A during a meeting later in the day on 20 November, and then at the meeting on 12 December 2016, which ended with A withdrawing from the board.<br />
The Data Inspectorate believes that the mission assembly could have achieved its purpose in a less intrusive way than by obtaining and storing the recordings. The film clips originate from private camera surveillance without connection to the mission assembly's activities, and A therefore had no reasonable expectation that the mission assembly would process this personal information about her. The information is of such a private nature that it would have been sufficient to document the content in writing, and then discuss this with C before any consideration by the board. The mission meeting's collection and storage of the film clips therefore constituted a more intrusive processing of personal data than was necessary to assess A's suitability.<br />
Regardless of whether the requirement of necessity is met or not, the consideration of the complainant's privacy will outweigh the organization's need to collect and store the recordings due to their private nature, cf. Article 6 no. 1 letter f (balancing of interests).<br />
There is no "mutual contradiction" in the Authority's assessment, as the Mission Assembly claims.<br />
The conditions for a valid basis for processing pursuant to Article 6 (1) (f) of the Privacy Ordinance are not met.<br />
The Missionary Assembly cannot be heard with its allegation of error of law.<br />
On the basis that the information has now been deleted and the conduct from the mission board has ceased, the Data Inspectorate finds it most appropriate to issue a reprimand to the mission meeting, cf. the Privacy Ordinance Article 58 no. 2 letter b.<br />
The Privacy Board's assessment<br />
The collection, storage and deletion of the five film recordings took place before the Privacy Ordinance entered into force on 20 July 2018 and the Mission Assembly has stated that the case shall be processed in accordance with the Personal Data Act as it stood at the time of action.<br />
The Personal Data Act 2018 has transitional rules in § 33. It follows from this provision that the rules on the processing of personal data that applied at the time of action shall be used as a basis when a decision on infringement fees is made, unless the legislation at the time of the decision leads to a more favourable result for the data controller. In this case, there is no question of imposing an infringement fee, and it then follows from the Personal Data Act 2018 § 33 that it is the law, as it reads at the time of decision, that shall be the basis for the Privacy Board's decision.<br />
This is also discussed in the preparatory work for the Personal Data Act 2018, Prop. 56 LS (2017-2018)<br />
page 196, where the Ministry states, among other things, the following:<br />
«There will be a number of cases pending before the supervisory authority and the Privacy Board at the time of the entry into force of the new Personal Data Act. The regulation does not contain any transitional provisions that regulate the processing of such cases. The starting point will be that decisions by the Data Inspectorate and the Privacy Board will have to be made on the basis of the substantive rules in force at any given time».<br />
For the sake of clarity, it is noted that when it came to receiving, storing and using recordings from camera surveillance, this was under the 2000 Act regulated by § 8 letter f. The same substantive rules are now given in the Privacy Ordinance Article 6 No. 1 letter f.<br />
Like the Data Inspectorate, the tribunal assumes that the mission assembly is responsible for the use and storage of the private camera footage they received from B and which contained footage of A, cf. the Privacy Ordinance, Article 4, No. 2 and No. 7. As the tribunal understands the facts, the actual collection of the camera footage was not initiated by the missionary assembly. B herself initiated the disclosure of her camera recordings and is thus responsible for the processing of personal data that this represents. The processing of personal data that the disclosure of the camera footage entails does not form part of this case. The tribunal assumes that D and C acted on behalf of the missionary assembly and also had the authority to do so by virtue of their positions on the board. The tribunal refers to the Data Inspectorate's justification, which is accepted.<br />
The next question is what a "reprimand", cf. Article 58 (2) (b) of the Privacy Ordinance, is to be regarded as, from a legal point of view. If the reprimand is to give the mission assembly the right to appeal, the reprimand must be regarded as an individual decision, cf. the Personal Data Act § 22 second paragraph, cf. the Public Administration Act § 2.<br />
Individual decisions are defined in the Public Administration Act § 2, first paragraph, letters a and b. After letter a, a decision is «a decision made in the exercise of public authority and which in general or specifically determines the rights or obligations of private persons». The question is therefore whether a decision ("reprimand") from the Data Inspectorate where it is established that there has been a violation of the Personal Data Act, but no order is imposed or an infringement fee is imposed, partly because the illegal processing has ceased, is a reaction that determines rights and duties for the data controller.<br />
In Prop. 62 L (2015-2016) «Amendments to the Public Administration Act, etc. (administrative sanctions, etc.) »section 15.5.1, the Ministry of Justice discusses formal warnings:<br />
«Some administrative bodies have the authority to issue formal warnings on the basis of an explicit law or regulation. Such warnings are referred to in the legislation mainly as warnings, but other terms are also used, for example «written reprimand» (the Execution of Sentences Act § 40 second paragraph letter a). Such warnings can be divided into two main categories, but there can be smooth transitions between the categories.<br />
First, there are provisions where the warning appears as a condition for a (possible) later reaction. Secondly, there are provisions where the warning appears as an independent reaction to offenses. That the warning is intended as a more independent reaction is often apparent from the context in the legislation, and will often be emphasized in the preparatory work for the law »<br />
Furthermore, the ministry states:<br />
"As mentioned, the term formal warning does not have an unambiguous definition in current legislation. Whether something that is called a warning by the administration or with related terms must be regarded as an individual decision according to the definition in the Public Administration Act § 2 first paragraph letter b, cf. letter a, depends on a closer assessment of the warning's content and effects. As far as one builds on the definition of formal warning that has been used as a basis, the starting point must be that formal warnings are regarded as individual decisions. The Ministry points out in particular that such warnings imply a finding that the law has been violated. Often, there will also be a legal basis for sanctions against the type of offense in question, either in the form of administrative sanctions or penalties. Thus, it could be a significant burden to have a formal warning directed at you. In some cases, the special legislation explicitly decides whether the warning is to be regarded as an individual decision, cf. for example on the one hand the Dog Act § 18 fifth paragraph last sentence (not individual decision) and on the other hand the Health Personnel Act § 56 last paragraph and the Pharmacy Act § 8-4 second paragraph (individual decision).<br />
Even if a warning should not be regarded as an individual decision, certain requirements may apply to the case processing. For example, in some cases concerning non-binding statements, the Civil Ombudsman has set certain requirements for adversarial proceedings, see Somb-2008-48. "<br />
Article 58 (2) of the Privacy Regulation distinguishes between various "corrective measures". According to letter a, the supervisory authority may issue warnings that a planned processing activity is likely to be in breach of the regulation. According to letter b, the supervisory authority may issue reprimands and in the other letters c - j, authority has been given to issue various orders, as well as the imposition of infringement fines. It is the supervisory authority that in the first instance decides which corrective measure is appropriate, when the supervisory authority finds that personal data has been processed in violation of the regulation. When the Data Inspectorate in this case has concluded that the data controller did not have a processing basis for its use of the received camera recordings, the Data Inspectorate could choose an appropriate response; reprimand or infringement fine. The fact that the reprimand entails a formal finding that the mission assembly has processed personal data illegally, indicates that the reprimand is considered an individual decision so that the mission assembly is given the right to have the basis for the reprimand tried in the appeal body.<br />
Previously found violations of the Privacy Ordinance may also be relevant for the imposition of infringement fines for repeated offences, cf. the Privacy Ordinance Article 83 no. 2 letter e, which also suggests that the reprimand should be considered as an individual decision.<br />
The burden of a formal reprimand entails and considerations of the legal security of the data controller indicate that the data controller is given the opportunity to appeal against a reprimand issued. This is also supported by the fact that the Data Inspectorate itself has regarded the reprimand as a decision and has provided information to those responsible for processing on the right to appeal.<br />
Following this, the tribunal assumes that the Data Inspectorate's reprimand issued to the data controller is an individual decision that gives a right of appeal under the Public Administration Act.<br />
The tribunal then proceeds to assess whether the mission assembly's processing of personal data, collected through the use of camera surveillance, has taken place in accordance with the rules in the Privacy Ordinance.<br />
Initially, the tribunal notes that the Data Inspectorate refers to the mission assembly's receipt of the camera footage as the collection of personal information. In that case, it will presuppose that the mission assembly is also responsible for processing the collection of the recordings. The tribunal does not consider this an apt description, cf. the tribunal's assessment above where it is assumed that the handover of the recordings was initiated by B. In any case, the mission assembly's storage and use of recordings from camera surveillance, where identifiable individuals are depicted, will be a treatment of personal data, cf. the Privacy Ordinance Article 4 no. 2. For this processing of personal data, the mission assembly is responsible for processing.<br />
Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a legal basis for processing. The tribunal agrees with the Norwegian Data Protection Authority that the only possible basis for processing the mission association's processing of personal data in this case is Article 6 no. 1 letter f (necessary to safeguard a legitimate interest).<br />
Article 6 (1) (f) authorizes the processing of information on the basis of a balance of interests. The law's requirement that the processing must be necessary for purposes related to the data controller's legitimate interest means that the interest safeguarded by the data controller must be lawful and actually justified in the organization's activities. Legal, financial and non-material interests may all be justified, cf. the European Data Protection Board's "Guidelines 3/2019 on processing of personal data through video devices", section 18. The necessity condition further entails a requirement that the purpose cannot be achieved in a less privacy-intrusive manner.<br />
The legitimate interest of the data controller shall then be weighed against the interests of the data subject and fundamental rights and freedoms. If these interests are considered to take precedence and demand protection of the personal data, the legitimate interest of the data controller will have to give way.<br />
As also pointed out by the Data Inspectorate in the Authority's decision, the Data Inspectorate's, and thus also the Privacy Board's, task is to exercise control in accordance with the Personal Data Act and the ordinance. This means that it is the mission assembly's use of the footage received from the camera surveillance that is being considered in this case, not the conflict between A and B, or the conflict between A and the mission assembly, including whether there were sufficient grounds to ask A to withdraw from the board of the missionary assembly.<br />
The tribunal assumes that the purpose of using the sent film footage was to clarify the correctness of the content of the notification the mission assembly had received about harassing behaviour on A's part. The mission assembly considered it necessary to investigate the actual circumstances related to the notice in order to assess A's suitability for her position on the board. Board positions presuppose trust in the organization in question, and it is in principle a legitimate interest to obtain and use personal information that can say something about the board members' suitability for the position. In this case, the chairman and a deputy member of the board had been made aware of serious allegations of harassment made against one of the board members of the assembly. It was therefore necessary to investigate these allegations in more detail, and the tribunal agrees with the Norwegian Data Protection Authority that the mission assembly therefore had a legitimate interest in clarifying whether the description of the harassing behaviour was correct.<br />
The question for the tribunal is whether the mission assembly's storage and use of the received film footage was necessary to safeguard this legitimate interest of the mission assembly or whether the consideration of A and her right to privacy takes precedence and requires protection of the information.<br />
In this balancing of interests, the tribunal has been divided into a majority and a minority.<br />
The majority of the tribunal consisting of the members Haugstad, Borvik, Graasvold, Coll, Blinkenberg and Tessem has come to the conclusion that the mission assembly had a basis for processing in the Privacy Ordinance article 6 no. 1 letter f to store and view the received film footage.<br />
In the majority's view, it was a prudent assessment by the head of the mission assembly and the deputy board member that they chose to watch the sent footage after receiving notice of harassing behaviour by one of the board members. It represents a proper treatment of the notice received that they made sure to clarify whether the recording shows actions that there was reason to raise with A. In the majority's opinion, this was a necessary clarification before D and C decided what to do next with the notice. The majority understands that this was an unpleasant situation for A, but the situation would most likely not have been less unpleasant if she had been presented with completely undocumented accusations. Since the film recording was then only shown to A and her husband (who participated at A's own request), there has been no further dissemination of the information to anyone other than those who were already familiar with the content of the recordings. The breach of privacy this represents for A is therefore considered to be small, which must be given weight in the balance of interests to be made in accordance with Article 6, paragraph 1, letter f.<br />
In the majority's view, the mission assembly's storage and use of the received film footage was necessary to safeguard the legitimate interest of the mission assembly and the consideration for A's privacy does not take precedence over a balance of the various interests.<br />
As the processing was, in the majority's view, lawful, there is no basis for issuing a reprimand.<br />
The tribunal's minority consisting of member Hannemyr agrees with the Norwegian Data Protection Authority that the mission assembly's storage and use of the transmitted camera footage had no basis for processing in the Privacy Ordinance Article 6 no. 1 letter f and thus represented an illegal processing of personal data.<br />
The provision in the Privacy Regulation, Article 6 (1) (f), contains three cumulative conditions, all of which must be met in order for the processing of personal data on this basis to be lawful. The processing must be "necessary", the data controller must have a "legitimate interest" in the processing and a final balance of interests must be struck between the data controller's interests and the data subject's "interests or fundamental rights and freedoms".<br />
The minority believes that the condition of necessity must be understood strictly. The preamble to the Privacy Ordinance, recital 39, states that "personal data should be processed only if the purpose of the processing cannot reasonably be fulfilled in another way". This means that the processing is only necessary if the data controller has no other reasonable alternatives. That is not the case here. Such an interpretation of "necessary" corresponds to the principle of data minimization expressed in Article 5 (1) (c) of the Regulation, which states that the processing of personal data shall be "limited to what is necessary in relation to the purposes for which they are processed". The wording "necessary" is used here as well, but is supplemented with "limited to", which suggests that processing is only lawful where this is the only way to achieve the purpose.<br />
PVN-2015-13 was about a taxi centre that recorded telephone conversations between the taxi driver and the taxi centre with the aim of preventing inappropriate and harassing calls from the driver to the centre. In the assessment of necessity, the tribunal emphasized whether other and less intrusive measures could have been implemented to overcome the problem, and concluded that the processing was not "necessary".<br />
Like the Norwegian Data Protection Authority, the minority believes that the mission assembly could have achieved the same purpose in a less intrusive way than receiving and using the private film footage. They could have requested a written statement of allegations from B and this statement could then have been submitted to A for comment. The film footage should not have been used by anyone other than B, without first being reviewed by A, who may then have consented to being shown to others.<br />
The data controller naturally has a vested interest in the fact that the result of the balance of interests that must be made leads to the personal data being processed. If there is no clear framework for how the balancing of interests is to be carried out, the data controller's self-interest may therefore result in personal data being processed to a greater extent or in a more intrusive manner than is lawful. It is therefore important that the framework for balancing interests follows from law, case law and other relevant legal sources.<br />
The Article 29 Working Party (Opinion WP 217, p. 30) writes this about the balancing of interests:<br />
«Finally, it is important to note that unlike the case of the controller's interests, the adjective 'legitimate' is not used here to precede the 'interests' of the data subjects. This implies a wider scope to the protection of individuals' interests and rights. Even individuals engaged in illegal activities should not be subject to disproportionate interference with their rights and interests.»<br />
It is therefore not a question of a pure balance exercise. Even if the data subject has behaved reprehensibly, this is not in itself a legitimate interest that authorizes overriding of the data subject's rights and interests.<br />
With regard to the nature of the personal data, the European Court of Justice has stated that the outcome of the balancing of interests depends, among other things, on "the nature of the information in question and its sensitivity for the data subject's private life" (cf. C-131/12). In this case, it was personal information of a private and personal nature. The bitter neighbourly conflict between A and B had nothing to do with A's board position in the missionary assembly. It also appears that the two parties to the conflict mutually accused each other of harassment. It is impossible for others to know who actually did what and when, but it seems that the mission board gave the documentation in the form of the surveillance videos they received from B a lot of weight when they asked her to resign from the board in the mission assembly. Although the surveillance video was only seen by a few people, the processing of it apparently led to popular talk and exclusion from the Christian community in the village. This too is a significant disadvantage for A.<br />
In the Waste Service judgment (Rt-2013-143, section 60), the Supreme Court stated that "in assessing what disadvantages the personal data has had for A, it must also be considered whether the reuse of the information was within his reasonable expectations of what the information could be used for". A had hardly expected that private recordings collected by B's surveillance camera would be used in a process internal to the missionary assembly. The Mission Assembly's use of the recordings also constitutes for this reason a great disadvantage for A.<br />
The fact that the mission assembly was not aware that their use of the film footage was illegal under the Privacy Ordinance is not a factor that makes the act excusable in the minority's opinion. The data controllers should familiarize themselves with the rules before choosing to use private surveillance recordings in this way.<br />
The Norwegian Data Protection Authority has sanctioned the illegal processing of A's personal data by giving a reprimand, cf. the Privacy Ordinance Article 58 no. 2 letter b. This is a very mild form of reaction. The minority wants the Data Inspectorate's decision to be upheld.<br />
The decision is made in line with the majority's view.<br />
Decision<br />
The Data Inspectorate's decision on reprimand is reversed. The Mission Assembly had a basis for processing in the Privacy Ordinance Article 6 No. 1 letter f to store and view the received film footage.<br />
<br />
<br />
Oslo, 16 September 2020<br />
Mari Bø Haugstad<br />
Manager</div>
Hk
https://gdprhub.eu/index.php?title=Rb._Noord-Nederland_-_C/18/194754_/_HA_RK_19-64_and_C/18/197707_/_HA_RK_20-22&diff=12369
Rb. Noord-Nederland - C/18/194754 / HA RK 19-64 and C/18/197707 / HA RK 20-22
2020-11-23T21:49:42Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Netherlands<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Rb. Noord-Nederland<br />
|Court_With_Country=Rb. Noord-Nederland (Netherlands)<br />
<br />
|Case_Number_Name=C/18/194754 / HA RK 19-64 and C/18/197707 / HA RK 20-22<br />
|ECLI=ECLI:NL:RBNNE:2020:3897 <br />
<br />
|Original_Source_Name_1=de Rechtbank<br />
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBNNE:2020:3897<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
<br />
|Date_Decided=05.11.2020<br />
|Date_Published=16.11.2020<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 17(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR#1c<br />
|GDPR_Article_2=Article 21(1) GDPR<br />
|GDPR_Article_Link_2=Article 21 GDPR#1<br />
<br />
<br />
<br />
|Party_Name_1=Google LLC<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The District Court of the Northern Netherlands (Rb. Noord-Nederland) rejected the claimants’ requests to have Google de-list search results that lead to pages containing negative information about the claimants’ businesses. Earlier proceedings had not found those publications to be largely inaccurate; the publications also have a warning function and form part of an important public debate about the rental market, a sector in which the claimants are or have been active.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Claimants 1 and 2 are married entrepreneurs who are or have been active in the real estate market in Groningen. Claimant 1 still operates at least one company that develops, sells and lets new housing. Claimant 2 used to run a rental agency, which has since ceased to exist.<br />
When the names of claimant 1 and claimant 2 are entered in Google Search, the results include links to websites and television programmes that portray both claimants and their business conduct in a negative light. In July 2019 the preliminary relief judge ordered the producer of one of the programmes to add a rectification notice, because some statements in the episode lacked sufficient factual support; the judge did not, however, agree with the claimants that the episode had to be removed. The Netherlands Press Council likewise agreed with the claimants only in part: it found that the reporting on one of the websites contained unsubstantiated accusations, used an unnecessarily hurtful tone and had not sufficiently heard the claimants’ side of the story, but it did not find that the journalist had provoked incidents in order to create news.<br />
The claimants submitted several “right to be forgotten” requests to Google, using Google’s online removal form, asking that specific URLs no longer be shown in searches on their names. Google rejected all of those requests.<br />
The claimants then brought two cases before the Court. Claimant 1 asks for 18 URLs to be de-listed in case 19-64 and 24 URLs in case 20-22; claimant 2 asks for 21 URLs to be de-listed in case 20-22. The Court considers both cases jointly.<br />
<br />
<br />
=== Dispute ===<br />
The claimants take the position that a data subject in principle has the right to have his or her personal data removed from a search engine’s results, and that it is then for the search engine operator to show that there are valid reasons not to remove them. According to the claimants, the balance of interests favours them here because the pages behind the contested links contain many inaccuracies and the information on them is incomplete, irrelevant and excessive.<br />
Google’s position is that the erasure requests do not meet the conditions of Article 17(1)(c) in conjunction with Article 21(1) GDPR, nor Google’s internal policy. The information behind the contested URLs has an important warning function and is part of a (local) public debate in which the claimants are public figures; making it untraceable through a search engine would have a disproportionate effect that is not justified. The earlier decisions of the preliminary relief judge and the Press Council did not affect the content of the source pages. Finally, Google argues that its refusals are in line with the case law on de-listing requests following the Costeja judgment (CJEU, C-131/12).<br />
<br />
<br />
=== Holding ===<br />
The Court considered the following:<br />
• neither the preliminary relief judge nor the Press Council agreed with the claimants that the contested publications had to be fully rectified or that the claimants were largely in the right, so those decisions do not substantiate the claim that the publications are full of inaccuracies;<br />
• the reports published on the contested sites have a warning function and are part of a (local) public debate about, among other things, the rental sector, in which the claimants are public figures;<br />
• the claimants have not sufficiently substantiated their de-listing requests, and the burden of stating and proving the relevant facts lies with them;<br />
• the contested URLs concern the claimants’ professional activities as landlord or rental agent, so their private lives are affected to a lesser extent;<br />
• the fact that claimant 2 is no longer active in the rental business is irrelevant, since nothing prevents her from re-entering that market;<br />
• the claimants, or their legal entities, have repeatedly been involved in proceedings before this Court and the Rent Commission in which their conduct as landlords was called into question, and have often been ruled against.<br />
<br />
The Court held that under these circumstances the public interest in being informed about the claimants outweighs the claimants’ interest in having the URLs de-listed: a current or future tenant, generally the weaker party, may use this information when deciding whether to rent from claimant 1. Three of the contested URLs had already been removed by Google before the hearing, so the claimants no longer had an interest in those; one further URL now appears only as the 60th result and was found not to affect claimant 1’s search profile significantly. The “right to be forgotten” requests are therefore rejected.<br />
<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
COURT OF THE NORTH OF THE NETHERLANDS<br />
Private law department<br />
Location Groningen<br />
Order in joined cases of 5 November 2020<br />
in the case with case number / petition number: C/18/194754 / HA RK 19-64 of<br />
[plaintiff 1],<br />
residing at [address],<br />
applicant,<br />
attorney at law R.P. de Vries, Amsterdam,<br />
against<br />
the legal person under foreign law<br />
GOOGLE LLC,<br />
located at Mountain View, CA 94043, United States,<br />
defendant,<br />
lawyer D. Verhulst, Amsterdam,<br />
and in the case with case number / petition number C/18/197707 / HA RK 20-22 of<br />
1. [plaintiff 1],<br />
residing at [address],<br />
2. [plaintiff 2],<br />
residing at [address],<br />
applicants,<br />
attorney at law R.P. de Vries, Amsterdam,<br />
against<br />
the legal person under foreign law<br />
GOOGLE LLC,<br />
located at Mountain View, CA 94043, United States,<br />
defendant,<br />
lawyer D. Verhulst, Amsterdam.<br />
1 The proceedings in the case 19-64<br />
1.1.<br />
The course of the proceedings is evident from:<br />
- the petition with productions,<br />
- the defence with productions,<br />
- further productions 11 to 13 on the part of [plaintiff 1],<br />
- the oral hearing,<br />
- the pleadings of [plaintiff 1],<br />
- Google's pleadings.<br />
1.2.<br />
Finally, judgment has been given today.<br />
<br />
2 The proceedings in Case 20-22<br />
2.1.<br />
The course of the proceedings is evident from:<br />
- the petition with productions,<br />
- the defence with productions,<br />
- the further production 34 of [plaintiff 1] and [plaintiff 2],<br />
- the oral hearing,<br />
- the pleadings of [plaintiff 1] and [plaintiff 2],<br />
- Google's pleadings.<br />
2.2.<br />
Finally, judgment has been given today.<br />
<br />
The parties will hereinafter be referred to as [plaintiff 1] , [plaintiff 2] and Google.<br />
3 The facts<br />
3.1.<br />
[plaintiff 1] and [plaintiff 2] are entrepreneurs who are or have been active on the real estate market in Groningen. [plaintiff 1] and [plaintiff 2] are married.<br />
<br />
3.2.<br />
[plaintiff 1] operates (inter alia) the company Pex Real Estate BV. The main activities of the company are the development of new construction projects and the sale and rental of housing in various municipalities in the Netherlands, including the city of Groningen. [plaintiff 2] has operated the rental agency Spot IN. The latter company has ceased to exist.<br />
<br />
3.3.<br />
Google is the operator of the internet search engine Google Search. This search engine helps users to find information on the internet. Users can enter one or more search terms, after which the search engine displays search results. The search results contain references (so-called hyperlinks) to internet addresses of web pages, or Uniform Resource Locators (abbreviated to: URLs). The selection and arrangement of search results and their presentation to the user are the dynamic product of an automated, algorithmic process. The algorithm selects and arranges search results on the basis of more than 200 factors, such as the internet address and title, the content and hierarchical structure of the page concerned, whether and how often one or more of the specified search terms appear on it, the publication date of the page and the quality and popularity of the website on which it appears, as well as the number and origin of the hyperlinks to that page. Google Search is offered worldwide via the website www.google.com. Local versions adapted to the national language exist in several countries, such as www.google.nl in the Netherlands.<br />
<br />
3.4.<br />
When the names " [plaintiff 1] " or " [plaintiff 2] " are entered as search terms in Google Search, search results will become visible that contain references to publications on web or also source pages concerning, among other things, articles on the website www.sikkom.nl and www.wikipedia.org and references to an episode of the programme "Fout Boel" on SBS and an episode of the programme #BOOS on BNNVARA in which [plaintiff 1] and/or [plaintiff 2] are mentioned.<br />
3.5.<br />
[plaintiff 1] and Spot IN were named "Huisjesmelker van het Jaar 2018" (Slumlord of the Year 2018) on 2 March 2018 by ROOD (the youth organisation of the Socialist Party, SP). According to the underlying jury report, there were 42 complaints from tenants. The complaints related to, among other things, illegal mediation fees, excessive rents, overdue maintenance, non-refund of deposits, as well as intimidation, breaking in and threats against tenants who had gone to the rent assessment committee or the courts.<br />
<br />
3.6.<br />
[plaintiff 1], after BNNVARA announced that it would not remove the #BOOS episode, instituted preliminary relief proceedings against BNNVARA and claimed removal of the #BOOS episode and a rectification. By judgment of 11 July 2019 the preliminary relief judge of the District Court of Midden-Nederland ruled that the episode in question as such does not have to be removed. The claims for rectification of, in brief, everything discussed in that episode with respect to [plaintiff 1] and [plaintiff 2] were also rejected. However, the subsidiary claim for partial rectification was upheld, in the sense that BNNVARA was ordered to make the following rectification:<br />
<br />
"This episode shall state, inter alia, that:<br />
- Mr [plaintiff 1] has been involved in the mediation fees charged by Spot IN to the hirer [name 1];<br />
- Spot IN would have gone bankrupt and that Mr [plaintiff 1] and Mrs [plaintiff 2] would have done so intentionally in order to avoid creditors;<br />
- Pex Real Estate B.V. would have been set up to fall under the rules;<br />
- I Property Management B.V. would have been a relaunch of Spot IN .<br />
These statements are insufficiently supported by facts".<br />
3.7.<br />
On 14 February 2019, on behalf of [plaintiff 1] and [plaintiff 2] and the companies operated by them, a complaint was filed with the Dutch Press Council (Raad voor de Journalistiek, hereinafter: the Council) against [name 2] (journalist and editor-in-chief of Sikkom.nl) and NDC Mediagroep BV. By decision of 16 January 2020, the Council found partly in favour of [plaintiff 1] and [plaintiff 2]. The Council ruled that the reports about them contain unsubstantiated accusations, use an unnecessarily hurtful tone and were published without sufficiently hearing both sides. However, according to the Council, no incidents were provoked in order to create news, so that careless journalistic conduct was not established on that point.<br />
<br />
3.8.<br />
In this court, [plaintiff 1] and [plaintiff 2], whether or not through their companies, have been regularly involved for several years in proceedings with, among others, their (former) tenants. The same applies to [plaintiff 1] in proceedings before the Rent Commission. [plaintiff 1] and [plaintiff 2] have often been unsuccessful in these proceedings.<br />
<br />
3.9.<br />
Google has created an online form to request the removal of URLs from Google Search's search results. Via this form, a user can specify one or more URLs which he no longer wants to be shown as search results when searching on his own name. The request must be explained per URL on the form. Google assesses each deletion request and each URL mentioned in that context manually. The applicant will then receive a reply from Google with either a request for further information or a (summary) reasoned decision on the request for deletion.<br />
3.10.<br />
On 29 August 2019, [plaintiff 1] requested, through his lawyer and using the online form, the removal of 18 URLs from the search results page displayed during a search on his name. Google rejected that request and notified its decision by email of 30 August 2019.<br />
<br />
3.11.<br />
[plaintiff 1] lodged a petition on 10 October 2019 in case 19-64 in which he asks the court to order Google to remove the 18 URLs after all.<br />
<br />
3.12.<br />
On 3 February 2020, [plaintiff 1] again requested, through his lawyer and using the online form, the removal of 24 URLs. Google also rejected this request and notified its decision on 5 February 2020.<br />
<br />
3.13.<br />
On 12 February 2020, [plaintiff 2] requested Google, through her lawyer and also using Google's online form, to remove 21 URLs from the search results page displayed in a search on her name. Google rejected [plaintiff 2]'s request and notified her lawyer of that decision by email of 21 February 2020.<br />
<br />
3.14.<br />
On 12 March 2020, [plaintiff 1] and [plaintiff 2] lodged a request in Case 20-22 requesting that Google be ordered to delete the URLs they requested from Google on 3 and 12 February 2019.<br />
<br />
4 The requests<br />
4.1.<br />
In case 19-64, [plaintiff 1] requests the court, by order declared provisionally enforceable, to order Google to remove and keep removed, within one week after service of this decision or at least within a reasonable period to be determined by the court, the references to the URLs appearing in a search for "[plaintiff 1]" as described under I in the petition, on pain of a penalty of € 5,000, or at least an amount to be determined by the court, for each day or part of a day that Google fails to do so, and to order Google to pay the costs of the proceedings, including subsequent costs, together with interest.<br />
<br />
4.2.<br />
Google concludes in this case that the petition should be dismissed, with an order, declared provisionally enforceable, that [plaintiff 1] pay the costs of the proceedings.<br />
<br />
4.3.<br />
In case 20-22, [plaintiff 1] requests the court, by order declared provisionally enforceable, to order Google to remove and keep removed, within one week after service of this decision or at least within a reasonable period to be determined by the court, the references to the URLs appearing in a search for "[plaintiff 1]" as described under I in the petition, on pain of a penalty of € 5,000, or at least an amount to be determined by the court, for each day or part of a day that Google fails to do so.<br />
In case 20-22, [plaintiff 2] requests the court, by order declared provisionally enforceable, to order Google to remove and keep removed the references to the URLs appearing in a search for "[plaintiff 2]" as described under II in the petition, likewise on pain of a penalty of € 5,000, or at least an amount to be determined by the court, for each day or part of a day that Google fails to do so. Finally, [plaintiff 1] and [plaintiff 2] seek an order that Google pay the costs of the proceedings, including subsequent costs, together with interest.<br />
4.4.<br />
In this case too, Google concludes that the petition should be dismissed, with an order, declared provisionally enforceable, that [plaintiff 1] and [plaintiff 2] pay the costs of the proceedings.<br />
<br />
5 The position of [Claimant 1] and [Claimant 2]<br />
5.1.<br />
[plaintiff 1] and [plaintiff 2] base their above requests, in summary, on the following. According to settled case law, a data subject has, in principle, the right to have his personal data deleted from search results. According to [plaintiff 1] and [plaintiff 2], it is then for the data processor to prove that there are special circumstances under which the data should not be deleted. According to [plaintiff 1] and [plaintiff 2], the web and source pages referred to by the relevant URLs contain numerous inaccuracies. For that reason too, the balancing of interests should come out in favour of removal. In addition, [plaintiff 1] and [plaintiff 2] claim that the information on the pages is incomplete, irrelevant and excessive.<br />
<br />
6 Google's position<br />
6.1.<br />
In a nutshell, Google's defence boils down to the following. Google rejected the requests for removal on the grounds that they do not meet the conditions for application of Article 17(1)(c) in conjunction with Article 21(1) of the General Data Protection Regulation ('the AVG') and its internal policy rules. The messages to which the relevant URLs refer have an important warning function and are part of a (local) public debate in which [plaintiff 1] and [plaintiff 2] are public figures. Making these publications untraceable would make it possible to prevent the public from finding them through the back door, and would have a disproportionate effect that is in no way justified or intended. Moreover, according to Google, the content of the source pages has in no way been affected by the judgment in the preliminary relief proceedings or the decision of the Council. Finally, Google argues that the decision not to proceed with removal is in line with the case law on removal requests based on the Costeja judgment.<br />
<br />
7 The assessment<br />
The scope of the requests<br />
7.1.<br />
In view of the close link between the joined cases, these cases will be discussed jointly.<br />
<br />
7.2.<br />
The District Court will discuss the 14 URLs (eight for "[plaintiff 1]" and six for "[plaintiff 2]") listed by Google in its pleadings under marginal 5. That these 14 URLs are the search results that actually still appear in a search for the name "[plaintiff 1]" or "[plaintiff 2]" among the URLs whose removal they have requested has not been disputed, or at least not sufficiently, by [plaintiff 1] and [plaintiff 2]. The screenshot included by [plaintiff 1] and [plaintiff 2] in their pleadings under marginal 42 does not alter this, now that this document, undisputedly, dates from 9 February 2018 and is therefore not an accurate representation of the search results currently displayed. In addition, not only the (call) names of [plaintiff 1] and [plaintiff 2] were used to obtain those search results, but the addition "Sikkom" was also specified.<br />
<br />
7.3.<br />
The assessment therefore focuses on the following URLs whose deletion has been requested and where the search is carried out on " [Claimant 1] ":<br />
1. https://nl.wikipedia.org/wiki/ [internet address]<br />
2. https://player.fm/series/boos/ [internet address]<br />
3. https://tros.tvgids.nl [internet address]<br />
4. https://viralstat.com [internet address]<br />
5. https://www.sikkom.nl/tag [internet address]<br />
6. https://www.sikkom.nl [internet address]<br />
7. https://www.sikkom.nl [internet address]<br />
8. https://www.facebook.com/sikkom [internet address]<br />
and searched for "[plaintiff 2]":<br />
1. https://www.sikkom.nl/tag [internet address]<br />
2. https://www.sikkom.nl [internet address]<br />
3. https://www.sikkom.nl [internet address]<br />
4. https://www.sikkom.nl [internet address]<br />
5. https://twitter.com [internet address]<br />
6. https://www.youtube.com [internet address] .<br />
The court will take over the designation of the URLs used by Google. This means that the URLs referring to [plaintiff 1] will be designated C 1 to 8 and the URLs referring to [plaintiff 2] will be designated K 1 to 6.<br />
7.4.<br />
In the run-up to the oral hearing, Google deleted three search results from which [Claimant 1] and [Claimant 2] requested deletion (C 2 and 3 and K 2). With regard to those search results, [Claimant 1] and [Claimant 2] now no longer have any interest in removal for which reason that part of the application will be rejected.<br />
<br />
Legal framework<br />
7.5.<br />
The General Data Protection Regulation (AVG) entered into force on 25 May 2018. As an EU regulation, the AVG is binding in its entirety and directly applicable in the Member States. The applications of [plaintiff 1] and [plaintiff 2] became pending after 25 May 2018, so the application will also be assessed under the rules of the AVG.<br />
<br />
7.6.<br />
Google is to be regarded as the controller within the meaning of Article 4(7) of the AVG in respect of the personal data that it indexes with its search engine. Google's processing of personal data is in principle justified on the basis of Article 6(1)(f) of the AVG (cf. paragraphs 73 et seq. of the judgment of the Court of Justice of the European Union of 13 May 2014, case C-131/12, ECLI:EU:C:2014:317, 'the Costeja judgment').<br />
<br />
7.7.<br />
The assessment of the deletion request concerns the search results found by the search engine and not primarily the content of the web pages to which a link in the search results refers. As the Costeja judgment shows, it must be emphasised that the processing of personal data carried out by a search engine differs from the processing carried out by a web editor. The latter processing consists of placing data on a web page; the processing carried out by a search engine comes in addition to that. To the extent that the processing of personal data by a search engine differs from the processing carried out by web editors and, in addition, affects the fundamental rights of a data subject, Google, as the operator of a search engine, has its own responsibility within the framework of the AVG (cf. paragraphs 34 et seq. of the judgment of the Court of Justice of 24 September 2019, case C-136/17, GC, AF, BH and ED v. Commission nationale de l'informatique et des libertés, 'the GC and Others v. CNIL judgment'). Although what is at issue in the case of Google is the search results found in the search engine, the balancing of interests cannot, in principle, entirely disregard the content of the contested web pages to which the search results refer.<br />
<br />
7.8.<br />
Article 17 introductory wording and paragraph 1 of the AVG provides that the data subject has the right, in summary and to the extent relevant in this case, to obtain the deletion of personal data concerning him/her (the "right to oblivion") when the personal data are no longer necessary for the purposes for which they were collected or otherwise processed (sub a), when the data subject objects to the processing in accordance with Article 21 paragraph 1 of the AVG and there are no overriding compelling legitimate grounds for processing (sub c) or when the personal data have been unlawfully processed (sub d). It follows from paragraph 3 of this Article that this right of deletion does not apply (inter alia) to the extent that processing is necessary for the exercise of the right to freedom of expression and information.<br />
<br />
7.9.<br />
Article 21 paragraph 1 of the AVG stipulates, insofar as relevant in this case, that the data subject may object to the processing of personal data concerning him or her on the basis of Article 6 paragraph 1 sub f of the AVG for reasons related to his or her specific situation. The controller shall cease processing the personal data unless he or she invokes compelling legitimate grounds for processing which outweigh the interests, rights and freedoms of the data subject.<br />
<br />
7.10.<br />
When interpreting Article 6 opening words and sub f in conjunction with Articles 17 and 21 of the AVG and the balancing of interests to be carried out on the basis of those provisions, it is relevant that the Court of Justice in the Costeja judgment, and the Supreme Court in its judgment of 24 February 2017 (HR 24 February 2017, ECLI:NL:HR:2017:316, hereinafter "the X/Google judgment"), held that the fundamental rights of a natural person under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (hereinafter "the Charter"), namely the right to respect for private life and the right to protection of personal data, generally outweigh, and thus take precedence over, the economic interest of the search engine operator (compare Google's freedom to conduct a business, Article 16 of the Charter) and the legitimate interest of internet users in being able to access the search results in question (compare the right to freedom of expression and information of the public, with due regard for the freedom of the media, as enshrined in Article 11 of the Charter; further compare Article 10 ECHR, Article 7 of the Constitution and Article 17(3)(a) AVG). This may be otherwise in particular cases, depending on the nature of the information concerned and its sensitivity for the private life of the person concerned, and on the interest of the public in having that information, which is determined in particular by the role played by that person in public life (compare Court of Justice, paragraph 81 of the Costeja judgment, and Supreme Court, paragraph 3.5.5 of the X/Google judgment). The lawfulness of a publication on source pages does not prevent a search engine operator from being required to delete search results if the conditions for doing so are met (Court of Justice, paragraph 88 of the Costeja judgment).<br />
It also follows from the case law that, within the balancing of interests, guiding (but not independent) considerations may be that the search results are factually inaccurate or, given all the circumstances of the case, are incomplete, irrelevant or excessive in relation to the purpose of the processing. Furthermore, the interest of archiving in the public interest or for scientific or historical research purposes, as referred to in Article 17(3)(d) of the AVG, may also play a role in the balancing of interests.<br />
<br />
7.11.<br />
In the GC and Others v. CNIL judgment, the Court of Justice held that the prohibition on processing special categories of personal data and personal data relating to criminal convictions applies only to Google's own processing of such data as operator of the search engine, in particular the display of a reference to a source page containing such data in the list of search results following a search on the data subject's name. The operator is not responsible for the fact that special or criminal personal data appear on those source pages (GC and Others v. CNIL judgment, paragraphs 45-47).<br />
<br />
7.12.<br />
It also follows from this judgment that, with regard to a deletion request concerning search results which refer to web pages containing special or criminal personal data, where the interference with the fundamental rights of the data subject may be particularly serious because of the sensitivity of those data, a balance must always be struck between, on the one hand, the data subject's right to respect for private life and right to protection of his or her special or criminal data and, on the other hand, the right of access to public information and the freedom of expression of the person from whom that information originates. Having regard to the seriousness of the interference with the fundamental rights of the data subject, it must be considered whether the inclusion of a link in the list of results displayed following a search on that person's name is strictly necessary in order to protect the right to freedom of information, enshrined in Article 11 of the Charter, of internet users who may be interested in accessing that web page by means of such a search (GC and Others v. CNIL judgment, paragraphs 66-69). The right to the protection of personal data is therefore not an absolute right but must be considered in relation to its function in society and weighed against other fundamental rights (GC and Others v. CNIL judgment, paragraph 57).<br />
<br />
Assessment against the legal framework<br />
7.13.<br />
It should be stated at the outset that it is the search result, and not the source information, i.e. the publications, that is submitted for assessment. Although the content of the articles and episodes cannot be entirely disregarded when balancing interests, this does not mean that a request such as this one can be used to combat the content of a publication. The present procedure therefore does not lend itself to a full review of the criticisms of the articles and episodes raised by [plaintiff 1] and [plaintiff 2].<br />
<br />
7.14.<br />
In accordance with the main rule of Article 150 of the Dutch Code of Civil Procedure, it is up to [plaintiff 1] and [plaintiff 2] to state facts and circumstances and, in the event of a substantiated dispute, to prove that, with regard to a particular search result from which they request removal, the conditions of Article 6 opening words and sub f in conjunction with Article 17 and/or Article 21 of the AVG have been met.<br />
<br />
7.15.<br />
[plaintiff 1] and [plaintiff 2] base their requests, in reasonably general terms, on the fact that the publications referred to by the URLs are annoying and burdensome for them and that they are predominantly negative. According to [plaintiff 1] and [plaintiff 2], this has consequences, inter alia, for the business operations of their affiliated companies. In support of their claim that the publications are full of inaccuracies, [plaintiff 1] and [plaintiff 2] refer to the judgment of the preliminary relief judge of the District Court of Midden-Nederland and the decision of the Council.<br />
<br />
7.16.<br />
In the opinion of the District Court, contrary to the statements of [plaintiff 1] and [plaintiff 2], the judgment in the preliminary relief proceedings does not show that the #BOOS broadcast had to be fully rectified and that [plaintiff 1] and [plaintiff 2] were largely in the right. On the contrary, the preliminary relief judge held that only a few parts of the broadcast had to be rectified, but that there was no reason to remove the episode as such or to rectify everything relating to [plaintiff 1] and [plaintiff 2]. The Council's decision likewise concerns a partial finding as described in paragraph 3.7 and is in favour of [plaintiff 1] on that ground. In the aforementioned decisions, the court sees no substantiation for the position of [plaintiff 1] and [plaintiff 2] that the relevant publications are full of inaccuracies. In other respects, too, this position has been insufficiently substantiated.<br />
<br />
7.17.<br />
The Court further considers that the reporting by Sikkom, BNNVARA and SBS has a warning function, that this reporting is part of a (local) social debate about, among other things, the rental sector, and that [plaintiff 1] (and previously [plaintiff 2]) are public figures on the real estate market in Groningen (which the Court also knows ex officio). In the opinion of the District Court, [plaintiff 1] and [plaintiff 2], against the background described above, must therefore in principle tolerate that their conduct is discussed in the media. The fact that [plaintiff 1] and [plaintiff 2], in requesting removal of the URLs from the search results, are seeking the same result as they sought in the preliminary relief proceedings and before the Council has been insufficiently refuted by them. In addition, Google argued that removing search results, and thereby rendering publications untraceable, would have a disproportionate effect which is not justified.<br />
<br />
7.18.<br />
In addition, the reports on [plaintiff 1] and [plaintiff 2] mainly concern acting as lessor or rental agent. Infringement of the right to respect for private life is therefore at issue to a lesser extent. The fact that [Claimant 2] is no longer active in that market does not make that any different now that it may again be able to operate in the same market. In addition, the Court is also aware of its own motion that [plaintiff 1] or the legal entities it operates and Spot IN have been involved in proceedings in this Court on several occasions in which their actions as lessor or landlord or landlord agent were often at issue. [Plaintiff 1] and [Plaintiff 2], or the legal entities affiliated with them, were also ruled against several times. Under these circumstances, the Court is of the opinion that the interest of the public in being informed about [plaintiff 1] and [plaintiff 2] outweighs the interest that [plaintiff 1] and [plaintiff 2] have in removing the URLs. The current or future tenant of [plaintiff 1] (a generally weaker party in relation to [plaintiff 1] as landlord) may become aware of the background of [plaintiff 1] and the (political) discussions concerning [plaintiff 1] through this notice, which may be relevant for the consideration of whether one wants to rent (even longer) from [plaintiff 1].<br />
<br />
7.19.<br />
The URLs that refer to Sikkom articles when searching on the names " [Claimant 1] " and " [Claimant 2] " therefore do not need to be deleted in the light of the foregoing (C 5-8 and K 1, 3 and 4).<br />
<br />
7.20.<br />
With regard to URL C 4, Google has stated that this search result now appears as the 60th result on page 7 and that this URL no longer has any significant influence on the profile created of [plaintiff 1] on the basis of the search results page. [Plaintiff 1] has rebutted this assertion without sufficient substantiation, with the result that its removal is also rejected for lack of (sufficient) interest.<br />
<br />
7.21.<br />
The last URL from which [Claimant 1] requests deletion (C 1) refers to a Wikipedia page about [Claimant 1] . The Court is of the opinion that, against the background of Google's reasoned defence to removal, [plaintiff 1] did not sufficiently explain why this URL should be removed.<br />
<br />
7.22.<br />
The Court also follows Google in its defence of not having to remove URL K 6. [Plaintiff 2] has not explained why precisely this URL should be made untraceable. This too, just like URL C 1, has been ignored.<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Court_of_Appeal_of_Brussels_-_2019/AR/1600&diff=12211
Court of Appeal of Brussels - 2019/AR/1600
2020-11-12T07:15:22Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Hof van beroep Brussel - 2019/AR/1600<br />
|-<br />
|<br />
|-<br />
|Court:||[[:Category:Cour des marchés de la cour d'appel de Bruxelles/Market Court of the Brussels appeal court (Belgium)|Cour des marchés de la cour d'appel de Bruxelles/Market Court of the Brussels appeal court (Belgium)]]<br />
[[Category:Cour des marchés de la cour d'appel de Bruxelles/Market Court of the Brussels appeal court (Belgium)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in Belgium|Belgium]]<br />
[[Category:Belgium]]<br />
|-<br />
|Relevant Law:||[[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] <br />
[[Category: Article 5(1)(c) GDPR]]<br />
<br />
[[Article 6 GDPR#1|Article 6(1) GDPR]] <br />
[[Category: Article 6(1) GDPR]]<br />
<br />
[[Article 13 GDPR#1c|Article 13(1)(c) GDPR]] <br />
[[Category: Article 13(1)(c) GDPR]]<br />
<br />
[[Article 13 GDPR#1e|Article 13(1)(e) GDPR]] <br />
[[Category: Article 13(1)(e) GDPR]]<br />
<br />
[[Article 13 GDPR#2a|Article 13(2)(a) GDPR]] <br />
[[Category: Article 13(2)(a) GDPR]]<br />
|-<br />
|Decided:||19. 2. 2020<br />
[[category:2020]]<br />
|-<br />
|Published:||n/a<br />
|-<br />
|Parties:||Liquor store v. [https://www.gegevensbeschermingsautoriteit.be/ Belgian DPA]<br />
|-<br />
|Case Number:||2019/AR/1600<br />
|-<br />
|European Case Law Identifier:||<small>n/a</small><br />
|-<br />
|Language:||[[Category:Dutch]]<br />
Dutch<br />
|-<br />
|Original Source:||[https://www.autoriteprotectiondonnees.be/publications/arret-du-19-fevrier-2020-de-la-cour-des-marches-disponible-en-neerlandais.pdf Hof van beroep Brussel (in NL)]<br />
|}<br />
<br />
The Court of Appeal of Brussels annulled the Belgian DPA's decision which had led to a 10,000 EUR fine against a liquor store. The Court ruled that the DPA's decision was insufficiently reasoned and based on legislation that was not applicable at the time of the complaint. The DPA was ordered to pay back the fine.<br />
<br />
==English Summary==<br />
<br />
===Facts=== <br />
In August 2018, the DPA received a complaint from a customer of a liquor store. According to the complaint, the store had required her to let them scan her electronic ID in order to issue a customer card. The DPA investigated the complaint and concluded that the liquor store had breached the GDPR. More specifically, according to the DPA the liquor store:<br />
1. Did not have a valid legal basis for processing: consent was not freely given because no alternative was offered to the complainant (Article 6(1) GDPR);<br />
2. Did not provide the complainant with enough information prior to the processing (Article 13 GDPR);<br />
3. Processed more personal data than necessary, including national ID number, date of birth and gender (Article 5(1)(c) GDPR).<br />
<br />
===Dispute=== <br />
The appeal against the DPA's decision was based on 9 points, among which was the claim that the DPA violated Articles 52(1), 54(2) and 82(2) of the GDPR (independence of the DPA, professional secrecy and damage liability for controllers). Most importantly, the appellant challenged two of the three findings of the DPA, which had led to the fine: the absence of a valid legal basis for personal data processing and the breach of the data minimization principle. They did not contest the lack of information.<br />
<br />
===Holding===<br />
The Court annulled the DPA's decision as insufficiently reasoned and based on legislation that was not applicable at the time of the complaint. The Court did not have the power to order the DPA to pay back the fine, as that falls outside its jurisdiction, but it did quash the decision imposing the fine.<br />
<br />
As for the breach of the data minimization principle:<br />
1. The DPA had no evidence to support the finding that the Appellant was actually processing the national ID number of the complainant;<br />
2. The appellant was not obliged to give the complainant an alternative way of creating a discount card: the relevant provision of the e-ID law was not applicable at the time; <br />
3. No personal data processing took place because the complainant had refused to have her e-ID scanned;<br />
4. The DPA’s finding that the complainant’s birth date was not used to verify her age is a mere assumption;<br />
5. The DPA should not have assumed that the complainant would suffer an undeniable disadvantage by missing out on discounts available via the client card. This is not a disadvantage because only potential benefit was lost in this case.<br />
<br />
The Court upheld the appeal against the DPA’s decision also as regards the absence of legal basis for processing: the legislation that requires giving people alternatives to the processing of the e-ID was not applicable at the time of complaint.<br />
<br />
==Comment==<br />
Analyses of the judgment:<br />
<br />
*[https://www.nautadutilh.com/en/information-centre/news/your-id-for-a-loyalty-card-no-data-protection-fine-in-the-end Your ID for a loyalty card: no data protection fine in the end?] (5 March 2020)<br />
*[https://www.timelex.eu/en/blog/loyalty-cards-and-schemes-can-eid-be-used-belgium Loyalty cards and schemes: can the eID be used in Belgium?] (11 March 2020)<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
<br />
The decision below is a machine translation of the original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
Brussels Court of Appeal - 2019/AR/1600 - p. 2<br />
<br />
IN THE MATTER OF<br />
<br />
APPELLANT, represented by its director Mr _____________, with KBO no.<br />
_______________, having its registered office at ______________________________, hereinafter<br />
"appellant",<br />
appellant,<br />
<br />
<br />
represented by its counsel Mr VANDENDRIESSCHE Gerrit and Mr CLINCK Jan,<br />
lawyers, both with offices at ________________________________<br />
<br />
<br />
<br />
against decision 06/2019 of 17 September 2019 of the Disputes Chamber of the<br />
Data Protection Authority;<br />
<br />
<br />
<br />
<br />
AGAINST<br />
<br />
<br />
The DATA PROTECTION AUTHORITY, independent public body (supervisory authority)<br />
with legal personality, with CDE No 04694.67, having its registered office at<br />
1000 BRUSSEL, rue de la Pression 35, hereinafter referred to as "GBA",<br />
respondent,<br />
<br />
<br />
represented by its counsel Mr CLOOTS Elke, Mr SOTTIAUX Stefan and Mr ROETS Joos,<br />
lawyers, all with offices at 2018 ANTWERPEN, Oostenstraat 38 bus 201<br />
<br />
<br />
<br />
<br />
1. Jurisdiction.<br />
<br />
The Court's jurisdiction derives from the appeal which the appellant lodged on 18 October 2019<br />
at the Registry of the Court of Appeal and which, pursuant to Article 108 § 1 of the Law of 3 December 2017<br />
establishing the Data Protection Authority (hereinafter referred to as the "GBA Act"), is brought against<br />
decision 06/2019 of 17 September 2019 (notified on 19 September 2019) adopted<br />
by the Disputes Chamber of the Data Protection Authority (hereinafter "GBA").<br />
<br />
<br />
2. The contested decision and the facts.<br />
The Disputes Chamber ruled:<br />
<br />
to impose sanctions in connection with the violation of Articles 5.1(c), 6.1, 13.1(c), 13.1(e) and 13.2(a) AVG:<br />
<br />
<br />
<br />
<br />
Court of Appeal Brussels - 2019/AR/1600 - p. 3<br />
<br />
- on the basis of Article 100, § 1, 9° WOG, to order the defendant to bring the processing<br />
into line with Articles 5(1)(c), 6(1), 13(1)(c), 13(1)(e) and 13(2)(a) AVG;<br />
- on the basis of Article 101 WOG, an administrative fine of EUR 10,000<br />
as a result of the infringement of Articles 5.1(c) and 6.1 AVG;<br />
- on the basis of Article 100, § 1, 16° WOG, to publish this decision on the<br />
website of the Data Protection Authority, albeit after anonymisation.<br />
<br />
<br />
The appellant gives the following factual account:<br />
<br />
1. The appellant, the applicant, is a beverage company established at __________. It is a<br />
family business with more than 40 years of experience. It has branches at ______, _____ and<br />
_____.<br />
<br />
2. In the past, the appellant used paper loyalty cards in order to grant benefits<br />
to customers. Recently, the appellant has switched to an electronic<br />
cash register software system that also allows the electronic identity card (eID card)<br />
of a customer to be read electronically using the barcode and, on this basis,<br />
to grant advantages on purchases.<br />
<br />
The present case concerns the administrative procedure launched by the GBA<br />
against the appellant following the complaint of one (1) client of the appellant. The name of<br />
this customer is otherwise irrelevant and is therefore not mentioned. The customer is hereinafter<br />
referred to as 'person concerned'.<br />
<br />
<br />
3. On 28 August 2018, the person concerned lodged a complaint with the<br />
Data Protection Authority because she did not want her eID card to be read in<br />
order to obtain discounts on her purchases (document A.1). The complaint was as follows:<br />
<br />
<br />
Presentation of the facts<br />
On Friday 8 June, I went to buy drinks from the appellant, ___________<br />
__________________________. With a few bottles of spirits it was a high<br />
amount. When I arrived at the checkout they asked me if I would not like a loyalty card.<br />
I said 'yes'. They asked for my identity card to read it in. I<br />
replied that I didn't want to give my identity card, but that I would feel free to give the<br />
data needed to create a loyalty card, which I would gladly put on paper.<br />
I was refused the loyalty card - they only make<br />
customer cards by reading the identity card.<br />
<br />
This scenario happened again on Saturday 30 June - this time in the shop<br />
of the drinks trade appellant at ________________________. Because that day we were<br />
having a BBQ with a large group, the bill for booze was again a hefty<br />
amount. When I arrived at the checkout they asked me if I would not like a loyalty card.<br />
<br />
Court of Appeal Brussels - 2019/AR/1600 - p. 4<br />
<br />
<br />
<br />
<br />
<br />
I said 'yes'. They asked me to read my identity card and I answered<br />
that I didn't want to give my identity card, but that I would feel free to give the data needed<br />
to create a loyalty card, which I would put on paper. The<br />
customer card was refused to me - one only creates customer cards by<br />
reading the identity card. At that moment there were<br />
several people at the checkout. One of them also made the remark<br />
that it cannot be that the identity card must be read in for a customer card.<br />
The lady at the checkout said that she had nothing to do with this and that this<br />
was their way of working.<br />
<br />
Maybe a small remark: I'm 51 years old and I really don't look like anyone<br />
of 16 years of age :)<br />
<br />
In other words, the person concerned agreed to the processing of her personal data<br />
by the appellant in order to receive a loyalty card. However, she did not wish that<br />
processing to take place by means of reading her eID card.<br />
<br />
4. On 26 September 2018, Mr Willem De Beuckelaere of the GBA informed the person concerned that<br />
her complaint had been declared "admissible" and "for further<br />
treatment has been referred to the competent service which will inform you about<br />
the further course of your complaint" (document B.2).<br />
<br />
<br />
The first-line service apparently decided not to initiate mediation.<br />
<br />
5. On 29 October 2018, Mr Van Der Kelen, in his capacity of<br />
President of the GBA Disputes Chamber, addressed the Inspector General of the<br />
Inspection Service of the GBA as follows:<br />
<br />
Pursuant to Article 96, §1 of the Law of 3 December 2017 establishing the<br />
Data Protection Authority, you hereby receive the request of the Disputes Chamber<br />
of today to conduct an investigation, together with the complaint<br />
and the decision of the Disputes Chamber. (document B.3)<br />
<br />
<br />
The Disputes Chamber provided no further details on what aspects of the processing<br />
the Inspectorate had to investigate.<br />
<br />
On the same day, Mr Van Der Kelen also informed the person concerned of the decision of the<br />
Disputes Chamber to have the Inspection Service carry out further investigation of the complaint<br />
(document B.4).<br />
<br />
<br />
6. On 7 February 2019, the appellant received a letter from Mr Frank<br />
Schuermans, Inspector General of the Inspectorate of the GBA (document B.6). The<br />
Inspection Service requested the appellant to provide information and documents in order<br />
"to gain a better understanding of your practice for the acquisition of personal data from your<br />
<br />
Court of Appeal Brussels - 2019/AR/1600 - p. 5<br />
<br />
customers, the internal use of this personal data in your company and the possible<br />
distribution of the personal data thus obtained to third parties, with regard to the<br />
AVG obligations (...)".<br />
<br />
<br />
7. On 12 April 2019, the appellant's counsel replied to the<br />
questionnaire of the Inspection Service, together with additional documents (document B.7).<br />
<br />
<br />
8. On 10 May 2019, the Inspector General of the GBA's Inspectorate,<br />
meanwhile Mr van den Eynde, sent his report of the enquiry to the chairman of the<br />
Disputes Chamber, meanwhile Mr Hielke Hijmans (document B.8). This report contained,<br />
on the one hand, "findings (within the scope of the complaint or serious indications)" and,<br />
on the other hand, "additional findings (outside the scope of the complaint or serious<br />
indications)".<br />
<br />
9. On 28 May 2019, the Disputes Chamber decided to hear the substance of the case<br />
(document B.9).<br />
<br />
10. On 3 June 2019, the Disputes Chamber informed the appellant of the decision to<br />
deal with the substance of the case (document B.10). The appellant was also informed<br />
of its possibilities, such as requesting a copy of the file as well as the<br />
submission of defences. It was only at this point that the appellant was given the opportunity<br />
to take note of the content of the complainant's complaint against the processing of<br />
personal data by the appellant.<br />
<br />
<br />
On the same day, the GBA also sent a registered letter to the person concerned. She<br />
also received a copy of the inspection report (document B.11).<br />
<br />
<br />
On 27 July 2011, the appellant submitted her defences (documents C.1 and C.2).<br />
<br />
On 17 September 2019, the Disputes Chamber took a decision on the merits, hereinafter referred to as the<br />
<br />
"Contested Decision" (document D.1).<br />
<br />
For its part, the Data Protection Authority (hereinafter "GBA") explains the facts as<br />
follows:<br />
<br />
1. On 28 August 2018, the GBA received a complaint from a person ('the<br />
person concerned' or 'the complainant') who is a customer of the appellant, a beverage business with<br />
various branches at _____________________. In the complaint form, the person concerned stated that,<br />
in order to be able to obtain a loyalty card from the beverage trade, she was obliged<br />
to have her electronic identity card read into the computer system of the beverage trade.<br />
However, the person concerned did not wish her identity card to be read electronically. Her<br />
proposal, as an alternative, to provide the personal data needed to create a<br />
<br />
Court of Appeal Brussels - 2019/AR/1600 - p. 6<br />
<br />
loyalty card in any other way was rejected. As a result,<br />
the person concerned was refused a loyalty card by the beverage trade, although she<br />
wished to have one. This happened on two occasions, both in the branch at<br />
_________ (on 8 June 2018) and in the branch at ____ (on 30 June 2018).<br />
<br />
In particular, the person concerned described the facts as follows in the complaint form which she<br />
submitted to the GBA (document 1):<br />
<br />
<br />
On Friday 8 June, I went to buy drinks from the drinks trade appellant, ___________<br />
__________________________________ (appellant's address: ________). With a few bottles of spirits it was a high amount.<br />
When I arrived at the checkout they asked me if I didn't want a loyalty card. I said<br />
'yes'. I was asked to read my identity card and I replied that<br />
I did not want to give my identity card, but that I would feel free to give the data needed<br />
to create a loyalty card, which I would put on paper. The<br />
loyalty card was refused to me - one only creates loyalty cards by means of<br />
reading the identity card.<br />
This scenario happened again on Saturday 30 June - this time in the shop of<br />
the beverage trade appellant in _____ (address). Because we<br />
had a BBQ with a large group that day, the bill for booze was again a<br />
considerable amount. When I arrived at the checkout they asked me if I would not like a loyalty card.<br />
I said 'yes'. They asked me to read my identity card. I<br />
replied that I did not want to give my identity card, but that I would be happy to give the<br />
data needed to create a loyalty card, which I<br />
wanted to put on paper. The loyalty card was refused to me - they only make<br />
customer cards by reading the identity card. At that<br />
moment there were several people behind me at the checkout. One of them<br />
made the comment that it is not possible that the identity card<br />
must be read in for a loyalty card. The lady at the checkout said that she<br />
had nothing to do with it and that this was their way of doing things.<br />
Perhaps a small remark: I am 51 years old and I really do not look like someone<br />
of 16 years :)."<br />
<br />
<br />
2. On 26 September 2018, the GBA declared the complaint admissible on the basis of<br />
Articles 58 and 60 of the Act establishing the Data Protection Authority (hereinafter referred to as the<br />
"GBA Act")[1] (document 2). The complaint was subsequently submitted to the Disputes Chamber of<br />
the GBA, in accordance with Article 62(1) of the GBA Act. The admissibility decision was<br />
also notified to the complainant on 26 September 2018, in accordance with Article<br />
61 GBA Act (document 3).<br />
<br />
3. On 23 October 2018, the Disputes Chamber decided, on the basis of Article 63(2) and<br />
Article 94 of the GBA Act, to submit questions for investigation to the Inspection Service of the GBA (document 4).<br />
<br />
4. On 29 October 2018, the request of the Disputes Chamber to carry out<br />
an investigation was submitted to the Inspectorate, in accordance with Article 96(1) of the GBA<br />
<br />
[1] Law of 3 December 2017 establishing the Data Protection Authority, B.S. 10 January 2018.<br />
<br />
Court of Appeal Brussels - 2019/AR/1600 - p. 7<br />
<br />
Act. The complaint and the minutes of the decision of the Disputes Chamber of 23<br />
October 2018 were attached to this request. The person concerned was<br />
informed by the Disputes Chamber by letter dated 29 October 2018 of the transfer to the<br />
Inspection Service (document 5).<br />
<br />
<br />
5. In order to examine the file, the Inspection Service sent a<br />
written questionnaire to the controller (document 6). As this<br />
written questionnaire was not initially answered, the Inspectorate sent a reminder<br />
by registered letter on 4 April 2019 (document 7). On 12 April 2019, the<br />
appellant, through its counsel, finally gave an answer to the<br />
Inspection Service (document 8).<br />
<br />
<br />
6. On 10 May 2019, following the completion of its investigation, the Inspection Service issued a<br />
report and added it to the file in accordance with Article 91 § 1 GBA Act (document 9).<br />
<br />
The inspection report mentioned in particular the following findings (p. 1-2):<br />
"The complaint [...] concerns the automatic reading of the eID for the creation of a<br />
loyalty card at a drinks trade. At subsequent visits of the customer<br />
the barcode is linked to the customer's data [...].<br />
- The customer data stored in this way are: name, first names, address,<br />
date of birth, gender, since when the person concerned has been a customer, amount of purchases.<br />
- The Disputes Chamber did not provide any additional indications of what should be<br />
examined by the Inspectorate [...], such as an examination of the<br />
privacy statement of the controller.<br />
- The Commission has previously accepted that some traders may<br />
identify their customers if those customers register in a strictly personal<br />
loyalty system allowing the customers to benefit from a price reduction or other<br />
benefit in respect of the purchases made (paragraph 17 of recommendation<br />
03/2011).<br />
- However, the Commission also considered it important that the consent of the customer<br />
is obtained when reading the eID in the framework of a loyalty system,<br />
and that the customer is 'offered an alternative to the use of his identity card'<br />
(recommendation 6 at the end of recommendation 03/2011).<br />
- The eID legislation was amended by Article 27 of the Law of 25 November 2018<br />
containing various provisions relating to the National Register and the<br />
population registers. Article 6 § 4 of the Law of 19 July 1991 provides a new framework<br />
for the use of the eID, with which the controller must have complied as from 23 December 2018.<br />
This article states, among other things:<br />
'The electronic identity card may only be read or used with the free,<br />
specific and informed consent of the holder of the electronic<br />
identity card'.<br />
'When a benefit or service is offered to a citizen by means of his<br />
electronic identity card in the context of an IT application, an alternative<br />
which does not require the use of the electronic identity card must<br />
also be offered to the person concerned'.<br />
<br />
<br />
<br />
Court of Appeal Brussels - 2019/AR/1600 - p. 11<br />
<br />
<br />
<br />
<br />
<br />
The Disputes Chamber took note that the defendant admitted that this method of proceeding was inconsistent<br />
with the AVG and indicated that additional measures would be taken in the short term in order to<br />
bring the data processing in line with the AVG.<br />
<br />
15. In accordance with Article 100, § 1, 9°, GBA Act, the Disputes Chamber ordered the<br />
respondent to bring the data processing in conformity with Article 5.1(c),<br />
Article 6.1 and Article 13 AVG. In addition, the Disputes Chamber decided to impose<br />
the following sanctions:<br />
<br />
- an administrative fine of EUR 10 000 as a result of the infringement of Article<br />
5.1(c) and Article 6.1 AVG (on the basis of Article 101 of the GBA Act);<br />
- the publication of the decision on the website of the<br />
Data Protection Authority, after anonymisation (on the basis of Article 100, § 1, 16°<br />
GBA Act).<br />
<br />
In order to justify its decision to impose an administrative fine of that amount,<br />
the Disputes Chamber referred in particular to the seriousness and nature of the<br />
infringements of Article 5.1(c) and Article 6.1 AVG. In particular, the Disputes Chamber found it<br />
relevant that:<br />
- the infringed Article 5.1(c) AVG contains a fundamental principle;<br />
- the infringement of Article 6.1 AVG is such that there is no valid legal basis at all<br />
for the data processing.<br />
<br />
Non-compliance with the relevant provisions of the AVG was, according to the<br />
Disputes Chamber, to be considered "grossly negligent with a far-reaching impact<br />
not only on the data processing of the complainant, but on that of all customers of the<br />
defendant".<br />
<br />
<br />
16. On 19 September 2019, the Disputes Chamber informed the parties of its<br />
decision and of the possibility of lodging an appeal within a period of thirty<br />
days from the notification, before the Market Court (Article 108(1)(1) of the GBA Act) (document<br />
18).<br />
<br />
<br />
17. By petition of 18 October 2019, the appellant lodged an appeal before<br />
Your Court against the decision of the Disputes Chamber of 17 September<br />
2019. That decision is hereinafter referred to as the 'contested decision'.<br />
<br />
<br />
<br />
<br />
3. The claims before the Court.<br />
<br />
3.1.<br />
By summary conclusion lodged at the Court Registry on 20 December 2019, the<br />
appellant requests:<br />
<br />
"to declare the appellant's appeal admissible and well-founded,<br />
<br />
Court of Appeal Brussels - 2019/AR/1600 - p. 12<br />
<br />
to annul decision 06/2019 of 17 September 2019 of the Disputes Chamber of the<br />
Data Protection Authority and to order the Data Protection Authority to<br />
repay the administrative fine of EUR 10 000 already paid by the appellant,<br />
and, ruling anew:<br />
<br />
o principally, to declare that the complaint of the person concerned dated 28 August 2018 to<br />
the Data Protection Authority was unfounded in relation to the appellant, and<br />
to dismiss this complaint, or<br />
<br />
o in the alternative, if Your Court is of the opinion that the complaint of the person concerned dated 28 August<br />
2018 to the Data Protection Authority in respect of the appellant is founded,<br />
to formulate a reprimand against the appellant.<br />
<br />
In each case, to order the Data Protection Authority to pay all<br />
court costs to the appellant, including the procedural indemnity for the appellant<br />
of EUR 1,440.00."<br />
<br />
3.2.<br />
The GBA concludes as follows by conclusion deposited on January 1, 2020:<br />
<br />
Declare that the appellant's claim falls outside the jurisdiction of<br />
Your Court;<br />
Declare the appellant's claim to be unfounded;<br />
In any event, order the appellant to pay the costs, including the<br />
basic amount of the procedural indemnity.<br />
<br />
3.3.<br />
All these conclusions were filed in accordance with the procedural calendar.<br />
<br />
<br />
<br />
4. The legal framework.<br />
<br />
<br />
The appellant's claim is based on the following articles:<br />
- Art. 5 AVG[3]<br />
<br />
Principles governing the processing of personal data.<br />
Personal data must be:<br />
<br />
[...]<br />
<br />
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016<br />
on the protection of natural persons with regard to the processing of<br />
personal data and on the free movement of such data, and repealing<br />
Directive 95/46/EC (General Data Protection Regulation).<br />
<br />
<br />
<br />
<br />
Court of Appeal Brussels - 2019/AR/1600 - p. 15<br />
<br />
<br />
<br />
<br />
- Article 63:<br />
<br />
"Referral to the Inspectorate may be made:<br />
<br />
1° when the Executive Committee establishes serious indications of the existence of a<br />
practice which may give rise to a breach of the fundamental principles of the protection<br />
of personal data, within the framework of this law and of the laws that<br />
contain provisions on the protection of privacy with regard to personal data;<br />
2° when the Disputes Chamber has decided, on the basis of a complaint, that an<br />
investigation by the Inspectorate is necessary;<br />
3° by the Disputes Chamber within the framework of a request for the performance of<br />
additional research;<br />
4° at the request of the Executive Committee, with a view to cooperating with a<br />
data protection authority of another State;<br />
5° at the request of the Executive Committee in the event that the Data Protection Authority is seized<br />
by a judicial authority or an administrative supervisor;<br />
6° on its own initiative where it finds serious indications of the existence of a<br />
practice which may give rise to a breach of the fundamental principles of the protection<br />
of personal data, within the framework of this law and of the laws that<br />
contain provisions on the protection of the processing of personal data."<br />
<br />
- Article 108 § 1:<br />
<br />
"The Disputes Chamber shall inform the parties of its decision and of the possibility of lodging an appeal against it, within a period of thirty days from [...] the notification, before the Market Court.<br />
<br />
Subject to the exceptions provided for by law, or unless the Disputes Chamber decides otherwise on special grounds, the decision is provisionally enforceable notwithstanding an appeal.<br />
<br />
The decision to delete data in accordance with Article 100 § 1, 10° is not provisionally enforceable."<br />
<br />
<br />
<br />
5. Discussion of admissibility.<br />
<br />
The admissibility ratione materiae and ratione temporis has not been disputed.<br />
<br />
The GBA states (page 8, No 16, with reference to its document 18) that the notification dates from 19 September 2019.<br />
<br />
The appellant is the party in respect of whom the decision was taken, and the appeal was lodged within 30 days of notification of the decision and in accordance with the statutory formal requirements.<br />
<br />
The appeal is admissible.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
6. Discussion - the pleas in law relied on.<br />
<br />
<br />
6.1.<br />
<br />
The appellant puts forward the following pleas in law:<br />
<br />
1. The GBA was not established as a fully independent supervisory authority within the meaning of Article 52(1) of the General Data Protection Regulation (hereinafter the "AVG") (First plea);<br />
2. The GBA violated Article 54.2 AVG and Article 48 § 1 of the GBA Act, because the persons concerned did not respect the obligation to preserve the confidentiality of the facts, acts or information coming to their knowledge in the course of their duties (Second plea);<br />
3. The GBA violated Article 96 § 1 of the GBA Act because the Disputes Chamber's request for an investigation by the Inspection Service was not transmitted to the Inspector-General of the Inspection Service within thirty days after the complaint was brought before the Disputes Chamber by the First-Line Service (Third plea);<br />
4. The GBA violated Article 63 of the GBA Act in that the Inspection Service carried out an investigation into aspects that had not been referred to it (Fourth plea);<br />
5. The GBA violated the rights of defence and the principles of good administration (Fifth plea);<br />
6. The appellant respected the principle of data minimisation and therefore committed no infringement of Article 5(1)(c) AVG (Sixth plea);<br />
7. The appellant's processing was not unlawful and did not infringe Article 6.1 AVG (Seventh plea);<br />
8. The GBA imposed the administrative fine without taking into account the list of criteria in Article 83.2 AVG (Eighth plea);<br />
9. Ninth plea: the jurisdiction of the Court.<br />
<br />
<br />
<br />
<br />
6.2.<br />
<br />
The GBA relies on the following pleas:<br />
o Principally, that the appellant's claim falls in part outside the jurisdiction of the Court.<br />
<br />
In the alternative:<br />
<br />
o With regard to the appellant's first plea in law: Article 52.1 and Article 53.1 of the AVG have not been violated;<br />
<br />
<br />
<br />
5 Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119/1 (General Data Protection Regulation).<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
of a procedural rule or consultation prior to the adoption of the contested decision was necessary).<br />
<br />
<br />
However, in the exercise of that full jurisdiction, the Market Court must respect the limits of the judicial debate. Within the limits of the rules of public order and of the interpretation to be given to the pleas in law relied on before it, the Court must confine its assessment, that is to say the possible substitution of its own decision, to the grounds and pleas in law put forward by the applicant and to the defence of the respondent.17<br />
<br />
In short, the Market Court may substitute its own decision for the annulled contested decision, provided that it does not raise any issue that was not the subject of adversarial debate in the proceedings before it, and in so far as no decision is given on matters on which the parties have been unable to defend themselves in those proceedings.<br />
<br />
The GBA's criticism, where it states:<br />
<br />
"In addition to 'ordinary' judges, there are also a number of judges in the Market Court with 'specific/advanced knowledge of economic, financial or market law'.18 The rules in the field of data protection cannot readily be placed within one of those areas of law. Rather, these are rules that safeguard a human right and therefore constitute a so-called transversal field of law, which touches many aspects of society (comparable, for example, to anti-discrimination law)",19<br />
<br />
overlooks the fact that the members of the Market Court who have the specialised knowledge (see above) are at the same time judges of the Brussels Court of Appeal who meet the legal requirements to which every magistrate of the Court is subject, that their appointment is made on the proposal of the High Council of Justice, and that any interested party has the opportunity to seek annulment of the appointment before the Council of State.<br />
<br />
A "critique" by a party to the proceedings of the alleged (in)competence of one or more members of the Court is, in the light of the foregoing, of little pertinence or relevance.<br />
<br />
The Market Court therefore has jurisdiction to annul the contested decision and, where appropriate, to replace the sanction by another sanction, as requested by the appellant in the alternative, a plea against which the GBA was able to defend itself.<br />
<br />
8. Discussion of the grounds for annulment.<br />
<br />
8.1. Infringement of Article 5.1.c) AVG<br />
<br />
The appellant submits:<br />
<br />
17 Compare Cour des marchés 22 January 2020, 2019/AR/1470, no. 26.<br />
18 Art. 207, § 3, 4°, Ger. W.<br />
19 These were the subject of various comments in the parliamentary debates on the draft that led to the GBA Act. See Parl. St. Kamer 2017-2018, no. 54-2648/6, 10, 13, 48, 50, 57, 59, 61-62, 69-70 and 77.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
44. The Disputes Chamber ruled that the infringement of the principle of data minimisation would include the use by the appellant of the national register number, by reading the eID card in order to create a loyalty card:<br />
<br />
<br />
"For the Disputes Chamber, the following is paramount. The data processing implies the use of the national register number, included in the barcode of the electronic identity card, which is irrelevant. The Disputes Chamber considers it important that special rules apply to the use of the National Register number (also already applicable before 23 December 2018), which prescribe a very restrained use of this National Register number. Because, according to the Inspection Service, the barcode is used to identify the customer in the client database, the Disputes Chamber assumes that the national register number, or at least a part of the barcode of the identity card, was used contrary to the principle of data minimisation". (emphasis added by the appellant)<br />
<br />
In other words, the Disputes Chamber 'assumes' that the appellant processed the national register number. The report of the Inspection Service, however, makes no mention of this whatsoever. The Inspection Service did request written information from the appellant. It asked the appellant for "more information about the specific data your company reads and uses from the eIDs of your customers". The appellant replied: "the data that are saved are [...] surname, first names, address, date of birth, age, customer since, turnover and the latest 10 purchase amounts and the number of points" (document 8.8). The national register number was not mentioned.<br />
<br />
<br />
The Disputes Chamber consequently had no basis whatsoever to hold the appellant liable for an infringement of the principle of data minimisation because of the alleged use of the national register number to create a loyalty card. It was not allowed to "assume", without any document in the file, that the appellant used the national register number.<br />
<br />
<br />
The Disputes Chamber was not allowed to take the national register number into account in order to find an infringement of the AVG and to impose an administrative fine. As your Court noted in previous appeal proceedings against decisions of the GBA, reasons invoked by the GBA can "only support a decision where it is apparent from the documents of the case that the authority (GBA) may rely on them"20 and "the substantive justification requires that the administrative act be supported by reasons whose factual existence has been duly proven and which may lawfully be taken into account in the justification of that act".21 The motives of the contested decision concerning the infringement of the principle of data minimisation in connection with the national register number find no support whatsoever in the documents of the file.<br />
<br />
20 Brussels (Sectie Marktenhof) 23 October 2012, FPS Public Health v. GBA, 2019/AR/1234, 24.<br />
21 Brussels (Sectie Marktenhof) 23 October 2019, ING België NV v. GBA, 2019/AR/1006, 19.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The GBA argues in this regard:<br />
"74. Furthermore, the GBA notes that the Disputes Chamber derived the infringement of Article 5(1)(c) AVG not only from the use of the national register number, but also from the storing of the gender and date of birth of the customers. The appellant does not contest that the latter personal data were kept by it, so that the infringement of Article 5.1.c) AVG remains in any event. It is indeed impossible to see how the gender and date of birth could be relevant for the purpose of the data processing, namely the creation of a loyalty card. The fact that other purposes could exist for which such data could lawfully be processed, such as the verification of compliance with the legal minimum age for the purchase of alcohol, is irrelevant in this context. For the sake of completeness, the GBA recalls that, following the ruling of the Constitutional Court of 19 June 2019 on the law on transgender persons,22 the registration of the sex of persons can in any case no longer be taken for granted, not by the government and therefore certainly not by a private person such as a beverage retailer.<br />
75. Finally, it is clear that the electronic identity card contains far more data than is required for the creation of a loyalty card. It is precisely for this reason that the complainant was willing to provide the specific information required for the creation of a loyalty card, but did not agree to having her electronic identity card read, whereby she loses control over which data are read from it and kept by the controller.<br />
<br />
76. Conclusion: the Disputes Chamber derived the infringement of Article 5.1.c) AVG from proven facts".<br />
<br />
<br />
The contested decision states:<br />
"The Inspection Service thus confirms the complaint in the sense that no alternative is offered to customers who want a loyalty card but do not wish their electronic identity card to be used for the creation of such a loyalty card, whereas according to the Inspection Service obtaining consent and offering an alternative are required.<br />
<br />
The Inspection Service also refers to Article 6 § 4 of the Act of 19 July 1991 on population registers, identity cards, aliens' cards and residence documents, as applicable from 23 December 2018, which provides that the electronic identity card may only be read or used with the free, specific and informed consent of the holder. When a benefit or service is offered to a citizen through his electronic identity card in the framework of an IT application, an alternative that does not require the use of the electronic identity card must also be proposed. In addition, the Inspection Service also refers to Recommendation No 03/2011 in order to support the consent requirement and the offering of an alternative."<br />
<br />
<br />
22 GwH, No 99/2019, 19 June 2019.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The Law of 19 July 1991 on population registers, identity cards, aliens' cards and residence documents now provides in Article 6 § 4, second and third paragraphs:<br />
"The National Register number and the photo of the holder may only be used if authorised to do so by or by virtue of a law, a decree or an ordinance. The electronic identity card may only be read or used with the free, specific and informed consent of the holder of the electronic identity card.<br />
When a benefit or service is offered to a citizen through his electronic identity card in the context of an IT application, an alternative that does not require the use of the electronic identity card must also be proposed to the person concerned."<br />
<br />
This text was added by the law of 25 November 2018 and entered into force on 23 December 2018. This law is therefore not applicable to the facts giving rise to the present dispute, since the complaint dates from 28 August 2018.<br />
<br />
At the time of the complaint, the text read as follows:<br />
"Any automated check of the card by optical or other reading means must be the subject of a royal decree, after the opinion of the sectoral committee of the National Register referred to in Article 15 of the Act of 8 August 1983 on the organisation of a National Register of Natural Persons, ..."<br />
<br />
The motives of the Inspection Service - which the GBA states serve as a basis for the decision - are unlawful. A law that was entirely inapplicable at the time of the complaint and a "recommendation" which has no legal force cannot serve as a basis for assessing conduct as contrary to the legislation in force.<br />
<br />
It has not been demonstrated, let alone conclusively proven, that at the time of the complaint an alternative had to be offered.<br />
<br />
The contested decision also states:<br />
<br />
"The Disputes Chamber also notes that the processing of customer data (surname, first names, address, date of birth, gender, date from which the person concerned is a customer and the amount of purchases) does not respect the principle of data minimisation, as the data 'gender and date of birth' are also irrelevant. In this case, the defendant does not use the loyalty card to check the minimum age for alcohol sales.<br />
<br />
Given that the defendant's method in relation to the creation of loyalty cards does not respect the principle of data minimisation, the Disputes Chamber is consequently of the opinion that the infringement of Article 5.1.c) AVG has been proven."<br />
<br />
No eID card was presented by the complainant in this case, so there was no processing of her data at all. The GBA therefore does not show any actual infringement in relation to personal data.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
At that time, the appellant was not (yet) legally obliged to offer alternatives. This has been different since 23 December 2018, but that regulation could not be applied retroactively by the GBA.<br />
<br />
In addition, the Disputes Chamber wrongly relies on a number of unsubstantiated assumptions:<br />
- that a loyalty card of a beverage company would not be used to check compliance with the ban on the sale of alcohol to minors;<br />
- that the complainant would suffer an undeniable disadvantage as a result of not creating a loyalty card, namely missing out on discounts. This is not a disadvantage, because only a possible additional advantage is lost (the Court emphasises). The situation is different when the eID card is requested in order to obtain or retain a legal or contractual right (e.g. the right to a guarantee).<br />
<br />
<br />
A breach of Article 5.1.c) AVG has not been proven in this specific case.<br />
<br />
<br />
The appellant's sixth plea is well-founded on this point.<br />
<br />
8.2. Infringement of Article 6.1 AVG:<br />
<br />
The GBA further bases its decision on a breach of Article 6.1 AVG, namely that the lawfulness of the processing requires that the data subject has given consent to the processing of his personal data for one or more specific purposes, or that the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.<br />
<br />
The GBA states:<br />
"Contrary to what the defendant argues, consent cannot be the legal basis for the processing, as the consent, within the defendant's current modus operandi, cannot in any way be regarded as free consent within the meaning of Article 4.11 AVG, in the absence of an alternative system that allows the creation of a loyalty card without the use of the electronic identity card, which would enable the person concerned to benefit from discounts in such cases as well.<br />
<br />
<br />
In this context, the Disputes Chamber also refers to the Article 29 Working Party Guidelines on consent under Regulation 2016/679, stating that the element 'free' implies real choice and control for the data subjects. As a general rule, the AVG provides that if a data subject has no real choice, feels compelled to consent or will endure negative consequences if he or she does not consent, the consent is not valid. If consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given. Accordingly, consent is not considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. Because, in the present case, the complainant, and by extension all customers, can only benefit from discounts by means of their electronic identity card, and the defendant offers no alternative for the creation of a loyalty card in order to benefit from this advantage, it is clear that there is no free consent.<br />
<br />
Although the defendant did not rely on it, the Disputes Chamber examined to what extent the processing could be based on Article 6.1.f) AVG and could be necessary for the protection of the defendant's legitimate interest. The Disputes Chamber observes that, to that end, the interest of the controller must be weighed against the interest of the data subject concerned and must outweigh it. Also as regards this legal basis, the Disputes Chamber finds that such a weighing-up, in the present case, leads to the conclusion that the interest of the complainant, extended to all customers of the defendant, takes precedence.<br />
<br />
<br />
The Disputes Chamber rules that the infringement of Article 6.1 AVG has been proven".<br />
<br />
To the extent that the GBA again refers to the lack of an alternative, it again relies (see point 8.1 above) on secondary legislation which is not applicable.<br />
<br />
The Market Court refers to what was stated above under point 8.1.<br />
The infringement of Article 6.1 AVG has therefore not been proven. The appellant's seventh plea is well-founded on this point.<br />
<br />
<br />
8.3. Decision on points 8.1 and 8.2:<br />
<br />
To the extent that the contested decision does not contain an adequate statement of reasons, since certain reasons for the contested decision are incompatible with the documents in the file and with the legal provisions in force at the time of the complaint, and the Market Court cannot verify which motive or motives, if any, were de facto decisive for the contested decision, the Market Court must find that the GBA did not lawfully justify the grounds on which it declared the infringements to be proven (and, as a consequence, imposed sanctions for these alleged infringements).<br />
The decision was therefore taken unlawfully and must be annulled.<br />
<br />
<br />
<br />
8.4. Infringement of Articles 13.1.c), 13.1.e) and 13.2.a) AVG:<br />
<br />
With regard to the other findings of the Inspection Service, namely:<br />
<br />
(a) the contradiction between the defendant's assertion that there has been no communication of data to third parties, while the privacy statement states that transfer within the European Economic Area to associated companies is possible;<br />
<br />
(b) the lack of clear information for the person concerned, in particular on the legal basis and the storage period;<br />
<br />
the Disputes Chamber takes note that the appellant admits that these may rightly be regarded as shortcomings under the AVG and indicates that additional measures will be taken in the short term to ensure that the data processing complies with the requirements of the AVG.<br />
To the extent that these elements fall outside the scope of the complaint and do not give rise to a sanction, they need not be assessed separately.<br />
<br />
The order under Article 100 § 1, 9° of the GBA Act, to the effect that the appellant must bring the processing into line with Art. 5.1.c), Art. 6.1, Art. 13.1.c), Art. 13.1.e) and 13.2.a) AVG, is not in itself the object of the appeal. The appellant does not develop any plea in that regard.<br />
<br />
<br />
9. The sanction<br />
<br />
<br />
In addition to the fact that the contested decision does not contain an adequate statement of reasons (see point 8.3 above), the penalty imposed, namely a fine of € 10,000, is in turn inadequately reasoned.<br />
<br />
Even if the GBA may argue that it need not review every possible sanction under Article 83.2 AVG and need not justify why some sanctions were not considered, this does not detract from the fact that the choice of the sanction imposed must be adequately substantiated. When determining the sanction in concrete terms, the following general criteria should be leading:<br />
<br />
the seriousness of the infringement;<br />
the duration of the infringement;<br />
the necessary deterrent effect to prevent further infringements.<br />
<br />
The GBA determines the manner in which it considers that a sanction is appropriate.<br />
<br />
However, as stated above, a decision of the GBA with regard to (the amount of) a financial penalty is not binding on the Market Court.<br />
<br />
<br />
The Market Court assesses the extent of a possible sanction in such a way that it is appropriate to the circumstances and proportionate to the infringement found and to the capacity of the party committing the infringement.<br />
<br />
<br />
The mere statement that the infringement relates to a fundamental legal principle of data protection is not enough. The nature and seriousness of the infringements constitute one of the assessment criteria for determining the sanction and its amount if a fine is opted for, but these elements must be assessed against all the elements of the dossier (e.g. whether or not it is a one-off infringement, what the impact is generally considered to be in legal life, or whether any intention or intent on the part of the offender is demonstrated, ...) and, in the absence of a clear qualification and quantification of the possible sanctions in a publicly accessible document (guideline or scale transparently communicated by the GBA) prior to the concrete facts, at least a justification must be given as to why a sanction less far-reaching than the imposition of a fine of € 10,000 could not be of such a nature as to put an end to the infringements. Only if these requirements of sufficient, clear and transparent reasoning are met is Article 83 AVG, which states that the sanction must in every case be effective, proportionate and dissuasive, effectively enforced. In this respect, the criteria of effectiveness and proportionality<br />
<br />
Where the GBA once again retains as a motive "a gross negligence with a far-reaching impact not only on the data processing of the complainant, but on that of all customers of the defendant, in the absence of an alternative for the creation of the customer file on the basis of the electronic identity card, absence of valid consent and excessive data processing", and it appears from the facts of the dispute that the complainant has never made her identity information available to the appellant, so that she cannot suffer any personal disadvantage, and the fact that no alternative was available was not a valid legal basis at the time of the complaint, it follows that the sanction in itself is also unlawful (even if infringements had been proven).<br />
<br />
<br />
For that reason alone, the contested decision must be annulled. The appellant's eighth plea is also well-founded.<br />
<br />
The reasons now put forward by the GBA in its submissions (No 106) to justify post factum the sanction imposed and enforced cannot be taken into account. The offender must be informed, before the imposition of a sanction, of the nature of the sanction under consideration and of its scale (where a fine is contemplated). The offender must be warned (with a view to avoiding unnecessary sanctioning) and have the opportunity to defend himself on the amounts of the fine proposed by the Disputes Chamber, before the sanction is effectively imposed and executed.<br />
<br />
<br />
<br />
10. The publication.<br />
<br />
To the extent that the sanctioning of infringements of the AVG and the GBA Act should be partly dissuasive in nature, the Market Court recommends that the GBA publish the present judgment on its website, omitting the identification details of the parties concerned.<br />
<br />
<br />
11. Decision,<br />
<br />
The appeal is admissible and well founded.<br />
<br />
<br />
The contested decision 06/2019 of 17 September 2019 of the Chamber of Disputes of the<br />
Data Protection Authority concerning the appellant is annulled.<br />
<br />
It is for the Data Protection Authority to refund to the appellant the administrative fine of<br />
€ 10,000 already paid by the appellant. The Market Court, however, was not seized of a claim for<br />
payment of a subjective right and cannot, therefore, order such payment.<br />
<br />
<br />
<br />
<br />
12. The costs.<br />
<br />
<br />
In accordance with the law of 21 April 2007 and the Royal Decree of 26 October 2007, the<br />
procedural indemnity is set at the basic amount of € 1,440.<br />
<br />
<br />
<br />
<br />
For these reasons,<br />
The court,<br />
<br />
<br />
<br />
<br />
Having regard to Article 24 of the Law of 15 June 1935 on the use of languages in court proceedings,<br />
<br />
Declares the appeal admissible and well-founded;<br />
<br />
<br />
<br />
Annuls the contested decision 06/2019 of 17 September 2019 of the Chamber of Disputes of<br />
the Data Protection Authority concerning the appellant;<br />
<br />
<br />
<br />
Orders the Data Protection Authority to pay the costs of the appeal, settled at<br />
1,860.00 euro (being € 400.00 roll fee, € 20.00 contribution to the Budgetary Fund and € 1,440.00<br />
procedural indemnity).<br />
<br />
<br />
<br />
Orders the Data Protection Authority, in accordance with Article 269/2 of the Code of<br />
registration, mortgage and court registry fees, to pay to the Belgian State, Federal Public Service Finance, the<br />
appeal fee in the amount of EUR 400.00, and, as the party finally bearing the charge, the<br />
<br />
contribution of € 20.00 to the Budgetary Fund;<br />
<br />
* * *<br />
<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Commissioner_(Cyprus)_-_11.17.001.007.220&diff=12135
Commissioner (Cyprus) - 11.17.001.007.220
2020-11-10T17:10:16Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Cyprus<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoCY.jpg<br />
|DPA_Abbrevation=Commissioner<br />
|DPA_With_Country=Commissioner (Cyprus)<br />
<br />
|Case_Number_Name=11.17.001.007.220<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Office of the Commissioner for Personal Data Protection<br />
|Original_Source_Link_1=http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/B64595978C98EFCEC2258606003EC47E/$file/%CE%91%CE%9D%CE%9F%CE%9D%CE%A5%CE%9C%CE%9F%CE%A0%CE%9F%CE%99%CE%97%CE%9C%CE%95%CE%9D%CE%97%20%CE%91%CE%A0%CE%9F%CE%A6%CE%91%CE%A3%CE%97%20%CE%95%CE%9D%CE%A4%CE%9F%CE%9B%CE%97%CE%A3%20%CE%95%CE%9D%CE%91%CE%9D%CE%A4%CE%99%CE%9F%CE%9D%20%CE%9A%CE%95%CE%9F%20PLC.pdf<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=06.08.2020<br />
|Date_Published=22.10.2020<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 7(4) GDPR<br />
|GDPR_Article_Link_1=Article 7 GDPR#4<br />
|GDPR_Article_2=Article 35(9) GDPR<br />
|GDPR_Article_Link_2=Article 35 GDPR#9<br />
<br />
<br />
<br />
|Party_Name_1=ΚΕΟ PLC<br />
|Party_Link_1=https://keogroup.com/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Panayotis Yannakas<br />
|<br />
}}<br />
<br />
A company decided to modernise its employee time-tracking system. Among other features, the new swipe-card terminal also included a camera. The Cypriot DPA ordered the company to suspend the new ERP system, due to its lack of compatibility with the General Data Protection Regulation. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
KEO PLC decided to upgrade its ERP system; the upgrade concerned the module recording when an employee started and ended their shift. Until then, the card-swipe terminal only recorded an ID number and the times of arrival at and departure from the Company's premises. <br />
<br />
The new terminal included a tiny camera as a measure against employees swiping the cards of their colleagues. On the grounds of the principle of proportionality, the right to privacy, as well as the right to public life, two trade unions submitted a complaint against KEO PLC before the Cypriot DPA. <br />
<br />
=== Dispute ===<br />
The main question was whether the particular data processing is reasonable and constitutes minimised processing, in the sense of what is absolutely necessary in order to achieve the aim pursued.<br />
<br />
Starting with the complainants, they argued along a broad line of argument and points of law. Firstly, they pointed to the poor accompanying documentation for the impending system upgrade, including the privacy policy and specific information on the changes between the old and new ERP system. Secondly, they were of the opinion that, before any changes, the Company should have sought less intrusive methods of employee time tracking. Thirdly, the complainants stated that the resolution of the camera is irrelevant; it is enough that the data produced concern an identifiable natural person. <br />
<br />
KEO Public Company alleged that, upon receiving legal advice, it extended the duration of processing and storage of the data tracked, inputted or created by the new terminal. KEO's intention in making that change was harmonisation with the limitation period for bringing an action before the court. KEO Public Company also claimed that under the GDPR there is no right which a trade union can exercise; in its view, the justiciability of the GDPR is limited to the natural persons whose personal data are directly concerned. <br />
<br />
=== Holding ===<br />
The Cypriot DPA entirely dismissed the argument that the duration of storage of personal data should be linked to the limitation period within which someone is allowed to bring an action before the court. The DPA commented that if any other law could set a minimum duration for the storage of personal data, the letter and the spirit of the GDPR would be overlooked. The only eligible criterion is the initial reason for collecting the personal data, which in the present case was ensuring that employees do not violate their employment contract. <br />
<br />
The DPA held that the Company could have adopted milder measures to regain control over circumvention of the traditional swipe-card tracking system. Otherwise, the Company should at least have asked the employees (or their representatives) for their opinion and/or suggestions. Asking the data subjects' opinion is also a Cypriot requirement. For example, Article 35(9) GDPR provides that an impact assessment may include such a consultation. <br />
<br />
The Cypriot DPA considered Article 7(4), which refers to clear and explicit consent. As a more in-depth insight, it can be stated that if consent is obtained through the performance of a service or other contract, the examination of the necessity of the personal data processing is an inseparable criterion. Given the employment contract, the employer is considered to hold a dominant position, and any such consent can de facto be characterised as explicit agreement. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
File No.: 11.17.001.007.220 August 6, 2020<br />
<br />
<br />
<br />
Decision in the form of an Order in accordance<br />
<br />
with the provisions of Article 58 (2) (d) of the GCC<br />
<br />
<br />
SUBJECT: Complaint by OVIEK - Σ.Ε.Κ and Σ.Ε.Β.Ε.Τ.Τ.Υ.Κ. - PEO of employees<br />
of KEO PLC, for possible violation of GKPD<br />
<br />
Bearing in mind the provisions:<br />
<br />
<br />
(a) Articles 55 (1), 56 (2), 57 (1) (a) and 58 (2) (d) of General Regulation (EU) 2016/679; and<br />
<br />
(b) of article 19 (5) of Law 125 (I) / 2018,<br />
<br />
<br />
the following Order is issued:<br />
<br />
A. Facts:<br />
<br />
1. On 14/10/2019, a complaint was submitted to my Office by representatives of OVIEK - S.E.K and<br />
<br />
Σ.Ε.Β.Ε.Τ.Τ.Υ.Κ. - PEO (hereinafter Complainants) on behalf of the employees in the company KEO PLC<br />
(hereinafter referred to as the complaint), in connection with the replacement and upgrade of the system<br />
so that it is compatible with modern technology and software systems.<br />
<br />
1.1. Specifically, the representatives of the employees of OVIEK - S.E.K and S.E.V.E.T.Y.K. - ΠΕΟ<br />
in the Complaint, claim that both the content of the Policy Statement and its<br />
<br />
Information leaflet entitled Upgrade of entry / exit time recording system, does not comply with<br />
the provisions of General Regulation (EU) 2016/679 (hereinafter GCC).<br />
<br />
1.2. In the form submitted to my Office, they were briefly mentioned as issues to<br />
investigation of the use and duration of data retention, processing of personal data,<br />
as well as the fact that the entry / exit card is an excessive measure.<br />
<br />
<br />
2. On 17/10/2019, an Officer of my Office sent an email to his XXXXXXXX<br />
Defendant's staff's complaint, asking for its position on their allegations<br />
Complainants, until 11/11/2019, as well as a) Impact Assessment conducted for the<br />
implications / risks of using such a System (Article 35 of the GIP), b) Activity Archive,<br />
c) Posted Protection Policy and d) Details of the Data Protection Officer of KEO PLC.<br />
<br />
<br />
Positions of the Defendant, represented by a lawyer, and annexes:<br />
<br />
3. The lawyer of the Defendant on the complaint, on 11/18/2019 sent a letter with her positions and views.<br />
On 12/30/2019 my Office raised various issues that arose from the letter and<br />
The attachments sent by the Defendant in the complaint are also listed below. On 14/02/2020, the<br />
<br />
Defendant's lawyer sent a second reply letter to the complaint. Along with the two letters that<br />
sent, attached a) the Employees' Personal Data Protection Statement and / or<br />
Dealers, b) the Input / Output Time Recording System Upgrade Notice, c) the<br />
Impact Assessment, the Activity Archive, d) the Privacy Statement in<br />
relation with Job Applicants and e) the form KEO GENERAL DATA PROTECTION PRIVACY<br />
POLICY, as Annexes.<br />
<br />
<br />
3.1. The two letters of the Defendant, dated 18/11/2019 and 14/02/2020, refer to<br />
including the following: 3.1.1. the union complaint does not appear to have been filed by an organization to which<br />
includes in its statutory purposes the protection of personal data or has<br />
submitted by the data subjects themselves. Therefore, this is not a legitimate complaint and<br />
<br />
To this end, the Defendant reserves all its rights,<br />
<br />
3.1.2. Defendant complained for the purpose of cooperating with my Office,<br />
answer the Questionnaire dated 17/10/2019. In the case in which it is submitted<br />
complaint in a lawful manner in the future or if it is informed in the future that such complaint<br />
formally investigated, then the Defendant reserves the right to challenge the complaint<br />
<br />
additional comments and positions in defense of its rights.<br />
<br />
3.2. The Defendant on 3/10/2019, for the purposes of compliance with the GCC, sent via<br />
e-mail and / or handed over to the Employees (Complainants) Statement<br />
Privacy Policy.<br />
<br />
<br />
3.3. He did the same on 9/10/2019, where for the purposes of implementing the mentioned measure, he sent<br />
and / or delivered a separate notice regarding the replacement and installation of the new one<br />
card swipe system.<br />
<br />
3.3.1. In that notice, the Defendant informed its staff that through<br />
new devices will collect, store and use the employee card number, the date<br />
<br />
entry / exit, entry / exit time and low resolution photo of the employee to<br />
in order to comply with working hours and compliance with contractual obligations<br />
ultimate goal is time management and dealing with any complaints and disciplinary measures<br />
misdemeanors.<br />
<br />
3.4. For the information of my Office, attach the Privacy Statement<br />
<br />
Employees and / or Agents and the Time Logging System Upgrade Notification<br />
entry / exit, sent and / or delivered to employees, respectively.<br />
<br />
3.5. Defendant's position is that the replacement and installation of this system<br />
as well as the processing of such data is necessary for the execution of an agreement between it<br />
The Complainant and the Complainants as well as for the satisfaction of the legal interest<br />
<br />
sought by the controller (in this case the Defendant). In the sub<br />
report processing applies, as stated, to at least one of the following cases<br />
Article 6 of the GCC:<br />
<br />
“B) The processing is necessary for the execution of a contract of which the subject of<br />
data is a contracting party [...]<br />
<br />
(f) the processing is necessary for the purposes of the legitimate interests pursued by<br />
<br />
controller or third party ”<br />
<br />
3.6. For the information of my Office, it has attached the Impact Assessment.<br />
<br />
<br />
3.7. It is the position of the Defendant that the replacement and installation of the new system<br />
A card can not be considered a faulty, unjustified or disproportionate action. THE<br />
During the complaint, he had previously used the card flipping system while collecting<br />
via this device the employee card number, date and time of entry / exit. The only<br />
substantial change with the replacement and installation of the new system, is the collection and<br />
save a low resolution photo of the employee and in this regard the Defendant<br />
has reduced the retention time of the photo to one month in contrast to other data which<br />
it is necessary, as he claims, to be kept for a longer period of time. In the past they had<br />
<br />
cases where individuals used another employee's card for purposes<br />
circumvention of schedule rules.<br />
<br />
<br />
<br />
3.8. The retention period of the remaining data was set at 7 years after they were received<br />
take into account the limitation periods that apply to contractual disputes under the Cyprus issue<br />
Law. The Impact Report states that this issue will be re-evaluated and amended<br />
<br />
if deemed necessary.<br />
<br />
3.9. The range of data stored is limited to what is absolutely necessary, the number<br />
employee card, the date and time of entry / exit and his low resolution photo<br />
employee. In addition, access to these data has been restricted.<br />
<br />
<br />
3.10. According to the Defendant, the present case does not concern video surveillance<br />
and use of biometric systems but in the low resolution photo collection of the employee.<br />
However, it considers it appropriate to refer by analogy to the following report of Opinion 2/2018 which<br />
issued on 19/10/2018 based on Article 58 (3) (b) of the GCC for Video Surveillance in the area<br />
work and the use of biometric systems,<br />
<br />
<br />
"Therefore, the use of biometric systems (facial recognition or facial recognition or<br />
fingerprinting) by employers, for arrival time control purposes and<br />
departure of employees to their place of work is prohibited. The controller<br />
must choose other means less intrusive / burdensome to human dignity than<br />
<br />
what the collection and use of fingerprints entails. As such means are for<br />
For example, the card ticking system, frequent / unannounced checks by<br />
Manager / Head in the card system, the presence of a supervisor in the area where<br />
the system works or alternatively the placement of a surveillance camera over it<br />
card machine ”.<br />
<br />
<br />
3.11. The collection and editing of the low resolution photo of the employee in combination<br />
with the card machine as a whole as applied by the Defendant, can not<br />
to be considered an excessive measure. On the contrary it is a less burdensome and proportionate measure (unlike<br />
surveillance camera which would continuously videotape the specific points and would not<br />
was limited to the moments when an employee beats his card). It concludes that this measure<br />
<br />
in line with the provisions of the GCP.<br />
<br />
3.12. The Defendant complains when choosing the features of the mentioned system<br />
card, had extensive conversations and consultations with the provider of that system with a view to<br />
the best possible compliance with the GPA. For this purpose they requested and received legal<br />
tips.<br />
<br />
<br />
3.13. For the information of my Office, it has attached the Activity Archive of the Defendant<br />
complaint.<br />
<br />
3.14. At the time of the implementation of the GCP, there was a team, which consisted of its members<br />
Management and the Personnel Department and which took all the necessary steps and measures for<br />
<br />
Defendant's compliance with the GCC. At this stage the debts of the Protection Officer<br />
Data (hereinafter referred to as DPA), is executed by XXXXXXXXXX<br />
<br />
4. In a letter of the Office, dated 30/12/2019, to the lawyer of the Defendant, the<br />
content of which is not an exhaustive list of the findings of my Office as well<br />
several issues have emerged that need to be corrected in the forms submitted, the<br />
<br />
the complaint sent a reply letter on 14/2/2020, stating the following:<br />
<br />
4.1. Notes the position of my Office regarding the legality of the complaint and clarifies that the<br />
report on whether the Employees in the Defendant made the assignment<br />
in accordance with the Directive, "Complaints Procedure".<br />
<br />
<br />
4.2. Wants to clarify that the low resolution photo associated with the reported<br />
system is not biometric data. In other words, this system does not collect biometrically<br />
characteristics which are unique, measurable, physical features used<br />
in order to identify an individual. Therefore, they do not need to be found<br />
other ways as the system used is not a collection and processing system<br />
biometric data.<br />
<br />
<br />
4.3. Considers the system in question, which includes taking low resolution photography<br />
at the time of card entry and stroke, instead of biometric data or continuous<br />
video recording, which will videotape the data subject for a few seconds during<br />
attendance at work is a measure that takes into account the principle of proportionality.<br />
<br />
<br />
4.3.1. The replacement and implementation of this system was deemed necessary for the better<br />
implementation of the agreement between the Defendant and the Complainants (their subjects<br />
and the satisfaction of the legitimate interest pursued by the controller<br />
(Article 6 (b) and (f) of the GCC).<br />
<br />
<br />
4.3.2. The placement of a camera that takes low resolution photos (keeping them for only<br />
period of one month) and consequently their collection and processing is not an excessive measure<br />
but it is a measure which takes into account the principle of proportionality.<br />
<br />
4.3.3. The data collected by this system is necessary for the intended<br />
purposes of processing, ie the monitoring and evaluation of compliance with labor<br />
and compliance with contractual obligations with the ultimate goal of time management and<br />
<br />
dealing with any complaints and disciplinary misconduct. Preserving photos for<br />
a period of one month is a proportionate measure. Relevant, as he states, the reports in relation to<br />
Opinion 2/2018 of my Office on page 3 of the letter dated 18/11/2019.<br />
<br />
4.4. In relation to the Employees' Personal Data Protection Declaration form and / or<br />
Delegates (hereinafter Statement) and other sub-issues, notes the following:<br />
<br />
<br />
4.4.1. In no case has the Defendant's complaint been based on Article 6 (1) (a) of the GIP which<br />
concerning securing the consent of data subjects (in this case<br />
of the Complainants). The Defendant sent the complaint and / or delivered the Statement to its subjects<br />
and what he was asking for was confirmation of receipt of those documents and assurance<br />
compliance with the Transparency Principle.<br />
<br />
<br />
4.4.2. On page 7 of the Declaration, it clarifies that consent is not a condition of the contract<br />
employment, nor even for the special categories.<br />
<br />
4.4.3. Page 4 of the Declaration clearly lists the cases concerning the conditions<br />
<br />
of Article 6 with the relevant legal bases for elaboration and while there are specific legal bases<br />
in that part of the Declaration, however, it lacks any reference to the consent that<br />
provided for in Article 6 (1) (a) of the GCC.<br />
<br />
4.5. The individual issues listed in the letter of my Office dated 30/12/2019 and<br />
which as I have already mentioned do not constitute an exhaustive list of the findings of my Office as well<br />
<br />
Several issues have emerged in the forms submitted, they are the following:<br />
<br />
- to make clearer and more specific the way in which information is collected and<br />
for what reason. Generality, for example, we collect information about whether you have declared<br />
bankruptcy is not sufficient. White criminal record information should be relevant<br />
directly with the nature of the work.<br />
<br />
- there is confusing information, for existing employees and for potential ones<br />
employees. They need to be separated and specified as to whom.<br />
- the publication refers to protection policy and in general to the policy of the Defendant<br />
complaint. Is this policy published somewhere? Is it easily accessible?<br />
- the term particularly sensitive personal data is not testable, there is a special<br />
<br />
data category.<br />
- if the service provider is from a country within the EU it does not mean a third party.<br />
- if it is from a non-EU country then an Assignment Agreement must be concluded under Article<br />
28 GDPR.<br />
- The Knowledge Need Principle should be observed for all (employees and non-employees).<br />
<br />
- have procedures been put in place for the exercise of the rights of access, deletion and<br />
restriction? Are they easily accessible?<br />
- data collection is done for a specific purpose and the necessary things are requested.<br />
- who is the Data Protection Officer of the Company? Contact info;<br />
<br />
4.5.1. The Defendant gives her own position on the above, as follows:<br />
<br />
<br />
- considers that the Statement under the circumstances is quite clear, but is ready to proceed to<br />
further control it so as to consider the possibility of making changes to<br />
become even more understandable, especially on the point of how and why<br />
to whom the data are collected,<br />
- with regard to the criminal record, clarifies that the provision existed for cases where for<br />
<br />
any reason an employee or agent voluntarily decides to provide it either<br />
such information shall be sent by a third party to the Defendant,<br />
- Recently, the External Auditors of the Complainant suggested that<br />
certificate where the nature of the subject's work requires the production of blank<br />
criminal record,<br />
- for the same reason there was the provision concerning whether someone would go bankrupt, such<br />
notification to be sent to the Defendant.<br />
<br />
- as provided in the Bankruptcy Law notification of any decree declaring the<br />
the debtor in bankruptcy is notified, inter alia, to the employer of the bankrupt,<br />
indeed in the Statement there are references to information collected at the stage before<br />
hiring someone. This is there to cover cases where such information is<br />
necessary to maintain and later, ie at the stage where one will become<br />
employed,<br />
- for people who simply remain "potential employees" there is a separate statement of protection<br />
<br />
data, which was attached as Annex A to the letter dated 14/2/2020. Therefore,<br />
no further separation should be made in the Declaration, which concerns<br />
people who have become employees,<br />
- there is a more general and concise document on personnel protection policy<br />
of the Defendant in relation to all employees / Complainants,<br />
as well as a form which can be given by the DPO of the Defendant in case<br />
requested by anyone (Annex B of the letter dated 14/2/2020). The<br />
This document will also be posted on the Defendant's website, where it already exists<br />
<br />
specific data protection policy for the use of the website.<br />
- the reason the term "sensitive personal data" was used is because it is used<br />
widely, such as for example by the European Commission itself on its website when<br />
provides explanations for the legal reasons for processing with reference to the GCC itself. also<br />
Such references also exist in the recitals (recitals) 10 & 51 of the GCP.<br />
- in any case it is clarified that the Defendant does not send information about<br />
non-EU employees.<br />
<br />
- the only service provider of the Defendant who personally processes the complaint<br />
data of its employees (Complainants) is the company that provides the SAP system<br />
ERP. A relevant award contract has been prepared between the Defendant and him<br />
provider, to be signed by 29/2/2020,<br />
- Defendant aims and seeks to establish and implement procedures and<br />
workplace culture that restrict access to information that concerns them<br />
employees (Complainants) in such a way that access is only available to persons who<br />
need to have access,<br />
<br />
- the Defendant has established procedures for exercising access rights,<br />
deletion and restriction, contained in a form which may be given by the DPO to<br />
case requested by any employee.<br />
<br />
<br />
<br />
- The Defendant understands that any information she collects and maintains about the<br />
subjects is collected because this has become necessary for employment purposes.<br />
<br />
That, after all, is the main purpose of the Defendant's compliance with the complaint,<br />
- The Defendant understands that full compliance with this principle in one<br />
workplace requires a change of culture from all parties involved and from all<br />
without exception,<br />
- until recently the DPO was XXXXXXXXXX, but which leaves the Defendant on<br />
complaint, therefore procedures for the appointment of a new DPO.<br />
<br />
<br />
4.6. Further, in the entry / exit time recording system Upgrade form, which consists of<br />
from almost three pages, all the necessary information regarding the replacement has been given<br />
and installation of the new system so that staff can receive the necessary information about it<br />
system.<br />
<br />
<br />
4.7. In relation to the concern that arises as to whether the low resolution of the photo will exist<br />
any special processing, the Defendant states that the low resolution photos<br />
which will be collected by the input / output recording system, will not be transferred nor will<br />
are stored in the SAP ERP software but on the Defendant's server with a limited complaint<br />
access. The input / output time recording system is a completely separate system from SAP<br />
ERP. Defendant confirms the complaint that no special treatment will be given to<br />
<br />
low resolution photos.<br />
<br />
4.8. The people of SAP ERP are employees of a third independent company, which provides the system<br />
to the Defendant. This system stores all the data collected with<br />
new devices, except for low resolution photos, and only the<br />
individuals of the Personnel Department and the IT Department.<br />
<br />
<br />
4.9. As stated in the Impact Assessment form that was conducted, SAP ERP individuals have<br />
access to the software, only after the Defendant has authorized the complaint for purposes<br />
software upgrade or repair of any software malfunction, the<br />
which cannot be remedied by Defendant's IT department.<br />
<br />
<br />
4.10. The Defendant considers that the time of one month for keeping the photos low<br />
analysis, is accordingly legitimate.<br />
<br />
4.10.1. With regard to the retention of data concerning the time and date of entry and<br />
exit from the workplace, the retention period is currently set at 7 years,<br />
provided that limitation periods under Cypriot law have been taken into account in relation to<br />
<br />
contractual disputes (6 years) and civil offenses (3 years).<br />
<br />
4.10.2. A legal dispute may arise in relation to an employee (Complainant)<br />
concerning matters for which the limitation period of the transferable rights in accordance with<br />
Cypriot Law amounts to 6 years and the entry / exit data to be a relevant testimony<br />
in such cases.<br />
<br />
<br />
4.10.3. It is possible for a case to arise with an employee (Complainant) and the Defendant<br />
complaint, other than those contained in the jurisdiction of the Labor Disputes Tribunal,<br />
for which the limitation period is shorter. For this reason, the Defendant received the complaint<br />
legal advice, as to maintain such data for a period of 7 years, except of course in cases<br />
where a case arises, where the case-related information will be retained for as long as<br />
<br />
the case is pending.<br />
<br />
4.10.4. The retention of these data for a period of 7 years is not excessive<br />
period as the input / output elements in the workplace are not of such a nature as to<br />
poses a serious threat to the rights and freedoms of data subjects<br />
(Complainants). At the same time, it remains at the disposal of my Office to discuss and<br />
<br />
<br />
We will adjust this detail accordingly in the future as the system has just been set up<br />
in application.<br />
<br />
<br />
5. Then, on 12/3/2020, an Officer of my Office sent an e-mail to<br />
DPO of the Complainants, making aware of the allegations of the Defendant, requesting<br />
his positions and views until 13/4/2020.<br />
<br />
Positions of Complainants represented by a lawyer:<br />
<br />
<br />
6. On 13/4/2020, the Complainants' lawyer sent a letter with the positions and views of the<br />
of its customers, as follows:<br />
<br />
6.1. To answer the question of whether the Defendant is entitled to photograph the Complainants/employees<br />
upon entering/leaving work, the legal framework within which the Defendant may carry out such processing<br />
must be examined.<br />
<br />
6.1.1. In accordance with the principles set out in Article 5 of the GDPR, it is concluded that the adoption<br />
of the measure of photographing the employee during the entry/exit procedure may be allowed only when the<br />
employer is able to justify the legality and necessity of the control and monitoring, and when there is no<br />
other less intrusive way of achieving the purposes it pursues.<br />
<br />
6.1.2. The positions and reasons put forward by the Defendant for installing the upgraded card system with<br />
photo capture can be satisfied both with the existing card system and by adopting other methods, such as<br />
frequent unannounced checks of the card system by a Head or even the presence of a supervisor at the place<br />
where the card system operates.<br />
<br />
6.1.3. Further, the Defendant did not indicate the reasons why it was necessary and/or essential to upgrade<br />
the card system. The Defendant merely stated the aims without substantiating the necessity which led it to<br />
that decision.<br />
<br />
6.1.4. As long as the photo that is taken identifies the employee, even though it is of low resolution, it<br />
falls within the meaning of the term "personal data".<br />
<br />
<br />
6.1.5. Given the principle of proportionality, taking a photograph of the employee constitutes an intrusive<br />
measure that restricts the right to privacy and does not even serve the purposes which the Defendant stated<br />
it wanted to serve.<br />
<br />
6.1.6. He expected that the Defendant, as Processor, before upgrading the card system, would try to strike a<br />
balance between its legitimate interest in protecting its rights and the fundamental right to privacy of its<br />
employees.<br />
<br />
6.2. Regarding the data retention period, the retention time is defined as the period of time necessary to<br />
satisfy the purposes for which the data are collected by the controller.<br />
<br />
<br />
6.2.1. In this case, the Defendant informed the Complainants that the retention period for the data<br />
concerning the time and date of entry to and exit from the workplace is 7 years. In calculating this period,<br />
the limitation periods provided by the Limitation Law were taken into account, i.e. 6 years for contracts<br />
and 3 years for civil offenses.<br />
<br />
<br />
6.2.2. The reasoning is correct but the Defendant's calculation is wrong, given that any dispute arising in<br />
relation to the entry/exit hours of an employee will amount to a labor dispute, and therefore the limitation<br />
period for labor disputes, amounting to 12 months, applies.<br />
<br />
<br />
6.3. In the SEP ERP software system, employee data is entered correctly. The Defendant must, however,<br />
explain and justify whether there is a reason for the data to be stored on a KEO PLC server. In addition,<br />
the issue of a signed assignment agreement between the Defendant and the company operating the SEP ERP<br />
system is raised.<br />
<br />
<br />
6.4. In conclusion, the Complainants' lawyer stated that taking a photograph of them is not necessary to<br />
protect the legitimate interests of the Defendant, since these can be secured in less burdensome ways,<br />
while in any case the retention period for the entry/exit card data should be limited to a maximum of 2<br />
years.<br />
<br />
<br />
B. Legal analysis:<br />
<br />
7. The photograph of a natural person, in so far as his identity is directly or indirectly revealed,<br />
constitutes "personal data" as defined in Article 4 of the GDPR, which states that "personal data" is "any<br />
information relating to an identified or identifiable natural person (data subject)".<br />
<br />
7.1. The same article also defines processing as "any operation or set of operations which is performed on<br />
personal data or on sets of personal data, whether or not by automated means, such as collection,<br />
recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,<br />
disclosure by transmission, dissemination or otherwise making available, alignment or combination,<br />
restriction, erasure or destruction".<br />
<br />
7.2. Furthermore, the controller is defined as "the natural or legal person, public authority, agency or<br />
other body which, alone or jointly with others, determines the purposes and means of the processing of<br />
personal data".<br />
<br />
7.3. In addition, it defines a "filing system" as "any structured set of personal data which are accessible<br />
according to specific criteria, whether centralised, decentralised or dispersed on a functional or<br />
geographical basis".<br />
<br />
8. Article 5 of the GDPR sets out the principles relating to the processing of personal data, as follows:<br />
"1. Personal data shall be: … (c) adequate, relevant and limited to what is necessary in relation to the<br />
purposes for which they are processed ("data minimisation"); … (e) kept in a form which permits<br />
identification of data subjects for no longer than is necessary for the purposes for which the personal data<br />
are processed; personal data may be stored for longer periods insofar as the personal data will be processed<br />
solely for archiving purposes in the public interest, scientific or historical research purposes or<br />
statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical<br />
and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the<br />
data subject ("storage limitation"); … 2. The controller shall be responsible for, and be able to demonstrate<br />
compliance with, paragraph 1 ("accountability")".<br />
<br />
8.1. Based on the data minimisation principle established by Article 5(1)(c) of the GDPR, the Defendant must<br />
in any case ensure that personal data are adequate, relevant and limited to what is necessary for the<br />
purposes for which they are processed and, based on the storage limitation principle of Article 5(1)(e) of<br />
the GDPR, the data must be kept in a form which permits the identification of data subjects only for the time<br />
required to achieve the purposes of the processing.<br />
<br />
8.2. Recital 39 of the GDPR Preamble explains, inter alia, that "Personal data should be adequate, relevant<br />
and limited to what is necessary for the purposes for which they are processed. This requires, in particular,<br />
ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data<br />
should be processed only if the purpose of the processing could not reasonably be fulfilled by other means".<br />
<br />
8.3. Recital 4 of the GDPR Preamble explains that "the right to the protection of personal data is not an<br />
absolute right; it must be considered in relation to its function in society and be balanced against other<br />
fundamental rights, in accordance with the principle of proportionality".<br />
<br />
8.4. Further, Recital 47 explains that "The legitimate interests of a controller, including those of a<br />
controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for<br />
processing, provided that the interests or the fundamental rights and freedoms of the data subject are not<br />
overriding, taking into consideration the reasonable expectations of data subjects based on their<br />
relationship with the controller".<br />
<br />
8.5. Also relevant to the issue are (a) Opinion 06/2014 on the notion of legitimate interests of the data<br />
controller, issued on 9/4/2014 by the Article 29 Working Party on data protection, (b) the Opinion of the<br />
Article 29 Working Party entitled "Opinion 2/2017 on data processing at work", (c) paragraph 9 of Article 35<br />
of the GDPR, which states that "Where appropriate, the controller shall seek the views of data subjects or<br />
their representatives on the intended processing, without prejudice to the protection of commercial or<br />
public interests or the security of processing operations", (d) Opinion 2/2018 issued by the Commissioner<br />
for Personal Data Protection under Article 58(3)(b) of the GDPR on Workplace Video Surveillance and the Use<br />
of Biometric Systems, and (e) Directive 1/2011 issued by the Hellenic Data Protection Authority on the use of<br />
video surveillance systems for the protection of persons and goods.<br />
<br />
9. Article 35(9) of the GDPR, concerning the data protection impact assessment, states that "Where<br />
appropriate, the controller shall seek the views of data subjects or their representatives on the intended<br />
processing, without prejudice to the protection of commercial or public interests or the security of<br />
processing operations".<br />
<br />
10. The Limitation of Actionable Rights Law of 2012, as amended (hereinafter Law 66(I)/2012).<br />
<br />
11. Article 12(10A) of the Annual Leave with Pay Law of 1967 (hereinafter Law 8/1967) states that "An<br />
application to the Labor Disputes Tribunal shall be submitted within twelve months of the date on which the<br />
right to apply arose or within nine months of the response of the Fund for redundant staff…".<br />
<br />
C. Commentary:<br />
<br />
12. It is the position of the Defendant's lawyer that, for the replacement and installation of the card<br />
system as well as for the data processing, at least one of the following cases of Article 6 of the GDPR<br />
applies:<br />
<br />
"(b) processing is necessary for the performance of a contract to which the data subject is party […]<br />
<br />
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a<br />
third party…".<br />
<br />
12.1. In order for Article 6(1)(b) of the GDPR to be used as a legal basis, an explicit provision should be<br />
included in the employment contract signed between the Defendant and the data subjects (employees). No such<br />
evidence was presented before me.<br />
<br />
12.1.1. But even if there were an explicit provision in the employment contract, this would be considered in<br />
the light of Article 7(4) of the GDPR and of whether the consent of the data subject (employee) is given<br />
freely. As mentioned in my Office's letter dated 30/12/2019, the employer is considered to have a dominant<br />
position in the employment relationship, and therefore the employee's consent is not considered free.<br />
<br />
12.2. With regard to Article 6(1)(f) of the GDPR, I accept that it could be used as a legal basis, provided,<br />
however, that the processing of the data of the subjects (employees), i.e. the taking and storing of their<br />
photo, complies with the principles of proportionality, storage limitation and accountability, and in any<br />
case does not override the interests or fundamental rights and freedoms of the data subjects.<br />
<br />
13. In the present case, therefore, I am called upon to consider<br />
<br />
(a) whether the installation of a camera by the Defendant in order to take a low resolution photograph of<br />
the data subject (employee), so as to verify that the employee who punches the card is the holder and not a<br />
third party, as a control measure, complies with the data minimisation principle, and<br />
<br />
(b) whether the retention of employees' entry/exit data (employee card number, date and time of entry/exit)<br />
for a period of seven years, for the purposes of settling labor disputes or exercising legal rights,<br />
complies with the storage limitation principle.<br />
<br />
14. With regard to question 13(a), I take note of the following:<br />
<br />
14.1. In the Impact Assessment carried out by the Defendant, on page 5, in the paragraph entitled STEP 3:<br />
Consultation process, it is stated that:<br />
<br />
"The views of the data subjects were not sought, nor those of their representatives, as the recording and<br />
management of time data has always existed as part of Personnel Management".<br />
<br />
14.2. In the letter of the Defendant's lawyer dated 18/11/2019, on page 2, it is stated that:<br />
«… In any case, KEO used the card punching system in the past, collecting through this device the employee<br />
card number and the date and time of entry/exit. That is, the only substantial change in the card punching<br />
system is the collection and storage of the employee's low resolution photo, and for this reason KEO has<br />
reduced the retention time of the photo to one month, in contrast to other data which need to be retained<br />
for a longer period of time…»<br />
<br />
14.3. In the Impact Assessment carried out by the Defendant, on pages 5 and 6, in the paragraph entitled<br />
STEP 4: Proportionality and Necessity Assessment, it is stated that:<br />
<br />
«1. Time recorders are necessary for the Company to be able to perform the contract with its employees and<br />
for the protection of its legitimate interests or those of third parties. Given the Company's conditions,<br />
there seems to be no other method of processing by which the Company can adequately monitor and evaluate<br />
compliance with working hours and detect any disciplinary violations. It is noted that in the past there<br />
have been incidents where persons have punched another colleague's card. In any case, we consider that only<br />
those data are collected and stored through the devices which are necessary to serve the stated purposes».<br />
<br />
14.4. In addition, in the letter of the Defendant's lawyer dated 18/11/2019, on page 3, it is stated that:<br />
<br />
"… We also consider it appropriate to refer to Opinion 2/2018 issued by the Office of the Personal Data<br />
Protection Commissioner pursuant to Article 58(3)(b) of the General Data Protection Regulation (Regulation<br />
(EU) 2016/679) on video surveillance in the workplace and the use of biometric systems. Although the present<br />
case does not concern video surveillance and the use of biometric systems but the collection of a low<br />
resolution photo of the employee, we consider it appropriate to refer by analogy to the following passage<br />
contained in that document: "Consequently, the use of biometric systems (facial recognition or<br />
fingerprinting) by employers for the purpose of controlling the arrival and departure times of employees at<br />
their place of work is prohibited. The controller must choose other means less intrusive/burdensome to<br />
human dignity than what the collection and use of fingerprints entails. Such means are, for example, the<br />
card punching system, frequent/unannounced checks of the card system by a Manager/Head, the presence of a<br />
supervisor in the area where the system operates or, alternatively, the placement of a surveillance camera<br />
over the card machine". Therefore, we consider that the collection and processing of the employee's low<br />
resolution photo in conjunction with the card machine, as a whole and as implemented by our clients, cannot<br />
be considered an excessive measure (in contrast, for example, with a surveillance camera that would<br />
continuously record the specific points and would not be limited to the moments when an employee punches<br />
his card) for the achievement of the above mentioned objectives of KEO. This measure is therefore consistent<br />
with the provisions of the General Data Protection Regulation…".<br />
14.5. In addition, in the letter dated 14/2/2020, the Defendant's lawyer states that:<br />
<br />
"… Our clients wish to clarify that the low resolution photo associated with this system is not biometric<br />
data. In other words, this system does not collect biometric features, which are unique, measurable<br />
physical features used to identify an individual. It is therefore not considered that other ways need to be<br />
found, as the system used is not a system for the collection and processing of biometric data…".<br />
<br />
14.6. All of the above references contained in the Impact Assessment and in the letters of the Defendant's<br />
lawyer explain that taking a low-resolution photo was the only practical solution for the purposes the<br />
Defendant sought to serve. I do not rule out that, in some cases, taking a photo or video when the card is<br />
punched, as I mention in Directive 2/2018, may be necessary. However, in such cases, under the<br />
accountability principle, the employer should be able to prove that there is no other less intrusive way to<br />
achieve the intended purpose, namely the effective control of employees.<br />
<br />
14.7. In the present case, the Defendant has not substantiated, nor has it emerged at any stage, that other<br />
ways and measures were applied by it, e.g. frequent/unannounced checks of the card system by the<br />
Manager/Head, the presence of a supervisor in the area where the system operates, or even a camera which<br />
would focus on the employees' hands at the time they punch the card and not on their face, and that these<br />
were judged ineffective or inadequate or insufficient, so as to confirm the choice of low resolution<br />
photography as the most appropriate measure to serve the purposes the Defendant seeks. In the context of<br />
employment, monitoring measures that record the employee's behavior should be proportionate to the risks<br />
faced and implemented in the least intrusive way.<br />
<br />
14.8. Therefore, in relation to question (a) that I ask in paragraph 11 above, the position of the Defendant<br />
that the installation of a camera in order to take a low resolution photo of the data subject (employee), so<br />
as to verify that the employee who punches the card is the holder and not a third party, as a control<br />
measure, complies with the data minimisation principle, is rejected, as the Defendant did not take or<br />
consider any other less intrusive measures before applying this measure.<br />
<br />
15. As regards question 13(b), I have regard to the following:<br />
<br />
15.1. In the Impact Assessment carried out by the Defendant, on page 2, in the paragraph entitled Nature of<br />
Processing, it is stated that:<br />
<br />
"… The data in relation to the employee card number and the time and date of entry to and exit from the<br />
workplace may be maintained for a period of up to seven (7) years from the date of their collection, unless<br />
legal proceedings and/or a contractual dispute are pending, in which case the data will be stored for a<br />
longer period for the purposes of establishing, exercising or defending legal claims»<br />
<br />
15.2. On page 5 of the same Impact Assessment, in the section entitled STEP 3: Consultation process, it is<br />
stated that:<br />
<br />
"The views of the data subjects were not sought, nor those of their representatives, as the recording and<br />
management of time data has always existed as part of Personnel Management…».<br />
<br />
15.3. Additionally, on page 7 of the same Impact Assessment, in the section entitled STEP 4: Proportionality<br />
and Necessity Assessment, it is stated that:<br />
<br />
«7. The remaining data was considered appropriate, at least at this stage, to be retained for a period of 7<br />
years, having regard to the limitation periods applicable to breach of a contractual relationship under<br />
Cypriot law. As explained below, the question of time will be re-evaluated in the near future and in<br />
particular after the appointment of a DPO».<br />
<br />
15.4. In the letter of the Defendant's lawyer dated 18/11/2019, on page 3, it is stated that:<br />
<br />
"… As for the retention of the remaining data, the retention period is at the present stage set at 7 years,<br />
taking into account the limitation periods applicable under Cypriot law regarding contractual disputes. But<br />
as explained in the Impact Assessment (Annex C), this issue will be re-evaluated and amended if deemed<br />
necessary. We also note that the range of data retained is limited to what is absolutely necessary, i.e.<br />
the data concerning the employee card number, the date/time of entry/exit and the low resolution photo of<br />
the employee. In addition, we note that, as explained in Annex C, access to the specific data has been<br />
restricted…»<br />
<br />
15.5. In addition, in the letter dated 14/2/2020, the Defendant's lawyer states that:<br />
<br />
"… Regarding the retention of data concerning the time and date of entry to and exit from the workplace, it<br />
is noted that the retention period is at this stage set at 7 years, taking into account the limitation<br />
periods under Cypriot law regarding contractual disputes (6 years) and civil offenses (3 years). We realise<br />
that it is possible for litigation to arise in relation to an employee concerning matters for which the<br />
limitation period according to Cypriot law amounts to 6 years. Entry/exit details may be relevant evidence<br />
in such cases. That is, in relation to an employee, disputes other than those falling within the<br />
jurisdiction of the Labor Disputes Tribunal, for which the limitation period is shorter. It is for this<br />
reason that we have advised our clients to maintain such data for a period of 7 years, except of course in<br />
cases where a case arises, in which such information should, if relevant, be kept for as long as the trial<br />
is pending.<br />
<br />
Finally, on this issue, we consider that objectively speaking the maintenance of such data for 7 years is<br />
not an excessive period, as the data containing the time of entry to and exit from the workplace are not of<br />
such a nature as to create a serious danger to the rights and freedoms of the subjects (emphasis added).<br />
But at the same time we remain at your disposal to discuss and adapt this detail accordingly in the future,<br />
as the system has only recently been put into operation…".<br />
<br />
15.6. In summary, the Defendant claims that the retention of its employees' data for a period of seven (7)<br />
years is absolutely necessary because a legal dispute may arise between the Defendant and its employees, for<br />
which Law 66(I)/2012, as amended, provides limitation periods of six (6) years for contracts and three (3)<br />
years for civil offenses. On the contrary, the Complainants' lawyers argue that any dispute between the<br />
Defendant and its employees will be of a labor nature, which will have to be resolved before the Labor<br />
Disputes Tribunal, in accordance with the provisions of Article 12(10A) of Law 8/1967, as amended, which,<br />
inter alia, provides that: "An application to the Labor Disputes Tribunal shall be submitted within twelve<br />
months from the date on which the right to apply arose or within nine months of the response of the Fund<br />
for redundant staff".<br />
<br />
15.7. I am of the opinion that both positions are flawed, because neither Law 66(I)/2012 nor Law 8/1967 is<br />
a legal basis for determining the storage period of the data in question. Both Laws provide for periods<br />
during which the respective rights can be exercised; however, they do not at the same time create an<br />
obligation to retain certain data in order to exercise those rights. After all, if I accepted the position<br />
that these Laws could constitute a criterion for determining the storage time of the data in question, I<br />
would reach the paradoxical conclusion that all the data collected by all processors falling within the<br />
scope of the GDPR should be stored for periods similar to those provided for in their national laws for the<br />
settlement of labor and civil disputes respectively, which circumvents both the letter and the spirit of the<br />
GDPR.<br />
<br />
15.8. The data in question, i.e. the employee card number and the date and time of entry/exit of each<br />
employee, are stored in the system installed by the Defendant for specific purposes, namely the control of<br />
working hours and payroll, and, on the basis of the storage limitation principle, the only factor/criterion<br />
for determining the period of their storage in a form that allows the identification of employees must be<br />
the time required to fulfill these purposes. Storing them for longer periods can only be done for archiving<br />
purposes in the public interest or for scientific or historical research purposes or for statistical<br />
purposes. In this case, these purposes do not apply or, at least, the Defendant has not brought them before<br />
me. Hence the Defendant's position that the storage of its employees' data for a period of seven (7) years<br />
is absolutely necessary is rejected.<br />
<br />
16. Furthermore, it should be borne in mind that the Defendant's decision to install the low resolution<br />
camera and its decision to keep its employees' data for a period of seven (7) years were taken without prior<br />
consultation with the staff or their unions.<br />
<br />
16.1. The Defendant's lawyer, in the impact assessment he sent, states that the views of neither the<br />
employees nor their representatives were sought, as the recording and management of time data has always<br />
existed as part of Personnel Management. The fact that the Defendant previously collected and maintained<br />
data without justifying the retention time does not mean that it can continue to do so; it could have, in<br />
the context of this system upgrade, consulted the stakeholders so as to correct any distortions of the past.<br />
<br />
16.2. In addition to the fact that, pursuant to Article 35(9) of the GDPR, it would have been appropriate for<br />
the Defendant, during the preparation of the impact assessment, to seek the views of its employees or their<br />
representatives on the measures it intended to take, this was also required by the principle of<br />
transparency.<br />
<br />
16.3. For transparency purposes, the participation of employee representatives (e.g. trade unions) is<br />
necessary during the discussions that take place before measures are taken involving the control and/or<br />
supervision of staff through the processing of their personal data. Relevant is the following excerpt from<br />
the Opinion of the Article 29 Working Party, "Opinion 2/2017 on data processing at work":<br />
<br />
«6.3 Transparency<br />
Effective communication should be provided to employees concerning any monitoring that takes place, the<br />
purposes for this monitoring and the circumstances, as well as possibilities for employees to prevent their<br />
data being captured by monitoring technologies. Policies and rules concerning legitimate monitoring must be<br />
clear and readily accessible. The Working Party recommends involving a representative sample of employees<br />
in the creation and evaluation of such rules and policies as most monitoring has the potential to infringe<br />
on the private lives of employees.»<br />
<br />
D. Conclusion:<br />
<br />
17. In the light of the above, and exercising the powers conferred upon me by the provisions of Article<br />
58(1)(d), I inform the Defendant that:<br />
<br />
17.1. In relation to question (a) that I ask in par. 13 above, the installation of a camera by the Defendant<br />
in order to take a low resolution photo of the data subject (employee), so as to verify that the employee<br />
who punches the card is the holder and not a third party, without taking into account or considering other<br />
less intrusive measures before the implementation of this measure, violates the principle of data<br />
minimisation and therefore cannot be accepted.<br />
<br />
17.2. In relation to question (b) that I ask in par. 13 above, the retention of employees' entry/exit data<br />
(employee card number, date and time of entry/exit) for a period of seven (7) years, for the purposes of<br />
exercising legal rights, violates the principle of storage limitation.<br />
<br />
17.3. Pursuant to Article 58(2) of the GDPR, I have the power to impose an administrative sanction for the<br />
above violations, which includes the possibility of imposing an administrative fine on the basis of Article<br />
83 thereof. However, considering:<br />
<br />
(a) all the factors set out in Article 83(2) of the GDPR;<br />
<br />
(b) that, at all stages of the examination of this complaint, the Defendant cooperated with my Office;<br />
<br />
(c) that the case could have been avoided if the Defendant had consulted its employees or their<br />
representatives on the measures taken;<br />
<br />
(d) that the Defendant has taken several measures to comply with the GDPR, in particular as regards the<br />
obligation to inform its employees;<br />
<br />
and exercising the powers conferred on me by the provisions of Article 58(2)(d) of the GDPR, I consider it<br />
more appropriate, in the first phase, to give the Defendant the following order:<br />
<br />
(a) to suspend the installation of the upgraded card punching system which includes the installation of the<br />
camera, to destroy the material collected if any has been collected, and to inform my Office of its actions;<br />
and<br />
<br />
(b) to choose, through transparent procedures with the participation of the employees' representatives,<br />
differentiated measures/solutions that are appropriate and sufficient and ensure guarantees of lawfulness,<br />
transparency, retention, proportionality and security of personal data, and as a draft of the due<br />
procedures, by 4/12/2020.<br />
<br />
17.4. In case the Defendant does not comply with the above order within the above deadline, I will consider<br />
the need for stricter administrative measures against it.<br />
<br />
Irene Loizidou - Nikolaidou<br />
<br />
Commissioner for Personal Data Protection<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=ICO_-_Monetary_Penalty_on_Marriott_International_Inc.&diff=12134
ICO - Monetary Penalty on Marriott International Inc.
2020-11-10T17:01:35Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div><blockquote>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Monetary Penalty on Marriott International Inc. <br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Information Commissioner's Office<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/2618524/marriott-international-inc-mpn-20201030.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=30.10.2020<br />
|Date_Published=30.10.2020<br />
|Year=2020<br />
|Fine=18400000<br />
|Currency=GBP<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 32 GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Edda Pernice <br />
|<br />
}}<br />
<br />
The Information Commissioner’s Office (ICO) imposed a fine of GBP 18.4 million on Marriott International Inc (“Marriott”) for failing to ensure appropriate security when processing its customers’ personal data, thus violating [[Article 5 GDPR|Article 5(1)(f)]] and [[Article 32 GDPR]]. <br />
<br />
Investigations began following notification of an attack on Marriott’s IT systems that took place over a period that included May 2018 (when the GDPR came into force) to September 2018. As a result, the attacker(s) had access to vast amounts of customers’ personal data: Marriott estimated that they accessed 339 million guest records, 30.1 million of them relating to individuals in the EEA and 7 million associated with the UK. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
Starwood Hotels and Resorts Worldwide Inc’s (“Starwood”) IT systems were first compromised by unknown attackers in 2014. Marriott subsequently acquired Starwood in 2016, but did not detect the attack at any time between then and September 2018. Throughout 2014 to 2018 the attackers therefore retained access to Starwood’s systems, using Remote Access Trojan malware, and kept extracting Starwood databases. Marriott became aware of the attack in September 2018, following an alert from a monitoring system applied to one of its most confidential databases. Marriott then found the malware installed and evidence that databases had been extracted over the years, and promptly notified both the ICO and the affected data subjects of the breach. The ICO found that the attackers had obtained unencrypted personal data such as passport numbers and identifying information about customers (name, date of birth and gender), as well as credit card details in encrypted form. <br />
<br />
==Dispute==<br />
===Holding===<br />
Although the ICO and the affected data subjects were notified promptly, the ICO found many failures in the technical and organisational measures Marriott had in place to safeguard personal data in its systems, as required under Article 5(1)(f) and Article 32 GDPR. The shortcomings outlined by the ICO were: insufficient monitoring of privileged accounts and their user activity, insufficient monitoring of databases, poor control over critical systems and over systems with access to large amounts of personal data, and the fact that only certain types of sensitive data were encrypted (e.g. credit card numbers) but not others (e.g. many passport numbers). The ICO set the fine in line with [[Article 83 GDPR]], but also took into account mitigating factors such as the efforts Marriott made to inform and help the victims of the breach, the $19 million it invested in security the following year and the financial impact of the Covid-19 pandemic, lowering the final amount of the fine from £24 million to £18.4 million. <br />
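The monitoring gaps listed above (privileged-account activity, database reads and exports) translate into concrete detections. The following Python script is an added illustration, not code from this page, the ICO or Marriott; the audit-log format, table names, privileged-account list and thresholds are all assumed, and the log lines are constructed. It flags privileged-account access to tables classified as cardholder or identity data, any export to a dump-style file (the “dmp” files the notice describes), and bulk reads of sensitive tables, so that a passport table gets the same alerting coverage as the cardholder table that eventually triggered discovery.<br />

```python
"""Database-activity detections for the monitoring gaps the ICO notice
describes: privileged accounts touching cardholder/passport tables unnoticed,
and table contents exported to ".dmp" files. Added example; the log format,
table names and thresholds are assumptions, not Marriott's or the ICO's."""
import re
from typing import Dict, List, Optional

# Constructed sample of a hypothetical database audit log (one event per line,
# "ts key=value ..." format). Not real Marriott/Starwood data.
SAMPLE_LOG = """\
2018-09-07T02:14:05Z user=svc_report host=app12 action=SELECT object=GUEST_PROFILE rows=120
2018-09-07T02:15:11Z user=dba_admin host=jump01 action=SELECT object=CARDHOLDER_DATA rows=450000
2018-09-07T02:16:40Z user=dba_admin host=jump01 action=EXPORT object=CARDHOLDER_DATA file=/tmp/cc_2018.dmp rows=450000
2018-09-07T02:17:02Z user=dba_admin host=jump01 action=EXPORT object=GUEST_PASSPORT file=/tmp/pp.dmp rows=5200000
2018-09-07T09:00:00Z user=svc_booking host=web03 action=SELECT object=RESERVATIONS rows=12
"""

# Assumed data classification: every table holding cardholder or identity data,
# not only the one table that happened to carry an alert in the real case.
SENSITIVE_TABLES = {"CARDHOLDER_DATA", "GUEST_PASSPORT", "GUEST_PROFILE"}
# Assumed inventory of privileged (DBA / service-admin) accounts.
PRIVILEGED_USERS = {"dba_admin", "sys"}
BULK_ROW_THRESHOLD = 100_000  # rows per statement treated as a bulk read
DUMP_FILE_RE = re.compile(r"\.(dmp|dump|bak)$", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse 'ts k=v k=v ...' into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None  # malformed token: refuse rather than guess
        key, value = token.split("=", 1)
        event[key] = value
    return event


def detect(log_text: str,
           sensitive_tables=SENSITIVE_TABLES,
           privileged_users=PRIVILEGED_USERS,
           bulk_threshold: int = BULK_ROW_THRESHOLD) -> List[dict]:
    """Return one alert per detection hit, in log order.

    Rules:
      PRIV_ACCESS_SENSITIVE  privileged account reads/exports a sensitive table
      DUMP_EXPORT            any export of a table to a dump-style file
      BULK_READ_SENSITIVE    non-export read of a sensitive table above threshold
    """
    alerts: List[dict] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, obj = ev.get("user", ""), ev.get("object", "")
        action, fname = ev.get("action", ""), ev.get("file", "")
        try:
            rows = int(ev.get("rows", "0"))
        except ValueError:
            rows = 0
        sensitive = obj in sensitive_tables
        base = {"ts": ev["ts"], "user": user, "object": obj, "rows": rows}

        if sensitive and user in privileged_users:
            alerts.append({**base, "rule": "PRIV_ACCESS_SENSITIVE"})
        if action == "EXPORT" or DUMP_FILE_RE.search(fname):
            alerts.append({**base, "rule": "DUMP_EXPORT"})
        elif sensitive and rows >= bulk_threshold:
            alerts.append({**base, "rule": "BULK_READ_SENSITIVE"})
    return alerts


def run_sample() -> List[dict]:
    """Run the detections over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(f'{a["ts"]} {a["rule"]:22} user={a["user"]} '
              f'object={a["object"]} rows={a["rows"]}')
```

Run as a script it prints six alerts for the sample: three privileged-account hits, two dump exports (one of them against the passport table, which in the real incident had no alerting) and one bulk read. The classification set and the privileged-account inventory are the parts that need maintaining; a detection that only covers the cardholder table reproduces the gap the notice describes.<br />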
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is the English original as extracted from the ICO's PDF; extraction errors may remain. Please refer to the original document for more details.<br />
<br />
<pre><br />
Information Commissioner's Office<br />
<br />
PENALTY NOTICE<br />
<br />
Section 155, Data protection Act 2018<br />
<br />
<br />
Case ref: COM0804337<br />
<br />
Marriott International Inc<br />
10400 Fernwood Road<br />
Bethesda<br />
MD 20817<br />
USA<br />
<br />
30 October 2020<br />
<br />
1. INTRODUCTION & SUMMARY<br />
<br />
<br />
1.1. This Penalty Notice is given to Marriott International Inc (“Marriott”) pursuant to section 155 and Schedule 16 of the Data Protection Act 2018 (the “DPA”). It relates to infringements of the General Data Protection Regulation (the “GDPR”), which came to the attention of the Information Commissioner (“the Commissioner”) as a result of an attack on Marriott’s IT systems[1] that took place over a period that included 25 May 2018 to 17 September 2018 (the “Attack”).<br />
<br />
1.2. In summary, in 2014 the IT systems of Starwood Hotels and Resorts Worldwide Inc (“Starwood”) were compromised by an unknown attacker or attackers (referred to, for ease of reference, as “the Attacker”), utilising an unknown attack vector. In 2016, Marriott acquired Starwood. Marriott did not detect the Attack at any time between acquiring Starwood and September 2018, including in the period after the entry into force of the GDPR in May 2018. During this latter period, the Attacker continued to traverse through the Starwood systems and had gained access to the cardholder data environment within the Starwood network. This access allowed the Attacker to export the personal data of Starwood customers to “dmp” files on the Starwood systems, potentially with a view to taking a copy of that data. It was only when the Attacker triggered an alert in relation to a table containing cardholder data that the Attack was discovered and could be mitigated. The personal data of a large number of individuals was involved in the Attack, including cardholder data, although the Commissioner has not seen any evidence of financial harm to individuals. Following the alert, Marriott promptly informed affected data subjects and took immediate steps to mitigate the effects of the Attack and to protect the interests of data subjects by implementing remedial measures.<br />
<br />
1.3. Marriott is an international hotel chain, with operational headquarters in the USA. The provisions of the DPA and the GDPR apply to the processing of personal data by Marriott by virtue of section 207(2) DPA and Article 3(1) GDPR. Marriott has confirmed that Marriott Hotels Limited is Marriott’s main establishment within the EU, as defined in Article 4(16) GDPR.<br />
<br />
[1] References in this decision to Marriott’s systems / network / security etc. concern the IT systems etc. that Marriott acquired from Starwood in September 2016 and retained and continued to use post-acquisition.<br />
<br />
1.4. The data subjects affected by this breach were customers of Starwood, which was at the relevant time owned by Marriott, in the United Kingdom, elsewhere in the EU, and in the rest of the world.<br />
<br />
1.5. Marriott was the controller in respect of the personal data of its customers within the meaning of section 6 DPA and Article 4(7) GDPR, as it determined the purposes and means of the processing of the personal data. By inter alia collecting, recording, organising, structuring and storing the personal data of its customers, Marriott was processing that data within the meaning of section 3(4) DPA and Article 4(2) GDPR.<br />
<br />
1.6. Marriott has not admitted liability for breach of the GDPR. However, for the reasons set out in this Penalty Notice, the Commissioner has found that Marriott failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 GDPR.<br />
<br />
1.7. The Commissioner has found that, in all the circumstances, and having regard, in particular, to Marriott’s representations and the matters listed in Article 83(1) and (2) GDPR, the infringements constitute a serious failure to comply with the GDPR and, accordingly, that the imposition of a penalty is appropriate. The amount of the penalty that the Commissioner has decided to impose, having taken into account a range of mitigating factors set out further below and the impact of the Covid-19 pandemic, is £18.4 million.<br />
<br />
1.8. Pursuant to Article 56 GDPR, the Commissioner is acting as lead supervisory authority in respect of the cross-border processing at issue in this case.<br />
<br />
2. LEGAL FRAMEWORK<br />
<br />
GDPR<br />
<br />
<br />
2.1. On 25 May 2018, the GDPR entered into force, replacing the previous EU law data protection regime that applied under Directive 95/46/EC (“Data Protection Directive”).[2] The GDPR seeks to harmonise the protection of fundamental rights in respect of personal data across EU Member States and, unlike the Data Protection Directive, is directly applicable in every Member State.[3]<br />
<br />
2.2. The GDPR was developed and enacted in the context of challenges to the protection of personal data posed by, in particular:<br />
<br />
a. the substantial increase in cross-border flows of personal data resulting from the functioning of the internal market;[4] and<br />
<br />
b. the rapid technological developments which have occurred during a period of globalisation.[5] As Recital (6) explains: “... The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities ...”<br />
<br />
2.3. Such developments made it necessary for “a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market ...”.[6]<br />
<br />
2.4. Against that background, the GDPR imposed more stringent duties on controllers and significantly increased the penalties that could be imposed for a breach of the obligations imposed on controllers (amongst others).[7]<br />
<br />
[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.<br />
[3] Recital 3.<br />
[4] Recital 5.<br />
[6] Recital 7.<br />
[7] See, in particular, Recitals 11, 148, 150, and Article 5, Chapter IV and Article 83. The relevant obligations<br />
<br />
2.5. Chapter I GDPR sets out the general provisions. Article 5 of Chapter I GDPR sets out the principles relating to the processing of personal data. Article 5(1) lists the six basic principles that controllers must comply with in processing personal data, including:<br />
<br />
1. Personal data shall be:<br />
<br />
... (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)<br />
<br />
2.6. Article 5(2) GDPR makes it clear that the “controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”.<br />
<br />
2.7. Chapter IV, Section 1 addresses the general obligations of controllers and processors. Article 24 sets out the responsibility of controllers for taking appropriate steps to ensure and be able to demonstrate that processing is compatible with the GDPR. Articles 28-29 make separate provision for the processing of data by processors, under the instructions of the controller.<br />
<br />
2.8. Chapter IV, Section 2 addresses security of personal data. Article 32 GDPR provides:<br />
<br />
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:<br />
<br />
(a) the pseudonymisation and encryption of personal data;<br />
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;<br />
(c) ...<br />
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.<br />
<br />
2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.<br />
<br />
2.9. Article 32 GDPR applies to both controllers and processors.<br />
<br />
Penalties<br />
<br />
2.10. Article 83(1) GDPR requires supervisory authorities to ensure that any penalty imposed in each individual case is “effective, proportionate and dissuasive”.<br />
<br />
2.11. The principle that penalties ought to be effective, proportionate and dissuasive is a longstanding principle of EU law. The Commissioner is under an EU law obligation to ensure that infringements of the GDPR are penalised in a manner that is effective, proportionate and dissuasive.<br />
<br />
2.12. Further, Recital 148 emphasises, inter alia, that “in order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation.” It also records that due regard should be given to the:<br />
<br />
... nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor ...<br />
<br />
<br />
2.13. Recital 150 provides as follows:<br />
<br />
In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.<br />
<br />
2.14. In line with the above, when deciding whether to impose a fine and the appropriate amount of any such fine, Article 83(2) GDPR requires the Commissioner to have regard to the following matters:<br />
<br />
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;<br />
<br />
(b) the intentional or negligent character of the infringement;<br />
<br />
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;<br />
<br />
(d) the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;<br />
<br />
(e) any relevant previous infringements by the controller or processor;<br />
<br />
(f) the degree of co-operation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;<br />
<br />
(g) the categories of personal data affected by the infringement;<br />
<br />
(h) the manner in which the infringement became known to the supervisory authority, including whether, and if so to what extent, the controller or processor notified the supervisory authority of the infringement;<br />
<br />
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;<br />
<br />
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and<br />
<br />
(k) any other aggravating or mitigating factor applicable to the case, including financial benefits gained, or losses avoided, directly or indirectly from the infringement.[8]<br />
<br />
2.15. Article 83(5) GDPR provides that infringements of the basic principles for processing imposed pursuant to Article 5 GDPR will, in accordance with Article 83(2) GDPR, be subject to administrative fines of up to €20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.<br />
<br />
2.16. Article 83(4) GDPR provides, inter alia, that infringements of the obligations imposed by Article 32 GDPR on the controller and processor will, in accordance with Article 83(2) GDPR, be subject to administrative fines of up to €10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.<br />
<br />
[8] See also the Article 29 Data Protection Working Party Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, adopted on 3 October 2017, endorsed by the European Data Protection Board at its first plenary session. These provide a high-level overview of the assessment criteria set out in Article 83(2) GDPR in Section III (“the Article 29 WP Guidelines”).<br />
<br />
2.17. Article 83(3) GDPR addresses the circumstances in which the same or linked processing operations give rise to infringements of several provisions of the GDPR. It provides that “... the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement”.<br />
<br />
2.18. Article 83(8) GDPR provides that the exercise by any supervisory authority of its powers to fine undertakings will be subject to procedural safeguards, including an effective judicial remedy and due process.<br />
<br />
Cooperation and consistency<br />
<br />
<br />
2.19. Where, as here, the processing in issue is cross-border, Article 56 GDPR makes provision for the designation of a lead supervisory authority. In this case, the Commissioner is acting as the lead supervisory authority. Chapter VII GDPR establishes the regime for ensuring cooperation between lead and other concerned supervisory authorities, permitting unified decision-making.[9]<br />
<br />
2.20. Article 60 GDPR provides:<br />
<br />
1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.<br />
<br />
2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.<br />
<br />
3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.<br />
<br />
4. Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.<br />
<br />
5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.<br />
<br />
6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.<br />
<br />
7. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.<br />
<br />
8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.<br />
<br />
9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.<br />
<br />
10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.<br />
<br />
[9] The relevant provisions enacting this regime must be read subject to, in particular, Articles 7, 70 and 127-128 and 131 of the Withdrawal Agreement between the EU and United Kingdom.<br />
<br />
2.21. Article 60(4) refers to the consistency mechanism, which is in Section 2 of Chapter VII GDPR. Article 63 provides that: “In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.” Article 65 GDPR provides, insofar as relevant, that:<br />
<br />
Dispute resolution by the Board<br />
<br />
1. In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:<br />
<br />
(a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject<br />
<br />
2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the Board. That period may be extended by a further month on account of the complexity of the subject-matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them.<br />
<br />
3. Where the Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board. Where the members of the Board are split, the decision shall be adopted by the vote of its Chair.<br />
<br />
4. The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.<br />
<br />
5. The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.<br />
<br />
6. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged, shall inform the Board of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.<br />
<br />
DPA<br />
<br />
The Commissioner<br />
<br />
2.23. Section 115 DPA establishes that the Commissioner is the UK’s supervisory authority for the purposes of the GDPR. Section 115 DPA provides, inter alia, that the Commissioner’s powers under Articles 58(2)(i) (the power to impose administrative fines) and 83 GDPR are exercisable only by giving a penalty notice under section 155 DPA.<br />
<br />
Penalties<br />
<br />
2.24. Section 155(1) DPA provides that, if the Commissioner is satisfied that a person has failed or is failing as described in section 149(2) DPA, the Commissioner may, by written notice (a “penalty notice”), require the person to pay to the Commissioner an amount in sterling specified in the notice.<br />
<br />
2.25. Section 149(2) DPA provides:<br />
<br />
(1) The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following -<br />
<br />
(a) a provision of Chapter II of the GDPR or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing);<br />
<br />
(b) ...<br />
<br />
(c) a provision of Articles 25 to 39 of the GDPR or section 64 or 65 of this Act (obligations of controllers and processors)...<br />
<br />
2.26. Section 155 DPA sets out the matters to which the Commissioner must have regard when deciding whether to issue a penalty notice and when determining the amount of the penalty.<br />
<br />
2.27. Section 155(2) DPA provides that, subject to subsection (4), when deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commissioner must have regard to the matters listed in Article 83(1) and (2) GDPR.<br />
<br />
2.28. Schedule 16 includes provisions relevant to the imposition of penalties. Paragraph 2 makes provision for the issuing of notices of intent to impose a penalty, as follows:<br />
<br />
(1) Before giving a person a penalty notice, the Commissioner must, by written notice (a “notice of intent”) inform the person that the Commissioner intends to give a penalty notice.<br />
<br />
(2) The Commissioner may not give a penalty notice to a person in reliance on a notice of intent after the end of the period of 6 months beginning when the notice of intent is given, subject to sub-paragraph (3).<br />
<br />
(3) The period for giving a penalty notice to a person may be extended by agreement between the Commissioner and the person.<br />
<br />
2.29. Paragraph 5 sets out the required contents of a penalty notice, in accordance with which this Penalty Notice has been prepared.<br />
<br />
Guidance<br />
<br />
2.30. Section 160 DPA requires the Commissioner to produce and publish guidance about how she intends to exercise her functions. With respect to penalty notices, such guidance is required to include:<br />
<br />
(a) provision about the circumstances in which the Commissioner would consider it appropriate to issue a penalty notice;<br />
<br />
(b) provision about the circumstances in which the Commissioner would consider it appropriate to allow a person to make oral representations about the Commissioner's intention to give the person a penalty notice;<br />
<br />
(c) provision explaining how the Commissioner will determine the amount of penalties;<br />
<br />
(d) provision about how the Commissioner will determine how to proceed if a person does not comply with a penalty notice.<br />
<br />
2.31. Pursuant to section 161 DPA, the Commissioner's first guidance documents issued under section 160(1) DPA had to be consulted upon and laid before Parliament by the Secretary of State in accordance with the procedure set out in that section. Thereafter, in issuing any altered or replacement guidance, the Commissioner is required to consult the Secretary of State and such other persons as she considers appropriate. The Commissioner must also arrange for such guidance to be laid before Parliament.<br />
<br />
The Commissioner’s Regulatory Action Policy<br />
<br />
<br />
2.32. On 4 May 2018, the Commissioner opened a consultation process on how the Commissioner planned to discharge her regulatory powers under the DPA. The consultation attracted responses from across civil society, commentators, and industry (including the finance and insurance, online technology and telecoms, and charity sectors). The consultation ended on 28 June 2018. Having taken all the views received during the consultation process into account, the Regulatory Action Policy (the “RAP”) was submitted to the Secretary of State and laid before Parliament for approval.<br />
<br />
2.33. Pursuant to section 160(1) DPA, the Commissioner published her RAP on 7 November 2018. Under the heading “Aims”, the RAP explains that it seeks to:<br />
<br />
• “Set out the nature of the Commissioner’s various powers in one place and to be clear and consistent about when and how we use them”;<br />
<br />
• “Ensure that we take fair, proportionate and timely regulatory action with a view to guaranteeing that individuals’ information rights are properly protected”;<br />
<br />
• “Guide the Commissioner and our staff in ensuring that any regulatory action is targeted, proportionate and effective...”10<br />
<br />
2.34. The objectives of regulatory action are set out at page 6 of the RAP, including:<br />
<br />
• “To respond swiftly and effectively to breaches of legislation which fall within the ICO’s remit, focussing on [inter alia] those adversely affecting large groups of individuals”.<br />
<br />
• “To be effective, proportionate, dissuasive and consistent in our application of sanctions”, targeting action taken pursuant to the Commissioner’s most significant powers on, inter alia, “organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data”.<br />
<br />
<br />
<br />
<br />
10 RAP, page 5.<br />
<br />
2.35. The RAP explains that the Commissioner will adopt a selective approach to regulatory action.11 When deciding whether and how to respond to breaches of information rights obligations she will consider criteria which include the following:<br />
<br />
• “the nature and seriousness of the breach or potential breach”;<br />
<br />
• “where relevant, the categories of personal data affected (including whether any special categories of personal data are involved) and the level of any privacy intrusion”;<br />
<br />
• “the number of individuals affected, the extent of any exposure to physical, financial or psychological harm, and, where it is an issue, the degree of intrusion into their privacy”;<br />
<br />
• “whether the issue raises new or repeated issues, or concerns that technological security measures are not protecting the personal data”;<br />
<br />
• “the cost of measures to mitigate any risk, issue or harm”;<br />
<br />
• “the public interest in regulatory action being taken (for example, to provide an effective deterrent against future breaches or clarify or test an issue in dispute)”.12<br />
<br />
2.36. The RAP explains that, as a general principle, “more serious, high-impact, intentional, wilful, neglectful or repeated breaches can expect stronger regulatory action”.13<br />
<br />
2.37. Pages 24-25 of the RAP identify the circumstances in which the issuing of a Penalty Notice will be appropriate. They explain, inter alia, that in “considering the degree of harm or damage we may consider that, where there is a lower level of impact across a large number of individuals, the totality of that damage or harm may be substantial, and may require a sanction.” The RAP stresses that each case will be assessed objectively on its own merits. However, it explains that, in accordance with the Commissioner’s risk-based approach, a penalty is more likely to be imposed in, inter alia, the following situations:<br />
<br />
• “a number of individuals have been affected”;<br />
<br />
• “there has been a degree of damage or harm (which may include distress and/or embarrassment)”; and<br />
<br />
• “there has been a failure to apply reasonable measures (including relating to privacy by design) to mitigate any breach (or the possibility of it)”.<br />
<br />
11 RAP, pages 6-7 and 10.<br />
12 RAP, pages 10-11.<br />
13 RAP, page 12.<br />
<br />
2.38. The process the Commissioner will follow in deciding the appropriate amount of penalty to be imposed is described from page 27 onwards. In particular, the RAP sets out the following five-step process:<br />
<br />
a. Step 1. An ‘initial element’ removing any financial gain from the breach.<br />
<br />
b. Step 2. Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2)-(4) DPA.<br />
<br />
c. Step 3. Adding in an element to reflect any aggravating factors. A list of aggravating factors which the Commissioner would take into account, where relevant, is provided at page 11 of the RAP. This list is intended to be indicative, not exhaustive.<br />
<br />
d. Step 4. Adding in an amount for deterrent effect to others.<br />
<br />
e. Step 5. Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship). A list of mitigating factors which the Commissioner would take into account, where relevant, is provided at pages 11-12 of the RAP. This list is intended to be indicative, not exhaustive.<br />
<br />
<br />
3. CIRCUMSTANCES OF THE FAILURE: FACTS<br />
<br />
Marriott’s acquisition of the Starwood network<br />
<br />
3.1. Marriott acquired Starwood in September 2016. During the acquisition process, Starwood shareholders received 0.8 shares of Marriott, as well as $21 per Starwood common stock. After the acquisition, the Marriott and Starwood computer systems were kept separate, and they remained separate throughout the relevant period. Marriott did, however, plan on integrating aspects of the Starwood network into the Marriott network over an 18-month period in order to create a single, unified network within Marriott’s security footprint.<br />
<br />
3.2. Upon acquisition, but prior to decommissioning the Starwood network, Marriott made enhancements to the security of Starwood’s existing IT network.<br />
<br />
3.3. During the acquisition process, Marriott states that it was only able to carry out limited due diligence on the Starwood data processing systems and databases.14 For the avoidance of any doubt, the Commissioner is not making any finding of infringement in respect of the period between Marriott’s acquisition of Starwood and the entry into force of the GDPR on 25 May 2018. Accordingly, the Commissioner has not determined whether or not it was possible for Marriott to conduct due diligence during a takeover. There may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover.<br />
<br />
3.4. This Penalty Notice concerns the extent to which, after the GDPR came into effect on 25 May 2018, Marriott adequately prepared the Starwood systems to protect personal data. In particular, it is necessary to assess whether the Attack disclosed a failure to ensure compliance with Articles 5.1(f) and 32 of the GDPR following its entry into force.<br />
<br />
The planned integration of the Starwood and Marriott networks<br />
<br />
3.5. The integration of Starwood into the Marriott hotels group began following the acquisition. While this involved the transferring of data from the Starwood systems to the Marriott network, the systems accessed by the Attacker remained segregated from the Marriott network.<br />
<br />
3.6. As a result, the Attack did not involve access to the wider Marriott network and the Attacker would not have had access to personal data that was processed only on non-Starwood systems. The planned migration and the decommissioning of the Starwood systems was expedited by Marriott after discovery of the Attack and the decommissioning of the relevant Starwood systems was completed on 11 December 2018.<br />
<br />
14 See, for example, the representations served by Marriott in response to the Commissioner’s Notice of Intent (“Marriott's First Representations”), para 1.33.<br />
<br />
The Attack<br />
<br />
3.7. What follows is a summary of the key stages of the Attack.<br />
<br />
Pre-acquisition infiltration of the Starwood IT systems<br />
<br />
3.8. The Attacker installed a web shell on a device within the Starwood network on 29 July 2014. This device was used to support an Accolade software application. That application was used by Starwood to allow employees to request changes to any content of Starwood's website.<br />
<br />
3.9. The installation of a web shell on the server gave the Attacker the ability to remotely access the system, therefore allowing for the accessing and editing of the contents of that system. This access was exploited in order to install Remote Access Trojans (“RATs”) - malware which enables remote administrator control of the system. Administrator access allows a user to perform actions above that permitted by a normal user. As a result, the Attacker would have had unrestricted access to the relevant device, and any other devices on the network to which that administrator account would have had access.<br />
<br />
3.10. On an undetermined date, the Attacker installed and executed “Mimikatz”. This is a post-exploitation tool which allows login credentials temporarily stored in the system memory to be harvested. It scanned the server for all the usernames and passwords stored in this manner in the system and allowed the Attacker to continue to compromise user accounts, which were secured using a mixture of single and multi-factor authentication.15 These accounts were then used to perform further reconnaissance and, ultimately, to run commands on the Starwood reservation database, as described below.<br />
<br />
<br />
15 Marriott’s First Representations, para 1.40 and page 63.<br />
<br />
3.11. On 15 April 2015, a file named “Reservation_Room_sharer.dmp” was created on a Starwood device. This file could have been created by the Attacker with a view to exfiltrating all the data contained in the table at once.16<br />
<br />
3.12. On 21 April 2015, a file named “Consumption_Roomtype.dmp” was created. This file could have been created by the Attacker with a view to exfiltrating all the data contained in this table at once.17<br />
<br />
3.13. On 17 May 2016, a file named “reservation_Room_Sharer.dmp” was created. This file could have been created by the Attacker with a view to exfiltrating all the data contained in this table at once.18<br />
<br />
3.14. Following Marriott’s acquisition of Starwood, on 31 December 2016 or 1 January 2017,19 additional malware which searched devices for payment card data, known as “memory-scraping malware”, was installed on multiple Starwood devices. Marriott believes, but cannot be certain, that this action was carried out by a different attacker to the one responsible for the actions described immediately above. The memory-scraping malware was executed on 10 January 2017 on eight property management systems, but the malware was not successful in collecting payment card data from any of the devices. The eight properties involved were not in the European Union.<br />
<br />
Continued Attack, post-acquisition and following the GDPR coming into force<br />
<br />
3.15. On 7 September 2018, the Attacker performed a “count” on the “Guest_Master_profile” table, which would have told the Attacker how many rows the table contained.<br />
<br />
3.16. This count triggered an alert on the Guardium system placed on the database (“the Guardium Alert”). Such alerts were applied to tables which included card details.20 The other tables mentioned above did not contain payment card information and were not protected by Guardium software. Thus, no alarm could be triggered by the actions of the Attacker.<br />
<br />
3.17. The Attacker also exported the “Guest_Master_profile” table into a “dmp” file (as had previously occurred in relation to the other tables referred to above).<br />
<br />
16 Marriott’s First Representations, page 63.<br />
17 Marriott’s First Representations, page 63.<br />
18 Marriott’s First Representations, page 63.<br />
19 Marriott has also provided the alternative date of 1 January 2017 for this installation (see Marriott’s Second Representations, page 37).<br />
20 “Guardium” is a data protection software produced by IBM.<br />
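The monitoring gap described in paragraphs 3.15 to 3.17 (alerts attached only to tables holding card data, so earlier bulk exports of other personal-data tables raised no alarm) is the kind of coverage question a defender can check mechanically. The Python below is an added example, not code from the penalty notice, Marriott or IBM Guardium: the table classifications, audit-log format and log lines are constructed, and `evaluate` and `coverage_gaps` are hypothetical helpers that compare a card-data-only alerting scope against one covering every table classified as holding personal data.<br />

```python
"""Coverage check for database-activity-monitoring rules (constructed example).

Models the gap in paragraph 3.16: alerting attached only to card-data
tables, so bulk reads of other personal-data tables raise no alarm.
Table classifications, log format and log lines are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed classification of the tables named in the notice.
# Guest_Master_profile held a card expiration date; the other two held
# personal data but no card details (paragraphs 3.16 and 4.1).
TABLE_DATA_CLASSES = {
    "guest_master_profile": {"card", "personal"},
    "reservation_room_sharer": {"personal"},
    "consumption_roomtype": {"personal"},
}

# Query shapes that indicate enumeration or bulk extraction of a table.
BULK_ACTIONS = {"COUNT", "EXPORT", "FULL_SELECT"}

# Constructed audit-log format: "<date> user=<u> table=<t> action=<a> rows=<n>"
LOG_RE = re.compile(
    r"^(?P<date>\S+)\s+user=(?P<user>\S+)\s+table=(?P<table>\S+)"
    r"\s+action=(?P<action>\S+)\s+rows=(?P<rows>\d+)$"
)


@dataclass(frozen=True)
class Event:
    date: str
    user: str
    table: str   # normalised to lower case so case variants compare equal
    action: str
    rows: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed audit line; return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(m["date"], m["user"], m["table"].lower(),
                 m["action"].upper(), int(m["rows"]))


def monitored_tables(required_classes: Set[str]) -> Set[str]:
    """Tables a policy keeps under alerting, selected by data class.

    {"card"} models the narrow scope in paragraph 3.16;
    {"card", "personal"} extends alerting to every personal-data table.
    """
    return {t for t, c in TABLE_DATA_CLASSES.items() if c & required_classes}


def evaluate(lines: Iterable[str],
             required_classes: Set[str]) -> Tuple[List[Event], List[Event]]:
    """Return (alerts, missed): bulk actions that would alert under the policy,
    and bulk actions on personal-data tables the policy leaves uncovered."""
    watched = monitored_tables(required_classes)
    alerts, missed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.action not in BULK_ACTIONS:
            continue
        if ev.table in watched:
            alerts.append(ev)
        elif "personal" in TABLE_DATA_CLASSES.get(ev.table, set()):
            missed.append(ev)
    return alerts, missed


def coverage_gaps(required_classes: Set[str]) -> List[str]:
    """Personal-data tables that no alerting rule covers under this policy."""
    watched = monitored_tables(required_classes)
    return sorted(t for t, c in TABLE_DATA_CLASSES.items()
                  if "personal" in c and t not in watched)


# Constructed audit lines mirroring the sequence in paragraphs 3.11 to 3.17.
SAMPLE_LOG = [
    "2015-04-15 user=svc_web table=Reservation_Room_sharer action=EXPORT rows=520000",
    "2015-04-21 user=svc_web table=Consumption_Roomtype action=EXPORT rows=310000",
    "2016-05-17 user=svc_web table=reservation_Room_Sharer action=EXPORT rows=540000",
    "2018-09-07 user=svc_web table=Guest_Master_profile action=COUNT rows=1",
    "2018-09-07 user=svc_web table=Guest_Master_profile action=EXPORT rows=2100000",
    "2018-09-08 user=dba01 table=Guest_Master_profile action=SELECT rows=3",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for label, policy in (("card-only", {"card"}), ("all personal", {"card", "personal"})):
        alerts, missed = evaluate(SAMPLE_LOG, policy)
        print(f"{label}: {len(alerts)} alerts, {len(missed)} missed, gaps={coverage_gaps(policy)}")
```

Under the card-only scope the three 2015-2016 exports are missed and two uncovered tables are reported; under the broadened scope every bulk action alerts and the gap list is empty.<br />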
<br />
Discovery and reporting of the breach<br />
<br />
3.18. On 8 September 2018, Accenture, the company managing the Starwood Guest Reservation Base, contacted Marriott’s IT team regarding the Guardium alert of the previous day. This was the first Guardium alert relating to the Attack that Marriott had received since its acquisition of Starwood.<br />
<br />
3.19. On 10 September 2018, the “PP_Master” table was exported to a “dmp” file on the Starwood system.<br />
<br />
3.20. Following the Guardium alert, on 9/10 September 2018, Marriott instigated its Information Security and Privacy Incident Response Plan. On 12 September 2018, Marriott began to deploy real-time monitoring and forensic tools on 70,000 legacy Starwood devices. The purpose of this measure was to monitor the local system and identify potentially malicious activity in real-time, with findings reported back to Marriott’s central monitoring server.<br />
<br />
3.21. On 15/16 September 2018, Marriott identified further unauthorised activity from 7 July 2018, specifically the use of credentials of Accenture employees.<br />
<br />
3.22. On 17 September 2018, the presence of a RAT was identified. Marriott took action to contain the RAT, by blocking the command-and-control IP addresses used by the RAT.<br />
<br />
3.23. In early to mid-October 2018, the Attacker’s use of Mimikatz on a number of occasions since 2014 was identified, as was the memory-scraping malware, referred to in paragraph 3.14. On 29 October 2018, Marriott contacted the United States Federal Bureau of Investigation.<br />
<br />
3.24. On 13 November 2018, two compressed, encrypted and previously deleted files were identified. These files were named “guest_master_profile” and “pp_master”. On 19 November 2018, the aforementioned files were decrypted, and it was found that they respectively contained an export of the Guest_Master_Profile table and the PP_Master table.<br />
<br />
3.25. On 22 November 2018, Marriott notified the Commissioner of a personal data breach.<br />
<br />
3.26. On 25 November 2018, Marriott discovered that a file named “Reservation_room_sharer.dmp” had been created on a Starwood device, and on 26 November 2018, Marriott identified a second file named “Reservation_room_sharer.dmp” which had been created on a Starwood device, and established that a file named “consumption_roomtype.dmp” had also been created.<br />
<br />
3.27. On 30 November 2018, Marriott provided a follow-up report to the Commissioner regarding further personal data breaches. On the same day, Marriott issued a press release about the Attack and established a dedicated Starwood incident website. Marriott also began sending email notifications to affected data subjects on 30 November 2018. In the initial email notification to data subjects, Marriott informed them that a dedicated call centre had been set up in order to receive complaints. The email notification did not provide the telephone number for the call centre, however it did contain a link to the dedicated website, which included the telephone number of the call centre. Following telephone contact between the Commissioner’s office and Marriott, the email was updated to include the telephone number for the call centre, and Marriott sent the revised version on 9 December 2018.21<br />
<br />
<br />
4. PERSONAL DATA INVOLVED IN THE FAILURE<br />
<br />
4.1. The Attacker appears to have obtained personal data in both encrypted and unencrypted forms. The unencrypted information included:<br />
<br />
a. On the “Guest_Master_Profile_table” file: a numerical identifier to identify the guest, guest name, gender, date of birth, whether the guest has been identified as a VIP, whether the guest is a member of the Starwood loyalty programme and their account information (“SPG”), mailing address, passport country code, phone number, fax number, email address, and credit card expiration date.<br />
<br />
b. On the “reservation_room_sharer_table”: a central reservation confirmation number, a unique numerical room identifier, guest name, SPG account information, whether the guest has been identified as a VIP, a separate VIP code, 5.25 million unencrypted guest passport numbers (935,000 of which were passports associated with EEA member state records), country of guest’s passport, arrival time, departure date, address, phone and fax numbers, email address, whether the guest has checked in, flight number and airline code, and the total number of guests in the room.<br />
<br />
c. On the “consumption_room_type_table”: a reservation confirmation number, the Guest Master profile ID, a unique numerical room identifier, room type, number of child guests, number of adult guests, number of cribs used in the room, number of rollaway beds designed for adults and the number of rollaway beds designed for children, guest arrival date;<br />
<br />
d. On the “PP_master_table”: the passport number record specific decryption key. Marriott considers that this would not be sufficient to decrypt the passport numbers as a master encryption key is also required, and does not appear to have been obtained by the attackers.<br />
<br />
4.2. The encrypted information was as follows:<br />
<br />
a. 18.5 million encrypted passport numbers, 4,290,000 of which were associated with EEA member state records.<br />
<br />
b. 9.1 million encrypted payment cards, 873,000 of which are associated with EEA member state records.22<br />
<br />
4.3. Marriott’s estimate is that 339 million guest records were affected. Of these, 30.1 million were EEA records,23 of which 7 million are associated with the United Kingdom. All data subjects who were affected pre-GDPR were also affected by the actions of the Attacker post-GDPR, as the entire contents of the affected tables were exported to “dmp” files on the Starwood system each time. However, the specific personal data involved differed between individual data subjects.<br />
<br />
21 Marriott First Representations, page 65.<br />
22 Marriott’s First Representations, page 65.<br />
23 Marriott’s First Representations, page 65.<br />
24 Marriott’s First Representations, page 65.<br />
<br />
<br />
5. PROCEDURE<br />
<br />
5.1. This section summarises the procedural steps the Commissioner has taken. The Annex to this Penalty Notice provides a more detailed chronology.<br />
<br />
5.2. Marriott notified the Commissioner of the Attack on 22 November 2018. In response, the Commissioner commenced an investigation into the incident. That investigation included various exchanges with Marriott and considering detailed submissions and evidence.<br />
<br />
5.3. On 5 July 2019, the Commissioner issued Marriott with a Notice of Intent to impose a penalty, pursuant to section 155(1) DPA and Schedule 16 of the DPA (the “NOI”). The proposed penalty was £99,200,396.00.<br />
<br />
5.4. Marriott made written representations in response to the NOI on 23 August 2019, which are referred to in this Notice as “Marriott’s First Representations”. Marriott did not request an opportunity to make oral submissions.<br />
<br />
5.5. Between August and October 2019, Marriott and the Commissioner exchanged correspondence about a number of issues, including (a) the application of the Commissioner’s Draft Internal Procedure, which is discussed further below; (b) the application and/or operation of the Article 60 GDPR consultation process; and (c) Marriott’s request for further opportunities to make submissions or representations prior to and during the Article 60 process.<br />
<br />
5.6. In a letter dated 6 December 2019, the Commissioner:<br />
<br />
a. confirmed that she no longer intended to exercise her discretion to convene the Panel;<br />
<br />
b. confirmed that the Draft Internal Procedure would not be taken into account in setting any penalty imposed on Marriott, having considered the detailed representations Marriott had made on this issue in its First Representations. The letter confirmed that the Commissioner would continue to apply the EU and domestic legislative framework in conjunction with the Regulatory Action Policy;<br />
<br />
c. outlined how the Article 60 consultation process would be conducted in this case; and<br />
<br />
d. agreed to give Marriott the opportunity to make further representations on the Commissioner’s draft decision if Marriott agreed to extend the six-month period for the issuing of a penalty notice prescribed in paragraph 2 of Schedule 16 of the DPA. The Commissioner proposed a new deadline of 31 March 2020.<br />
<br />
5.7. The Commissioner’s position on these issues was informed, in particular, by careful consideration of Marriott’s First Representations. Given the length and detail of those representations and the overall complexity of the case, that consideration took time and considerable resources. That process also resulted in changes and clarifications to the form and content of the draft decision.<br />
<br />
5.8. The Commissioner was also especially mindful of the fact that she acted as lead supervisory authority pursuant to Article 60 GDPR in this case, and that it was therefore important that her investigation and decision be as comprehensive as possible, since the draft decision must be submitted for the consideration of other supervisory authorities pursuant to Article 60(3).<br />
<br />
5.9. Although not required by law, the Commissioner considered that a further opportunity for Marriott to make representations was appropriate, provided that an agreement could be reached on extending the statutory timetable having regard, in particular, to: (i) the complexity of the case, (ii) Marriott’s representations, and (iii) the fact that this is one of the first major decisions made under the new EU data protection regime.<br />
<br />
5.10. Following further correspondence, Marriott confirmed on 17 December 2019 its agreement to a statutory extension of time to 31 March 2020. On 20 December 2019, the Commissioner provided Marriott with a draft decision, and invited it to make further written representations and to provide any other relevant evidence it wished the Commissioner to take into account.<br />
<br />
5.11. On 31 January 2020, Marriott provided further detailed written representations on the Commissioner’s draft decision (“Marriott’s Second Representations”).<br />
<br />
5.12. On 12 February 2020, the Commissioner wrote to Marriott requesting further information and documents which arose from her consideration of the Second Representations.<br />
<br />
5.13. In the light of the length and complexity of the Second Representations, on 13 February 2020 the parties agreed a further statutory extension of time until 1 June 2020.<br />
<br />
5.14. Between 28 February 2020 and 28 April 2020, Marriott provided the Commissioner with the information she had requested on 12 February 2020.<br />
<br />
5.15. On 3 April 2020 the Commissioner invited Marriott to make further representations specifically in respect of the financial impact on its business caused by the Covid-19 pandemic. Marriott provided a response to this request on 17 April 2020.<br />
<br />
5.16. Due to the impact of the Covid-19 pandemic, on 17 April 2020 the parties agreed a further statutory extension of time for the issuing of a penalty notice to 30 September 2020.<br />
<br />
6. CIRCUMSTANCES OF THE FAILURE: BREACHES<br />
<br />
<br />
Marriott’s failures<br />
<br />
6.1. The Commissioner’s conclusion i that between 25 May 2018, when<br />
the GDPR entered into force, and 17 September 2018, Marriott failed<br />
<br />
to comply with its obligations under Article 5(1)(f) and Article 32<br />
GDPR. Marriott failed to process personal data i a manner that<br />
<br />
ensured appropriate security of the personal data, including<br />
protection against unauthorised or unlawful processing and against<br />
accidental loss, destruction or damage, using appropriate technical<br />
<br />
and organisational measures as required by Article 5(1)(f) and<br />
Article 32 GDPR.<br />
<br />
6.2. This section describes the specific failures to comply with the GDPR<br />
<br />
that the Commissioner has found and responds to Marriott’s First<br />
and Second Representations on the Commissioner’s NOI and draft<br />
decision.<br />
<br />
The relevant standard<br />
<br />
6.3. As set out above, Article 5 GDPR requires that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The data controller, in this case Marriott, is responsible for, and must be able to demonstrate compliance with, that requirement.<br />
<br />
6.4. Article 32 GDPR concerns the security of processing personal data and, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, requires a controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Such measures may include encryption of personal data and a process for regularly testing, assessing and evaluating the effectiveness of such technical and organisational measures.[25]<br />
<br />
6.5. Not every instance of unauthorised processing or breach of security will necessarily amount to a breach of Article 5 or Article 32. The obligation under Article 5 GDPR is to ensure appropriate security; the obligation under Article 32 is to implement appropriate technical and organisational measures to ensure an appropriate level of security, taking account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk to the rights of data subjects.<br />
<br />
6.6. When considering whether there has been a breach of the GDPR and whether to impose a penalty, the Commissioner must therefore avoid reasoning purely with the benefit of hindsight. The focus should be on the adequacy and appropriateness of the measures implemented by the data controller, the risks that were known or could reasonably have been identified or foreseen, and appropriate measures falling within Article 5 and/or Article 32 GDPR that were not, but could and should have been, in place.<br />
<br />
[25] See also Recitals 76, 77 and 83 GDPR.<br />
<br />
6.7. Having carefully examined the available evidence, including the evidence and submissions from Marriott and Marriott’s Representations, the Commissioner is satisfied that there were multiple failures by Marriott to put in place appropriate technical or organisational measures to protect the personal data being processed on Marriott’s systems, as required by the GDPR.<br />
<br />
6.8. The NOI and draft decision identified a number of failures by Marriott to put in place appropriate security measures. Following careful consideration of the detailed representations received from Marriott, four principal failures by Marriott are now the subject of this Penalty Notice, which are outlined below.<br />
<br />
Preliminary issue: revised scope of the findings made<br />
<br />
6.9. In the NOI and the draft decision, concerns were raised in relation to the gaps which the Attack identified in the application of multi-factor authentication (“MFA”) within the relevant Starwood network. The Attacker was able to access the Starwood Cardholder Data Environment (“CDE”) because MFA was not applied to all accounts and systems with access to the CDE.<br />
<br />
6.10. Marriott has explained that:<br />
<br />
a. it believed that MFA was in place across the CDE because it had received assurances from Starwood’s management to this effect;[26] and<br />
<br />
b. this belief was corroborated by two Reports on Compliance (“ROCs”), issued by independent PCI DSS[27] assessors on 29 April 2016 (pre-acquisition) and 23 May 2017 (post-acquisition), which stated that MFA was in place for anyone requiring access into the segmented CDE and was enabled on the jump-server via […].[28] Marriott placed particular reliance in its representations on the 23 May 2017 report.<br />
<br />
6.11. Having considered, in particular, Marriott’s Second Representations in response to the draft decision,[29] the Commissioner is satisfied that Marriott did not breach its obligations under the GDPR by relying upon the ROCs (in particular, the ROC issued in May 2017) issued by the PCI DSS assessors to conclude that access to the CDE was protected by MFA (albeit erroneously). The incomplete implementation of MFA is not therefore the subject of this Penalty Notice (and consequently was not taken into account in assessing the appropriate penalty).<br />
<br />
[26] Marriott’s First Representations, para 1.40(a).<br />
[27] Payment Card Industry Data Security Standard (“PCI DSS”).<br />
[28] Marriott’s First Representations, para 1.40(b).<br />
[29] Marriott’s Second Representations, paras 3.2-3.7 and 3.20-3.24.<br />
<br />
The four principal failures<br />
<br />
6.12. Taking into account the representations made by Marriott,[30] the following four principal failures are the subject of this Penalty Notice.<br />
<br />
(1) Insufficient Monitoring of Privileged Accounts<br />
<br />
6.13. As explained above, the Attacker was able to obtain access to the CDE by exploiting an unknown gap in the scope of application of MFA. This failure to secure the ‘outer ring’ of the CDE is not the subject of this Penalty Notice. Instead, it is of concern that once the Attacker gained access to the CDE, appropriate and adequate measures were not in place to allow for the identification of the breach and to prevent further unauthorised activity (including further unauthorised processing of personal data). This concern arises first in respect of Marriott’s failure to put in place appropriate ongoing monitoring of user activity, particularly activity by privileged accounts.<br />
<br />
6.14. Marriott had itself determined that there was insufficient monitoring of privileged user accounts […]. Whilst Marriott did deploy a Security Operations Centre (“SOC”) […], this was insufficient for the reasons given at para 6.23 below.<br />
<br />
6.15. The National Cyber Security Centre (“NCSC”) guidance, published on 17 November 2018, entitled “10 Steps to Cyber Security: Guidance on how organisations can protect themselves in cyberspace, including the 10 steps to cybersecurity”, lists “monitoring” as one of the relevant steps. It explains the importance of monitoring to detecting or responding to attacks which have already taken place or commenced:<br />
<br />
Detect attacks: Either originating from outside the organisation or attacks as a result of deliberate or accidental user activity. Attacks may be directly targeted against technical infrastructure or against the services being run. Attacks can also seek to take advantage of legitimate business services, for example by using stolen credentials to defraud payment services.<br />
<br />
React to attacks: An effective response to an attack depends upon first being aware that an attack has happened or is taking place. A swift response is essential to stop the attack, and to respond and minimise the impact or damage caused.<br />
<br />
Account for activity: You should have a complete understanding of how systems, services and information are being used by users. Failure to monitor systems and their use could lead to attacks going unnoticed and/or non-compliance with legal or regulatory requirements.[32]<br />
<br />
[30] See, for example, Marriott’s Second Representations, paras 2.2(b)-(c), 3.1(b), 3.8-3.13 and 3.25-3.29.<br />
<br />
6.16. The NCSC guidance also explains that monitoring activities should include, inter alia, the monitoring of network traffic and user activity. This NCSC guidance builds upon earlier guidance published by the NCSC which is to similar effect. See, for example, the NCSC guidance entitled “Introduction to identity and access management” published in January 2018[33] which refers to: (a) “basic principles to follow when designing user access management”; and (b) “basic architectural good practice when designing and administering access management systems”. Such basic principles and practices include “operations and monitoring - the supporting processes and technology to identify and enable investigation of breaches of policy or controls”. The guidance explains that:<br />
<br />
Given the high value to an attacker of compromising your identity and access management systems they should be given priority for security maintenance. This means, amongst other things, prompt application of security patches across your estate (or otherwise mitigating security issues), practicing good user and privileged user management, and applying appropriate protective monitoring. Additionally, we recommend:<br />
<br />
- designing your access control systems to allow for easy monitoring of account usage and accesses<br />
- being able to tie all user actions in the system to the user that performed them...”<br />
<br />
[32] https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security?curPage=/collection/10-steps-to-cyber-security/the-10-steps/monitoring<br />
[33] https://www.ncsc.gov.uk/guidance/introduction-identity-and-access-management<br />
<br />
6.17. Both examples of NCSC guidance detail the basic need for multiple security techniques, processes and technologies in order to secure systems. Accordingly, Marriott ought to have been aware of the need to have multiple layers of security in place in order to adequately protect personal data. Although Marriott had assured itself that it had MFA in place[34] (which, as explained above, the Commissioner accepts that Marriott did), and had certain additional security measures in place, this was not sufficient. Marriott ought to have had in place better monitoring of user activity to aid in the detection of an attack, as an additional layer of security.<br />
<br />
6.18. A forensic report into the incident, dated 11 April 2019, was commissioned by Marriott and prepared by Verizon (the “Verizon Report”). It notes that Marriott had not configured logging in respect of “access to systems and/or applications within the CDE.”[35] Marriott did have the results of the ROCs and its own annual penetration tests. However, these did not evaluate the appropriateness of the way in which Marriott monitored (including through logging) the Starwood system or the configurations used for any such monitoring (including logging). Logging configurations are not within the scope of these tests. This is not a criticism of the ROCs or the penetration tests themselves. Rather it reflects the fact that Marriott ought to have taken steps to implement measures which would identify vulnerabilities which the ROCs and penetration tests would not identify. Such steps would include the implementation of effective monitoring (including logging) and alerts as part of Marriott’s wider security measures. This is the gap identified by the Verizon Report.<br />
<br />
6.19. In this case, appropriate monitoring would have included the appropriate logging of user activity, especially in relation to privileged users. The logging of user activity once within the CDE, in addition to the logging done by the Guardium software, would have aided in the detection of unusual account activity (such as where, in this case, the Attacker regularly utilised legitimate accounts to perform unauthorised user activity within the CDE). Marriott’s failure to log user activity in this way was inconsistent with its obligations under the GDPR.<br />
<br />
[34] Contrary to, for example, para 3.6 of Marriott’s Second Representations.<br />
[35] Verizon Report, page 18.<br />
<br />
6.20. Marriott states that “no amount of logging would necessarily have identified an attacker unless the attacker operated from an identified suspicious IP address, which is not the case in this matter.”[36] It is right to say that no security measure “would necessarily” work, there being no guarantee that any security measure is wholly effective. It is also true that it is harder to detect an attacker who is not operating from a suspicious IP address. However, this is precisely why the monitoring of legitimate user accounts (including through logging) within the network for unusual activity is vital. This is recognised by the NCSC, which states in relation to monitoring: “these solutions should provide both signature-based capabilities to detect known attacks, and heuristic capabilities to detect unusual system behaviour”.[37]<br />
<br />
(2) Insufficient Monitoring of Databases<br />
<br />
6.21. In addition to the insufficient monitoring of user accounts and the user activity linked to those accounts, Marriott failed to adequately monitor the databases within the CDE. In this respect, the Commissioner is concerned by the following three failures: (a) deficiencies in Marriott’s setup of security alerts on databases within the CDE; (b) the failure to aggregate logs; and (c) the failure to log actions taken on the CDE system, such as the creation of files and the exporting of entire database tables.<br />
<br />
6.22. Marriott deployed IBM Guardium to monitor activity on the database within the CDE. As configured by Marriott, IBM Guardium had two functions. First, it logged activity (such as efforts to create, read, update, or delete data within a database). Secondly, it issued alerts in certain circumstances. The problems with the approach adopted are as follows.<br />
<br />
[36] Marriott’s Second Representations, para 3.39.<br />
[37] NCSC “10 Steps to Cyber Security” Guidance, dated November 2018: https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps/monitoring<br />
<br />
6.23. With respect to logging, there were two main problems:<br />
<br />
a. First, whilst Marriott had a security incident event management system (“SIEM”) and a SOC to collect the logs being generated by the system, Marriott did not ensure sufficient logging of key activities such as user activity or actions taken on a database. The insufficient logging rendered the SIEM and SOC ineffective. Marriott also insufficiently logged in other areas of its network, such as firewall and access logs.<br />
<br />
b. Second, Marriott did not engage in server logging of the creation of files (or alternatively it did not use the IBM Guardium software in a similar way), which allowed the Attacker to export entire databases to ‘dmp’ files undetected. Such logging is likely to have been feasible for Marriott as such mass export of data does not regularly occur within the normal course of business so as to generate an unhelpful number of false-positives. This form of logging on the system, and the evaluation of the created logs, could have enabled Marriott to detect unexpected activity within the CDE.<br />
<br />
6.24. In response to the concerns raised, Marriott has referred to its use of Proventia and McAfee’s IntruShield (two systems which generate and aggregate logs).[38] These are not, however, sufficient to address the risks faced by the Starwood network. McAfee’s IntruShield aids in the detection of zero-day, DoS attacks, spyware, malware, botnets and VoIP threats, while Proventia operated as an intrusion detection system. Like Proventia, IntruShield does not address the shortcomings identified above, namely the failure to monitor database activity and user actions on network devices.<br />
<br />
6.25. Marriott stated in its First Representations, and the Commissioner agrees, that such logging would not have prevented the Attack in and of itself, but “merely informs a response once the system operator is aware of the malicious activity”.[39] However, regular and close monitoring and evaluation of logs can assist in the early detection of attacks, their mitigation, and the prevention of future attacks. That Marriott did not detect the Attack until alerted by Guardium is indicative of Marriott failing regularly to test, assess, and evaluate the effectiveness of its security measures.<br />
<br />
[38] Marriott’s Second Representations, para 3.40.<br />
[39] Marriott’s First Representations, para 1.61.<br />
<br />
6.26. With respect to the Guardium alerts, the problem was that the circumstances in which IBM Guardium would issue alerts were limited in a way which undermined its ability to detect unauthorised activity within the databases.<br />
<br />
6.27. In particular, alerts were only placed on tables that contained payment card information, and only specific queries (where table names were directly referenced, such as in a count) triggered warnings in the system. Although the database as a whole did have some protection from Guardium,[40] the known actions of the Attacker prior to 7 September 2018 did not meet the conditions for the triggering of an alert.[41] Marriott has explained that specific alerting rules and tables were chosen in order to reduce false-positives. However, this explanation is insufficient to justify an approach where only tables including payment card data were placed within the scope of Guardium rules. Marriott’s focus on payment card information illustrates a failure to implement appropriate technical and organisational measures to ensure an appropriate level of overall security for all other personal data.<br />
<br />
6.28. A risk-based approach was required in this case (as acknowledged in para 1.45 of Marriott’s First Representations). Payment card data is likely to be the highest risk category, and the tables containing payment card data could therefore warrant higher security than other tables depending on the sensitivity of the other data held. However, while a risk-based approach may require payment card data to have additional security alerts, this does not justify a complete lack of alerts on tables containing other personal data. Moreover, the other data held may vary in its sensitivity, requiring different security measures to be applied to the tables/relevant processing.<br />
<br />
6.29. Marriott stated that it reasonably assumed, based upon the PCI DSS testing results, that the Guardium alerts in respect of the CDE were appropriately configured.[42] However, the PCI DSS tests concerned the perimeter defences against an attack rather than monitoring systems concerned with the detection of an attacker who had already penetrated the CDE. The tests did not assess the appropriateness of the discriminatory application of the alerts across the CDE segment, nor what this meant for the security of categories of personal data stored in tables which did not contain payment card information. They do not, therefore, provide the reasonable assurance which Marriott claims.<br />
<br />
[40] Namely in terms of detecting unauthorised access based on IPs or failed login attempts, which the Attacker in this incident bypassed through compromised user credentials.<br />
[41] As confirmed by Marriott in its correspondence dated 20 December 2018, page 6.<br />
[42] Marriott’s First Representations, paras 1.43-44.<br />
<br />
6.30. Finally, Marriott suggested that because it believed MFA was implemented across the CDE, this rendered its reliance on that authentication tool and the Guardium alerts as configured reasonable and therefore in compliance with Articles 5(1)(f) and 32 GDPR. This is not accepted: monitoring (including logging) of the types discussed in paras 6.13 to 6.29 above are standard security measures. Control of access through MFA does not displace the need for adequate monitoring (including logging) of activities that assist in detecting a breach once it is in train (see paras 6.15-6.17 above).<br />
<br />
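An added illustration, not part of this Penalty Notice and not Marriott’s or IBM’s own configuration: a toy database-activity alert engine in Python that runs the narrow alerting described in para 6.27 (card tables only, and only statements that name the table directly) beside the broadened, risk-based policy contemplated in paras 6.23(b) and 6.28 over a constructed sequence of audit events. Table names, data categories, row thresholds, account names and IP addresses are assumptions made for the example.<br />

```python
"""Added example (not from the ICO notice or any Guardium configuration).

Contrasts two database-activity alert policies over constructed audit
events: the narrow one described in para 6.27 and a broadened one that
also covers the gaps in paras 6.23(b) and 6.28 (other personal-data
tables, bulk exports of whole tables, dump files created on the host).
"""

import re
from dataclasses import dataclass

# Assumed table classification for this example: the notice only says card
# tables were alerted on and that passport numbers lived in other tables.
CARD_TABLES = {"CARD_DATA"}
PERSONAL_DATA_TABLES = {"CARD_DATA": "payment card",
                        "GUEST_PROFILE": "passport/contact"}
BULK_ROWS = 10_000          # assumed: a whole-table read above this is "mass export"
DUMP_SUFFIXES = (".dmp",)   # export artefacts referred to in para 6.23(b)


@dataclass
class Event:
    kind: str                # "query" (database statement) or "file" (host file creation)
    user: str
    source_ip: str
    table: str = ""
    statement: str = ""
    rows: int = 0
    path: str = ""


@dataclass
class Alert:
    rule: str
    user: str
    detail: str


def references_table(statement: str, table: str) -> bool:
    """True when the statement names the table directly (e.g. in a COUNT)."""
    return re.search(r"\bFROM\s+%s\b" % re.escape(table), statement, re.I) is not None


def narrow_policy(events):
    """Alerting as configured per para 6.27: card tables only, direct references
    only. File-creation events are not logged at all (para 6.23(b))."""
    alerts = []
    for e in events:
        if e.kind == "query" and e.table in CARD_TABLES and references_table(e.statement, e.table):
            alerts.append(Alert("card-table-direct-ref", e.user, e.statement))
    return alerts


def broadened_policy(events):
    """Risk-based policy from para 6.28: every personal-data table is in scope
    (card tables keep their signature rule), plus heuristics for the 'unusual
    system behaviour' the NCSC text quoted in para 6.20 calls for."""
    alerts = []
    for e in events:
        if e.kind == "query" and e.table in PERSONAL_DATA_TABLES:
            category = PERSONAL_DATA_TABLES[e.table]
            # Whole-table read: rare in normal business, so the false-positive
            # cost of alerting on it is low (para 6.23(b)).
            if e.rows >= BULK_ROWS and not re.search(r"\bWHERE\b", e.statement, re.I):
                alerts.append(Alert("bulk-export", e.user,
                                    f"{e.rows} rows of {category} data from {e.table}"))
            elif e.table in CARD_TABLES and references_table(e.statement, e.table):
                alerts.append(Alert("card-table-direct-ref", e.user, e.statement))
        elif e.kind == "file" and e.path.lower().endswith(DUMP_SUFFIXES):
            alerts.append(Alert("dump-file-created", e.user, e.path))
    return alerts


# Constructed sample: a legitimate privileged account, used from an allowed
# internal address (so the IP / failed-login rules in footnote 40 never fire),
# reads and dumps a non-card table; a separate analyst runs a routine count.
SAMPLE_EVENTS = [
    Event("query", "svc_dba", "10.20.1.15", table="GUEST_PROFILE",
          statement="SELECT * FROM GUEST_PROFILE", rows=50_000),
    Event("file", "svc_dba", "10.20.1.15", path="/opt/exports/guest_profile.dmp"),
    Event("query", "analyst1", "10.20.1.40", table="CARD_DATA",
          statement="SELECT COUNT(*) FROM CARD_DATA", rows=1),
    Event("query", "svc_dba", "10.20.1.15", table="GUEST_PROFILE",
          statement="SELECT name FROM GUEST_PROFILE WHERE guest_id = 4711", rows=1),
]


def compare(events=SAMPLE_EVENTS):
    """Return {policy: [rule names fired]} so the coverage gap is visible."""
    return {"narrow": [a.rule for a in narrow_policy(events)],
            "broadened": [a.rule for a in broadened_policy(events)]}


if __name__ == "__main__":
    for policy, rules in compare().items():
        print(f"{policy:9s}: {rules}")
```

Under the narrow policy only the analyst’s routine count fires; the whole-table read and the dump file on the host, the behaviour the notice says went undetected, produce no alert at all.<br />
<br />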
(3) Control of critical systems<br />
<br />
6.31. As discussed at paragraphs 6.13-6.30 above, Marriott failed to ensure that the actions taken on its systems were appropriately monitored. In addition to the use of monitoring and security alerts, it would have been appropriate for Marriott to implement a form of server hardening as a preventative measure, which could have prevented the Attacker from gaining access to administrator accounts and performing reconnaissance before traversing across a network.<br />
<br />
6.32. In particular, the implementation of whitelisting is one way in which Marriott could have performed server hardening. Whitelisting is a form of programming which only allows certain users or IP addresses to access certain systems or software, as required for their specific role. It is important in reducing attack surfaces and reducing the risk of attackers being able to traverse through a network after gaining entry to a single user account.<br />
<br />
6.33. Whitelisting should be deployed where appropriate on critical systems, and those systems which have access to large amounts of personal data. The NCSC Guidance states that: “you should develop a strategy to remove or disable unnecessary functionality from systems.”[43] Whitelisting is also described in NCSC Cyber Essentials guidance as a defence against malware.[44] This supports advice given in earlier guidance by NIST. In October 2015 NIST published a guide to whitelisting which shows how whitelisting can be utilised to prevent unauthorised software from being installed on a device.[45] In this incident, whitelisting could have aided in halting the reconnaissance and privilege escalation stage of the Attack.<br />
<br />
6.34. There are many forms of whitelisting. Binary software whitelisting is a form of access control where only authorised software and scripts can be installed on a given system or user areas. For example, only allowing pre-approved software such as Microsoft Word and Outlook to be installed on work laptops. This can be distinguished from other forms of whitelisting, such as the process by which only authorised IP addresses can gain access to network resources.[46] Whilst it is not possible to list the devices in relation to which whitelisting could have been appropriate, at a minimum whitelisting would be expected on: (a) devices which could be remotely accessed; (b) devices which store large amounts of, or sensitive categories of, personal data; (c) any other systems which Marriott regards as ‘critical’ to their network operations; (d) any POS terminals at a property level; and any other devices which process payment card transactions.[47] The implementation of binary software whitelisting would, if correctly implemented, have prevented the installation and execution of a RAT. While it is true that the RAT was installed and executed on the system both pre-acquisition and pre-GDPR, and was therefore not attributable to Marriott, the continued absence of whitelisting post-GDPR left the systems for which Marriott was responsible vulnerable to further RAT installations and executions.<br />
<br />
6.35. Marriott stated in its First Representations that binary software whitelisting was rarely implemented by companies at the time of the incident, because it places a heavy burden on IT systems.[48] However, binary software whitelisting was a well-recognised and established security practice for some time before the GDPR came into force, and certainly by that date. The NCSC Guidance lists whitelisting (“prevent unknown software from being able to run or install itself...”) as a “Cyber Essential”. That guidance was published in October 2015, and therefore pre-dates the GDPR.[49] In addition, there is guidance published by the National Institute of Standards and Technology (“NIST”), which recognises whitelisting as a better option than anti-malware.[50] The NIST Guidance was published in 2015, and therefore significantly pre-dates the implementation of the GDPR.<br />
<br />
[43] See https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps<br />
[44] NCSC Cyber Essentials Guidance: Requirements for IT infrastructure (dated April 2020): https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-IT-infrastructure.pdf (pages 10-11, under the heading “Malware Protection”). This language was also included in the now archived version of this guidance, which dated from January 2015: https://webarchive.nationalarchives.gov.uk/20150605225501/https://www.gov.uk/government/publications/10-steps-to-cyber-security-advice-sheets/10-steps-secure-configuration--11<br />
[45] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf (dated October 2015). See, in particular, section 2.1 on page 2.<br />
[46] See para 1.52 of Marriott’s First Representations.<br />
[47] “Protecting Point of Sale Devices from Targeted Attacks” (Microsoft), dated 1 April 2014. https://download.microsoft.com/documents/en-us/Protecting_Point_of_Sale_Devices-April_2014.pdf. See, in particular, page 5.<br />
<br />
6.36. Marriott also stated in its First Representations that binary software whitelisting could be circumvented by attackers ‘side loading’ RATs by using legitimate executable code.[51] Whitelisting, like all security measures, cannot be entirely resistant to attack. However, where side-loading did take place in the Attack, that appears to have been because Marriott’s systems vaguely or improperly specified a dynamic-link library (DLL) which allowed such side-loading to take place.[52] Whilst Marriott is right to suggest that these are risks which cannot be fully eliminated from any third-party software,[53] this only highlights the fact that Marriott ought to have carried out regular audits, updates of software and restricted file and directory permissions. The existence of outdated/obsolete software is also an issue noted in both the 2017 and 2018 PCI DSS Reports, and these could have been mitigated by properly reacting to issues discovered in the penetration tests.<br />
<br />
6.37. In any event, no single security measure can fully protect a system against attack or compromise. It would have been appropriate for Marriott to have implemented a ‘defence in depth’ strategy, of which whitelisting could play an important role, in order to protect their systems against attack and monitor activity on their network in order to promptly mitigate any unauthorised or malicious actions that managed to bypass their security controls.<br />
<br />
[48] Marriott’s First Representations, para 1.53.<br />
[49] See: https://www.ncsc.gov.uk/information/reducing-your-exposure-to-cyber-attack<br />
[50] See: https://www.ncsc.gov.uk/information/reducing-your-exposure-to-cyber-attack and the reference to “whitelisting and execution control - prevents software from being able to run or install itself.”<br />
[51] Marriott’s First Representations, para 1.53.<br />
[52] See …echniques/T1… for an explanation of the vulnerabilities that allow side loading to take place.<br />
[53] Marriott’s Second Representations, para 3.31.<br />
<br />
6.38. The measures discussed above are readily available and mature solutions (i.e. solutions that have been known about in the industry for a long period of time), which are appropriate and could have been implemented by Marriott, to the extent necessary, without entailing excessive cost or technical difficulties. However, it is only suggested that whitelisting (or equivalent server hardening measures which would limit the functionality of systems to only that which is required of them) could be appropriately deployed on (a) critical systems which attackers may target whilst looking to access other, sensitive areas of the network, or (b) systems which could access other (separate) systems containing personal data. Therefore, it would be appropriate to implement a server hardening measure across devices with access to the CDE, the CDE environment itself and any other network devices that could access either large quantities or sensitive categories of personal data.<br />
<br />
(4) Encryption<br />
<br />
6.39. Payment card data and, i some cases, passport numbers, were<br />
<br />
encrypted by Marriott using AES-128, an industry standard<br />
encryption algorithm. Oracle databases (the Starwood reservation<br />
database included tables stored i an Oracle database) provided the<br />
<br />
functionality to encrypt table entries in this way, and i was Marriot’s<br />
responsibility to ensure this was configured correctly.<br />
<br />
<br />
6.40. However, i keeping with Marriott’s focus on PCI DSS compliance,<br />
encryption was not applied to other categories of personal data. The<br />
<br />
Commissioner i particularly concerned that not all passport<br />
numbers were encrypted.<br />
<br />
6.41. In its First and Second Representations, Marriott stated that i had<br />
<br />
adopted a mature and risk-based approach to cyber security by<br />
targeting its security efforts on the tables containing cardholder<br />
<br />
information.** In support of its position, Marriott relied upon a<br />
selective quotation from the NCSC Guidance i its written<br />
<br />
<br />
<br />
<br />
<br />
54 Marriott’Representations,para 1.27 and 1.63,see also para 3.45 of Marriott’Second<br />
Representations.<br />
38 submissions. However, the Commissioner notes that the full quote<br />
provides as follows:<br />
<br />
<br />
“In some scenarios, the use of encryption to protect bulk data should be the norm. For example, where data is transmitted over the internet, stored on a laptop, or stored on removable media. However, encryption relies on good key management, and in some scenarios it is challenging to engineer a solution which makes meaningful use of encryption to protect personal data. This is sometimes the case in systems which are always online, where data needs to be available to query. In these scenarios, your systems architects and designers will need to think carefully about how encryption can be used in a meaningful way.”[55]<br />
<br />
6.42. However, Marriott has not provided any risk assessments which demonstrate the evaluative judgement it arrived at and the rationale for its approach to the encryption of personal data. On the contrary, Marriott has taken an inconsistent approach by encrypting some but not all passport numbers. In addition, while it may be true that cardholder information is of higher risk than other categories of personal data, this does not vitiate the risk to other categories of personal data. Thus, while the NCSC guidance quoted above does not say that Marriott is required to implement encryption across all personal data, it does require Marriott to explain why it chose to selectively encrypt data.[56] Even if Marriott reasonably believed that the CDE was protected by MFA, it was aware - or ought to have been aware - that no system is fully secure.[57]<br />
<br />
6.43. Marriott, in its First Representations, also claimed that it would have been impractical for it to have encrypted any more personal data than it did.[58] However, a number of methods exist to facilitate the identification of the user to which a piece of data refers, so that decryption of personal data can take place quickly and when necessary. One method is through the use of a unique identifier (such as a UUID), which can aid in querying and decrypting individual pieces of data associated with individual customers where required in almost real-time. There are also Hardware Security Modules which Marriott could have utilised, encrypting data in near real time at its source and decrypting it at its destination.<br />
<br />
[55] See: https://www.ncsc.gov.uk/collection/protecting-bulk-pers (emphasis added).<br />
[56] Marriott’s Second Representations, para 3.46(c).<br />
[57] Marriott’s Second Representations, para 3.46(b).<br />
[58] Marriott’s First Representations, para 1.27(b).<br />
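The UUID-keyed field-level encryption that paragraph 6.43 describes, as an added illustration written for this page (it is not Marriott’s, Starwood’s or Oracle’s implementation): every row’s passport number is sealed with AES-128-GCM under a key held apart from the table, the row’s UUID is the handle used to locate and decrypt a single record on demand, and an audit routine checks that each stored value really is a ciphertext bound to its own row, which is the consistency paragraph 6.42 found missing when some but not all passport numbers were encrypted. The table layout, field names, key and sample values are constructed assumptions; in a deployment the key would sit in an HSM or key management service, as the NCSC guidance quoted above requires.<br />

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Guest is a constructed row; the field names are assumptions, not Starwood's schema.
type Guest struct {
	ID       string // UUID: the key used to locate and decrypt exactly one record
	Name     string // left in clear so the table stays queryable
	Passport []byte // AES-128-GCM blob: nonce || ciphertext || tag
}

type Vault struct {
	aead cipher.AEAD // in production the key behind this lives in a KMS or HSM
	rows map[string]*Guest
}

func NewVault(key []byte) (*Vault, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, rows: map[string]*Guest{}}, nil
}

func newUUID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// Insert encrypts the passport number of every row, unconditionally. The row's
// UUID is bound as associated data, so a blob copied into another row fails there.
func (v *Vault) Insert(name, passport string) (string, error) {
	id, err := newUUID()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	blob := v.aead.Seal(nonce, nonce, []byte(passport), []byte(id))
	v.rows[id] = &Guest{ID: id, Name: name, Passport: blob}
	return id, nil
}

// Passport decrypts exactly one record, located by UUID, at the moment it is needed.
func (v *Vault) Passport(id string) (string, error) {
	g, ok := v.rows[id]
	if !ok {
		return "", errors.New("no such guest")
	}
	ns := v.aead.NonceSize()
	if len(g.Passport) < ns {
		return "", errors.New("stored value is not an AES-GCM blob")
	}
	pt, err := v.aead.Open(nil, g.Passport[:ns], g.Passport[ns:], []byte(id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Audit lists rows whose stored value does not authenticate as a ciphertext bound
// to that row: plaintext left unencrypted, or a blob moved between rows.
func (v *Vault) Audit() []string {
	var bad []string
	for id := range v.rows {
		if _, err := v.Passport(id); err != nil {
			bad = append(bad, id)
		}
	}
	return bad
}

func main() {
	key := make([]byte, 16) // all-zero key: constructed for the demo only
	v, _ := NewVault(key)
	id, _ := v.Insert("A. Traveller", "P123456789") // constructed sample data
	fmt.Println(v.Passport(id))
	fmt.Println("rows failing audit:", v.Audit())
}
```

Binding the UUID as associated data is what lets the audit distinguish a row that was never encrypted from a ciphertext that was copied between rows; both fail authentication, so a periodic run of Audit over the table reports the same inconsistency the Commissioner identified, rather than leaving it to be discovered after an incident.<br />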
<br />
6.44. In addition, the level of security that the encryption could have achieved was compromised within the Starwood guest reservation database by a script, developed by Starwood, which allowed for AES-128 encrypted entries in a database table to be decrypted.<br />
agrees that it is unlikely that the attacker did run it the attacker sons of times,le the Commissioner wished, this could have been achieved in very little timeprocess.uld be run as an automated<br />
<br />
[60] Marriott’s Second Representations, para 3.46(a).<br />
<br />
Marriott’s wider arguments<br />
<br />
<br />
6.48. In addition to the arguments referred to above, Marriott’s Representations raised a number of more general legal and/or factual arguments. This section addresses the following submissions made by Marriott:<br />
<br />
a. First, that the Commissioner had assessed the issue of breach without reference to “any clear standards”,[61] reasoned with the benefit of hindsight and regarded the fact that the Attack was successful as an indicator that the security measures were inappropriate.[62] Marriott claims that the Commissioner has applied an “impossibly high standard of care”.[63]<br />
<br />
b. Second, that the Commissioner failed to apply a holistic approach.[64]<br />
<br />
c. Third, that the Commissioner impermissibly relied upon Marriott’s pre-GDPR conduct, and incorrectly concluded on a provisional basis that Marriott had failed to carry out sufficient and appropriate due diligence.[65]<br />
<br />
d. Fourth, that the Commissioner erred in referring to Article 25 GDPR in the NOI.[66]<br />
<br />
e. Fifth, that the Commissioner erred in reaching the provisional view in the NOI that Marriott had breached the notification requirement under Article 33 of the GDPR.[67]<br />
<br />
f. Sixth, that the Commissioner was wrong provisionally to find in the NOI that Marriott’s notification to data subjects breached Article 34 of the GDPR.[68]<br />
<br />
[61] Marriott’s First Representations, paras 1.3-1.7.<br />
[62] Marriott’s First Representations, paras 1.8-1.12. See, to similar effect, Marriott’s Second Representations, Executive Summary, para 3, and para 3.1(b), and paras 3.15-3.18.<br />
[63] Marriott’s First Representations, Executive Summary, para 1; para 1.2, see also Marriott’s Second Representations, paras 3.14-3.18.<br />
[64] Marriott’s First Representations, Executive Summary, paras 1 and 5, and paras 1.13-1.15; and Marriott’s Second Representations, para 2.2(c).<br />
[65] Marriott’s First Representations, Executive Summary, paras 3-4, paras 1.18-1.20 and 1.29-1.37.<br />
[66] Marriott’s First Representations, para 1.21.<br />
[67] Marriott’s First Representations, Executive Summary, para 7, and paras 2.1-2.10 and 2.16.<br />
<br />
<br />
6.49. In its First and Second Representations, Marriott also advanced a number of points in relation to: (a) the Commissioner’s approach to determining whether to impose a penalty; and (b) her methodology in calculating the proposed penalty as set out in the Notice of Intent and the draft decision. These arguments are addressed in Section 7 below.<br />
<br />
(1) The correct approach/standard<br />
<br />
<br />
6.50. Marriott claims that: (a) the Commissioner’s factual findings were inaccurate; and/or (b) the Commissioner cannot maintain the conclusion that appropriate measures were available that Marriott failed to take to remove and/or mitigate the risk of an attack of the kind which occurred in this case because she had applied the incorrect standard or approach.[69]<br />
<br />
6.51. In the analysis set out above, the Commissioner has clarified certain factual findings made in the Notice of Intent in the light of the submissions made by Marriott in both its First and Second Representations, including by, in particular, clarifying her position in respect of the incomplete application of MFA.<br />
<br />
<br />
6.52. Further, paragraphs 6.3-6.8 above provide an accurate summary of the position on the relevant standard and set out the Commissioner’s response to Marriott’s argument that she applied an incorrect, unduly high, inappropriate or unclear standard in the NOI and/or draft penalty notice. The analysis set out in Section 6 above clearly explains the basis for the finding that Marriott failed to put in place appropriate security arrangements as required by the GDPR by reference to the specific facts of this case. Contrary to the claims made in Marriott’s First Representations, the Commissioner has not applied a one-size-fits-all approach to what measures are appropriate to secure different types of personal data.[70]<br />
<br />
[68] Marriott’s First Representations, paras 2.11-2.15 and 2.16.<br />
[69] Marriott’s First Representations, Executive Summary, para 3, 1.3-1.5 and 1.39-1.70; and Marriott’s Second Representations.<br />
[70] Contrary to, in particular, paras 1.16-1.17 of Marriott’s First Representations.<br />
<br />
6.53. As the Commissioner has set out above, and as she set out in the NOI, there were a number of appropriate measure(s) available to Marriott that an organisation of its scale would be expected to take to secure its data operations. Contrary to the claims made by Marriott, neither this Penalty Notice nor the NOI/draft decision proceeds on the basis that simply because the Starwood system was the victim of the Attack, it follows that Marriott breached the GDPR.[71] The reasoning supporting this Penalty Notice, and the NOI and draft decision, does not adopt such a simplistic approach.<br />
<br />
<br />
6.54. For essentially the same reasons, contrary to Marriott’s submissions,[72] the Commissioner’s findings do not involve applying the benefit of hindsight in an improper manner, or at all (as already explained above). The Commissioner is satisfied that there were four distinct weaknesses in Marriott’s system each of which Marriott ought to have identified and remedied, using one of the range of options available to Marriott (as discussed above). The Commissioner does not rely on the ‘success’ of the Attack as evidence that a breach of the GDPR definitely occurred. Instead, the Attacker’s ability to exploit deficiencies in Marriott’s security measures, for which remedies were available, discloses wider failures to put appropriate measures in place. In particular, the failure to encrypt all passport numbers was inadequate. There was also a failure to place Guardium alerts on tables other than those which contained payment information, thereby allowing the attack to go on undetected for a longer period.<br />
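To make the alerting point in paragraph 6.54 concrete, the following is an added example written for this page (it is not IBM Guardium, nor any Marriott or Starwood configuration): a small rule set run over a constructed database audit trail, with the same events evaluated once against a watchlist scoped to payment tables and once against a watchlist covering every table that holds personal data. Table names, users and hosts are invented; the two behaviours it flags, a full-table row count and a bulk read or export, are the ones the notice itself describes at paragraphs 6.72 and 6.74, while point lookups with a WHERE clause stay silent.<br />

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AuditEvent is a constructed database-audit record; the fields are assumptions,
// not the schema of IBM Guardium or any other product.
type AuditEvent struct {
	User, Host, SQL string
}

type Alert struct {
	Rule  string
	Table string
	Event AuditEvent
}

// Watchlist names the tables that raise alerts. The point of 6.54 is that it must
// cover every table holding personal data, not only the cardholder-data tables.
type Watchlist map[string]bool

var (
	fromRe   = regexp.MustCompile(`(?i)\bfrom\s+([A-Za-z_][A-Za-z0-9_.]*)`)
	tablesRe = regexp.MustCompile(`(?i)\btables\s*=\s*([A-Za-z_][A-Za-z0-9_.]*)`)
	countRe  = regexp.MustCompile(`(?i)\bcount\s*\(`)
	whereRe  = regexp.MustCompile(`(?i)\bwhere\b`)
	ctasRe   = regexp.MustCompile(`(?i)\bcreate\s+table\b`)
)

// referencedTable extracts the table a statement or export job touches.
func referencedTable(sql string) string {
	if m := tablesRe.FindStringSubmatch(sql); m != nil {
		return strings.ToUpper(m[1])
	}
	if m := fromRe.FindStringSubmatch(sql); m != nil {
		return strings.ToUpper(m[1])
	}
	return ""
}

// Evaluate applies two rules to one event: a row count on a watched table, and a
// bulk read or export of a watched table (no WHERE clause, CREATE TABLE AS, or an
// export job naming the table). Point lookups with a WHERE clause produce nothing.
func Evaluate(w Watchlist, ev AuditEvent) []Alert {
	tbl := referencedTable(ev.SQL)
	if tbl == "" || !w[tbl] {
		return nil
	}
	var out []Alert
	isCount := countRe.MatchString(ev.SQL)
	if isCount {
		out = append(out, Alert{"row count on watched table", tbl, ev})
	}
	isExport := tablesRe.MatchString(ev.SQL) || ctasRe.MatchString(ev.SQL)
	if isExport || (!isCount && !whereRe.MatchString(ev.SQL)) {
		out = append(out, Alert{"bulk read or export of watched table", tbl, ev})
	}
	return out
}

// Scan runs Evaluate over a whole audit trail.
func Scan(w Watchlist, events []AuditEvent) []Alert {
	var out []Alert
	for _, ev := range events {
		out = append(out, Evaluate(w, ev)...)
	}
	return out
}

// SampleEvents is a constructed audit trail, not a real log.
func SampleEvents() []AuditEvent {
	return []AuditEvent{
		{"svc_res", "10.0.5.21", "SELECT name, email FROM GUEST_MASTER_PROFILE WHERE guest_id = :1"},
		{"ora_dba", "10.0.9.7", "SELECT COUNT(*) FROM GUEST_MASTER_PROFILE"},
		{"ora_dba", "10.0.9.7", "expdp system TABLES=GUEST_MASTER_PROFILE DUMPFILE=gmp.dmp"},
		{"ora_dba", "10.0.9.7", "SELECT COUNT(*) FROM CARDHOLDER_TX"},
		{"svc_pay", "10.0.5.30", "SELECT * FROM CARDHOLDER_TX WHERE tx_id = :1"},
	}
}

// PCIOnly models alerting scoped to payment tables; AllPersonalData is the corrected scope.
var (
	PCIOnly         = Watchlist{"CARDHOLDER_TX": true}
	AllPersonalData = Watchlist{"CARDHOLDER_TX": true, "GUEST_MASTER_PROFILE": true, "PASSPORT_DETAILS": true}
)

func main() {
	for name, w := range map[string]Watchlist{"pci-only": PCIOnly, "all-personal-data": AllPersonalData} {
		for _, a := range Scan(w, SampleEvents()) {
			fmt.Printf("[%s] %s: %s by %s@%s\n", name, a.Rule, a.Table, a.Event.User, a.Event.Host)
		}
	}
}
```

Run against the constructed trail, the payment-only watchlist reports a single alert (the count on the cardholder table) and says nothing about the guest-profile count or export, whereas the wider watchlist reports all three; the rules are deliberately simple, and the scope of the watchlist is what decides whether the guest-profile activity is seen at all.<br />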
<br />
<br />
6.55. At para 1.12 of its First Representations, Marriott also claims that there is no basis for the suggestion that, under the GDPR, it ought to have identified the type of Attack which is the subject of this Notice, or carried out any further improvements on the Starwood systems, because the system was the “victim of a sophisticated attacker, which adopted a multi-vectored approach to its attack and was able to circumvent numerous protections that were in place”. However, the sophistication or specific vector of the attack is not the relevant focus. A controller has to implement appropriate measures to ensure the security of its systems. The measures mentioned above could have been implemented using standard industry tools, and could have prevented, detected and/or mitigated the impact of the Attack. What the Attack disclosed was the failure by Marriott to put in place appropriate security measures to address attacks of this kind and/or other identifiable risks to the system.<br />
<br />
[71] Marriott’s First Representations, §§1.8-1.9.<br />
[72] See, in particular, Marriott’s Second Representations, paras 3.15-3.18.<br />
<br />
6.56. Furthermore, Marriott was wrong to state[73] that the fact that the relevant Starwood IT system was due to be retired shortly means that it was not necessary to put in place the types of appropriate measures identified above in order to comply with Articles 5(1)(f) and/or 32 GDPR.<br />
<br />
6.57. In particular, Marriott relies on the fact that it originally intended to decommission the Starwood system in the first quarter of 2018 in response to the concerns raised about its security measures. It is important to note that the intended decommissioning was due to take place approximately a year and a half after the acquisition of Starwood, a long period of time during which data continued to be processed on the system. In fact, the intended decommissioning did not take place in the first quarter of 2018; the timetable was altered such that it was only to be achieved by the end of 2018. Whilst the Commissioner accepts that Marriott could not have known about the delay to the decommissioning timetable at the outset,[74] in early 2018 Marriott was aware that the GDPR was coming into force and that it would be continuing to process data within the Starwood network for a number of months after that. During this period, appropriate monitoring (including logging) and alerting tools could have been implemented relatively quickly in order to secure the systems until their decommissioning at the end of 2018.<br />
<br />
<br />
6.58. Many of the measures identified in the discussion of the 4 principal errors above could have been easily implemented as part of the security improvements which Marriott was already making over this period. With regards to logging, the appropriate changes to what was in fact being logged could have been made as part of Marriott’s SIEM and SOC projects. No additional steps as part of the “general IT lifecycle process” would have been required.[75] Similarly, changes to the Guardium alert settings could have been made relatively quickly and easily when IBM Guardium was deployed. The appropriate server hardening measures could have been implemented within 6-12 months (depending on which measures Marriott selected and how it chose to implement them).<br />
<br />
[73] Marriott’s Second Representations, paras 3.32-3.36.<br />
[74] Marriott’s Second Representations, paras 3.35-3.36.<br />
[75] Marriott’s Second Representations, para 3.38.<br />
<br />
<br />
6.59. The fact that an IT system is due to be retired shortly does not disapply the GDPR to the data being processed through that system. Marriott was still obliged to decide what appropriate measures should be in place in the light of the continued use of the system. While the fact that a system is to be decommissioned may be a relevant factor in determining what measures would be appropriate in a given case, this ultimately does not remove the basic obligation to put in place security measures appropriate to the risk posed by the continued processing. This may mitigate against, for example, a requirement that a controller, even one of the size and scale of Marriott, put in place expensive, state-of-the-art measures, where the system is to be decommissioned in the near future. However, where other appropriate measures are available without entailing disproportionate cost or delay, they should be put in place if they are required to ensure a level of security appropriate to the risks posed by continued processing. As explained above, the specific measures identified in the discussion of the four principal errors above are all ones which could have been put in place in a short amount of time, and which would not have entailed excessive cost.<br />
<br />
(2) A holistic approach<br />
<br />
6.60. The Commissioner has had regard to Marriott’s detailed submissions on the security measures it had in place generally, and those it implemented after its limited due diligence on the Starwood systems.[76] However, the investigation has identified a number of appropriate measures or steps that should have been taken by Marriott to address the identified security risks within its system. The Attack, and/or other attacks which could have occurred as a result of the deficiencies in Marriott’s systems, identified above, mean that, even judged holistically, Marriott’s technical and organisational data security arrangements cannot be regarded as sufficient or appropriate.<br />
<br />
<br />
6.61. The Commissioner has also considered Marriott’s submissions about the improvements made to Starwood’s systems post-acquisition, which are said to show that it engaged in appropriate due diligence.[77] However, it is notable that none of those steps identified the relevant, easily detectable, deficiencies in Marriott’s security, which could have been easily addressed but were exploited during the Attack. Marriott’s submissions in this regard focus on improvements it made to its own systems, and which the Starwood systems / data would benefit from when they were migrated to its network (paras 1.35(b)-(c) of Marriott’s First Representations). But this does not meet the concern that Marriott continued to use the Starwood system without remedying the clear deficiencies in its security arrangements. It is clear from Marriott’s Representations[78] that only limited changes were made to the Starwood system because it was expected to be decommissioned sometime in the future. It is apparent that these changes were not sufficient to address the failings described above which should have been addressed given the ongoing processing that was to take place prior to decommissioning.<br />
<br />
[76] See, in particular, para 1.35 and paras 1.39-1.70 of Marriott’s First Representations.<br />
<br />
(3) Pre-GDPR conduct and due diligence<br />
<br />
<br />
6.62. Marriott is wrong to argue that the NOI relied upon Marriott’s failure to appropriately secure its systems and the personal data stored on them, prior to the period covered by the GDPR. The fact that no such reliance was placed on the pre-GDPR conduct was made clear in the NOI itself.[79]<br />
<br />
<br />
6.63. Marriott’s argument in this regard relies on the claim that any duty to undertake a due diligence process is one which would have to be discharged prior to or shortly after acquisition. Marriott submitted that it is not tenable to proceed on the basis that acquisition due diligence is a “seemingly endless” process.[80]<br />
<br />
6.64. While the Commissioner accepts that the acquisition of a company / data processing operations are a trigger for a controller to carry out due diligence, either immediately prior to acquisition or shortly thereafter, this is not the only trigger point for such activity. The need for a controller to conduct due diligence in respect of its data operations is not time-limited or a ‘one-off’ requirement. In particular, the coming into effect of the GDPR was, for a global business like Marriott, a highly relevant factor.<br />
<br />
[77] Marriott’s First Representations, paras 1.15 and 1.30-1.35.<br />
[78] See paras 1.34 and 1.35(d) of Marriott’s First Representations and paras 3.35-3.36 of Marriott’s Second Representations. See also para 6.56 above.<br />
[79] Marriott’s First Representations, paras 2.4-2.10; see also Marriott’s First Representations, para 1.20.<br />
[80] Marriott’s First Representations, para 1.20(a) and (b).<br />
<br />
<br />
6.65. Controllers such as Marriott would have been aware for some time that the GDPR was going to come into effect on 25 May 2018. It was incumbent on such controllers to ensure that their data processing complied with the provisions of EU law from that date. However, after May 2018 Marriott continued to process personal data using a system that was deficient in a number of respects, and those deficiencies only came to light following the discovery of the Attack some months later.<br />
<br />
6.66. Given Marriott’s ongoing duty to ensure that the systems it had acquired from Starwood were GDPR compliant, it is no answer to claim that certain due diligence steps were, or only needed to be, taken in the period immediately after acquisition. Controllers cannot process personal data without appropriate security measures being in place on the basis that the system was deficient prior to May 2018 and has not been remedied. Even if adequate due diligence had been undertaken at the point of acquisition, that would not have removed Marriott’s obligation to ensure, on a continuing basis, that it complied with the GDPR, once that Regulation came into force.<br />
<br />
6.67. Marriott recognises this, but relies upon inter alia its PCI DSS assessment process as the means by which this continuing obligation was discharged.[81] However, PCI DSS assessments are limited in their ability to detect and mitigate vulnerabilities within a network, for the reasons given at paragraph 6.29 above. Rather, adequate and appropriate due diligence would have included reviewing the adequacy of the monitoring (including logging) systems within the network.<br />
<br />
6.68. Thus, for the avoidance of any doubt, this decision relates solely to Marriott’s failures after 25 May 2018. The Commissioner has not issued a decision under the Data Protection Act 1998 (“DPA 1998”), despite the historic, pre-2018 nature of the concerns in respect of the Starwood system.<br />
<br />
[81] Marriott’s Second Representations, page 47.<br />
<br />
(4) Article 25<br />
<br />
6.69. The Commissioner acknowledges that the NOI, at para 58, included an erroneous reference to Article 25 GDPR. This was a typographical error. The penalty figure set out in the NOI did not take into account any breach of Article 25.<br />
<br />
(5) Article 33<br />
<br />
<br />
6.70. At the NOI stage, a provisional finding of breach of Article 33 GDPR<br />
was proposed. However, this finding no longer forms part of the<br />
decision against Marriott.<br />
<br />
<br />
6.71. In reaching this decision, the Commissioner did consider Marriott’s claims that (i) the Commissioner failed to identify the date on which Marriott became aware of the breach;[82] and (ii) the Commissioner misapplied the GDPR rules on when a controller must be taken to be aware of a personal data breach.[83]<br />
<br />
<br />
6.72. However, it is not accepted that the NOI failed to identify the date on which Marriott became aware of the breach for the purposes of Article 33 GDPR. The Commissioner identified 8 September 2018 as the relevant date at para 52 of the NOI: “Marriott had been aware of unauthorised access to the Starwood systems since the Guardium alert on 8 September 2018... It would have been reasonable at that point for Marriott to conclude that personal data was likely to have been accessed by an unauthorised party.” The reference to the “dmp” files in para 53 of the NOI cannot reasonably be read as referring to the identification of the dmp files on 13 November 2018.[84] Rather, this was a reference to the fact that on 7 September 2018 the Attacker exported the “Guest_Master_Profile” table - a table that Marriott knew to contain personal data - into a “dmp” file. Marriott was alerted to the presence of the Attacker by Accenture on 8 September 2018, the day after this took place.<br />
<br />
6.73. Marriott was also incorrect to submit that the GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the Commissioner. Rather, a data controller must be able reasonably to conclude that it is likely a personal data breach has occurred to trigger the notification requirement under Article 33.<br />
<br />
[82] Marriott’s First Representations, -2, 3.2.1<br />
[83] Marriott’s First Representations, -2.11.2.4<br />
[84] Marriott’s First Representations, para 2.1.<br />
<br />
6.74. Nevertheless, the Commissioner took into account, in particular, Marriott’s explanation that a count can be performed on a database without any of the personal data held on that database being accessed, and that Marriott’s position is that it was unaware of the export of the “Guest_Master_Profile” table into a “dmp” file (which took place on 7 September 2018) until 13 November 2018.[85] The Commissioner has also taken into account Marriott’s submission that the “Guest_Master_Profile” contained non-personal data, and therefore it was only with decryption of that file on 19 November 2018 that it became aware of the personal data breach.<br />
<br />
6.75. Thus, in this particular case, and in the light of Marriott’s Representations, the Commissioner has decided not to make a finding that Marriott breached Article 33 GDPR.<br />
<br />
(6) Article 34<br />
<br />
6.76. The NOI contained a provisional finding of a breach of Article 34 GDPR. Marriott submitted detailed submissions in response to that proposal.[86]<br />
<br />
<br />
6.77. The Commissioner recognises that Marriott established a dedicated website regarding the breach, and issued a press release which was widely reported.[87] Marriott claims in its Representations that a dedicated website and press release would have been sufficient for it to have discharged its obligations under Article 34.[88] This is incorrect.<br />
<br />
6.78. Article 34(1) requires Marriott to “communicate the personal data breach to the data subject” (emphasis added). Where this would involve “disproportionate effort”, Marriott may issue a public communication or similar measure (Article 34(3)(c)). Sending an email to data subjects whose current email addresses are stored on Marriott’s systems is not, on any view, a disproportionate measure. It is a routine commercial activity. This is supported by the fact that Marriott did inform the data subjects, via email, very soon after it identified the breach. The Commissioner accepts that some data subjects will not have been contactable in that way; the most obvious example being individuals who had changed their contact details. In these cases, it may have involved a disproportionate effort to track those individuals down in order to communicate the breach and, for such individuals, Marriott will have discharged its duty by way of its press release and dedicated website. However, Marriott is not entitled to rely upon communications which are addressed to the world at large (such as its press release and website) as discharging its duties under Article 34(1) in relation to all data subjects.<br />
<br />
[85] Marriott’s First Representations, paras 2.4-2.10.<br />
[86] Marriott’s First Representations, paras 2.11-2.16.<br />
[87] Marriott’s First Representations, para 2.12.<br />
[88] Marriott’s First Representations, para 2.14.<br />
<br />
6.79. The Commissioner is accordingly entitled to consider Marriott's direct communications (including emails) with the affected data subjects as the means by which Marriott sought to satisfy its obligations under Article 34 GDPR.<br />
<br />
6.80. The email sent by Marriott referred to a “dedicated call centre”, this being a specific telephone line set up for affected data subjects to contact for further information, but it did not include the telephone number. The email, having communicated the “name” of the contact point, did not communicate the “contact details” of the point where more information could be obtained. While plainly not deliberate, these omissions to some extent undermined the effectiveness of the notification.<br />
<br />
6.81. The Commissioner has taken into account the fact that the email contained a link to the dedicated website, which in turn provided the telephone number for the dedicated call centre,[89] although the email itself did not. On this occasion, and in light of the information that Marriott did in fact provide to affected data subjects, this Penalty Notice does not include any finding that Marriott breached Article 34 GDPR.<br />
<br />
<br />
7. REASONS FOR IMPOSING A PENALTY &amp; CALCULATION OF THE APPROPRIATE AMOUNT<br />
<br />
<br />
7.1. For the reasons set out above, the Commissioner’s view is that Marriott has failed to comply with Articles 5(1)(f) and 32 GDPR. These failures fall within the scope of section 149(2) and 155(1)(a) DPA. For the reasons explained below, the Commissioner has decided that it is appropriate to impose a penalty in the light of the infringements she has identified.<br />
<br />
[89] Marriott’s First Representations, para 2.14(a).<br />
<br />
7.2. In deciding to impose a penalty, and calculating the appropriate amount, the Commissioner has had regard to the matters listed in Articles 83(1) and (2) GDPR and has applied the five-step approach set out in her RAP.<br />
<br />
<br />
The imposition of a penalty is appropriate in this case<br />
<br />
7.3. Both the RAP and Article 83 GDPR provide guidance as to the circumstances in which it is appropriate to impose an administrative fine or penalty for breaches of the obligations imposed by the GDPR.<br />
<br />
7.4. Article 83(2) GDPR lists a number of factors that must be taken into account. These are each discussed in detail below in determining the appropriate level of fine, in accordance with the steps outlined in the RAP. The points made below are also relied upon in justifying the Commissioner’s decision to impose a penalty, in the light of the findings of infringement set out above.<br />
<br />
<br />
7.5. The RAP provides guidance on when the Commissioner will deem a penalty to be appropriate.[90] In particular, the RAP explains that a penalty is more likely to be imposed where, inter alia, (a) a number of individuals have been affected; (b) there has been a degree of damage or harm (which may include distress and/or embarrassment); and (c) there has been a failure to apply reasonable measures (including relating to privacy by design) to mitigate any breach (or the possibility of it).<br />
<br />
<br />
7.6. As discussed in more detail below, each of those features is present in this case. Taking together the findings made above about the nature of the infringements, their likely impact, and the fact that Marriott failed to comply with its GDPR obligations, the Commissioner considers it appropriate to apply an effective, dissuasive and proportionate penalty, reflecting the seriousness of the breaches which have occurred.<br />
<br />
<br />
<br />
<br />
<br />
<br />
[90] Pages 24-25, see para 2.37 above.<br />
<br />
Calculation of the appropriate penalty<br />
<br />
Step 1: an ‘initial element’ removing any financial gain from the breach[91]<br />
<br />
<br />
7.7. Marriott did not gain any financial benefit, or avoid any losses, directly or indirectly as a result of the breach. The Commissioner has not, therefore, added an initial element at this stage.<br />
<br />
Step 2: Adding i an element to censure the breach based on its<br />
scale and severity, taking into account the considerations identified<br />
at sections 155(2)-(4) DPA<br />
<br />
<br />
7.8. Sections 155(2)-(4) DPA refer to and reproduce the matters listed<br />
i Articles 83(1) and 83(2).<br />
<br />
<br />
The nature, gravity and duration of the failure (Article<br />
83(2)(a))<br />
<br />
<br />
7.9. Nature and gravity of the failures: The nature of the failures i<br />
of significant concern. As set out above, there were multiple<br />
<br />
measures that Marriott could have put i place that would have<br />
allowed for the detection of or mitigated the Attack insofar as i<br />
continued after 25 May 2018.°2 What the Attack shows i that during<br />
<br />
the relevant period Marriott was processing data on a system that<br />
had multiple security failings that were exploited by the Attacker<br />
<br />
and could have been exploited by others.<br />
<br />
7.10. In Marriott’s submissions i has placed a great deal of emphasis on<br />
<br />
other security measures i had i place, criticising the NOI/draft<br />
decision for failing to look at the matter holistically.?? This criticism<br />
i misplaced. The Commissioner has carried out a holistic analysis<br />
<br />
of the relevant systems and security processes operated by Marriott.<br />
What that analysis showed was that the measures identified i<br />
<br />
section 6 above were appropriate to secure the CDE. Marriott’s<br />
implementation (or perceived implementation) of other security<br />
<br />
measures was not sufficient. I was appropriate for there to be<br />
<br />
<br />
<br />
° Removing any financial gain the data controllerhave obtainedfrom the infringementi<br />
consistent with ensuring that the penalty i effective, proportionate and dissuasive (Article 83(1)),<br />
and has regard to Article 83(2)(whichrefers to “financial benefits gaor losses avoided,<br />
directly or indirectly, from the infringement. ”<br />
° Marriott’s First Representations at para 3.2(a) have been considered and in section 6<br />
above.<br />
° Marriott’s Second Representations, para 2.2(c).<br />
52 multiple layers of security i this case (for the reasons given at<br />
<br />
paragraph 6.17 above).<br />
<br />
7.11. An extremely large number of individuals were affected by the breach, specifically, 339 million guest records, of which, for the purposes of this penalty, 30.1 million⁹⁴ were guest records associated with EEA member states. Marriott has explained that the total number of affected guests is difficult to estimate from this figure as it may hold multiple records for an individual guest.⁹⁵ Even taking into account that the true number of affected individuals may be 40% lower than initially estimated by Marriott,⁹⁶ this is still a significant number of individuals.<br />
<br />
7.12. The mitigating steps taken by Marriott will have gone some way to reassuring Marriott’s customers and therefore may have reduced or mitigated the distress that may otherwise have been caused by the data breach. The assurances given and the mitigating steps taken by Marriott are taken into account below. It is nevertheless likely that some of the affected individuals will, depending on their circumstances, still have suffered anxiety and distress as a result of the disclosure of their personal information (including payment card information⁹⁷) to an unknown individual or individuals. The Commissioner has considered in this regard the submissions made by Marriott in its Representations.⁹⁸ She notes the following points:<br />
<br />
a. The Commissioner has not seen any evidence of financial damage and is not required to investigate the existence or otherwise of financial damage.⁹⁹ In calculating the appropriate level of penalty, the potential existence of such damage has not been assumed or taken into account.<br />
<br />
b. It is possible that some individuals may have cancelled their payment cards. Contrary to Marriott’s submissions,¹⁰⁰ the Commissioner is not required to investigate or identify evidence of individuals actually cancelling their cards. In circumstances where a large number of individuals have been informed that their data, including some credit card data, have been compromised, the Commissioner considers it likely that some individuals will have taken this step.<br />
<br />
94 Marriott’s First Representations, page 65.<br />
95 See Marriott’s Second Representations, paras 2.4-2.6.<br />
96 Ibid.<br />
97 Notwithstanding the fact that there was no actual financial harm to individuals, see Marriott’s Second Representations para 2.7(a)(i).<br />
98 Marriott’s First Representations para 3.1(d) and Marriott’s Second Representations paras 2.7-2.8.<br />
99 A point emphasised in Marriott’s First Representations para 3.2(d)(ii)(A); and Marriott’s Second Representations, para 2.7(a)(i).<br />
100 Marriott’s Second Representations, para 2.7(a)(iii).<br />
<br />
<br />
c. The possibility that some individuals may have been prompted to cancel their payment cards is just one element of the overall assessment of whether the breaches of the GDPR were likely to cause distress. The act of cancelling a card may in and of itself only cause inconvenience. It is the reason why such action was necessary, the disclosure of personal information, that can cause distress amongst some.<br />
<br />
d. The fact that the Marriott call centre received 57,000 calls between 30 November 2018 and 31 May 2019 (7,500 of these being calls to EU-based call centres) is indicative of the potential level of concern amongst affected data subjects on learning of the breach and subsequently.¹⁰¹<br />
<br />
e. Further, even if individuals opted not to cancel their credit cards, the Commissioner considers it likely that some individuals will have experienced distress at having their personal data exposed in a large-scale data breach. Marriott’s suggestion that distress will only arise in cases where they are advised by their banks to cancel their payment cards¹⁰² ignores the fact that personal data (not just financial data) is of significance to individuals, a significance which is reflected in the legal protections afforded to that data under the GDPR.<br />
<br />
7.13. Duration: Although the Attack itself spanned a four-year period, the infringements that the Commissioner relies on in this Notice occurred between 25 May 2018 (the date when the GDPR came into force) and 17 September 2018. The Commissioner considers this to be a significant period of time over which unauthorised access to personal data went undetected and/or unremedied.¹⁰³<br />
<br />
101 See further Step 5 below.<br />
102 See Marriott’s Second Representations, para 2.7(a)(iii), which is then contradicted by the statement in para 2.7(a)(iv), which suggests that card cancellation is merely an “inconvenience” and not, as suggested in sub-para (iii), a necessary component of a finding of distress.<br />
103 Marriott’s First Representations at para 3.2(b) and Marriott’s Second Representations at para 2.3.<br />
The intentional or negligent character of the infringement (Article 83(2)(b))<br />
<br />
7.14. The Commissioner has had regard to the guidelines provided by the Article 29 Working Party in relation to assessing the character of the infringement in issue. It explains that:<br />
<br />
In general, “intent” includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas “unintentional” means that there was no intention to cause the infringement although the controller/processor breached the duty of care which is required in the law.<br />
<br />
It is generally admitted that intentional breaches, demonstrating contempt for the provisions of the law, are more severe than unintentional ones and therefore may be more likely to warrant the application of an administrative fine. The relevant conclusions about wilfulness or negligence will be drawn on the basis of identifying objective elements of conduct gathered from the facts of the case...¹⁰⁴<br />
<br />
7.15. The Commissioner recognises that the infringement was not an intentional or deliberate act on the part of Marriott. This has been taken into account in assessing whether a fine is appropriate in this case.<br />
<br />
7.16. The Commissioner does, however, consider that Marriott was negligent (within the meaning of Article 83(2)(b) GDPR) in maintaining systems that suffered from the vulnerabilities and shortcomings identified in Section 6 above.¹⁰⁵<br />
<br />
7.17. In making this determination, the Commissioner places some weight on the relevant context: a company of the size and profile of Marriott is expected to be aware that it is likely to be targeted by attackers, sophisticated or otherwise. Marriott must be aware that the nature of its business involves processing large volumes of personal data, including sensitive personal data. The risk of any compromise of that information may have significant consequences for Marriott’s customers and its own business.<br />
<br />
104 Pp. 11-12.<br />
105 Marriott’s general claim at para 2.9(b) of its Second Representations refers to its specific explanations in section 3 of those representations, which have been considered in section 6 above.<br />
7.18. In view of these factors, the Commissioner: (a) would expect Marriott to have taken appropriate steps or a combination of appropriate steps to secure the personal data of its customers; and (b) considers that Marriott failed to comply with the standards imposed by the GDPR in failing to do so. Beyond this, the Commissioner has not treated the nature of Marriott’s conduct under Article 83(2)(b) as an aggravating factor in assessing whether to impose a penalty, or how much that penalty should be. However, she is obliged to take into account the character of the infringement under Article 83(2)(b). Thus, she does not consider that she has erred in “applying this factor”, as Marriott submitted in its First Representations.¹⁰⁶<br />
<br />
7.19. Marriott relied upon the Article 29 WP Guidelines to argue that the draft decision failed to treat the fact that the breaches were not deliberate as a positive factor in its favour in assessing whether to impose a fine.¹⁰⁷ These Guidelines state that intentional breaches are more likely to warrant the application of a fine. Marriott submitted that if this is the case, the absence of intention must weigh in the controller’s favour.<br />
<br />
7.20. It is unclear what additional weight Marriott considers the absence of intention should attract in this case. The mere recognition in the Article 29 WP Guidelines of the obvious point that a deliberate breach is more likely to result in certain consequences does not alter the fact that a penalty may be imposed for a breach of a different nature (and nor would it be consistent with Article 83 GDPR if fines only applied to deliberate conduct). The Commissioner has taken into account the fact that the breaches were not deliberate as part of her overall assessment (as Marriott recognises¹⁰⁸). However, in circumstances where, as here, the breaches were negligent within the meaning of Article 83(2)(b), that fact must also be taken into account when assessing whether to impose a fine and, if so, at what level.<br />
<br />
7.21. Marriott also criticised the Commissioner’s analysis as being duplicative because she had regard to, inter alia, the scale of Marriott’s processing operations in assessing whether its actions were negligent under Article 83(2)(b), as well as in assessing whether it complied with Articles 5 and 32 GDPR.¹⁰⁹ While it is true that the Commissioner considered some of these factors when concluding whether there was a breach of Articles 5 and 32, these factors are relevant in both contexts. The issue of whether a breach has arisen, and the nature of Marriott’s responsibility for it, are clearly related issues.<br />
<br />
106 Marriott’s Representations, para 3.3.<br />
107 Marriott’s Second Representations, para 2.9(a).<br />
108 Ibid.<br />
<br />
<br />
Any action taken by the controller or processor to mitigate the damage suffered by data subjects (Article 83(2)(c))<br />
<br />
7.22. The Commissioner has carefully considered Marriott’s submissions to the effect that it could not discern from the draft decision how the mitigation action it took in response to the Attack has been taken into account because it was dealt with at this Step, rather than at Step 5.¹¹⁰<br />
<br />
7.23. The Commissioner remains of the view that it makes no difference to the ultimate decision on what, if any, penalty to impose whether the action taken by the controller to mitigate the damage is taken into account here, or under Step 5 in this Penalty Notice. However, she has decided to consider this issue separately under Step 5 in this Penalty Notice.<br />
<br />
The degree of responsibility of the controller or processor (Article 83(2)(d))<br />
<br />
7.24. As a controller, Marriott is responsible under the GDPR for the security of its systems and the protection of personal data stored within those systems. It is required by the GDPR to implement security measures to reduce the vulnerability of those systems, and the vulnerability of the personal data processed within those systems, to attack. While the entry of the Attacker into Starwood’s systems pre-dates Marriott’s acquisition of that company, Marriott had an ongoing duty to ensure the safety and security of the systems it was using to process personal data.<br />
<br />
7.25. As is clear from Section 6 above, there were multiple deficiencies in the security measures in place in respect of the Starwood system, which Marriott continued to operate to process personal data after the GDPR came into force. As a result, the Attacker was able to remain present and undetected in the system after 25 May 2018 until the triggering of the Guardium alert in September 2018.<br />
<br />
109 Marriott’s Second Representations, para 2.9(c).<br />
110 Marriott’s Second Representations, paras 1.9-1.10, and 1.34.<br />
<br />
<br />
7.26. The Commissioner therefore considers that, for the duration of the infringement on which this penalty is based, Marriott is wholly responsible for the breaches of Articles 5(1)(f) and 32 GDPR described above.<br />
<br />
7.27. In its Representations, Marriott highlighted the fact that the NOI did not mention that Accenture provided it with third-party IT services.¹¹¹ In response to the draft decision, Marriott explained that in its view, the fact that it engaged Accenture to assist in the security management of the Starwood network should be taken into account in assessing Marriott’s responsibility for the Attack.<br />
<br />
7.28. It is acknowledged that Accenture is an experienced provider of security services and that it provided services in relation to Marriott’s security environment. However, the fact that it was charged with implementing, maintaining or managing certain elements of the system does not reduce Marriott’s responsibility for the breaches of the GDPR that have been identified. In circumstances where Marriott accepts that it is the relevant data controller, and significant failures in its security measures have been identified, the engagement of third parties cannot reduce its degree of responsibility.<br />
<br />
7.29. For the avoidance of doubt, however, in taking a holistic view of the security measures put in place, account has been taken of, for example, the fact that Guardium was in place and certain alerts were applied under that system (which Accenture monitored).<br />
<br />
7.30. Finally, Marriott is correct to state in its Representations that the Article 29 WP Guidelines provide that “industry standards... are important to take into account” when assessing compliance with the GDPR. The Commissioner has taken into account Marriott’s detailed submissions on its compliance with PCI DSS standards, in particular in respect to the concerns which arose in respect of the application of MFA across the Starwood network.¹¹² However, Marriott’s obligations under Article 5(1)(f) and Article 32 GDPR go beyond the requirements of the PCI DSS and extend to all personal data, not just cardholder information with which those standards are concerned. The fact that Marriott may have complied with certain industry guidance focusing on specific types of personal data does not obviate or reduce its responsibility for the security of all of the personal data it holds.<br />
<br />
111 Marriott’s First Representations para 3.5, and Marriott’s Second Representations paras 2.10-2.11.<br />
<br />
<br />
Relevant previous infringements (Article 83(2)(e))<br />
<br />
7.31. Marriott has no relevant previous infringements or failures to comply with past notices.<br />
<br />
7.32. Marriott claims that this fact should weigh positively in its favour, rather than neutrally.¹¹³ The fact that Marriott has no relevant previous infringements is a matter that has been taken into account in the Commissioner’s decision whether to impose a penalty, and in her decision as to the appropriate level of that penalty.<br />
<br />
Degree of cooperation with supervisory authority (Article 83(2)(f))<br />
<br />
7.33. Marriott has cooperated fully with her investigation and this has been taken into account.<br />
<br />
Categories of personal data affected (Article 83(2)(g))<br />
<br />
7.34. The Commissioner has identified the relevant categories of personal data in Section 4 above. As noted there, the data included in some (but not all) cases unencrypted passport details, details of travel, and various other categories of personal information including name, gender, date of birth, VIP status, address, phone number, email address, and credit card data.<br />
<br />
Manner in which the infringement became known to the Commissioner (Article 83(2)(h))<br />
<br />
7.35. Marriott notified the Commissioner of the Attack on 22 November 2018 and is considered to have complied with its obligations in this respect.<br />
<br />
112 See Marriott’s First Representations, para 3.6 and Marriott’s Second Representations para 2.12 and Section 3.<br />
113 Marriott’s First Representations, para 3.7.<br />
<br />
Conclusion at step 2<br />
<br />
7.36. Taking into account: (a) the matters set out in Sections 2-4 and 6 above; (b) the matters referred to in this section; and (c) the need to apply an effective, proportionate and dissuasive fine in the context of a controller of Marriott’s scale and turnover, the Commissioner considers that a penalty of £28 million would be appropriate, before adjustment in accordance with Steps 3-5 below and the application of the Commissioner’s Covid-19 policy. This amount is considered appropriate to reflect the seriousness of the breach and takes into account in particular the need for the penalty to be effective, proportionate and dissuasive.<br />
<br />
Step 3: Adding in an element to reflect any aggravating factors (Article 83(2)(k))<br />
<br />
7.37. The amount of the penalty, as identified at Step 2, may be increased where there are ‘other’ aggravating factors.¹¹⁴ In this case, the Commissioner does not consider there to be any other relevant aggravating factors. Thus, no adjustment is made to the penalty level determined at Step 2.<br />
<br />
Step 4: Adding in an amount for a deterrent effect on others<br />
<br />
7.38. The Commissioner is under an obligation to impose a penalty which is “dissuasive”. The need for the penalty to be dissuasive in relation to Marriott itself is addressed by the analysis at Step 2. Having regard to the amount of the penalty identified under Step 2, the Commissioner does not consider it necessary to increase the penalty further under Step 4 to dissuade others.¹¹⁵<br />
<br />
7.39. The Commissioner is not aware of widespread issues of poor practice that may be particularly deterred by the imposition of a higher penalty. Given Marriott’s size and the scale of its operations, and the fact that the Commissioner has decided to impose a penalty that already takes those factors into account as part of the need to ensure that any penalty is proportionate, effective and dissuasive and to reflect the seriousness of the breach, the Commissioner considers that no adjustment is necessary under Step 4.<br />
<br />
114 In accordance with Article 83(2)(k) GDPR, section 155(3)(k) DPA, and page 11 of the RAP.<br />
115 This makes redundant the points about this Step made by Marriott in its Representations.<br />
<br />
Step 5: Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship) (Article 83(2)(k))<br />
<br />
7.40. As explained above, in principle, other relevant mitigating factors could be taken into account under Step 2 or Step 5 of the RAP. Previously the Commissioner considered such matters in the round under Step 2 of the RAP, taking into account the factors in Article 83 GDPR and section 155(3) DPA 2018. However, in the light of Marriott’s representations for the purposes of this Penalty Notice the Commissioner has considered the relevant mitigating factors under Step 5.<br />
<br />
7.41. Following the guidance set out at page 11 of the RAP, and having considered Marriott’s Representations, the Commissioner has taken into account the following mitigating factors:<br />
<br />
a. Marriott had, prior to becoming aware of the Attack, confirmed in 2018 a new $19 million security investment for 2019, which raised Marriott’s budgeted spend for that year on security to $49.5 million. Subsequent investment decisions in 2019 have raised Marriott’s forecasted IT security budget spend for 2020 to $108.5 million;<br />
<br />
b. Marriott took immediate steps to mitigate the effects of the Attack and protect the interests of data subjects by implementing remedial measures;<br />
<br />
c. Marriott cooperated fully with the Commissioner’s investigation, including responding promptly to requests for information;<br />
<br />
d. Widespread reporting in the media of the Attack is likely to have increased the awareness of other data controllers of the risks posed by cyber-attacks and of the need to ensure that they take all appropriate measures to secure personal data; and<br />
<br />
e. The Attack and subsequent regulatory action has adversely affected Marriott’s brand and reputation, which will have had some dissuasive effect on Marriott and other data controllers.<br />
<br />
7.42. More specifically, the Commissioner has taken into account the fact that, upon being alerted to the Attack, Marriott acted promptly to mitigate the risk of damage suffered by data subjects, by way of the following technical remedial measures:<br />
<br />
a. The deployment of real-time monitoring and forensic tools on 70,000 devices on the Starwood network;<br />
<br />
b. Implementing password resets;<br />
<br />
c. Disabling known compromised accounts; and<br />
<br />
d. Implementing enhanced detection tools.<br />
<br />
7.43. These measures should allow Marriott to prevent similar breaches in the future, including by identifying any additional attackers or malicious software being utilised on its servers.<br />
<br />
7.44. The Commissioner has also taken into account the fact that Marriott also took steps to: (a) establish a notification and communication regime; (b) create a bespoke incident website in numerous languages; (c) send 9.2 million notification emails to data subjects whose country of residence was recorded in the Starwood Guest Reservation Database as being in the EU; (d) establish a dedicated call centre; (e) provide web monitoring to affected data subjects; (f) enhance its data subject rights programme; (g) engage with card networks; and (h) improve its technical and organisational measures generally.¹¹⁶ It is also noted that Marriott informed a number of other regulatory and law enforcement agencies.<br />
<br />
7.45. It is acknowledged that the steps outlined above will have gone some way to reassuring Marriott’s customers, and therefore may have reduced or mitigated any distress caused by the breach. However, the fact that the Marriott call centre received 57,000 calls between 30 November 2018 and 31 May 2019 (7,500 of these being calls to EU-based call centres)¹¹⁷ is indicative of the level of concern amongst affected data subjects on learning of the breach and subsequently.¹¹⁸<br />
<br />
116 Marriott’s First Representations, para 3.4.<br />
117 Marriott’s Second Representations, para 2.7(b)(ii).<br />
118 Contrary to para 2.7(a)(b)(i) of Marriott’s Representations, it is not being suggested that all of those who called Marriott’s call centre were suffering from distress, but it is likely that, as stated here, the majority of callers were at least sufficiently concerned to make the call, which is inconsistent with Marriott’s position that no or only trivial harm at all would have arisen.<br />
<br />
7.46. Contrary to Marriott’s submissions,¹¹⁹ the fact that very few of these calls were escalated internally or resulted in a complaint is irrelevant. The information provided by Marriott suggests that call handlers had FAQs available to advise customers on how to respond to the breach etc., which was presumably intended to address most situations arising.¹²⁰ Thus, the fact that only a certain number of individuals had their calls escalated / resulted in a complaint does not provide any real indication of the extent to which individuals were distressed or harmed by the loss of their data.<br />
<br />
7.47. Marriott also relied in this regard on a claim that the Commissioner’s findings of distress and harm were materially undermined because the centre only received 57,000 calls when millions of individuals were affected by the breaches.¹²¹ However, in circumstances where: (a) Marriott had established a dedicated website to address concerns; and (b) individuals may have sought advice from third parties and/or acted on their own knowledge and experience, the comparison between these figures does not undermine the Commissioner’s findings. The number of calls is sufficiently large to suggest that there were data subjects who were concerned.<br />
<br />
7.48. Thus, while the Commissioner has taken into account, as outlined below, the steps taken by Marriott to mitigate the impact of its breaches of the GDPR, she remains of the view that those actions would not have immediately neutralised all the concerns on the part of data subjects about their data being in the hands of criminals / outside of Marriott’s control.<br />
<br />
7.49. Having regard to the mitigating factors set out above, it is appropriate to reduce the £28 million penalty by 20%, i.e. to £22.4 million.<br />
<br />
7.50. As a result of the Covid-19 pandemic, Marriott has also argued that any penalty should be reduced because of the financial hardship it would cause.<br />
<br />
7.51. The Commissioner has considered Marriott’s representations, and the evidence it has provided. Although the Covid-19 pandemic has had a significant impact on Marriott’s revenues, Marriott’s overall financial position is such that the Commissioner does not consider that the imposition of a penalty in the range being proposed will cause financial hardship, or that Marriott will be unable to pay such a penalty.<br />
<br />
119 Marriott’s Second Representations, para 2.7(b)(iii).<br />
120 Marriott’s Second Representations, para 2.7(b)(iii).<br />
121 Marriott’s Second Representations, para 2.7(b)(iv).<br />
<br />
7.52. However, the Commissioner has published guidance entitled “The<br />
<br />
ICO’s regulatory approach during the Coronavirus public health<br />
emergency”.'?2 That guidance indicates that “As set out in the<br />
Regulatory Action Policy, before issuing fines we take into account<br />
<br />
the economic impact and affordability. In current circumstances,<br />
this is likely to mean the level of fines reduces.” While the proposed<br />
<br />
penalty will not cause financial hardship for Marriott, the<br />
Commissioner considers i appropriate to reduce the penalty that<br />
<br />
would otherwise have been imposed, i light of the current public<br />
health emergency and associated economic consequences. This i<br />
addressed below, separately from Step 5.<br />
<br />
<br />
7.53. The Commissioner has carefully considered Marriott’s submissions<br />
that there are other additional mitigating factors that should be<br />
<br />
taken into account i this case.!23 However, none of the points raised<br />
justify a further reduction of the appropriate penalty beyond the<br />
discount set out above. In particular:<br />
<br />
<br />
The Commissioner does not consider i appropriate to further<br />
reduce the penalty by reference to costs to Marriott of taking<br />
<br />
measures to rectify or mitigate the impact of its infringement,<br />
including the cost establishing a bespoke website, call centre,<br />
<br />
web monitoring, the enhancement of Marriott’s data subject<br />
rights programme, and any other customer-facing remediation<br />
activities. The fact that Marriott was required to expend a large<br />
<br />
amount - on Marriott’s assessment i excess of $50 million+<br />
- i customer-facing remediation activities i not directly<br />
<br />
relevant to the amount of any penalty. The fact that mitigating<br />
measures were taken, i accordance with Marriott’s obligations<br />
as a controller, has already been taken into account.<br />
<br />
<br />
<br />
<br />
<br />
<br />
122 Version 2.1, 13 July 2020.<br />
123 Marriott’s First Representations, para 3.13(c).<br />
124 Marriott’s First Representations, paras 3.4(a) and 3.13(c)(vi).<br />
Marriott’s preparations for the introduction of GDPR are noted.125 However, these do not address the Commissioner’s conclusions on Marriott’s failure to implement appropriate security measures in relation to the systems it acquired from Starwood.<br />
<br />
The Commissioner has recognised that the Attack involved persistent criminal activity.126 But this does not alter the fact that the security of Marriott’s network was inadequate in a number of respects, and that those failings could and should have been addressed on a prospective basis through the implementation of appropriate measures. It is Marriott’s breaches of Articles 5(1)(f) and 32 GDPR for which it is being penalised, not the actions of third parties.<br />
<br />
The security measures that were deployed on the Starwood security environment and on the Starwood Guest Reservation Database are noted.127 However, the existence of these measures does not detract from the Commissioner’s conclusions on Marriott’s failure to implement appropriate security measures (see section 6). That Marriott took some steps to secure the Starwood system is not considered to be a mitigating factor in the circumstances of an infringement of this scale and severity.<br />
<br />
7.54. Accordingly, having carefully considered the mitigating factors raised by Marriott, which are relevant to the assessment of the appropriate level of any penalty, the overall penalty payable by Marriott after Step 5 is £22.4 million.<br />
<br />
Application of Covid-19 Policy<br />
<br />
7.55. As described above, having regard to the impact of the Covid-19 pandemic (on Marriott and more generally), and consistently with the Commissioner’s published guidance, a further reduction is appropriate and proportionate. The final penalty payable will therefore be reduced to £18.4 million.<br />
<br />
125 As relied upon at paras 3.13(c)(iii) of Marriott’s First Representations.<br />
126 Marriott’s First Representations, para 3.13(c)(iv).<br />
127 Marriott’s First Representations, para 3.13(c)(i)-(ii).<br />
Application of the fining tier(s) (Articles 83(4) and (5) GDPR)<br />
<br />
7.56. The infringement of Article 5(1)(f) GDPR falls within Article 83(5)(a) GDPR, whereas Article 32 falls within Article 83(4)(a). The appropriate tier is therefore that imposed by Article 83(5)(a) as this is the gravest breach in issue in this case.<br />
<br />
7.57. In any event, for the year ended 31 December 2017 Marriott has confirmed that its relevant worldwide annual turnover is $4.997 billion. The penalty the Commissioner has decided to impose on Marriott is the sum of £18.4 million. This is considerably less than 4%, indeed considerably less than 1%, of Marriott’s total worldwide annual turnover, and accordingly well within the cap imposed by Article 83(5) GDPR.<br />
<br />
Marriott’s other representations on the decision to impose a penalty and the appropriate Penalty amount<br />
<br />
7.58. Marriott’s Representations contained detailed submissions in response to: (a) the Commissioner’s decision to impose a penalty at all; and (b) the proposed penalty amount, as indicated in the Notice of Intent. The Commissioner has carefully considered those submissions and, to the extent they have not been addressed above, responds to them below.<br />
<br />
7.59. In summary, Marriott submitted as follows:<br />
<br />
a. First, the Commissioner misapplied Article 83(2) in deciding to impose a fine and in determining the appropriate level of penalty. A proper application of that Article should result in no fine being imposed at all or, in the alternative, it should result in the imposition of only a low level of penalty;128<br />
<br />
b. Second, the Commissioner unlawfully applied an unpublished internal document, entitled “Draft Internal Procedure for Setting and Issuing Monetary Penalties”, in setting the proposed penalty on Marriott which was included in the NOI.129 However, setting a proposed penalty amount without the Draft Internal Procedure (or similar), as the Commissioner did in the draft decision, also offends the principle of legal certainty.130<br />
<br />
c. Third, the Commissioner erred by relying on turnover as the sole metric in determining the level of fine proposed in the NOI, and in continuing to treat turnover as the most important factor in its quantification analysis in the draft decision;131<br />
<br />
d. Fourth, the Commissioner has applied the wrong fining Tier under Article 83 GDPR in calculating the proposed fine;132<br />
<br />
e. Fifth, the Commissioner erred in the NOI by applying an uplift to ensure an appropriate deterrent effect;133<br />
<br />
f. Sixth, the Commissioner breached Marriott’s legitimate expectation that she would operate her fining powers under the GDPR in accordance with past precedents, i.e. decisions made under the DPA 1998 and/or only applying incremental increases to the fines that would have been imposed under the 1998 Act (which was subject to a £500,000 maximum fine limit).134 This same failure, which Marriott described as a failure to comply with the “Precedents-Based Approach”, is also said to amount to a breach of the principle of legal certainty.135 In its Second Representations, in particular, Marriott contends that in the absence of any new guidance providing a clear and specific quantification methodology determining how fines are to be calculated, any decision to issue a fine would breach that principle.136 In this regard Marriott also relies on a comparison with a case decided by the Financial Conduct Authority (the “FCA”) in respect of Tesco Bank.137 It also relies on an alleged inconsistency between the penalty proposed in this case and those imposed through other decisions issued by the Commissioner and by other European supervisory authorities.138<br />
<br />
128 Marriott’s First Representations, Executive Summary, para 8 and Section 3; and Marriott’s Second Representations, Section 2.<br />
129 Marriott’s First Representations, Executive Summary, para 9(a) and paras 4.2-4.12, 4.14(e), 4.19.<br />
130 Marriott’s Second Representations, Executive Summary, para 1 and paras 1.1-1.5.<br />
131 Marriott’s First Representations, Executive Summary, para 9(b), and paras 4.14-4.15; and Marriott’s Second Representations, paras 1.35-1.38.<br />
132 Marriott’s First Representations, Executive Summary, para 9(b), and paras 4.16-4.17.<br />
133 Marriott’s First Representations, paras 4.24-4.30.<br />
134 Marriott’s First Representations, Executive Summary, para 9(c), and paras 4.36-4.41; Marriott’s<br />
135 Marriott’s First Representations, Executive Summary, para 9(c), and paras 4.50-4.73; and Marriott’s Second Representations, Executive Summary, para 1, and para 1.1.<br />
136 Marriott’s Second Representations, Executive Summary, para 1 and paras 1.6-1.11.<br />
137 Marriott’s First Representations, paras 4.3; and Marriott’s Second Representations, paras 1.26-1.27.<br />
<br />
g. Seventh, the Commissioner has acted contrary to the RAP because she has failed to calculate the penalty proposed in the NOI and the draft decision in accordance with its terms;139 and<br />
<br />
h. Eighth, the Commissioner proposed a penalty in the NOI which is disproportionate on its face, and the revised penalty set out in the draft decision remains disproportionate.140<br />
<br />
(1) Application of Article 83(2)<br />
<br />
7.60. The Commissioner has described at paragraphs 7.3-7.53 how the factors listed in Article 83(2) apply to the facts of this case. In its Representations, Marriott criticised the Commissioner’s findings in this regard. Where necessary those criticisms have been addressed at each step of the analysis set out above and/or in Section 6 above.<br />
<br />
(2) Draft Internal Procedure<br />
<br />
7.61. Prior to issuing the NOI in this case, the Commissioner had developed a Draft Internal Procedure for calculating proposed fines, as a supplement to the RAP. Its purpose was to provide an indicative guide, by reference to the turnover of the controller, as to the appropriate penalty. As the GDPR is a new regime, this additional tool was intended to assist the decision-makers in applying Article 83 GDPR and the RAP to the facts of a particular case.<br />
<br />
7.62. Marriott made detailed submissions on this issue.141 The Commissioner has considered those submissions in deciding how to approach the calculation of the penalty to be imposed in the draft decision, and ultimately in this Notice.<br />
<br />
7.63. The Commissioner remains of the view that the controller’s turnover is a relevant consideration in determining the appropriate level of penalty (see below), but she has decided that the Draft Internal Procedure should not be used. Therefore, in deciding the appropriate penalty in this case the Commissioner has not relied on the Draft Internal Procedure (she did not rely upon it for the purposes of her draft decision, and the same approach was adopted in preparing this Penalty Notice). She has instead relied only on Article 83 GDPR, section 155 DPA and the RAP. The approach taken to the calculation of the penalty for the purposes of this Notice is set out above.<br />
<br />
138 Marriott’s Second Representations, Executive Summary, paras 1.12-1.19.<br />
139 Marriott’s First Representations, paras 4.42-4.49; and Marriott’s Second Representations, Executive Summary, para 2, and paras 1.32-1.34.<br />
140 Marriott’s First Representations, Executive Summary, para 9(d), and paras 4.74-4.77; and Executive Summary, para 1, and paras 1.39-1.41 of Marriott’s Second Representations.<br />
141 See paras 4.2-4.12 of Marriott’s First Representations and paras 1.2-1.5 of Marriott’s Second Representations in particular.<br />
<br />
7.64. Marriott is wrong to assert that, but for its pressing for disclosure in correspondence, the Commissioner would not have disclosed the draft guidance document.142 The policy was provided on 2 August 2019 in response to a request made in a letter from Marriott dated 24 July 2019. The NOI set out how the penalty was arrived at. The Commissioner also provided further information about how the penalty was calculated in her letter of 17 July 2019. The Commissioner is obliged to consult the controller on the NOI and she did so. Marriott took the opportunity to make detailed submissions, and the Commissioner has carefully considered all those submissions, and acted upon them to address the concerns raised.<br />
<br />
7.65. Marriott’s First Representations also criticised the use of a percentage range as part of its process for calculating the proposed penalty (applying the Draft Internal Procedure) and/or the way in which the Commissioner applied the turnover bands at the NOI.143 As this approach has not been adopted in this Notice, nor has the Draft Internal Procedure been applied, the Commissioner does not respond to the individual points made by Marriott on the application of the Draft Internal Procedure further here.<br />
<br />
7.66. In its Second Representations, Marriott states that whilst it welcomes the fact that the Draft Internal Procedure is no longer relied upon by the Commissioner, (a) the Commissioner cannot rely upon the £99.2m figure proposed in the NOI as a reference point when assessing the legality or proportionality of the present proposed penalty figure;144 (b) the RAP cannot constitute an adequate basis for the calculation of a penalty in circumstances where the Commissioner had previously devised the Draft Internal Procedure;145 and (c) in the absence of the Draft Internal Procedure, there is a lack of clarity governing penalty calculation which undermines legal certainty.146 These points are not accepted for the following reasons.<br />
<br />
142 Marriott’s Representations, paras 4.2 and 4.8.<br />
143 Marriott’s Representations, paras 4.19-4.23.<br />
144 Marriott’s Second Representations, para 1.3.<br />
145 Marriott’s Second Representations, para 1.4.<br />
146 Marriott’s Second Representations, para 1.5.<br />
<br />
7.67. First, the Commissioner does not seek to use the figure of £99.2m, as proposed in the NOI, as a “reference point” for the penalty set in the draft decision, or the present penalty. Rather, the Commissioner carried out a fresh calculation exercise having regard to the factors listed under Article 83 of the GDPR and the RAP. See further para 7.128 below.<br />
<br />
7.68. Second, the Draft Internal Procedure was not developed to ‘cure’ any gap in legal certainty left by the RAP. It was intended to be a helpful supplement to the RAP for internal decision-making purposes. In deciding what level of penalty may (at the consultation stage) or is appropriate in this case, the Commissioner has always applied the approach set out in the RAP, and considered the factors under Article 83 GDPR. The fact that a document was created to provide supplemental detail to the RAP does not render the RAP so deficient as to prevent a penalty being calculated in this case. Marriott’s submissions on legal certainty are addressed in more detail below.<br />
<br />
(3) The Commissioner’s reliance on Marriott’s turnover<br />
<br />
7.69. Marriott advanced a number of criticisms of the Commissioner’s reliance on turnover in calculating her proposed penalty in its First and Second Representations (see, for example, para 4.14 of its First Representations).<br />
<br />
7.70. First, Marriott submitted that the only metric the Commissioner used to calculate the penalty proposed in the NOI was turnover. This is incorrect. As is clear from the NOI itself, while turnover was used as a starting point in seeking to assess the appropriate penalty, a range of other relevant factors were considered in accordance with the RAP and the GDPR. In any event, the turnover-bandings set out in the Draft Internal Procedure have not been used in preparing this Notice.<br />
<br />
7.71. Second, Marriott submitted that turnover cannot be regarded as a core metric in a case such as this where the wrongdoer has not profited from the breach. Marriott claimed that there is no logical relationship between the breach and the controller’s turnover. The Commissioner’s approach, Marriott said, simply punishes a controller for being a large undertaking. Marriott compares the penalty proposed in this case to the Commissioner’s decision regarding Doorstep Dispensaree Ltd, dated 20 December 2019, suggesting that this shows that the Commissioner is treating turnover, unjustifiably, as the most important factor.147<br />
<br />
7.72. The Commissioner does not accept these arguments. She considers turnover to be a relevant consideration in determining the appropriate level of penalty in this case (as well as in other cases not involving a controller profiting from a breach), for the following reasons:<br />
<br />
a. A turnover-based approach is consistent with the approach taken to penalties in the GDPR. The Data Protection Directive did not prescribe the level of fines that Member State authorities should impose for data breaches. The GDPR departs from that approach. In doing so, it expresses the maximum penalty in terms of a percentage of turnover. Turnover is therefore a relevant factor in determining the appropriate level of penalty to be imposed. This is also reflected in the Recitals, which make clear that the economic position of the controller is relevant even where the controller is a private person and not an undertaking: “Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine.”<br />
<br />
b. Further, and in any event, the Commissioner is obliged to ensure that any penalties imposed are “effective, proportionate and dissuasive”. Having regard to a data controller’s turnover complies with this principle by ensuring that the level of any penalty is not only proportionate, but is also likely to be an effective and dissuasive deterrent for the undertaking on which it is imposed, and other equivalent controllers. It is self-evident that imposing the same penalty on an undertaking with a turnover of billions of pounds as would be imposed on a small or medium sized business would not be effective, proportionate or dissuasive. Comparable regulatory regimes that share the GDPR’s emphasis on deterrence, such as under competition law, also take turnover into account in some form in setting penalties.<br />
<br />
c. Marriott’s claim that the introduction of the maximum amount safeguard caps in Articles 83(4) and (5) does not mean that turnover can be treated as a relevant metric is incorrect, for the reasons articulated in points (a) and (b) above.148 In particular, Marriott’s claim that treating turnover as a relevant metric “outside of disgorgement of profits cases is illogical and perverse”, does not withstand scrutiny. It is plain from the relevant provisions of the GDPR, read as a whole, that the economic position of a controller is one relevant factor in determining what penalty is appropriate on the particular facts of any case. The GDPR does not limit the relevance of turnover to cases involving disgorgement.<br />
<br />
d. As to the decision in Doorstep, the difference between the turnover of that controller and Marriott is obviously relevant. However, each case is considered on its individual facts. Marriott’s attempts to compare the number of records involved, and then scale up the appropriate level of fine (60 times the number of records, results in a maximum 60 times higher level of fine), are misconceived. See further paras 7.116-7.119 below.<br />
<br />
7.73. Third, Marriott submitted that any penalty regime engages the fundamental rights of controllers, including their fundamental right to property as provided for under Article 1 of Protocol 1 of the European Convention on Human Rights, and Article 17 of the EU Charter of Fundamental Rights.149 The Commissioner recognises that in imposing a penalty on a controller, she must comply with any relevant fundamental rights that are engaged, including under the ECHR or the EU Charter. However, it is not accepted that taking into account a controller’s turnover in determining the appropriate penalty is incompatible with those rights because it is arbitrary or results in grossly disproportionate levels of penalty (as Marriott contended at para 4.14(c) of its First Representations). It is an approach that complies with the regime established by the GDPR.<br />
<br />
147 Marriott’s Second Representations, paras 1.36-1.37.<br />
148 Marriott’s First Representations, para 4.14(d).<br />
149 Marriott’s First Representations, para 4.14(c).<br />
7.74. Fourth, Marriott contended that the turnover approach is inconsistent with the RAP.150 This is incorrect.<br />
<br />
7.75. As explained above, the calculation of the proposed penalty in the NOI was not exclusively based on turnover, contrary to Marriott’s claim. It took account of the various factors discussed in the RAP. This Notice addresses each step of the process of the RAP in turn to make even clearer that the penalty has been set in accordance with its terms. Turnover is relevant to establishing whether a penalty is appropriate, proportionate, effective and dissuasive in applying the steps set out in the RAP, as explained above.<br />
<br />
7.76. Moreover, Marriott’s reliance in this regard on reference in the RAP to circumstances in which the Commissioner will convene an advisory panel is misplaced.151 The RAP describes “very significant” penalties as those “expected to be those over the threshold of 1M” in that particular context, i.e. the context in which the Commissioner may convene an advisory panel. This was not intended to be - and in any event cannot objectively be read as giving - an indication to controllers of the likely penalty they may face in the event of a data breach, particularly in light of the provisions of GDPR. The section of the RAP setting out how penalties will be calculated does not refer to the concept of “very significant” penalties at all.<br />
<br />
7.77. Consequently, the RAP’s discussion of when an advisory panel may be convened is no basis for saying that turnover is not a relevant factor in determining penalty. Marriott was also therefore wrong to claim in its Representations that: (a) the £1million figure referred to in the discussion of when an advisory panel may be appropriate should be the starting point for calculating fines in the most serious and significant cases before the Commissioner;152 and (b) the Commissioner must justify imposing any fine above that threshold figure. This is a misreading of the RAP, see further below.<br />
<br />
7.78. Fifth, Marriott contended that what the Commissioner should have done in quantifying the appropriate penalty was to “(a) start with what an infringement of this nature is objectively worth in penalty terms having regard to its nature, gravity and duration, irrespective of the financial stature of the wrongdoer; then (b) add or take away amounts to reflect respectively aggravating and mitigating factors; before moving at the final stage of the analysis to (c) the question of whether, in view of all the circumstances, some increase in the penalty is required to ensure a deterrent effect.”153<br />
<br />
150 Marriott’s First Representations, para 4.14(f).<br />
151 Page 26 of the RAP. See also para 4.46 of Marriott’s First Representations.<br />
152 Marriott’s First Representations, para 4.46.<br />
<br />
7.79. The Commissioner’s approach is set out above. She has considered each step of the RAP, and all of the factors listed in Article 83 GDPR, in order to arrive at the overall appropriate penalty. Given that the financial stature of the wrongdoer would need to be taken into account at least in considering whether an increase in fine would be necessary to secure a deterrent effect, it is not clear that adopting the alternative structure proposed by Marriott would make any material difference to the outcome.<br />
<br />
(4) The appropriate tier<br />
<br />
7.80. In response to the NOI, Marriott submitted that the Commissioner had applied the wrong fining tier. It was said that the Commissioner incorrectly categorised the breaches in issue as a Tier 2 infringement, allowing for a maximum fine of 4% of turnover.154 This submission was based, in summary, on the following points:<br />
<br />
a. Article 5(1)(f) is simply a shorter, summary version, of the more detailed and specific obligation in Article 32. Article 32 GDPR therefore amounts to the lex specialis of Article 5(1)(f) and should therefore take precedence.<br />
<br />
b. The maximum fine should be 2% in this case because:<br />
<br />
i. Any ambiguity in the wording of a provision of law imposing a civil penalty should be resolved in favour of the controller.<br />
<br />
ii. The wording of Article 83(4) makes clear that the intention was to impose this lower maximum cap for breaches of Article 32, which is the lex specialis.<br />
<br />
7.81. The Commissioner does not accept these submissions, for the following reasons.<br />
<br />
153 Marriott’s First Representations, para 4.15.<br />
154 Marriott’s First Representations, paras 4.16-4.17.<br />
747.82. First, the GDPR addresses expressly what the appropriate maximum<br />
<br />
fine should be when a controller breaches the “basic principles of<br />
processing” under Article 5 GDPR. Article 5(1)(f), as one of the basic<br />
principles of processing, cannot be dismissed as simply a summary<br />
<br />
of a later new provision included i the GDPR. The EU legislature has<br />
made i clear that a higher penalty i appropriate where a controller<br />
<br />
i found to have breached the basic principles of processing that<br />
underpin the regime. Contrary to Marriott’s submissions, Article<br />
83(5)(a) provides i clear i explicit and unambiguous terms that<br />
<br />
4% i the appropriate cap for breaches of Article 5, including Article<br />
5(1)(f).<br />
<br />
<br />
7.83. Second, the GDPR also recognises that the same or linked<br />
processing operations may give rise to infringements of several<br />
<br />
provisions of that Regulation. I addresses this by making clear that<br />
the total amount of any penalty i to be the subject of the amount<br />
specified for the gravest infringement (see Article 83(3)).<br />
<br />
<br />
7.84. Third, the principle of /ex specialis means that “where a legal issue<br />
falls within the ambit of a provision framed in general terms, but is<br />
<br />
also specifically addressed by another provision, the specific<br />
provision overrides the more general one.”!>> The Commissioner<br />
does not accept that the application of the /ex specialis principle<br />
<br />
precludes the Commissioner from treating this case as a Tier 2<br />
infringement.<br />
<br />
<br />
7.85. Article 5(1)(f) and Article 32 are evidently distinct provisions of the<br />
GDPR, notwithstanding the degree of overlap. Article 32 applies to<br />
<br />
processors, whilst Article 5 does not. Contrary to Marriott’s<br />
submission, there i no basis upon which to give Article 32<br />
precedence over Article 5(1)(f). They can be applied to controllers<br />
<br />
at the same time: Article 32 does not override the basic<br />
requirements laid down in Article 5(1)(f), read with Article 5(2),<br />
<br />
which establish the responsibility of the controller for demonstrating<br />
compliance with the security obligation and any breach of that<br />
principle.<br />
<br />
<br />
7.86. Further, and in any event, the provisions in Article 83(4) and Article<br />
83(5) are distinct provisions which make explicit provision for<br />
<br />
<br />
<br />
155 R (Hallam) v Secretary of State for Justice [202 at [144]. See also Case T-60/06 RENV<br />
I Italy v Commissio(2016), at [81].<br />
15 different fining tiers to apply to breaches of Articles 5 and 32 GDPR.<br />
I i clear that any infringement of Article 32 falls within the scope<br />
<br />
of Article 83(4) whilst an infringement of Article 5(1)(f) falls within<br />
the scope of Article 83(5). Article 83(4) i not more specific than<br />
<br />
Article 83(5). I i incapable of overriding or taking precedence over<br />
i Rather, any issue as to which maximum penalty applies i<br />
resolved by the application of Article 83(3) which states i terms<br />
<br />
that i these circumstances “the total amount of the administrative<br />
fine shall not exceed the amount specified for the gravest<br />
<br />
infringement.” The legislation itself provides the mechanism for<br />
addressing circumstances i which processing engages more than<br />
one obligation.<br />
<br />
<br />
7.87. The Commissioner notes that her interpretation of Articles 83(4)-(5)<br />
i supported by the Article 29 Working Party’s Guidelines on the<br />
<br />
application and setting of administrative fines for the purposes of<br />
the GDPR, which states:<br />
<br />
Specific infringements are not given a specific price tag in the<br />
<br />
Regulation, only a cap (maximum amount). This can be indicative<br />
of a relative lower degree of gravity for a breach of obligations<br />
<br />
listed in article 83(4), compared with those set out in article<br />
83(5). The effective, proportionate and dissuasive reaction to a<br />
breach of article 83(5) will however depend on the circumstances<br />
<br />
of the case...<br />
<br />
The occurrence of several different infringements committed<br />
<br />
together in any particular single case means that the supervisory<br />
authority is able to apply the administrative fines at a level which<br />
is effective, proportionate and dissuasive within the limit of the<br />
<br />
gravest infringement. Therefore, if an infringement of article 8<br />
and article 12 has been discovered, then the supervisory authority<br />
may be able to apply the corrective measures as set out in article<br />
<br />
83(5) which correspond to the category of the gravest<br />
infringement, namely article 12....1°°<br />
<br />
<br />
7.88. Fourth, in any event, Marriott’s main objection to the use of the 4%<br />
maximum penalty appears to be its impact on the turnover-bands<br />
applied under the Draft Internal Procedure, which was applied in<br />
calculating the proposed fine included in the Notice of Intent. As this<br />
approach has not been adopted in determining the final level of<br />
penalty to be imposed by this Notice, the same concerns do not<br />
arise. It is noted that the final penalty imposed is well below the 2%<br />
cap, and so the application of that cap in reaching the final decision,<br />
as opposed to a 4% cap, would have made no difference.<br />
<br />
156 Pages 9-10.<br />
<br />
7.89. Marriott also asserted in a single paragraph of its First<br />
Representations that the Commissioner’s approach to quantification<br />
is “wholly arbitrary”.157 This is not accepted, either as a criticism of<br />
the NOI or this Notice. It appears that this argument rested on<br />
Marriott’s contention that there are no clear and precise rules in<br />
place governing the setting of the penalty by the Commissioner. This<br />
claim is addressed below.<br />
<br />
(5) An uplift to ensure a deterrent effect<br />
<br />
<br />
7.90. Marriott claimed that the proposal in the NOI to increase the<br />
proposed penalty for the infringement to 2.5% to ensure that it<br />
would have a sufficient deterrent effect was arbitrary and<br />
unlawful.158 This is not accepted. The Commissioner is obliged to<br />
consider whether such an uplift should be made under the RAP and<br />
Article 83 GDPR.<br />
<br />
7.91. Marriott's criticisms of the NOI in this regard relied heavily on its<br />
criticisms of the previous use made of the Draft Internal Procedure’s<br />
turnover-based approach in setting the proposed penalty at that<br />
stage.159 These points have been addressed above. It is, however,<br />
important to note that para 61(d) of the NOI explained that in the<br />
light of the scale and severity of the infringement and factors<br />
discussed in para 61(a)-(c), a penalty of between 1.5 and 2% would<br />
be appropriate and proportionate. Para 61(f) then went on to<br />
consider what an appropriate uplift would be to ensure a deterrent<br />
effect, which was a separate issue that warranted individual<br />
consideration at a later stage of the analysis. These are separate<br />
steps under the RAP (see Section 2 above). It is therefore incorrect<br />
to assert, as Marriott did, that any uplift from the judged starting<br />
point means that the Commissioner: “is knowingly imposing a<br />
disproportionate penalty sum.”160<br />
<br />
157 Marriott’s First Representations, para 4.18.<br />
158 Marriott’s First Representations, para 4.24.<br />
159 Marriott’s First Representations, paras 4.25-4.30.<br />
160 Marriott’s First Representations, para 4.25.<br />
<br />
7.92. In any event, as set out above under Step 4, no additional amount<br />
has been added in this case for deterrent effect.<br />
<br />
(6) Legitimate Expectation and Legal Certainty<br />
<br />
<br />
The alleged legitimate expectation<br />
<br />
7.93. In response to the NOI and draft decision, Marriott relied on<br />
selective quotes from public statements made by the Commissioner<br />
or her office about the new GDPR regime to contend that fines under<br />
the GDPR should be set in accordance with past precedents, i.e.<br />
decisions made under the DPA 1998.161 What Marriott seeks, in<br />
effect, is for the Commissioner unilaterally to impose the previous<br />
domestic cap and approach to fines which applied in the UK prior to<br />
the harmonised regime under the GDPR.<br />
<br />
7.94. Plainly it is not open to the Commissioner, as a matter of domestic<br />
or EU law, to adopt unilaterally an approach that would undermine<br />
the object and purpose of the new EU regime.<br />
<br />
7.95. The GDPR, and consequently the DPA, represent a significant<br />
departure from the regime under DPA 1998 and the 1995 Directive.<br />
The GDPR was expressly intended to harmonise the rights of, and<br />
protections afforded to, data subjects across the EU. It differs<br />
markedly from the 1995 Directive, most obviously in that it<br />
introduces significantly higher and more effective penalties, with<br />
maximum penalties defined expressly by reference to turnover. The<br />
GDPR also imposes new obligations on controllers, including new<br />
organisational requirements such as the designation of a data<br />
protection officer and new provisions on the lawfulness of<br />
processing. The GDPR and the DPA have significantly changed the<br />
legal landscape in data protection and enforcement.<br />
<br />
7.96. Marriott’s submissions are to the effect that public statements made<br />
by the Commissioner override these changes, and as such she is<br />
bound to apply in effect the DPA 1998 and/or only apply incremental<br />
increases to the level of fine that would have been issued under that<br />
Act. Public statements made by the Commissioner or her staff, which<br />
are in any event quoted selectively and/or taken out of their proper<br />
context by Marriott, are incapable of achieving this outcome.<br />
<br />
161 Marriott’s First Representations, paras 4.37-4.41. See also Marriott’s First Representations, paras<br />
4.65-4.66; see also Marriott’s Second Representations, paras 1.28-1.31.<br />
7.97. More specifically, the public statements referred to by Marriott in its<br />
Representations were not intended to be - and cannot objectively<br />
be read as - assurances to any controller that the Commissioner<br />
would not use her powers on a case by case basis, to impose<br />
effective, proportionate and dissuasive penalties in appropriate<br />
cases. Marriott disputes this; however, the Commissioner maintains<br />
her position for the following reasons:<br />
<br />
a. Marriott refers to a blog post published by Elizabeth Denham<br />
on 9 August 2017.162 Whilst it is true that the post states that<br />
the Commissioner will not “simply scale up penalties” issued<br />
under the DPA 1998, it also states: “Don’t get me wrong, the<br />
UK fought for increased powers when the GDPR was being<br />
drawn up. Heavy fines for serious breaches reflect just how<br />
important personal data is in the 21st century world. We intend<br />
to use those powers proportionately and judiciously.”<br />
<br />
b. Marriott refers to a speech made by James Dipple-Johnstone at<br />
the Data Protection Practitioner’s Conference on 9 April 2018;163<br />
however the quotation which Marriott selectively cited is<br />
preceded by a summary of the approach the Commissioner<br />
intended to take, including “we will look at each case on its own<br />
merits. We'll look at the features and context of each case. And,<br />
this is important, we will focus on area of greatest risk to people<br />
- potential or actual harm... The more serious, high impact,<br />
deliberate, wilful or repeated breaches can expect the most<br />
robust response.”<br />
<br />
7.98. There is nothing within these quotations which can be read as giving<br />
rise to a legitimate expectation that the Commissioner would either:<br />
(a) issue fines in accordance with the previous maximum limit which<br />
applied under the DPA 1998 and/or past cases issued under that<br />
Act; or (b) only apply incremental increases to the level of fine that<br />
would have been imposed under the DPA 1998.164 As made clear in<br />
the blog and speech to which Marriott has referred, the<br />
Commissioner had always been clear that she would (in accordance<br />
with her obligations) use her full powers on a case by case basis, to<br />
impose effective, proportionate and dissuasive penalties in<br />
appropriate cases, which includes the possibility of large fines.<br />
<br />
162 Marriott’s Second Representations, para 1.29(a).<br />
163 Marriott’s Second Representations, para 1.29(b).<br />
164 Marriott’s Second Representations, paras 1.30-1.31.<br />
<br />
<br />
7.99. Marriott accepted in its Second Representations that the<br />
Commissioner is not constrained by the previous statutory<br />
maximum of £500,000.165 But in practice, its attempt to limit the<br />
Commissioner to only making incremental increases to the fine level<br />
that would have applied under the DPA 1998 amounts to the same<br />
thing. The starting point is the application of Article 83 GDPR, the<br />
DPA 2018 and the RAP. It is not what the decision would have been<br />
under a superseded legal regime.<br />
<br />
The alleged lack of legal certainty<br />
<br />
7.100. As set out above, the Commissioner recognises that in imposing a<br />
penalty on a controller, she must comply with any relevant<br />
fundamental rights that are engaged, including under the ECHR or<br />
the EU Charter. She does not accept, however, that the penalty<br />
regime applicable under, in particular, Article 83 GDPR lacks<br />
sufficient certainty such that it cannot be lawfully applied. That is in<br />
effect Marriott’s case. It contends that unless the Commissioner<br />
applies a precedents-based approach based on decisions made<br />
under the DPA 1998, it is impossible for the Commissioner to meet<br />
the requirement of legal certainty.166<br />
<br />
7.101. The DPA reflects the directly applicable EU law framework for<br />
determining penalties. The Commissioner does not agree with<br />
Marriott that Article 83 GDPR or section 155 DPA are so unclear that<br />
they are unlawful. Taken together, those provisions specify the<br />
circumstances in which a data protection authority has the power to<br />
impose an administrative penalty, and the matters that are relevant<br />
to that decision and the amount of any penalty. The legislative<br />
regime is supplemented by the RAP, which provides additional<br />
guidance in this regard. Contrary to para 4.60 of Marriott’s First<br />
Representations, the RAP cannot be dismissed as “unclear and open-<br />
ended”.<br />
<br />
<br />
7.102. Marriott’s submissions on legal certainty are wrong for the following<br />
seven reasons.<br />
<br />
165 Marriott’s Second Representations, para 1.30.<br />
166 Marriott’s First Representations, paras 4.50-4.73.<br />
<br />
7.103. First, in accordance with section 161 DPA 2018 the RAP was laid<br />
before Parliament for approval, and was duly approved.<br />
<br />
7.104. In its Second Representations, Marriott emphasised the fact that<br />
Articles 83(8)-(9) and 70(1)(k) GDPR “directly envisage and expect”<br />
that the high-level principles set out in the legislation will be the<br />
subject of national or supranational guidance.167 Pursuant to section<br />
160 DPA, the Commissioner is obliged to issue guidance in respect<br />
of how she will determine the amount of penalties to be imposed.<br />
She has done so through the RAP.<br />
<br />
<br />
7.105. Second, the RAP, which must be read alongside the DPA and, in<br />
particular, Article 83 GDPR, provides sufficient clarity and legal<br />
certainty, as required under the ECHR and EU law. In particular, the<br />
RAP explains that Step 2 intends to “censure” the breach, and this<br />
requires taking into consideration its scale (including the number of<br />
data subjects affected) and the severity of the breach itself, and<br />
expressly refers to the factors set out in the DPA. Examples of<br />
aggravating factors are set out in the RAP to assist with the<br />
interpretation of Step 3, as well as mitigating factors (to be<br />
considered at Step 5). Marriott’s argument appears to be that<br />
because it is possible for the RAP to be more detailed, it must follow<br />
that the RAP is insufficiently detailed to fulfil the requirements of<br />
legal certainty. That is not the case.<br />
<br />
7.106. It is not suggested that it is impossible to produce more detailed<br />
quantification guidance.168 The GDPR is a new regime. Whilst not<br />
necessary for the purposes of legal certainty, more detailed<br />
guidance may well be developed over time as the UK and EU Member<br />
States gain experience in applying it. The Commissioner has<br />
committed to updating the guidance available in the future.<br />
However, the fact that there is potential for further development of<br />
the guidance does not mean that the present guidance is so unclear<br />
as to be unlawful. The RAP provides sufficient guidance as to the<br />
circumstances in which penalties, including large penalties, will be<br />
applied.<br />
<br />
167 Marriott’s Second Representations, para 1.9.<br />
168 Marriott’s Second Representations, para 1.10.<br />
7.107. Third, it is neither necessary nor possible to produce a specific<br />
quantification framework which tells controllers precisely what level<br />
of fine they may face.<br />
<br />
7.108. In para 1.9 of its Second Representations, Marriott claims that the<br />
Commissioner cannot lawfully impose penalties without setting out<br />
a further quantification methodology.169 This is incorrect. The<br />
guidance available from Article 83 GDPR, the DPA and the RAP,<br />
cannot be rejected as legally uncertain purely on the basis that it<br />
does not attempt to specify exactly what levels of penalty might<br />
attach to wrongdoing.170<br />
<br />
7.109. It would be impossible for the Commissioner to specify all the types<br />
of situations, and relevant circumstances, in which a penalty may<br />
be imposed under the GDPR. Nor could any guidance permit a<br />
controller to calculate specifically what any fine might be (especially<br />
by reference to a particular fine). The guidance must be general<br />
enough in order to cover a wide range of potential situations, and<br />
respect the general discretion of the Commission (subject to public<br />
law principles). The GDPR also requires the Commissioner to take a<br />
case-by-case approach, guided by the need to ensure that any<br />
penalty is effective, proportionate and dissuasive, and subject to the<br />
prescribed turnover caps.<br />
<br />
7.110. Fourth, contrary to Marriott’s submissions,171 there is also no flaw in<br />
the Commissioner’s approach because, on the particular facts of this<br />
case, no adjustments needed to be made at certain steps in the<br />
process. The draft decision explained clearly, in particular, that: (a)<br />
the need to ensure the penalty is dissuasive was taken into account<br />
sufficiently under Step 2 such that there was no need for a further<br />
uplift reflecting the need for the penalty sum to deter others under<br />
Step 4;172 and (b) the mitigating factors had been taken into account<br />
under Step 2, so no adjustment was made at Step 5 to avoid<br />
‘double-counting’. The fact that certain steps did not require<br />
adjustments to be made in a particular case does not<br />
render the RAP, which is intended to be of general application,<br />
“deficient”.173<br />
<br />
169 Marriott’s Second Representations, para 7.93.<br />
170 Marriott’s Second Representations, paras 1.7-1.10.<br />
171 Marriott’s Second Representations, para 1.34.<br />
172 Marriott’s Second Representations, para 1.34.<br />
173 Marriott’s Second Representations, para 1.10, see also para 1.34.<br />
<br />
7.111. In any event, to assist Marriott, the Commissioner has dealt with<br />
the mitigating factors arising in this case under Step 5 of the analysis<br />
(rather than Step 2, see para 7.40 above) so that it can see the<br />
impact of these factors on the overall level of penalty.<br />
<br />
7.112. Fifth, as explained at paragraph 7.68 above, the Draft Internal<br />
Procedure was not developed and is not relied upon for the purposes<br />
of meeting the legal certainty requirement, contrary to Marriott’s<br />
submissions during the course of the investigation.174 While it was<br />
intended to be a helpful supplement to the RAP for internal decision-<br />
making purposes, it has been disregarded for the purposes of this<br />
Notice.<br />
<br />
7.113. Sixth, for the reasons given above in respect of Marriott’s legitimate<br />
expectation argument, it is not open to the Commissioner to re-<br />
impose the different, UK-only, legislative cap on fines in the manner<br />
sought by Marriott. The bands which applied under the DPA 1998,<br />
and the decisions made under it, cannot be relied upon as a<br />
justification for the Commissioner to fail to comply with EU law.<br />
<br />
7.114. Finally, as to the claim made by Marriott that other bodies, namely<br />
the FCA and the EU Commission, apply more rigorous and more<br />
predictable rules, it is noted that each regulator must take<br />
enforcement action within the bounds of its own legal obligations,<br />
and in this case the Commissioner is bound to comply, in particular,<br />
with Article 83 of the GDPR.175<br />
<br />
<br />
Other decisions by the Commissioner / Decisions by other European<br />
authorities<br />
<br />
<br />
7.115. Marriott submitted in its Representations that the proposed penalty<br />
is inconsistent with previous action by the Commissioner and other<br />
EU supervisory authorities, contrary to the stated aim of GDPR being<br />
to create a harmonised regime.176 In its Representations,177 Marriott<br />
states that the proposed penalty is (a) inconsistent with action taken<br />
by other EU supervisory authorities, (b) contrary to the stated aim<br />
of the GDPR being a harmonised regime; and (c) inconsistent with<br />
the decision taken by the Commissioner in a different case. Marriott<br />
specifically refers to the following cases:<br />
<br />
a. the decision by CNIL to impose a €50 million penalty on Google.<br />
Marriott contended that the infringements in Google’s case<br />
were more serious than those considered in this Notice.<br />
<br />
b. the Austrian Data Protection Authority against Österreichische<br />
Post AG, which was fined €18 million;<br />
<br />
c. a €2.6 million fine issued by the Bulgarian Commission of<br />
Personal Data Protection to the Bulgarian Revenue Agency in<br />
relation to a cyber-attack which affected over 5 million data<br />
subjects;<br />
<br />
d. a fine of €645,000 imposed on Morele.net by the Polish<br />
supervisory authority for a cyber-attack affecting over 2 million<br />
data subjects;<br />
<br />
e. a fine of €150,000 imposed on Raiffeisen Bank by the Romanian<br />
supervisory authority concerning the misuse of customer data<br />
by employees of the bank;<br />
<br />
f. the Romanian authority on UniCredit Bank SA. The company<br />
was fined €130,000 for a breach of Article 25 GDPR due to<br />
the compromise of payment details, when its worldwide<br />
turnover for 2018 was €18 billion; and<br />
<br />
g. the Commissioner’s decision regarding Doorstep Dispensaree<br />
Ltd, dated 20 December 2019.<br />
<br />
174 Marriott’s First Representations, para 4.61 and Marriott’s Second Representations, para 1.4.<br />
175 The submissions made at paras 1.20-1.25 of Marriott’s Second Representations are noted.<br />
176 Marriott’s First Representations, paras 4.69-4.7 and Marriott’s Second Representations, paras<br />
1.12-1.19.<br />
177 Marriott’s Second Representations, paras 1.14-1.19.<br />
<br />
<br />
7.116. The purpose of GDPR is, as Marriott contends, to secure a<br />
harmonised regime. However, that harmonisation is achieved<br />
through the application of harmonised rules and standards to the<br />
particular facts of the case at issue. Any cross-border processing<br />
decision must then be subject to the Article 60 process.<br />
<br />
<br />
7.117. The Commissioner, along with other EU supervisory authorities,<br />
must comply with her obligations under Article 83 and that means<br />
that she is required to impose a penalty which, in her own judgment,<br />
having regard to all the matters listed in Article 83, and on the facts<br />
of the individual case, is effective, proportionate, and dissuasive. In<br />
principle, ‘equivalent’ breaches should attach ‘equivalent’ penalties.<br />
But in practice, each case will turn on its own particular facts. Whilst<br />
the Commissioner has considered the limited information available<br />
about the cases to which Marriott has referred, she maintains that<br />
simple comparisons of the penalties imposed in different cases do<br />
not show that the Commissioner has erred in applying Article 83<br />
GDPR, DPA and/or the RAP.<br />
<br />
<br />
7.118. There is a great degree of variation in the penalties imposed by<br />
supervisory authorities even in the context of the limited fines<br />
imposed to date,178 which are - in the Commissioner’s view -<br />
indicative of a decision-making process that is fact-specific. It would<br />
be premature and not necessarily helpful to rely heavily at this<br />
juncture on a survey of the action taken by other supervisory<br />
authorities, given the relatively few decisions that have been taken<br />
under the new regime. This is particularly the case where there is<br />
limited public information available about the reasons for the<br />
decisions taken by other authorities.<br />
<br />
<br />
7.119. In any event, as the Commissioner is acting as lead authority in this<br />
case, the way to ensure consistency is not by comparing the penalty<br />
to a selection of other penalties issued on different facts in the EU.<br />
Rather, the consistency mechanism provided for by Articles 60(4)<br />
and 63 GDPR will allow for all of the supervisory authorities<br />
concerned to cooperate with the Commissioner, make enquiries, and<br />
contribute their views in order to ensure the consistency of the<br />
ultimate penalty sum with penalties that have been (if there are any)<br />
and/or will be applied in similar situations. The Article 60 process is<br />
one of the factors which, as noted in Article 63, contributes to the<br />
consistent application of the GDPR and the Commissioner is entitled<br />
to rely on the process as a contributory factor.<br />
<br />
(7) Application of the RAP<br />
<br />
<br />
7.120. In response to the NOI and/or the draft decision, Marriott submitted<br />
that the Commissioner had acted contrary to the RAP by: (a) failing<br />
to consider separately the appropriate fines for the provisionally<br />
found breaches of Articles 33 and 34 GDPR, from those in relation<br />
to Articles 5(1)(f) and 32 GDPR; (b) failing to adopt the starting<br />
point that any penalty of over £1 million is reserved for very<br />
significant cases; and/or (c) failing to correctly apply the factors that<br />
the RAP categorises as determining whether a higher penalty can be<br />
imposed.179<br />
<br />
178 Notably the decision of the French SA, the CNIL, to fine Google 50 million Euros. See also<br />
https://www.enforcementtracker.com which suggests there is significant variation in the level of<br />
fines that have been imposed to date, ranging from a few thousand to millions of pounds.<br />
<br />
<br />
7.121. As to the first issue, the Commissioner has not included in her final<br />
decision a finding that Marriott breached Article 33 or 34 GDPR.<br />
Thus, this issue no longer arises.<br />
<br />
7.122. The second issue is based on a misreading of the RAP. Marriott<br />
misunderstood the discussion of the circumstances in which she may<br />
convene an advisory panel. This point has been addressed above at<br />
paras 7.76-7.77.<br />
<br />
<br />
7.123. In response to the draft decision, Marriott submitted that the<br />
Commissioner is seeking to “reinterpret” the wording of page 26 of<br />
the RAP in this regard. That is incorrect. The section of the RAP<br />
which addresses specifically the setting of a penalty does not refer<br />
to this concept of “very significant” penalties at all. This language is<br />
used only to describe the types of situations in which the<br />
Commissioner may convene an advisory panel.180<br />
<br />
<br />
7.124. Marriott also submitted that the fact that: “the ICO appears to have<br />
determined that this case is not significant enough to merit<br />
convening the panel, which is entirely inconsistent with the fine<br />
imposed and further demonstrates the arbitrariness of this process.”181<br />
This submission is unfounded. The Commissioner has discretion<br />
over whether to convene a panel. The reasons why a panel was not<br />
convened in this case were explained in correspondence, i.e. this<br />
decision would be subject to the Article 60 consultation process. In<br />
such circumstances, the panel was unnecessary. It does not imply<br />
that this case lacks significance. For the reasons outlined above, this<br />
case has been found to involve significant breaches of the GDPR.<br />
<br />
7.125. The third issue was also based on a misinterpretation or<br />
misapplication of the RAP. Contrary to Marriott’s submissions,182 the<br />
RAP does not set out at page 27 the only categories of cases in which<br />
it is justifiable for the Commissioner to impose a high penalty. The<br />
examples provided are not to be applied as a list of criteria which<br />
must be met in any case before a penalty exceeding £1 million can<br />
be imposed. They provide a general indication of the circumstances<br />
in which a penalty will be higher. The Commissioner is not therefore<br />
departing from guidance in a manner which has to be justified. This<br />
Penalty Notice explains why the fine set is appropriate.<br />
<br />
179 Marriott’s First Representations, paras 4.42-4.49 and Marriott’s Second Representations, paras<br />
1.32-1.34.<br />
180 Page 26 of the RAP.<br />
181 Marriott’s Second Representations, para 1.33.<br />
182 Marriott’s Second Representations, para 1.32.<br />
<br />
<br />
7.126. The GDPR was enacted in 2016 and came into force two years later.<br />
Data controllers, especially global undertakings of the size of<br />
Marriott, would have been fully aware of the maximum penalties<br />
permitted by GDPR. The reference to the sum of £1 million in the<br />
RAP does no more than describe the circumstances in which the<br />
Commissioner may decide to convene an advisory panel, and page<br />
27 of the RAP cannot be relied upon to confine the Commissioner’s<br />
power to impose penalties in the manner sought by Marriott. The<br />
decision as to whether a penalty should be imposed and at what<br />
level, in order to provide an effective, proportionate and dissuasive<br />
result has to be reached through the application of Article 83(2)<br />
GDPR and section 155 DPA 2018. It is clear from the RAP that the<br />
Commissioner will adopt a case-specific approach, taking into<br />
account all relevant considerations. That is the approach taken in<br />
this case.<br />
<br />
<br />
(8) Proportionality<br />
<br />
7.127. Marriott contends that the proposed penalty set out in the NOI was<br />
disproportionate on its face.183 This argument is not accepted in<br />
respect of the provisional penalty that was proposed in the light of<br />
the information available at that time.<br />
<br />
<br />
7.128. It is also not accepted that the penalty proposed in the draft decision<br />
was disproportionate. That proposed penalty took account of<br />
and reflected the submissions made by Marriott in response to the<br />
NOI. Marriott criticised the approach taken in the draft decision on<br />
the basis that the claim that the fine proposed was proportionate<br />
rested inappropriately on a comparison with the level of penalty set<br />
out in the NOI.184 That was not the approach taken. Section 7 of the<br />
draft decision explained clearly the basis upon which, at that time,<br />
the proposed penalty was proportionate. In any event, this Penalty<br />
Notice explains in clear terms why the level of final penalty imposed<br />
is proportionate in the light of the findings reached by the<br />
Commissioner (see paragraphs 7.3-7.57 above).<br />
<br />
183 Marriott’s First Representations, paras 4.74-4.77 and Second Representations, para 1.8.<br />
184 Marriott’s Second Representations, paras 1.8 and 1.40.<br />
<br />
7.129. The mathematical error made at para 5.43 of the draft decision is<br />
noted.185 No such error is made at para 7.57 above.<br />
<br />
8. HOW THE PENALTY IS TO BE PAID<br />
<br />
<br />
8.1. The penalty must be paid to the Commissioner’s office by BACS<br />
transfer or cheque.<br />
<br />
8.2. The penalty is not kept by the Commissioner but will be paid into<br />
the Consolidated Fund which is the Government’s general bank<br />
account at the Bank of England.<br />
<br />
<br />
9. ENFORCEMENT POWERS<br />
<br />
9.1. The Commissioner will not take action to enforce a penalty unless:<br />
<br />
• all or any of the penalty has not been paid;<br />
<br />
• all relevant appeals against the penalty notice and any variation<br />
of it have either been decided or withdrawn; and<br />
<br />
• the period for appealing against the penalty and any variation<br />
of it has expired.<br />
<br />
9.2. In England, Wales and Northern Ireland, the penalty is recoverable<br />
by Order of the County Court or the High Court. In Scotland, the<br />
penalty can be enforced in the same manner as an extract registered<br />
decree arbitral bearing a warrant for execution issued by the sheriff<br />
court of any sheriffdom in Scotland.<br />
<br />
185 Marriott’s Second Representations, para 1.41.<br />
<br />
Dated the 30th day of October 2020<br />
<br />
<br />
Elizabeth Denham<br />
Information Commissioner<br />
<br />
Information Commissioner’s Office<br />
Wycliffe House<br />
Water Lane<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
<br />
<br />
ANNEX 1<br />
<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
<br />
1. Section 162(1) of the Data Protection Act 2018 gives any<br />
person upon whom a penalty notice has been served a right of<br />
appeal to the First-tier Tribunal (Information Rights) (the<br />
‘Tribunal’) against the notice.<br />
<br />
<br />
2. If you decide to appeal and if the Tribunal considers:-<br />
<br />
a) that the notice against which the appeal is brought is<br />
not in accordance with the law; or<br />
<br />
b) to the extent that the notice involved an exercise of<br />
discretion by the Commissioner, that she ought to have<br />
exercised her discretion differently,<br />
<br />
the Tribunal will allow the appeal or substitute such other<br />
decision as could have been made by the Commissioner. In<br />
any other case the Tribunal will dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the<br />
Tribunal at the following address:<br />
<br />
General Regulatory Chamber<br />
HM Courts &amp; Tribunals Service<br />
PO Box 9300<br />
Leicester<br />
LE1 8DJ<br />
<br />
a) The notice of appeal should be sent so it is received by<br />
the Tribunal within 28 days of the date of the notice.<br />
<br />
b) If your notice of appeal is late the Tribunal will not<br />
admit it unless the Tribunal has extended the time for<br />
complying with this rule.<br />
<br />
<br />
<br />
The notice of appeal should state:-<br />
<br />
a) your name and address/name and address of your<br />
representative (if any);<br />
<br />
b) an address where documents may be sent or delivered<br />
to you;<br />
<br />
c) the name and address of the Information<br />
Commissioner;<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
e) the result that you are seeking;<br />
<br />
f) the grounds on which you rely;<br />
<br />
g) you must provide with the notice of appeal a copy of the<br />
penalty notice or variation notice;<br />
<br />
h) if you have exceeded the time limit mentioned above<br />
the notice of appeal must include a request for an<br />
extension of time and the reason why the notice of<br />
appeal was not provided in time.<br />
<br />
<br />
Before deciding whether or not to appeal you may wish to<br />
consult your solicitor or another adviser. At the hearing of an<br />
appeal a party may conduct his case himself or may be<br />
represented by any person whom he may appoint for that<br />
purpose.<br />
<br />
The statutory provisions concerning appeals to the First-tier<br />
Tribunal (General Regulatory Chamber) are contained in<br />
sections 162 and 163 of, and Schedule 16 to, the Data<br />
Protection Act 2018, and the Tribunal Procedure (First-tier<br />
Tribunal) (General Regulatory Chamber) Rules 2009<br />
(Statutory Instrument 2009 No. 1976 (L.20)).<br />
</pre></blockquote></div>
Hk
https://gdprhub.eu/index.php?title=Court_of_Appeal_of_Brussels_-_2020/AR/1160_(First_Interim_Decision)&diff=12132
Court of Appeal of Brussels - 2020/AR/1160 (First Interim Decision)
2020-11-10T16:38:53Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=HvB<br />
|Court_With_Country=HvB (Belgium)<br />
<br />
|Case_Number_Name=2020/AR/1160<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Tussenarrest 16092020<br />
|Original_Source_Link_1=https://urldefense.com/v3/__https:/www.autoriteprotectiondonnees.be/publications/arret-intermediaire-du-16-septembre-2020-de-la-cour-des-marches-disponible-en-neerlandais.pdf__;!!JMiYFPDqHV3Cgg!EA8iNbZ62eVc5jr-ZeI1uCcIhyc__cjzLMKjY9mk3g1D3avJbtgc3A6GMzl0WNSRTFnFlPg$<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
<br />
|Date_Decided=16.09.2020<br />
|Date_Published=16.09.2020<br />
|Year=2020<br />
<br />
<br />
<br />
|National_Law_Name_1=Art. 1066, par 2, 6° Ger. W<br />
|National_Law_Link_1=http://www.ejustice.just.fgov.be/cgi_loi/loi_a1.pl?language=nl&la=N&cn=1967101004&table_name=wet&&caller=list&fromtab=wet&tri=dd+AS+RANK<br />
|National_Law_Name_2=Art. 108 WOG<br />
|National_Law_Link_2=https://www.gegevensbeschermingsautoriteit.be/burger/de-autoriteit/organisatie<br />
|National_Law_Name_3=Art. 19, par 3 Ger. W<br />
|National_Law_Link_3=http://www.ejustice.just.fgov.be/cgi_loi/loi_a1.pl?language=nl&la=N&cn=1967101004&table_name=wet&&caller=list&fromtab=wet&tri=dd+AS+RANK<br />
|National_Law_Name_4=Art. 1402 Ger. W<br />
|National_Law_Link_4=http://www.ejustice.just.fgov.be/cgi_loi/loi_a1.pl?language=nl&la=N&cn=1967101004&table_name=wet&&caller=list&fromtab=wet&tri=dd+AS+RANK<br />
<br />
|Party_Name_1=Proximus<br />
|Party_Link_1=<br />
|Party_Name_2=GBA/ADP<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=GBA/ADP<br />
|Appeal_From_Case_Number_Name=42/2020<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Enzo Marquet<br />
|<br />
}}<br />
<br />
The Brussels Court of Appeal (Market Court) suspended the provisional enforceability of a decision of the Belgian DPA's Litigation Chamber because the DPA had not given reasons for rejecting Proximus' request that the decision not be provisionally enforceable. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
Proximus appealed decision 42/2020 of the Litigation Chamber of the Belgian DPA (GBA/APD) to the Market Court of the Brussels Court of Appeal and asked, before any ruling on the merits, that the decision's provisional enforceability be suspended. Under Article 108 § 1 of the Belgian DPA Act, decisions of the Litigation Chamber are provisionally enforceable notwithstanding appeal unless the Chamber decides otherwise in a specially reasoned decision.<br />
<br />
===Dispute===<br />
Is the DPA's decision provisionally enforceable while it is under appeal before the Market Court, or can the Court suspend that enforceability pending its ruling on the merits?<br />
<br />
===Holding===<br />
The Court of Appeal decided the following:<br />
[[Article 66 GDPR]] provides for an urgency procedure under which a supervisory authority may adopt provisional measures. From this (and from the provisional measures available under [[Article 61 GDPR]] and [[Article 62 GDPR]]) the Court infers that the European legislator did not intend decisions of a DPA to be provisionally enforceable by default. <br />
<br />
The Court goes on to explain that provisional enforceability by operation of law is defensible for an ordinary appeal, where the case is re-examined in fact and in law by another judge of the judiciary who is subject to the same rules on appointment, independence and impartiality as the first judge. The DPA's Litigation Chamber, by contrast, is a body of an administrative authority whose members are appointed by majority vote of the Chamber of Representatives, so those rules do not apply.<br />
<br />
The Market Court does not re-examine the administrative decision in full; it reviews it for compliance with the applicable legislation, the principles of good administration and fundamental rights, and rules within a short period as in interlocutory proceedings. Where the applicant so requests, the Court may suspend the provisional enforceability of the decision until it has ruled on the merits. <br />
<br />
An appeal against an administrative decision can only be effective if the appealing party is not put under pressure to immediately pay a fine or to comply with the appealed decision.<br />
<br />
The Court further holds that the DPA failed to give reasons for rejecting Proximus' request that the decision not be provisionally enforceable, so provisional enforceability cannot simply apply automatically. When the DPA sends a party a document inviting a reply, the principles of good administration require the DPA to address that reply in its decision. The label given to the reply ('conclusion', 'statement', 'letter') does not matter, since the procedural rules of an administrative body are not as strict as those of a court.<br />
<br />
If the DPA, when stating the reasons for its decision, only addresses the party's formal 'conclusion' and ignores the aforementioned reply document, it breaches its duty to state reasons. If the DPA were free to 'choose' which arguments it answers, the rule of law would be breached as well; any other reading would allow the DPA to invite comments and then ignore them, which is maladministration.<br />
<br />
The Court of Appeal therefore suspends the provisional enforceability of the decision until it has ruled on the merits. Any enforcement measures already taken must be reversed.<br />
<br />
==Comment==<br />
The merits of the case are scheduled to be heard on 27 January 2021.<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
Directory number 2020/4778<br />
Date of judgment: 16 September 2020<br />
Role number 2020/AR/1160<br />
Interim judgment on provisional enforceability<br />
Hearing on the merits: 27/01/2021<br />
Brussels Court of Appeal, Market Court section, Chamber 19A<br />
<br />
Judgment<br />
<br />
Brussels Court of Appeal - 2020/AR/1160<br />
<br />
IN THE MATTER OF:<br />
<br />
PROXIMUS NV, company number 0202.239.951, with registered office at 1030 BRUSSELS, King Albert I<br />
avenue 27,<br />
<br />
Applicant,<br />
<br />
represented by Mr Peter CRADDOCK, lawyer, 1000 BRUSSELS, Terhulpsesteenweg 120.<br />
<br />
Against the decision of the Litigation Chamber of the Data Protection Authority number<br />
42/2020 of 30 June 2020.<br />
<br />
AGAINST:<br />
<br />
The DATA PROTECTION AUTHORITY, company number 0694.679.950, with registered office at 1000<br />
BRUSSELS, Drukpersstraat 35,<br />
Defendant,<br />
<br />
represented by Mr Joos ROETS, lawyer, 2018 ANTWERPEN, Oostenstraat 38, bus 201.<br />
<br />
<br />
<br />
<br />
<br />
1. Jurisdiction of the Market Court.<br />
<br />
The Court is seised on the basis of an application lodged at the Registry of the Court of Appeal of<br />
Brussels on 28 August 2020 by PROXIMUS NV against the DATA PROTECTION AUTHORITY<br />
(hereinafter "GBA").<br />
<br />
By this application, PROXIMUS NV brings an appeal before the Market Court against<br />
decision No 42/2020 of the GBA's Litigation Chamber of 30 June 2020, notified to it by<br />
letter dated 30 July 2020.<br />
<br />
2. Limited debate - provisional enforceability.<br />
<br />
PROXIMUS NV requests that, before a ruling on the merits of the dispute, the<br />
provisional enforceability of the contested decision be suspended pursuant to<br />
Article 1066, paragraph 2, 6° in conjunction with Article 1402 and Article 19, paragraph 3 Ger. W., and that this limited debate<br />
be dealt with at the introductory hearing.<br />
<br />
At the introductory hearing of 9 September 2020, the debate was confined to that point.<br />
<br />
<br />
3. Legal framework for the limited debate.<br />
<br />
3.1.<br />
<br />
Article 108 of the Law of 3 December 2017 establishing the Data Protection Authority<br />
(hereinafter "WOG") reads as follows:<br />
<br />
"§ 1 The Litigation Chamber shall inform the parties of its decision and of the possibility to<br />
appeal to the Market Court within a period of thirty days from [...] the notification.<br />
<br />
Unless otherwise provided by law or unless the Litigation Chamber decides otherwise by a<br />
specially reasoned decision, the decision is provisionally enforceable notwithstanding appeal.<br />
<br />
The decision to delete data in accordance with Article 100 § 1, 10°, is not provisionally<br />
enforceable.<br />
<br />
§ 2 Appeals against decisions of the Litigation Chamber under Articles 71 and 90 lie to the<br />
Market Court, which deals with the case as in interlocutory proceedings pursuant to Articles 1035<br />
to 1038, 1040 and 1041 of the Judicial Code".<br />
<br />
The provisional enforceability of decisions of the GBA's Litigation Chamber thus applies<br />
ipso jure, which does not mean that the court cannot reverse it in the context of an effective<br />
remedy (see below).<br />
<br />
3.2.<br />
<br />
Article 1066, paragraph 2, 6° Ger. W. states that cases requiring only brief debates shall be<br />
retained and pleaded at the introductory hearing, or otherwise within a maximum of three months and, if<br />
necessary, at an afternoon session, and that this applies to a challenge against a decision<br />
whose provisional enforcement without security or deposit has been authorised, or<br />
whose provisional enforcement has been expressly authorised or refused, on the<br />
understanding that, for the time being, the debates are confined to those particular modalities.<br />
<br />
This article is not relevant because the Market Court deals with all appeals as in<br />
interlocutory proceedings.<br />
<br />
3.3.<br />
<br />
Article 1402 Ger. W., which states that "Without prejudice to the application of Article 1066, second paragraph, 6°,<br />
the courts of appeal may in no case prohibit or suspend the enforcement of judgments,<br />
on pain of nullity", is also irrelevant.<br />
<br />
The Market Court does not rule as an appellate court of the judiciary.<br />
<br />
The appeal which, under Article 108 of the WOG, may be brought before the Market Court is a<br />
single-instance remedy, based on Article 47 of the EU Charter of Fundamental Rights (HGEU), against an administrative decision.<br />
<br />
3.4.<br />
<br />
The provision of Article 19, paragraph 3 Ger. W., according to which "Before ruling on the merits, the judge may,<br />
at any stage of the proceedings, [...] provisionally settle the situation of the parties [...]", is<br />
not appropriate where the Market Court assesses the appeals brought before it with full jurisdiction<br />
within a relatively short period of time.<br />
<br />
The rules of the Ger. W. aim to ensure that justice is administered in such a way that a<br />
judicial decision can be given within a reasonable time, while<br />
all guarantees protecting the rights of the defence are continuously safeguarded.<br />
To achieve this objective it is decisive that the protective rules sensu lato of the<br />
Ger. W. are used loyally and are not diverted from the purpose for which they were laid down.<br />
From this point of view, Article 19 Ger. W. cannot serve to bypass the formal framework of the 'normal'<br />
procedures. It cannot be used to circumvent the procedural rules in order to conduct disguised<br />
proceedings on the merits before the court on the pretext of a provisional<br />
measure within the meaning of Article 19 Ger. W.<br />
<br />
In that sense this article should be used very cautiously, and in the present case it is not appropriate to use it.<br />
<br />
<br />
4. The facts.<br />
<br />
The Market Court refers to the exposition of the facts as set out in the<br />
application by PROXIMUS NV and in the first submissions of the GBA.<br />
<br />
The examination of the facts of the case is not relevant to the assessment of whether or not the<br />
provisional enforceability (which Article 108 § 1 of the WOG lays down as a legal principle) must<br />
be maintained where an applicant brings an appeal before the Market Court on the ground that its<br />
rights (may) have been violated.<br />
<br />
5. The assessment: suspension of the provisional enforceability of the contested decision.<br />
<br />
5.1.<br />
<br />
The GBA argues (point 15 in fine):<br />
<br />
"After all, Proximus was, and is, free to challenge this decision within the framework of Art.<br />
108 §1 of the WOG and, within that framework, to claim interim measures pursuant to<br />
Article 19, paragraph 3 Ger.W. if it so wishes, which it has done, as evidenced by the present<br />
appeal. The question whether the interim measures requested by Proximus should be<br />
granted does not, however, affect the regularity of the contested decision, but<br />
relates to the (lack of) merit of the present claim under Article 19, paragraph 3<br />
Ger.W. It is for the Court to rule on this question now, taking due account (i)<br />
of the evidence provided or not by Proximus in support of the need for the<br />
requested suspension, (ii) of the balancing of interests between the parties, and (iii) of the fact that<br />
exceptions to the principle laid down in Article 108 § 1, paragraph 2 of the WOG must be<br />
interpreted restrictively."<br />
<br />
<br />
5.2.<br />
<br />
PROXIMUS NV states:<br />
<br />
The contested decision infringes the (Basic) Law, Proximus' rights of defence,<br />
European law and the principles of good administration. It also has irreversible consequences<br />
for Proximus.<br />
<br />
and further:<br />
<br />
40. In its response of 1 July 2020 to the proposed fine, Proximus requested the<br />
Litigation Chamber to "order that this decision shall not be provisionally enforceable, or at least<br />
that an appeal against the decision has a suspensive effect on enforcement", and referred<br />
to Article 108, § 1, paragraph 2 of the GBA Act. It also explained why provisional<br />
enforceability would be problematic in the present case, in particular because the alleged infringements "are structural in nature,<br />
relate to the way in which the whole sector has developed and to the fact that Proximus<br />
has played a special role to date".<br />
<br />
41. However, the contested decision makes no reference to provisional enforceability. Not only<br />
does this violate Article 102 of the GBA Act, but the Litigation Chamber thereby also<br />
breaches the principle of due care and the duty to state reasons as principles of good<br />
administration. After all, nowhere in the decision does it appear that the Litigation Chamber examined<br />
or considered suspending the enforceability of the contested decision pending a<br />
decision on appeal before your Court.<br />
<br />
42. On this ground the decision is affected by a legal defect, and insofar as this would not in itself<br />
entail the invalidity of the contested decision (quod non), at least the<br />
enforceability of the contested decision must be suspended immediately.<br />
<br />
5.3.<br />
Insofar as the Market Court, on the basis of Article 6.1 ECHR and Union law, in particular Article<br />
47 of the Charter (HGEU), must ensure an effective remedy, and an effective remedy only makes sense<br />
where the applicant is not 'put under pressure' by the provisional enforceability of the GBA's<br />
decision, the Court has full jurisdiction to suspend provisional enforceability.<br />
<br />
Article 78(1) GDPR¹ provides:<br />
<br />
"Art. 78 Right to an effective judicial remedy against a supervisory authority.<br />
1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person<br />
shall have the right to an effective judicial remedy against a legally binding decision of a<br />
supervisory authority concerning them.<br />
2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall<br />
have the right to an effective judicial remedy where the supervisory authority which is<br />
competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the<br />
data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.<br />
3. Proceedings against a supervisory authority shall be brought before the courts of the<br />
Member State where the supervisory authority is established.<br />
4. Where proceedings are brought against a decision of a supervisory authority which was<br />
preceded by an opinion or a decision of the Board in the consistency mechanism, the<br />
supervisory authority shall forward that opinion or decision to the court."<br />
<br />
Point (143) of the preamble states:<br />
<br />
"(143) [...] Without prejudice to this right under Article 263 TFEU, each natural or legal person should<br />
have an effective judicial remedy before the competent national court against a decision of a<br />
supervisory authority which produces legal effects concerning that person. Such a decision<br />
concerns in particular the exercise of investigative, corrective and authorisation powers<br />
by the supervisory authority or the dismissal or rejection of complaints. [...]"<br />
<br />
<br />
5.4.<br />
Article 66 GDPR² provides for an urgency procedure in case urgent measures need to be<br />
taken. From this (and from the fact that under Articles 61 and 62 GDPR the<br />
supervisory authorities may also take a provisional measure in the territory of the Member State<br />
for which they are responsible) it follows that it was not the intention of the European legislator to<br />
make decisions of the Litigation Chamber of a Member State's authority provisionally<br />
enforceable.<br />
<br />
¹ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the<br />
protection of natural persons with regard to the processing of personal data and on<br />
the free movement of such data, and repealing Directive 95/46/EC (General Data<br />
Protection Regulation)<br />
<br />
² "In exceptional circumstances, where a supervisory authority concerned considers that<br />
there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of<br />
derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60,<br />
immediately adopt provisional measures intended to produce legal effects on its own territory with a<br />
specified period of validity which shall not exceed three months".<br />
<br />
<br />
Since the (ordinary administrative) appeal against a decision of an<br />
administrative court (which the GBA is not!) is suspensive, the citizen (sensu<br />
lato: both natural and legal persons) who feels aggrieved by a decision of the<br />
GBA's Litigation Chamber is entitled to ask the Market Court, in limine litis, to suspend the<br />
provisional enforceability provided for by the WOG.<br />
<br />
5.5.<br />
"Provisional enforceability by operation of law" is defensible when the appeal is an "ordinary<br />
appeal", where the case is re-examined in fact and in law from the outset, this time<br />
by another judge of the judiciary. In that case the rules on appointment and the rules<br />
on independence and impartiality of the first judge and of the appellate judge are the same.<br />
<br />
This is not the case for a remedy before a court of the judiciary (in this case the<br />
Market Court) which has to rule on a decision taken by a body of an<br />
administrative authority whose members are appointed by majority vote in the<br />
Chamber of Representatives.<br />
<br />
5.6.<br />
<br />
Since the Market Court assesses the merits of an administrative decision not only for<br />
compliance with the rules of the relevant legislation, but also with<br />
the rules of good administration sensu lato and respect for fundamental rights<br />
sensu lato, and always gives its ruling within a very reasonable period of time in accordance with the<br />
principles of justice 'as in interlocutory proceedings', it is for the Court, where the applicant so requests, to<br />
grant, where appropriate, a stay of provisional enforcement until such time as the Court<br />
has ruled on the merits of the appeal itself.<br />
<br />
An appeal against an administrative decision can only be effective if<br />
the applicant is not put under pressure to pay a fine immediately and/or to comply immediately<br />
with the operative part of the contested decision.<br />
<br />
5.7.<br />
The Market Court finds in this regard that PROXIMUS NV is correct in asserting that the contested<br />
decision did not reply in a reasoned manner to the plea relied on to derogate from the automatic rule of Article<br />
108 § 1 of the WOG, and that the decision is therefore, on that ground alone,<br />
already affected by the illegality of an inadequate statement of reasons.<br />
<br />
PROXIMUS NV had, in its reply on the "form for responding to the proposed<br />
fine" (document 3 GBA - point 3, page 6), requested that the decision be declared not provisionally<br />
enforceable and that the appeal against it have suspensive effect.<br />
<br />
Whether a document submitted to the GBA's Litigation Chamber by a party is called a<br />
'conclusion', 'statement', 'letter' or anything else is not relevant to the<br />
obligation of the GBA's Litigation Chamber to reply to the content of that written<br />
document. Whereas a 'conclusion' is the means of expression of a party in proceedings before the courts and<br />
tribunals, this does not apply to a dispute-settlement body of an administrative<br />
authority. The legislator has not imposed strict procedural rules, which means that any<br />
written submission filed in due time with the GBA's Litigation Chamber must<br />
be assessed and answered.<br />
<br />
Since the GBA's Litigation Chamber sends the party on whom it wishes to impose a sanction<br />
an ad hoc document asking for a reply, it follows that the<br />
GBA's Litigation Chamber, in order to respect the rules of good administration sensu lato<br />
(including the obligation to state reasons), must reply in its decision to the party's comments in that<br />
reply document.<br />
<br />
If the GBA's Litigation Chamber limits itself - as regards the reasons for its decision - to<br />
answering what is contained in a formal "conclusion", without taking into account<br />
all other written submissions and documents filed in good time, it infringes the obligation to state reasons.<br />
<br />
Moreover, it appears that the GBA's Litigation Chamber is well aware of this,<br />
given that, for example, paragraph 70 of the contested decision does<br />
respond to a comment made by PROXIMUS NV in the aforementioned<br />
reply form. It is not compatible with the rule of law that the GBA's Litigation Chamber could<br />
'choose' which arguments it answers and which it does not.<br />
<br />
Judging otherwise would mean that the GBA's Litigation Chamber could<br />
request comments from the parties and then disregard them, which is in itself<br />
an instance of maladministration.<br />
<br />
5.8.<br />
The GBA's Litigation Chamber has violated the obligation to state reasons (by analogy with Articles 2 and 3<br />
of the Law of 29 July 1991 on the express statement of reasons for administrative acts).<br />
<br />
6. Decision.<br />
<br />
Before ruling on the merits of the appeal brought by PROXIMUS NV, the provisional<br />
enforceability of the contested decision is suspended until the Market Court<br />
has ruled on the merits of the case.<br />
<br />
Any enforcement that has already taken place must be reversed immediately.<br />
<br />
FOR THESE REASONS,<br />
<br />
THE COURT,<br />
<br />
Ruling in adversarial proceedings;<br />
<br />
Having regard to Article 24 of the Law of 15 June 1935 on the use of languages in judicial matters;<br />
<br />
Only in respect of the claim for suspension of provisional enforceability;<br />
<br />
Declares this part of the claim admissible and well founded;<br />
<br />
Orders the suspension of the provisional enforceability of decision No 42/2020 of the Litigation Chamber<br />
of the Data Protection Authority of 30 June 2020 until the Court<br />
has ruled on the merits;<br />
<br />
Holds that any enforcement measures already taken must be reversed<br />
immediately;<br />
<br />
Adjourns the case for the rest;<br />
<br />
Sets the calendar for submissions as follows:<br />
<br />
- GBA: no later than 21 October 2020;<br />
- NV Proximus: no later than 2 December 2020;<br />
- GBA: no later than 13 January 2021;<br />
and sets the case down for hearing on the merits at the hearing of 27 January 2021 at 2 p.m.,<br />
for joint pleadings of 180 minutes.<br />
<br />
This judgment was delivered at the public civil hearing of the Market Court - Chamber<br />
19A of the Brussels Court of Appeal on 16 September 2020 by:<br />
<br />
M. BOSMANS, Presiding Judge<br />
A-M. WITTERS, Judge (Raadsheer)<br />
O. DUGARDYN, Substitute Judge<br />
A. DECLERCK, Registrar<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Rb._Noord-Holland_-_AWB-20_2618&diff=12131
Rb. Noord-Holland - AWB-20 2618
2020-11-10T15:04:56Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Netherlands<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Rb. Noord-Holland<br />
|Court_With_Country=Rb. Noord-Holland (Netherlands)<br />
<br />
|Case_Number_Name=AWB-20_2618<br />
|ECLI=ECLI:NL:RBNHO:2020:8440<br />
<br />
|Original_Source_Name_1=Rechtspraak.nl<br />
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBNHO:2020:8440&showbutton=true&keyword=AVG<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
<br />
|Date_Decided=27.10.2020<br />
|Date_Published=02.11.2020<br />
|Year=2020<br />
<br />
<br />
|EU_Law_Name_1=Article 8 ECHR<br />
|EU_Law_Link_1=https://www.coe.int/fr/web/conventions/full-list/-/conventions/treaty/005<br />
<br />
<br />
|Party_Name_1=Tax and Customs Administration<br />
|Party_Link_1=https://www.belastingdienst.nl/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The way in which the Dutch Tax and Customs Administration has organised its proceedings does not constitute a breach of Article 8 ECHR, as the interference with the individual's right to privacy satisfies the requirements of Article 8(2).<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The plaintiff received a tax assessment from the Dutch Tax and Customs Administration (i.e. a letter stating how much tax she has to pay). She did not agree with its content and therefore submitted an objection. The Tax and Customs Administration rejected the objection and maintained the assessment and the tax decision, so the plaintiff filed an appeal. <br />
<br />
One of the grounds of appeal raised by the plaintiff was that her privacy (as protected by the GDPR and by Article 8 of the European Convention on Human Rights) had been violated. Different stages of the tax levy and objection processes had been assigned to different organisational units established in different locations, which gave the plaintiff the unpleasant feeling that her details were everywhere. As a result, a relatively large number of people needed access to her information.<br />
<br />
===Dispute===<br />
Does the way the tax levy and objection processes of the Dutch Tax and Customs Administration have been designed violate the plaintiff's privacy?<br />
<br />
===Holding===<br />
In the District Court's opinion, the tax levy and objection processes constitute in themselves an interference by the public authorities with an individual's right to privacy. After all, the Tax and Customs Administration collects and stores large amounts of information of a private nature in that context. The interference is reinforced by the fact that various stages of the tax levy and objection processes were assigned to different organisational units.<br />
<br />
However, not all interference with an individual's right to privacy constitutes a breach of Article 8 of the ECHR. This is not the case if the interference is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. (Article 8(2) of the ECHR).<br />
<br />
According to the Court, <br />
<br />
(1) The way in which the Tax and Customs Administration has organised its proceedings (assigning different stages of the tax levy and objection processes to different organisational units established in different locations) is regulated by the law (Article 3 of the Tax and Customs Administration Implementation Regulations 2003). It therefore meets the requirement of a legal basis. <br />
<br />
(2) This type of organisation was prompted by the desire to shape the activities of the Tax and Customs Administration as efficiently as possible and enable greater flexibility. This makes the measure necessary in a democratic society in the interest of the economic well-being of the country. <br />
<br />
In view of the foregoing, the Court concluded that the plaintiff's right to privacy has not been violated and the appeal was dismissed as unfounded.<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
Ruling<br />
<br />
North-Holland District Court<br />
Place of session Haarlem<br />
Administrative law<br />
Case number: HAA 20/2618<br />
judgment of the single chamber of 27 October 2020 in the case between<br />
drs. [X] , residing at [Z] , plaintiff,<br />
and<br />
the inspector of the Belastingdienst/Particulieren, Amsterdam office, defendant.<br />
Course of the proceedings<br />
The plaintiff lodged a complaint with the defendant. Since the defendant did not take a decision on the matter, the claimant served him with a notice of default and subsequently brought an action for failure to take a decision in time.<br />
The plaintiff also gave notice of default to the defendant for failing to impose an income tax and national insurance contributions (IB/PVV) assessment for the year 2018 in time. She also brought an action in that regard.<br />
The defendant subsequently imposed on the claimant an IB/PVV assessment for the year 2018, calculated on the basis of a taxable income from work and home of € 15,025. In doing so, he issued an order in respect of tax interest, in which an amount of € 3 was paid in tax interest. The claimant lodged both an objection and an appeal against this assessment and the interest decision.<br />
By ruling on the objection, the defendant has maintained the assessment and the decision on tax interest. The plaintiff has also lodged an appeal.<br />
The defendant submitted a statement of defence.<br />
The claimant submitted further documents before the hearing. Copies of these documents were provided to the defendant.<br />
The investigation at the hearing took place on 5 August 2020 in Haarlem.<br />
The claimant appeared. The defendant was represented by [A] and mr. [B] .<br />
Considerations<br />
Facts<br />
1. The plaintiff was born on [...] .<br />
<br />
2. The claimant's income in the year 2018 consisted of a payment under the Participation Act in the amount of € 15,229.<br />
<br />
3. By letter of 17 December 2018, the claimant submitted a request for data erasure to the defendant under the General Data Protection Regulation (AVG). An appeal is currently pending before the District Court of Amsterdam.<br />
<br />
4. On 29 March 2019, the claimant's IB/PVV return for the year 2018 was received by the defendant.<br />
<br />
5. By letter dated 29 October 2019, the defendant requested additional information from the claimant following her IB/PVV declaration for the year 2018. The claimant provided this information by letter of 6 November 2019.<br />
<br />
6. On 6 November 2019, the plaintiff also served notice of default on the defendant for failing to rule on a complaint filed by the plaintiff on 30 September 2019 at the offices of the Tax and Customs Administration, Amsterdam.<br />
<br />
7. By letter dated 8 November 2019, the defendant informed the plaintiff that its notice of default does not relate to an application within the meaning of Article 1:3 of the General Administrative Law Act (Algemene wet bestuursrecht, Awb), so that it is not entitled to assess the right to a penalty payment. According to the letter, this notification is not subject to objection or appeal.<br />
<br />
8. By letter of 11 November 2019, the defendant informed the claimant of its intention to derogate from its IB/PVV declaration for the year 2018.<br />
<br />
9. By letter dated 20 November 2019, the plaintiff responded to the defendant's intention and asked him to issue a provisional judgment in accordance with her declaration.<br />
<br />
10. By letter of 29 November 2019, the claimant responded to the defendant's letter of 8 November 2019. The subject matter of this letter is mentioned: "Your letter dated 8 Nov 2019 regarding IGS. Objection".<br />
<br />
11. On 5 December 2019, the defendant announced that it would impose the IB/PVV assessment for the year 2018 in accordance with its letter of 11 November 2019.<br />
<br />
12. By letter of 9 December 2019, the plaintiff lodged an appeal with the District Court of Amsterdam against the defendant's refusal to make a (correct) decision. The Court of Amsterdam registered this appeal under case number AMS 19/6551 and requested plaintiff by letter of 10 December 2019 to send a copy of the notice of default. By letter of 18 December 2019, the plaintiff sent the notice of default of 6 November 2019 and the letter of the defendant of 8 November 2019 to the Court of Amsterdam.<br />
<br />
13. By letter of 8 December 2019, received by the defendant on 12 December 2019, the plaintiff objected to the letter of 5 December 2019. The defendant interpreted this letter as an objection to the IB/PVV assessment still to be imposed for the year 2018, and maintained the processing of the objection.<br />
<br />
14. By letter of 20 January 2020, the plaintiff served notice of default on the defendant on the ground that it had not yet issued the IB/PVV assessment for the year 2018 and had failed to rule on the objection of 8 December 2019.<br />
<br />
15. On 22 January 2020, the District Court of Amsterdam forwarded the appeal which it had registered under case number AMS 19/6551 to the District Court because it considered that it lacked jurisdiction. The court registered this case under case number HAA 20/2618.<br />
<br />
16. By letter of 23 January 2020, the defendant informed the claimant that its notice of default of 20 January 2020 does not relate to an application within the meaning of Article 1:3 of the General Administrative Law Act (Awb), because filing a declaration is not an application. As a result, he is not entitled to assess the right to a penalty payment. According to the letter, this notification is not subject to objection or appeal.<br />
<br />
17. By letter of 2 February 2020, the claimant brought a 'direct action' before the court 'concerning IB 2018', complaining, inter alia, that the defendant had not issued an IB/PVV assessment for the year 2018. The claimant also referred to the letter of formal notice of 20 January 2020. The Court included this letter in the case file number HAA 20/2618.<br />
<br />
18. On 5 March 2020, the defendant imposed on the claimant the assessment IB/PVV for the year 2018. This assessment includes a refund of € 79 (including tax interest to be reimbursed).<br />
<br />
19. By letter of 5 March 2020, the claimant lodged an appeal against this assessment with the court. The Court also included this letter in the case file with number HAA 20/2618.<br />
<br />
20. On 12 March 2020, the defendant asked the plaintiff to state the reasons for her objection of 12 December 2019. By letter of 15 March 2020, the claimant responded and asked the defendant to agree to a direct appeal.<br />
<br />
21. On 27 March 2020, the defendant gave its decision on the objection of 12 December 2019.<br />
<br />
22. By letter of 6 April 2020, received at the Court on 7 April 2020, the plaintiff supplemented her appeal in the case with number HAA 20/2618, commenting, inter alia, on the judgment on the objection.<br />
<br />
Admissibility of the action<br />
23. Before assessing the points of contention between the parties, the court will assess the admissibility of the appeal ex officio.<br />
<br />
24. From the plaintiff's letters received by the court, the court concludes that the plaintiff appeals against the following decisions of the defendant:<br />
<br />
- The absence of a decision on the claimant's complaint lodged with the defendant on (Default notice from plaintiff dated 6 November 2019);<br />
- The non-imposition of the IB/PVV assessment for the year 2018 (plaintiff's formal notice of 20 January 2020);<br />
- The failure to rule on the objection of 8 December 2019 (plaintiff's formal notice of 20 January 2020);<br />
- The IB/PVV assessment imposed on the claimant by the defendant for the year 2018, dated 5 March 2020;<br />
- The defendant's decision on the objection, dated 27 March 2020.<br />
25. The Court considers as follows in this respect.<br />
<br />
No appeal may be lodged against a decision on the handling of a complaint about the conduct of an administrative body on the basis of Article 9:3 of the General Administrative Law Act (Awb). Since failure to take a decision in time pursuant to Section 6:2(1)(b) of the General Administrative Law Act is equated with a decision, no appeal may be lodged against it either. Insofar as the appeal is directed against the failure to reach a decision on the claimant's complaint, the appeal is therefore inadmissible. For reasons of procedural economy, the court will pronounce the declaration of inadmissibility itself.<br />
An assessment, although not a decision on application, is considered a decision within the meaning of Section 6:2, first paragraph, opening words and letter b, of the Awb, so that the absence of such an assessment is assimilated to a decision against which, pursuant to Section 8:1 of the Awb read in conjunction with Section 26 of the Algemene Wet inzake rijksbelastingen (AWR), an appeal may be lodged with the administrative court (see the judgment of the Supreme Court of 24 June 2011, ECLI:NL:HR:2011:BP8929). Pursuant to Section 7:1(1)(f) of the General Administrative Law Act (Awb), it is not necessary to first go through the objection procedure in such a case. In the plaintiff's letter of 2 February 2020, the court reads an appeal against the lack of assessment IB/PVV for the year 2018. However, it follows from the aforementioned judgment of the Supreme Court that such an appeal is inadmissible if the appeal is filed before the administrative body is in default. In a case such as the present, this is not the case if the assessment has been issued before the expiry of the statutory period prescribed in article 11, paragraph 3 of the AWR. As will be considered below, the assessment IB/PVV for the year 2018 has in fact been issued within that period in respect of the claimant. This means that the appeal is also inadmissible to that extent.<br />
The same applies to the appeal against the absence of a decision on an objection relating to the IB/PVV assessment for the year 2018 and the accompanying interest decision. As will be considered below, the defendant did not exceed the time-limit for lodging an appeal and was therefore not at fault. The action is therefore also inadmissible to that extent.<br />
It follows from the foregoing that, in principle, an appeal is possible in respect of the IB/PVV assessment imposed on the claimant for the year 2018, dated 5 March 2020, and the accompanying decision concerning tax interest. However, the person granted the right to lodge an appeal with an administrative court must lodge an objection before lodging an appeal (Article 7:1(1) of the General Administrative Law Act). To the extent that the claimant wished to lodge a direct appeal against the assessment and the decision on tax interest, her appeal is therefore inadmissible.<br />
However, the appeal is admissible to the extent that the claimant has lodged an appeal against the decision on the objection of 27 March 2020, which relates to the aforementioned assessment and order. The Court reads such an appeal in the plaintiff's letter of 6 April 2020, which is also directed against the judgment on objection.<br />
26. The foregoing means that the appeal is only admissible to the extent that it is directed against the judgment on objection relating to that IB/PVV assessment for the year 2018 and the decision on tax interest thereon.<br />
<br />
Dispute<br />
27. In dispute is the answer to the following questions:<br />
- Was the assessment imposed in good time?<br />
- Did the defendant decide on the claimant's objection in due time?<br />
- Is there a right to deduct costs related to legal proceedings?<br />
- Is there a right to deduct specific healthcare costs?<br />
- If the costs relating to legal proceedings and healthcare costs are not deducted from Box 1 income, can they be taken into account as debts in Box 3?<br />
- Has the defendant violated the plaintiff's privacy?<br />
- Has the defendant compiled the file correctly?<br />
- Has the defendant infringed the general principles of good administration?<br />
Assessment of the dispute<br />
Assessment imposed in good time?<br />
28. The plaintiff takes the view that the assessment was issued too late.<br />
<br />
29. The defendant takes the view that the assessment was imposed within the period allowed for its imposition.<br />
<br />
30. Article 11(3) of the AWR stipulates that the power to determine the tax assessment lapses three years after the time at which the tax debt has arisen. Pursuant to Section 11, paragraph 4, of the AWR, an income tax liability arises at the time when the period for which the tax is levied ends.<br />
<br />
31. The period of taxation in this case is the tax year 2018. This period shall end on 31 December 2018. This means that the defendant had the power to issue an assessment until 31 December 2021. The assessment was dated 5 March 2020 and in these proceedings it was neither stated nor revealed that the assessment was not notified to the claimant until after that date. The District Court is therefore of the opinion that the assessment was issued on time.<br />
<br />
A timely decision on an objection?<br />
32. The plaintiff argues that there was no decision on the objection. Therefore, the appeal of 2 February 2020 concerns the failure to issue a decision.<br />
<br />
33. The defendant takes the view that the objection could only be dealt with after the assessment had been imposed. That was done on 5 March 2020. The decision on the objection was rendered on 27 March 2020 and is therefore timely.<br />
<br />
34. The court first of all holds that in her letter of 2 February 2020, the plaintiff appeals against the failure to rule on her objection to the defendant's letter of 5 December 2019. As considered above, her appeal is inadmissible to that extent.<br />
<br />
35. To the extent that the plaintiff wishes to argue that the contested judgment on the objection of 27 March 2020 was not rendered in time, the court will consider as follows. Pursuant to Section 7:10(1) of the General Administrative Law Act (Awb), an administrative body must decide in a case such as the present within six weeks, counting from the day after the day on which the period for lodging the notice of objection has expired. Pursuant to Section 22j of the AWR, this period commences with the date of the assessment (5 March 2020) and not with the receipt of the notice of objection on 12 December 2019. In view of the above, the period expired on 16 April 2020, so that the decision on the objection was made within the deadline.<br />
<br />
Costs of legal proceedings<br />
36. In her IB/PVV return for the year 2018, the claimant deducted an amount of € 1,323 in legal costs. These costs have been classified in the declarations under the deductible costs of periodic benefits. The claimant is of the opinion that these costs reduce her ability to pay and should therefore be deducted.<br />
<br />
37. The defendant did not allow this amount to be deducted. He disputes that the costs were incurred to acquire, collect and maintain the distribution pursuant to the Participation Act.<br />
<br />
38. The plaintiff is right to point out that income tax is intended by the legislator as a tax levied according to ability to pay (see, for example, Parliamentary Papers II 1998/99, 26 727, no. 3, pp. 4-7). However, this intention of the legislator does not in itself mean that the claimant is entitled to deduct costs which reduce her ability to pay. Various provisions of the Wet inkomstenbelasting 2001 (Income Tax Act 2001) (including the personal deductions to which the claimant is entitled) take account of certain limitations on capacity. It is up to the legislator to determine which limitations are taken into account and which are not. The legislator's decision not to make a statutory provision for the type of costs the plaintiff faces cannot in principle be called into question in court, because the court may under no circumstances assess the inner value or fairness of the law (Article 11 of the General Provisions Act). Nor is the judge free, in the given constitutional relations, to assess the law against the general principles of law, should the principle of force majeure already be taken into account (cf. the judgment of the Supreme Court of 14 April 1989, ECLI:NL:HR:1989:AD5725).<br />
<br />
39. The claimant has entered the legal costs incurred in her tax return in the field of deductible expenses in respect of periodic benefits. This field relates to the costs that are charged on benefits and benefits in kind in so far as they have been incurred for the acquisition, collection and maintenance of those benefits and benefits in kind (Article 3.108 of the Wet IB 2001). In order to be able to deduct such costs, the claimant must demonstrate that she has incurred the costs of acquiring, collecting and maintaining her benefits. In the opinion of the court, she has failed to do so in the face of the substantiated dispute by the defendant. The court can in fact deduce from the documents of the proceedings what kind of costs are involved (court registry costs, travel expenses, registered letters, postage stamps, etc.), but not to what extent these costs were incurred for proceedings to acquire, collect and maintain the benefit under the Participation Act. The court understands from the plaintiff's documents that these are not only proceedings relating to a benefit, but also, for example, proceedings in the field of taxes, care allowance and youth care. However, the court cannot deduce from the documents what part of the costs relate to the proceedings in relation to a benefit.<br />
<br />
40. The court therefore concludes that the costs incurred by the plaintiff in the year 2018 for the various legal proceedings are not deductible.<br />
<br />
Specific healthcare costs<br />
41. In the claimant's IB/PVV return for the year 2018 an amount of € 1,669 in specific healthcare costs was deducted. According to the claimant, these costs were incurred on a physician's prescription. According to the claimant, in view of her income and ability to pay, it would not be balanced to exclude the costs from deduction. She argues that if she did not pay those costs, she would be left out in the cold.<br />
<br />
42. The defendant takes the view that it has correctly established the deduction in respect of specific healthcare costs. According to the defendant, a collection premium (€ 583.37) and expenses for proceedings at Stichting Klachten en Geschillen Zorgverzekeringen (€ 56.20) do not constitute healthcare costs. For the other costs the defendant has eliminated payment costs and excess. Only the uninsured dental costs to the amount of € 454.56 will then remain. To these costs the defendant applies a threshold of € 251. This leaves a deductible amount of € 204.<br />
<br />
43. Factors reducing ability to pay, as considered above, can only be taken into account in determining the assessment if there is a legal basis for doing so. In the case of healthcare costs, this basis can be found in Article 6.1, second paragraph, opening words and letter d, read in conjunction with Article 6.17 of the Personal Income Tax Act 2001. In the case of the claimant, pursuant to Article 6.20, first paragraph, opening words and letter b, of the Personal Income Tax Act 2001, these costs will only be taken into account to the extent that, after application of the increase pursuant to Article 6.19 of the Personal Income Tax Act 2001, they together exceed 1.65% of the aggregate income before application of the personal deduction. For the plaintiff in 2018 this threshold amounts to € 15,229 * 1.65% = € 251.<br />
<br />
44. The Court is of the opinion that the costs which - as far as the parties are not in dispute - fall under the policy excess and the collection costs charged by the healthcare insurer do not constitute specific healthcare costs within the meaning of Article 6.17 of the Wet IB 2001. Premiums for healthcare insurance and payments to the healthcare insurer pursuant to the policy excess do not constitute specific healthcare costs within the meaning of Article 6.18(1) of the Wet IB 2001 (Income Tax Act 2001). The same applies, in the District Court's opinion, to collection costs in respect of such payment obligations to the healthcare insurer, to the extent that collection costs can be regarded as expenditure incurred due to sickness or invalidity at all (as required by Article 6.17(1) of the Wet IB 2001).<br />
<br />
45. In the opinion of the court, costs for a procedure before a Disputes Committee fall outside the enumeration of Article 6.17(1) of the Personal Income Tax Act 2001 and are therefore not eligible for deduction as specific healthcare costs.<br />
<br />
46. In view of the foregoing, the court is of the opinion that the defendant was right to set the deductible specific healthcare costs for the year 2018 at € 204.<br />
<br />
Box 3<br />
47. The claimant has entered debts in box 3 in her declaration. This was wrongly not taken into account, according to the claimant. She further argues that if the costs of legal proceedings and medical expenses are not deducted in box 1, they must be taken into account as debts in box 3.<br />
<br />
48. The defendant takes the view that the box 3 power cannot be negative. Since the claimant has no assets in box 3, it is irrelevant, in the defendant's view, whether debts in box 3 should be taken into account.<br />
<br />
49. It is correct in itself that amounts owed by the claimant on 1 January 2018 which are not taken into account in box 1 or box 2 are deductible in box 3. To this end, Article 5.3(1) of the Personal Income Tax Act 2001 stipulates that the basis of return for box 3 consists of the value of the assets less the value of the debts. Article 5.2, first paragraph, of the Personal Income Tax Act 2001 stipulates that the joint basis of savings and investments is equal to the joint basis of return at the beginning of the calendar year (reference date) of the taxpayer and its partner insofar as this joint basis of return exceeds the tax-free assets of the taxpayer and its partner.<br />
<br />
50. However, these provisions also show that tax is only levied in Box 3 if the balance of assets and liabilities exceeds the tax-exempt assets. Since there is no dispute between the parties that, on 1 January 2018, the plaintiff had no assets worth more than the tax-exempt assets (€30,000) and that the plaintiff was not subject to box 3 tax in these years, the deduction of debts in box 3 cannot lead to an amendment of the contested decisions for the plaintiff. Therefore, the court is not entitled to adjudicate on those debts.<br />
<br />
Privacy<br />
51. The plaintiff complains that her privacy has been violated. She received the request to file a complaint from Breda and the provisional assessment from Doetinchem. She stated that she had to correspond with the defendant on five to nine different veins. This gives the plaintiff an unpleasant feeling, because she gets the idea that her details are everywhere. For this reason she also started AVG proceedings against the defendant. The claimant concludes that the invasion of her privacy must lead to the annulment of the assessments.<br />
<br />
52. The defendant refers in this respect to the AVG proceedings pending before the District Court of Amsterdam and disputes that a possible invasion of privacy could lead to the annulment of the assessments, because there is no legal basis for this.<br />
<br />
53. The court interprets the plaintiff's argument as an appeal to the right to respect for privacy, as enshrined in Article 10 of the Constitution (Gw) and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). The court thus understands the claimant's argument as meaning that she does not so much object to the levying of income tax per se, but rather to the way in which the levy and objection processes at the Tax and Customs Administration have been designed, and in particular to the fact that different stages of these processes have been assigned to different organisational units established in different locations.<br />
<br />
54. In the opinion of the court, the levying of the current Dutch income tax constitutes in itself an interference by the public authorities with privacy. After all, the defendant collects and stores large amounts of information of a private nature in that context. Moreover, the interference is reinforced by the fact that the defendant has assigned various stages of the levy and objection processes to different organisational units of the Tax and Customs Administration. As a result, a relatively large number of different officials need access to the information of a private nature referred to above. In this case, as far as the court has been able to establish, the plaintiff has received mail from the Tax and Customs Administration/Particulieren, the Amsterdam office, the Tax and Customs Administration/Particulieren, Team IGS office Arnhem and the Tax and Customs Administration, Heerlen office (apparently the organisational unit Central Administrative Processes). In view of the claimant's argument, the District Court will only deal with the latter aspect of the interference.<br />
<br />
55. Not all interference with privacy constitutes a violation of Article 10 of the Constitution and Article 8 of the ECHR. This is not the case if the interference is provided for by law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, the prevention of disorder and crime, the protection of health or morals or the protection of the rights and freedoms of others (Article 8(2) of the ECHR).<br />
<br />
56. In the opinion of the court, the way in which the Tax and Customs Administration has organised its proceedings is laid down by law. Article 3(2) of the AWR states that ministerial regulations shall lay down rules on the main lines of the organisation of the National Tax Administration and on the inspector under whom a taxpayer falls. The subdivision of the Tax and Customs Administration into the various organisational divisions with which the claimant has corresponded is regulated in Article 3 of the Tax and Customs Administration Implementation Regulations 2003. The inspector to which the claimant belongs is laid down in Article 11(1) of the Tax and Customs Administration Implementation Regulation 2003. It does not follow from these regulations that the Tax and Customs Administration/Particulieren organisational unit has a centralised default notice team in Arnhem. As the establishment of the Tax and Customs Administration/Particulieren organisational unit is provided for by law itself, the court does not see this as a breach of the requirement of a legal basis.<br />
<br />
57. According to the regulator, the method of organisation described above is motivated by the desire for greater flexibility in the work of the Tax and Customs Administration (see the decree of the State Secretary for Finance of 19 December 2002, no. WDB2002/835 M, Netherlands Government Gazette 2002, 247 / p. 19, p. 5). In this way, the court understands the regulator's intention with the new, partially centralised organisational form of the Tax and Customs Administration to shape the Tax and Customs Administration's work processes as efficiently as possible. This, in the opinion of the court, makes the measure necessary in a democratic society in the interest of the economic well-being of the country. The court therefore concludes that the claimant's right to respect for her privacy has not been violated. It is not for the court to answer the question of how restoration of rights within the meaning of Article 13 of the ECHR should take shape.<br />
<br />
Composition of the dossier<br />
58. The plaintiff has complained about the composition of the file in this case. She feels that this is always going wrong. For example, she does not see her own appeal between the documents accompanying the defence. In addition, the defendant in this case has also referred to proceedings number 19/6551 and has also added documents from those proceedings to the file. This appears to the plaintiff to be a deliberate deception, because that is a completely different procedure. All in all, according to the claimant, the composition of the file is selective.<br />
<br />
59. According to the defendant, the Court of Amsterdam issued the number AMS 19/6551 and the case was then forwarded to the court and registered there under the number HAA 20/2618. The proceedings are therefore the same.<br />
<br />
60. The court states first and foremost that pursuant to Section 8:42(1) of the General Administrative Law Act the defendant must send the documents relating to the case to the court. He has done this in his statement of defence. The court has no reason to assume that the defendant has not sent all documents relating to the case. Nor, in the opinion of the court, does that obligation go so far as to require a defendant administrative body to send an appeal submitted in the proceedings in question to the administrative court. Such a course of affairs would not be efficient, given the circumstance that a defendant administrative body correctly receives the notice of appeal from the administrative court (cf. Section 6:14(2) and Section 8:42(1) of the General Administrative Law Act).<br />
<br />
61. The summary of the facts included at the beginning of this judgment shows that the District Court of Amsterdam forwarded the file with number AMS 19/6551 to the District Court because it considered itself to have no jurisdiction. The District Court registered this file under case number HAA 20/2618. Thus, as the defendant rightly argues, it concerns the same procedure, so that there is no unlawful merging of files.<br />
<br />
General principles<br />
62. The plaintiff has serious suspicions of fraud. The plaintiff has therefore reported the matter to the Public Prosecution Service on several occasions. The plaintiff claims that the principle of the protection of legitimate expectations and other principles of good administration have been infringed. She complains that the defendant's decisions, and in particular his deviation from the declaration, were insufficiently reasoned.<br />
<br />
63. The court emphasises that the trial of criminal offences is not entrusted to the administrative courts. However, in these proceedings, the court may decide whether the defendant has infringed general principles of good administration, including the principle of the protection of legitimate expectations and the duty to state reasons. However, the court has not established what the breaches alleged by the plaintiff consist of, nor has it become plausible that she has been adversely affected by them. The court therefore sees no reason to annul or reduce the contested decisions.<br />
<br />
Conclusion<br />
64. In view of the foregoing, the appeal should be dismissed as unfounded in so far as it is directed against the judgment on the objection of 27 March 2020. For the rest, the appeal should be dismissed as inadmissible.<br />
<br />
Legal costs<br />
65. There are no grounds for an order to pay costs.<br />
<br />
Decision<br />
The court:<br />
- Dismisses the action as unfounded in so far as it is directed against the judgment on appeal of 27 March 2020; and<br />
- dismisses the remainder of the action as inadmissible.<br />
This judgment was delivered by Mr C. Maas, judge, in the presence of Mr M. van Doesburg, registrar. The judgment was rendered on 27 October 2020. As a result of measures surrounding the coronavirus, this decision was not pronounced at a public verdict hearing. As soon as public pronouncement is possible again, this verdict will, if necessary, still be pronounced in public.<br />
court clerk<br />
Copy sent to parties on:<br />
Legal remedy<br />
To the extent that this judgment dismisses as inadmissible the appeal against the failure to decide on the claimant's complaint, the parties may lodge an appeal against this judgment within six weeks after it was sent to the Administrative Jurisdiction Division of the Council of State, Postbus 20019, 2500 EA The Hague, the Netherlands. (Further information www.raadvanstate.nl)<br />
<br />
For the rest, the parties may lodge an appeal against this ruling with the Court of Appeal of Amsterdam (tax chamber), PO Box 1312, 1000 BH Amsterdam, within six weeks of dispatch.<br />
When lodging an appeal, the following must be observed:<br />
1. a copy of this judgment will be submitted with the notice of appeal.<br />
2. the notice of appeal must be signed and state at least the following:<br />
a. the name and address of the appellant;<br />
b. a date;<br />
c. a description of the decision against which the appeal has been lodged;<br />
d. the grounds for the appeal.<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=Rb._Zeeland-West-Brabant_-_AWB-_20_6846&diff=12130
Rb. Zeeland-West-Brabant - AWB- 20 6846
2020-11-10T15:01:00Z
<p>Hk: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Netherlands<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Rb. Zeeland-West-Brabant<br />
|Court_With_Country=Rb. Zeeland-West-Brabant (Netherlands)<br />
<br />
|Case_Number_Name=AWB- 20_6846<br />
|ECLI=ECLI:NL:RBZWB:2020:3789 <br />
<br />
|Original_Source_Name_1=de Rechtspraak<br />
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBZWB:2020:3789<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
<br />
|Date_Decided=13.08.2020<br />
|Date_Published=03.11.2020<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 12(3) GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR#3<br />
<br />
<br />
|National_Law_Name_1=Algemene wet bestuursrecht<br />
|National_Law_Link_1=https://wetten.overheid.nl/BWBR0005537/2020-07-01<br />
|National_Law_Name_2=Article 34 Uitvoeringswet Algemene Verordening Gegevensbescherming<br />
|National_Law_Link_2=https://wetten.overheid.nl/jci1.3:c:BWBR0040940&hoofdstuk=3&paragraaf=3.3&artikel=34&z=2018-05-25&g=2018-05-25<br />
|National_Law_Name_3=Algemene wet bestuursrecht<br />
|National_Law_Link_3=https://wetten.overheid.nl/BWBR0005537/2020-07-01<br />
<br />
|Party_Name_1=Tax officer of the municipality of Bergen op Zoom<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The court considered that, pursuant to Article 12(3) GDPR, data controllers must provide data subjects with information on Article 15 to 22 requests without delay and in any case within one month of receipt. Article 34 of the GDPR Implementation Act (“UAVG”) states that a written decision on such a request is a decision within the meaning of Dutch administrative law. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
On 4 June 2020 the plaintiff lodged a complaint against the tax officer’s failure to decide on his objection to the result of the access request. Under Dutch administrative law, public authorities are obliged to issue decisions within specific time limits; otherwise they must pay a penalty.<br />
<br />
===Dispute===<br />
===Holding===<br />
The Court found that the tax officer had indeed failed to decide on the plaintiff’s objection. The case is mostly based on Dutch administrative law. <br />
<br />
GDPR-wise, the Court considered that, pursuant to Article 12(3) GDPR, the data controller must provide the data subject with information on Article 15 to 22 requests without delay and in any case within one month of receipt. Article 34 of the GDPR Implementation Act states that a written decision on such a request is deemed to be a decision within the meaning of Dutch administrative law. <br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
Ruling<br />
<br />
COURT ZEELAND-WEST-BRABANT<br />
Administrative law<br />
Case number: BRE 20/6846 AVG<br />
judgment of 13 August 2020 of the single chamber in the case between<br />
[name plaintiff], at [place name], plaintiff,<br />
authorised representative: [authorised representative] ,<br />
and<br />
the tax officer of the municipality of Bergen op Zoom, defendant.<br />
Proceedings<br />
By letter of 4 June 2020, the claimant's authorised representative appealed against the failure of the charging officer to take a decision in due time on the claimant's objection to the request for access to personal data under the General Data Protection Regulation (AVG).<br />
<br />
The court has decided to speed up the handling of the appeal, pursuant to section 8.2.3 of the General Administrative Law Act (Awb).<br />
The court then applied Section 8:54(1) of the General Administrative Law Act (Awb), so that no hearing was required.<br />
Considerations<br />
1. On the basis of the documents, the court shall proceed on the basis of the following facts and circumstances.<br />
<br />
By decision of 12 December 2019 (primary decision), the tax officer decided on the request for access to personal data under the AVG.<br />
The claimant's authorised representative objected to the primary decision by letter of 29 January 2020.<br />
By letter of 20 April 2020, the authorised representative of the claimant informed the tax officer that no action had been taken since the objection had not yet been decided on. The representative of the claimant requests the levy official to decide on the objection as soon as possible.<br />
On 17 June 2020, the authorised representative of the claimant filed a digital appeal against the failure of the tax officer to take a decision on the claimant's objection in time.<br />
The levy official submitted documents and a statement of defence by letter dated 2 July 2020.<br />
2. An appeal may be lodged against the failure to take a decision in time (Section 6:2, opening words and under b, in conjunction with Section 7:1, subsection 1, opening words and under f, of the General Administrative Law Act). The notice of appeal may be submitted as soon as the administrative body is in default of taking a decision on time and two weeks have passed since the administrative body received a written notice of default (Section 6:12(2) of the General Administrative Law Act). The administrative body shall decide on the objection within six weeks of the day on which the objection period has expired (Section 7:10(1) of the General Administrative Law Act). If the levy official sets up an Advisory Committee on Objections, the decision period shall be twelve weeks after the day on which the objection period has expired (Sections 7:10, first paragraph, and 7:13 of the General Administrative Law Act).<br />
<br />
3. The levy official submitted documents and a statement of defence by letter dated 2 July 2020. The tax officer wrongly assumed that the appeal concerned the failure to decide in time on the claimant's objection to the additional assessment for parking tax. It is clear from the notice of appeal of 4 June 2020 that the authorised representative of the claimant is appealing against the failure to decide in time on the objection of 29 January 2020 against the decision of 12 December 2019 deciding on the request for inspection under the AVG of 1 December 2019.<br />
<br />
Now that the duty officer has failed to fulfil his obligation to submit the correct documents and a statement of defence focused on this appeal, the Court finds that the claimant's agent submitted an application for inspection under the AVG by letter of 1 December 2019.<br />
Pursuant to Article 12(3) of the AVG, the data controller shall provide the data subject with information on the action taken on the request pursuant to Articles 15 through 22 without delay and in any event within one month of receipt of the request. Article 34 of the General Data Protection Implementation Act states that a written decision on the request shall be deemed to be a decision within the meaning of the General Administrative Law Act.<br />
In spite of the absence of a reference for a remedy, the court deems the letter of 12 December 2019 to be a decision within the meaning of the General Administrative Law Act (Awb), which was objected to in good time by letter of 29 January 2020. Subsequently, the District Court finds that the levy official - if she makes use of an Advisory Committee on Objections - should have made a decision by 16 April 2020 at the latest. This decision period has been exceeded. The District Court also found that the claimant's representative validly declared the levy official in default by letter of 20 April 2020 and that (more than) two weeks had elapsed since then.<br />
The appeal is manifestly well founded.<br />
4. Article 4:17 of the General Administrative Law Act stipulates that if a decision is not taken on time, the administrative body shall owe a penalty for each day that it is in default for a maximum of 42 days. The penalty shall be € 23 per day for the first fourteen days, € 35 per day for the following fourteen days and € 45 per day for the remaining days. The administrative body shall determine the periodic penalty payment within two weeks after the last day on which the periodic penalty payment was due (Section 4:18(1) of the General Administrative Law Act).<br />
The levy official has not determined the amount of the periodic penalty payment. The court will still do so pursuant to Section 8:55c of the General Administrative Law Act. The court finds that the notice of default is dated 28 November 2019 and was received by the levy official on 3 December 2019. The court finds that more than 42 days have elapsed since two weeks after receipt of the notice of default, and that the duty officer has still not decided on the notice of objection. The District Court therefore ruled that the levy official has now forfeited the maximum amount of € 1,442 in periodic penalty payments.<br />
5. Pursuant to Section 8:55d(1) of the General Administrative Law Act (Awb), if the appeal is well-founded and a decision has not yet been announced, the court shall decide that the administrative body shall publish a decision within two weeks of the day on which the decision is sent.<br />
<br />
In view of the measures currently in force in the Netherlands to prevent the spread of the corona virus COVID-19, the District Court is of the opinion that there is now a special situation as referred to in Section 8:55d(3) of the Awb. The District Court will therefore determine that the duty officer must still make and send a decision within four weeks of the day on which this ruling is sent.<br />
Pursuant to Article 8:55d(2) of the Awb and in accordance with the national policy (published on www.rechtspraak.nl), the court will determine that Rijkswaterstaat owes a penalty payment of € 100 for each day by which the aforementioned period is exceeded, with a maximum of € 15,000.<br />
6. Because the court declares the appeal to be well-founded, the court determines that the duty officer reimburses the plaintiff for the court fee he has paid.<br />
7. In addition, the court shall order the levy official to pay the legal costs incurred by the plaintiff. The costs of the proceedings shall be calculated in accordance with the Decree on Administrative Law Costs. The duty officer shall be ordered to reimburse the costs of legal assistance. The court sets these costs at € 262.50 (1 point for filing the appeal with a value per point of € 525.00 and a weighting factor of 0.5). The court is of the opinion that this case is of light weight, because the case only concerns the question whether the decision period has been exceeded and whether a penalty payment is due.<br />
<br />
Decision<br />
The court:<br />
- declares the appeal to be well founded;<br />
- nullifies the failure to take a decision on the appeal in due time, which is equivalent to a decision;<br />
- instructs the levy official to publish a decision on the objection within four weeks of the date of dispatch of this ruling;<br />
- sets the penalty payment forfeited by the tax officer at € 1,442;<br />
- provides that the tax official shall forfeit to the claimant a penalty payment of € 100 for each day by which he exceeds the aforementioned period, up to a maximum of € 15,000;<br />
- instructs the tax officer to compensate the claimant for the court fee of € 178;<br />
- orders the tax officer to pay the applicant's legal costs up to an amount of € 262.50.<br />
This judgment was rendered by P.H.J.G. Römers, judge, in the presence of D. Alblas, registrar. The decision was pronounced in public on 13 August 2020.<br />
registrar judge<br />
Copy sent to parties on:<br />
What can you do if you disagree with this statement?<br />
This ruling can be appealed to this court within six weeks of the day it was sent. The person lodging the objection may be asked to be heard on the objection.<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS/00245/2019&diff=12129
AEPD (Spain) - PS/00245/2019
2020-11-10T14:58:11Z
<p>Hk: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS/00245/2019 <br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEDP<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00245-2019.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=29.10.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 9(1) GDPR<br />
|GDPR_Article_Link_2=Article 9 GDPR#1<br />
|GDPR_Article_3=Article 13 GDPR<br />
|GDPR_Article_Link_3=Article 13 GDPR<br />
|GDPR_Article_4=Article 83(5)(a) GDPR<br />
|GDPR_Article_Link_4=Article 83 GDPR#5a<br />
|GDPR_Article_5=Article 83(5)(b) GDPR<br />
|GDPR_Article_Link_5=Article 83 GDPR#5b<br />
<br />
<br />
|National_Law_Name_1=Article 77 LOPDDGG<br />
|National_Law_Link_1=https://www.boe.es/eli/es/lo/2018/12/05/3/con<br />
<br />
|Party_Name_1=Departamento de Educación del Gobierno de Navarra<br />
|Party_Link_1=https://www.educacion.navarra.es/web/dpto<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Francesc Julve Falcó<br />
|<br />
}}<br />
<br />
The Spanish DPA (AEPD) has imposed three different warning sanctions on the Department of Education of the Government of Navarra for infringing Articles 5(1)(a), 9(1), and 13 GDPR on the processing of data from surveys answered by schoolchildren.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
On 25 February 2019, an individual filed a complaint with the AEPD against the Department of Education of the Government of Navarra regarding a survey completed by his son in class, asking him about intimate, family, and personal issues.<br />
<br />
The respondent stated that the purpose of the surveys was to guide and inform schools and families about the level of education acquired by the schoolchildren. Together with these surveys, context questionnaires were provided to obtain information on the socio-economic and cultural conditions of the schools in order to contextualize the results obtained.<br />
<br />
The respondent also explained in detail the respective organic laws that justified the collection of these personal data of the students, in order to know better the conditions of the students. At the same time, it also described the security and confidentiality measures that were being followed to protect this information.<br />
<br />
The Department of Education of the Government of Navarra replied to the decision to initiate the procedure, agreeing with the allegations of infringement of Articles 5(1)(a) GDPR and 13 GDPR.<br />
On the other hand, they disagreed with the infringement of Article 5(1)(a) GDPR in relation to Article 9(1) GDPR with regard to the question of the gender identity of pupils. <br />
<br />
===Dispute===<br />
Do government surveys of underage students have to comply with the principles of transparency, lawfulness and fairness under Articles 5(1)(a), 9(1) and 13 GDPR?<br />
<br />
===Holding===<br />
The Spanish DPA confirmed that the defendant collected specific personal data that was not necessary for the purpose in question. Therefore, if they could have achieved the same purpose without processing those data, there is no legal basis for processing them.<br />
<br />
Consequently, the infringement of Article 5(1)(a) GDPR in relation to Article 9(1) GDPR is established. Article 13 GDPR is also considered to have been infringed as regards the information to be provided when personal data are obtained from the data subject.<br />
<br />
The Spanish legal system has chosen not to penalize public bodies with a fine, as indicated in Article 77(1)(c) LOPDDGG, and paragraphs 2, 4, 5, and 6 of the same article. <br />
<br />
In view of the above, the Director of the Spanish Data Protection Agency decided to impose three different warning sanctions: one for infringement of Article 5(1)(a) GDPR, another for infringement of the same Article 5(1)(a) GDPR in relation to Article 9(1) GDPR, and a third warning sanction for infringement of Article 13 GDPR.<br />
<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/36<br />
<br />
Procedure No.: PS/00245/2019<br />
938-300320<br />
<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
<br />
From the procedure instructed by the Spanish Data Protection Agency and on the basis of the following<br />
<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: A.A.A. (hereinafter the complainant) dated 25/02/2019, filed a complaint<br />
before the Spanish Data Protection Agency against the DEPARTMENT OF<br />
EDUCATION OF THE GOVERNMENT OF NAVARRA (DIRECTORATE GENERAL OF EDUCATION)<br />
(hereinafter referred to as the Respondent).<br />
<br />
<br />
The complainant states that his son is studying at a state school in the 4th year of Primary Education<br />
(4EP from now on) and has carried out a nominative survey where, among other<br />
issues, he is asked about "your gender (boy/girl/other), the language you use<br />
out of school, their feelings about school, their relationships with their peers, or the<br />
profession of his parents, with special reference to the military career, issues that<br />
he understands are part of the student's privacy and family life".<br />
<br />
<br />
"To fill in the survey, students must access the web platform of the<br />
Education Department of the Government of Navarre<br />
(https://www.educacion.navarra.es/web/dpto/evaluacion-y-calidad/evaluacion/evaluacion-externa/evaluacion-de-navarra/educacion-infantil-y primaria-curso-2018-2019)".<br />
<br />
SECOND: In view of the facts, the complaint was transferred on 1/04/2019<br />
to the requested party, to inform of the causes of the incident, the measures<br />
adopted to prevent similar incidents from occurring, and a copy of the communications<br />
informing the complainant of the decision taken concerning this<br />
claim.<br />
<br />
THIRD: The requested party states:<br />
<br />
1) "Since the implementation of Organic Law 2/2006, of 3/05, on Education (LOE), all<br />
the education authorities must carry out, during the primary education stage,<br />
general diagnostic assessments of the core competencies achieved by their<br />
students (DE from now on). This legislation provides for the implementation of these assessments with<br />
census character [Articles 21, which until its amendment by LO 2/2013 indicated "At the end<br />
of the second cycle of primary education" (fourth year of primary), and 144 of the LOE]. These<br />
evaluations are of a formative and guiding nature for the centres, and informative for<br />
families and for the whole educational community".<br />
<br />
"In the Autonomous Community of Navarre, this 4EP census evaluation was conducted from the<br />
2009/2010 school year to the 2013/2014 school year.<br />
<br />
<br />
With the entry into force of Organic Law 8/2013, of 9/12, for the improvement of educational<br />
quality (LOMCE), this individualised census evaluation was maintained, but its application was<br />
transferred to the 3rd and 6th year of Primary Education. [See Articles 20, 21 and 144 of the<br />
LOMCE].<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 - Madrid sedeagpd.gob.es 2/36<br />
<br />
<br />
In the Autonomous Community of Navarra, a Census Diagnostic Evaluation was carried out in<br />
3º Primary Education during the 2014/2015 school year and in 6º Primary Education during<br />
the school year 2015/2016. During these two school years, no diagnostic<br />
evaluation was carried out in 4EP".<br />
<br />
Article 3 of Royal Decree-Law 5/2016, of 9/12, on urgent measures for the extension of the<br />
LOMCE's implementation timetable, abolished the census-based nature of the<br />
evaluation in Primary Education, transforming it into an evaluation with a sample character<br />
where the selection of students and schools must be sufficient to obtain representative data<br />
at the level of each Educational Administration. So that from the school year<br />
2016/2017 to date, in the Autonomous Community of Navarre, sample diagnostic assessments are being carried out<br />
in the 3rd and 6th year of Primary Education. In order not to lose the individual character<br />
of the diagnostic evaluations, and under Article 144.2 of the LOMCE, which<br />
provides that "education administrations may establish other evaluations with<br />
diagnostic purposes", in Navarra the history of census diagnostic evaluations in the<br />
4th year of Primary Education was taken up again from 2016/2017.<br />
<br />
<br />
<br />
2) In addition to the DE, "simultaneous" context questionnaires are carried out (CC<br />
hereinafter), drawn up in accordance with criteria determined by the Ministry of Education, Culture and<br />
Sport, which provide information on socio-economic and cultural conditions<br />
in order to contextualise the results obtained. [See, for<br />
example, Article 7.5 of ROYAL DECREE 1058/2015, of 20/11, regulating<br />
the general characteristics of the tests of the final evaluation of primary education<br />
established in the LOE]:<br />
<br />
'Simultaneously with the conclusion of the final stage evaluation, context questionnaires<br />
will be implemented, to be drawn up by the Ministry of Education, Culture and Sport.<br />
These questionnaires will provide information on the socio-economic and<br />
cultural conditions of the centres for the contextualisation of the results obtained'.<br />
<br />
<br />
"Article 8 on results states:<br />
<br />
"1. The result of the final stage evaluation shall be expressed at the following levels for<br />
each of the competences: Insufficient (IN), Sufficient (SU), Good (BI), Remarkable (NT) and<br />
Outstanding (SB).<br />
<br />
The competent education authorities shall record the level obtained by each student<br />
in an individual report, which will be given to the parents or<br />
legal guardians and transferred to the schools where the students are to continue their<br />
schooling. The report will be of an informative and guiding nature for the schools where<br />
the students have completed the sixth year of Primary Education and for those centres where they<br />
are to attend the next school year, as well as for the teaching teams, parents<br />
or legal guardians and the student body."<br />
<br />
3) In the Autonomous Community of Navarre, during the seven school years included<br />
between 2009/2010 and 2015/2016 (both inclusive), the CCs associated with the DE, to which<br />
the students responded, were completed anonymously, allowing only the study of the<br />
factors influencing performance results at the<br />
school level. From the 2016/2017 school year onwards, it was agreed, subject to prior authorisation<br />
by the Directorate-General for Education, to implement it online (with identification and<br />
user). It states that once the questionnaire has been answered, no other user, teacher,<br />
student or director can know the identification data of each student (except<br />
two members of the technical unit managing the evaluation procedure). "This<br />
change is an advantage and an improvement over the statistical analysis carried out afterwards:<br />
the information obtained can be used to link the results of each student<br />
to the information on the social, economic and cultural conditions of the<br />
students, at the level of individual students or groups of students within the same<br />
centre."<br />
<br />
This fact favours the detection of needs or strengths for the improvement of the education<br />
system, as more individualized information can be obtained.<br />
<br />
"During the current school year 2018/2019, the Community of Navarra is<br />
carrying out, among other things, the 4EP census survey in all public and state-subsidised<br />
(concertados) centres that are registered at that level of education. The online application phase of the CC<br />
for students was held in February 2019 and the competence tests were held in the<br />
The week of 6 to 12 October is the week of the first meeting of the<br />
10/05/2019. You can access the online questionnaire for this school year at the link<br />
http://dpto.educacion.navarra.es/eed/ (the application must be accessed under the name<br />
<br />
Irati test user and Irati test password).<br />
<br />
The design, organisation and execution of the DE provided for in the LOE is one of<br />
the functions associated with the Evaluation, Quality, Training, Equality and Coexistence Service.<br />
Within this Service, the technical unit responsible for managing them is the Section<br />
of Evaluation and Quality. [See DECRETO FORAL 5/2017 of 11/01, establishing<br />
the organic structure of the department of education]".<br />
<br />
"Access to the online application that allows the survey to be carried out is through a<br />
numerical user ID and an associated password, and the data recorded<br />
in the survey do not contain any nominative reference".<br />
<br />
<br />
"School management teams know the user names and passwords associated<br />
with the students' names, which are shared with the teachers responsible for the<br />
supervision of the application of the survey in the centre (generally tutoring teachers).<br />
These data are not public and are only accessible to the director of each centre,<br />
after identification with personal credentials in the school management programme<br />
EDUCA. This information is also known by the Department of Education technician<br />
who manages the assignment of users and passwords.<br />
<br />
"For the users surveyed, the online application only allows access to the survey<br />
once, so that, once the answers are recorded, the centre cannot access<br />
them. So the school does not know and has no access to the answers recorded<br />
by its students. Nor does the Education Department technician who manages<br />
the assignment of users and passwords know these answers.<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 - Madrid sedeagpd.gob.es 4/36<br />
<br />
"The computer technician who designs and manages data collection through the survey<br />
does not know the nominal identification data of the respondents; he only knows the<br />
users and passwords".<br />
<br />
<br />
"The Department of Education guarantees the confidentiality of the data provided<br />
by each student in the online questionnaire. In this sense, only two technicians from the unit<br />
in charge of analysing the recorded data know the allocation between the numerical<br />
identifiers (users) and the responses. This connection is necessary in order to link<br />
the individual results obtained in the performance tests of the different competences<br />
assessed with the associated contextual factors (collected by means of the questionnaire).<br />
<br />
In addition, the databases are stored on the network drives of the Department<br />
of Education, and are therefore only accessible from within the Department itself, with<br />
access to the computer equipment by means of a user and<br />
password which must be changed every 30 days".<br />
<br />
"For all the above reasons, it should be noted that although the survey is not<br />
anonymous, personal data are pseudonymised, i.e. they cannot<br />
be attributed to a data subject without the use of additional information. This<br />
additional information is kept separately and is subject to technical and organisational measures<br />
designed to ensure that personal data are not attributed to an identified or identifiable<br />
natural person. In fact, the RGPD explicitly introduces, in its Article 32<br />
concerning the security of the processing of personal data, pseudonymisation as<br />
an appropriate measure to ensure a level of security commensurate with the risk".<br />
<br />
<br />
4) The questions in the questionnaire are not intended to intrude on the convictions or privacy<br />
of the respondent; the objective is to collect the minimum information necessary to allow, after<br />
its subsequent analysis, the contextualisation of the overall results of the DE, providing information<br />
not only on the performance in the various competences assessed, but also<br />
on the socio-economic and cultural conditions of the education system. In this respect,<br />
the usefulness of the survey is enormous, both for the schools themselves and for the<br />
Department of Education.<br />
<br />
5) The CC is compulsory for each 4EP student, although they can leave<br />
questions unanswered; it can even be sent with all the questions unanswered, "without<br />
consequences for the student".<br />
<br />
<br />
"The necessary collaboration of students and families responding to the survey<br />
is important in order to detect needs and to design improvement plans in the<br />
schools. Thus, for example, some studies useful for the education system as a whole,<br />
which would not be possible without the collaboration of families and students, are:<br />
<br />
<br />
o From the questions concerning the parents' level of education, their level of occupation,<br />
and the presence in the home of different consumer goods (magazines, own home,<br />
encyclopedias, books, mobile phone with internet access, tablet, ...) the<br />
SOCIO-ECONOMIC AND CULTURAL INDEX (ISEC) can be obtained. Thanks to this indicator, at<br />
centre level, in the DE report, the centres have the centre's ISEC and the<br />
scores estimated for each competence in relation to that index, with signalling of the<br />
centre's position. The schools' ISEC is also used, within the<br />
Department of Education, along with many other factors, when distributing the hours of<br />
diversity awareness programmes allocated to schools.<br />
<br />
<br />
o Questions concerning the use of language in the school and family environment are useful at the<br />
internal level of the Department of Education, as they allow for studies on language use<br />
that help to improve the advice given to schools<br />
to define and develop their Centre Linguistic Project (PLC).<br />
<br />
<br />
<br />
6) "On the question of sex, with three answer options, the objective is simply<br />
to give the survey an all-inclusive character. This also complies<br />
with article 19.a) of the recently approved Provincial Law 17/2019, of 4/04, on<br />
gender equality, which states that "in statistics and studies, the Public<br />
Administrations of Navarra, to guarantee the effectiveness of the incorporation of the<br />
gender perspective in their day-to-day work, should systematically include the variable<br />
of sex, collecting the different categories, in all statistics, surveys and<br />
data collection that they carry out". It should also be stressed that other educational institutions, such as the Public<br />
University of Navarra (UPNA) or the University of the Basque Country<br />
(UPV), already include this format in their access questionnaires. With the same<br />
inclusive sense, the wording covers the full range of family typologies and not only the<br />
"father" or the "mother". Under no circumstances is it<br />
intended to indoctrinate or convince children or young people;<br />
the information that students and their families share is simply collected and analysed<br />
for the diagnosis and improvement of education in Navarra.<br />
<br />
<br />
7) "With regard to the question concerning the "level of employment" of the parents, it includes<br />
a series of blocks of possible professions, classified in five groups, from the lowest to the<br />
highest level according to the professional category involved. Therefore, the profession is not recorded,<br />
only a value from 1 to 5 representing the lowest to highest<br />
level of employment of the mother and father.<br />
<br />
<br />
In view of the above, it is impossible to deduce whether the respondent belongs<br />
specifically to the category "basic, medium or high scale military", as mentioned in<br />
the claim, or to another category of that group.<br />
<br />
8) "From the Technical Unit responsible for the questionnaire, it is acknowledged that the respondent<br />
has not been provided with sufficient transparency and clarity, at least as far as<br />
the information concerning the purpose of the processing of personal data and the legal basis for such processing<br />
is concerned, as indicated in Article 13.1.c) of the RGPD and Articles 12 to 18 of the LOPDGDD".<br />
<br />
<br />
"It considers that, at the information level, the aspects concerning the purposes of the<br />
processing for which the data are intended, the legal basis for the processing and the existence of the<br />
right to request from the controller access to, and rectification and deletion of, the<br />
data should be changed, and therefore:<br />
<br />
<br />
1- An explicit reference to the basic information on data protection<br />
is added in the action protocol sent to schools and published on the website<br />
of the Department of Education.<br />
<br />
<br />
2- A short letter will be drafted to serve as a model for schools, and<br />
a single, simple and clear information document (diptych or triptych type) will be provided, setting<br />
out what a DE is, why it should be carried out, its usefulness, etc.<br />
<br />
<br />
This letter and the information document must be sent to all families. The information<br />
document will also be published on the website of the Department of Education.<br />
<br />
3- When the data are requested, and during the preliminary preparation phase, the<br />
information that Article 13 of the RGPD indicates should be made available to interested parties (student and family)<br />
will be included on the home page of the application itself.<br />
<br />
More specifically, when collecting the data, the following text will be presented within the<br />
interested party's view:<br />
<br />
<br />
"In accordance with the provisions of the RGPD and Organic Law 3/2018 on the Protection of<br />
Personal Data and Guarantee of Digital Rights, the personal data<br />
will be processed by the Evaluation and Quality Section of the Education Department of<br />
the Government of Navarre, as "controller", and incorporated into the processing activity<br />
"Primary Education Census Diagnostic Evaluation", whose purpose is<br />
to contextualise the overall results of the diagnostic evaluation, providing information not only on<br />
the performance in the various competences assessed, but also<br />
on the socio-economic and cultural conditions of the education system or other factors<br />
associated with it such as language use, school and community climate or<br />
satisfaction with the school. We also inform you that you can exercise your rights<br />
of access, rectification, deletion and portability of your data, limitation and objection<br />
to their processing, where appropriate, before the Evaluation and Quality Section of the<br />
Education Department of the Government of Navarre at the e-mail address".<br />
<br />
"Purpose of the processing: To obtain information on the socio-economic and cultural conditions of the<br />
centres for the contextualisation of the results obtained, as<br />
well as on other factors related to school performance such as language use, the<br />
school and community atmosphere or satisfaction with the school.<br />
<br />
Legal basis for processing (legal obligation)<br />
<br />
<br />
Rule enabling data processing:<br />
- Organic Law 2/2006, of 3/05, on Education (LOE).<br />
- Organic Law 8/2013, of 9/12, for the improvement of educational quality (LOMCE).<br />
<br />
It is mandatory to provide the data. There are no consequences for not doing so, although the<br />
collaboration requested is indispensable in order to contribute together to the improvement of the<br />
education system.<br />
The online application of the survey allows questions to be left unanswered.<br />
<br />
The recorded data will not be passed on to third parties.<br />
<br />
<br />
Exceptionally, for possible internal use in the technical units of the Department<br />
of Education, the data already analysed will be sent either globally, where there is no identification of the<br />
students, or, if sent per student, anonymised, that is, without any reference to each student's ID.<br />
There are no international transfers of data.<br />
<br />
Data retention time:<br />
A maximum of 3 school years after the school year in which the data were<br />
collected.<br />
Automated decisions: No automated decisions will be taken on the information<br />
provided".<br />
<br />
<br />
9) The respondent provides a copy of:<br />
<br />
A- "ACTION PROTOCOL" associated with the "CENSUS DIAGNOSTIC ASSESSMENT<br />
4º DE EDUCACIÓN DE PRIMARIA CURSO 2018-2019", published in pdf on the website of the<br />
Department of Education from 14/01/2019, at the link: https://www.educacion.navarra.es/documents/27590/1381944/Protocolo_4EP_2018_2019_castellano.pdf/fe4a6b07-50eb-12e9-88b6-ee2671d9156c,<br />
16 pages, on file. It is included in the file with<br />
the name "EVALUATION 4 EP".<br />
<br />
It can be accessed; the following stands out:<br />
<br />
<br />
1) The index refers to the protocol for the online application of the<br />
socio-economic and cultural questionnaire, who will carry out the tests, delivery and custody,<br />
specific instructions for the English language proficiency test, introduction<br />
of data, obtaining reports (student and centre), custody of evidence.<br />
<br />
<br />
2) On the protocol for the online application of the "socio-economic and<br />
cultural" questionnaire, in point B of the table of contents, page 3, the following is indicated as most prominent:<br />
<br />
"The Department of Education will ensure the confidentiality of the data provided<br />
by each student in the online questionnaire. In the diagnostic evaluation report,<br />
<br />
the centres will have the Socioeconomic and Cultural Index, the estimated scores<br />
for each competence in relation to that index, and the graphs with the Performance-ISEC regression line<br />
for each competence, with signalling of the centre's position.<br />
<br />
For the best application of the questionnaire, the centres will follow the instructions below:<br />
<br />
<br />
1. The questionnaire must be completed by all students in the 4th year of Primary Education,<br />
in accordance with the criteria set out in section "(E) Adaptation of tests".<br />
<br />
2. The questionnaire will be available at the following address:<br />
http://dpto.educacion.navarra.es/eed/<br />
<br />
<br />
3. Each student will access the web application using a username (six numerical<br />
characters) and a personal password (four characters: two numbers and two<br />
letters).<br />
CAUTION! This password can only be used once....<br />
<br />
<br />
5. School principals shall obtain the list of<br />
user names and passwords (as many as there are students enrolled) through the<br />
Educa computer application (Educa → School evaluation → Diagnostic evaluation).<br />
<br />
This list will also include the identification data of each student (course,<br />
group and full name). The directors will be able to access it from<br />
28/01/2019.<br />
<br />
At the time of application, the director of the centre will provide each 4th year EP tutor with the<br />
user names and passwords (as many as there are students),<br />
for distribution to their students.<br />
<br />
<br />
6. Preparation. Before the application, teachers, tutors, students and families will be able to<br />
practise freely, accessing the application with the following test username and<br />
password:<br />
<br />
<br />
Test user name: Irati<br />
Test password: Irati<br />
<br />
The centre can prepare the completion of the questionnaire in whatever way it<br />
considers appropriate. In any case, it is considered convenient to carry out tutorial activities<br />
in which the students are shown the questionnaire and the instructions for filling it in,<br />
so that the necessary information can be provided and doubts resolved at the time of<br />
implementation.<br />
<br />
<br />
7. Implementation session. This session will be planned by the tutorial staff, using the<br />
computers in the centre. The students will access the application; each tutor will distribute<br />
to each student a username and password to enter in the application<br />
and fill in the questionnaire.<br />
<br />
It is easy to fill in, if it has been prepared in advance, and it is worth noting the following<br />
aspects:<br />
<br />
...To end the questionnaire and save the answers, click on the Submit (Enviar) button.<br />
This is a prerequisite for saving the answers.<br />
<br />
If any questions have been left unanswered, when the submit button is clicked the application<br />
warns of this fact, and the questionnaire can continue to be filled in, or<br />
be terminated by clicking on the "send as is" button.<br />
<br />
After clicking on the send button and completing the questionnaire, it will no longer be possible to access the application<br />
again with the username and password used.<br />
<br />
<br />
8. Deadlines. The questionnaire will be completed between February 1 and 28. Questionnaires<br />
introduced after the deadline will not be taken into account for the calculation of the centre's ISEC. It is<br />
advisable not to leave the application to the last few days, in case of any<br />
access problem.<br />
<br />
<br />
9. Clarifications and doubts. Any doubts that may arise may be referred to the Evaluation<br />
and Quality Section, either by e-mail (sec.eka@navarra.es) or by<br />
telephone ....<br />
<br />
<br />
The correct completion of the questionnaire will allow the centres to have more reliable data<br />
and to know better the important aspects for the education of their students.<br />
<br />
<br />
Section N contains "Obtaining student and school reports", in<br />
which the student report concerns the evaluation of competence in<br />
mathematics, English and linguistics. A report is also made with the overall results<br />
of the school's students as a whole.<br />
<br />
<br />
It is indicated that the EDUCA application through which the tests are instrumented<br />
provides, in addition to the reports, data files and files with the answers of the<br />
students, the questions left blank and the score obtained. It also points out<br />
that "the corrected booklets will be kept and preserved in the school until<br />
30/11/2019, date from which they may be destroyed", and that "The student report is a<br />
valid instrument to be given to families in the context of the tutorial action, in the<br />
month of June".<br />
<br />
On the results, assessments and data from the context evaluation<br />
reports, nothing is indicated.<br />
<br />
<br />
B- DIAGNOSTIC ASSESSMENT SURVEY 2018-2019, header with instructions,<br />
among which it is stated that you have to "answer several questions about yourself and your<br />
family", headed by "sex", options: a-boy, b-girl, c-other options; linguistic model<br />
of study, with references among the answer options to: in Spanish;<br />
B, in Basque with Spanish as a subject and some other subjects in Spanish;<br />
the language in which they watch TV, read books or use video games and social networks, and talk to<br />
the teachers in the classroom and outside; which language they prefer (distinguishing) with<br />
friends in the street, in the school yard or at home with the family; on which continent you, your mother and your father were<br />
born; parents' level of education, their employment situation and<br />
current job, with jobs and occupations such as "Watchman", "farm<br />
worker", "medical", "military architect of the upper scale" or "medium scale"; whether<br />
they have their own single room; how the relationship with their classmates is;<br />
whether you feel lonely or marginalised.<br />
<br />
- Resolution 30/03/2016 of the Secretary of State for Education "defining the<br />
context questionnaires and the centre's common indicators for the evaluation of<br />
primary education", BOE 15/04/2016. Article 21 of the LOE provides for an<br />
individual assessment of all students at the end of the sixth year,<br />
and that the evaluation criteria and general characteristics of this evaluation<br />
for the entire Spanish education system will be established by the Government.<br />
<br />
<br />
- Royal Decree 1058/2015 of 20/11 regulating the general characteristics<br />
of the tests of the final evaluation of primary education established in the LOE. In its<br />
Article 8.1, and in compliance with the provisions of Article 147 of the aforementioned LOE, it determines<br />
that the results of the final stage evaluations will be made available to the<br />
educational community, through common indicators for all schools,<br />
and that these common indicators will be established by the Ministry of Education,<br />
Culture and Sport. In the second section, "Context questionnaires":<br />
<br />
<br />
<br />
1. The context questionnaires to be applied in the final evaluation of Primary<br />
Education will be three: one aimed at students in the sixth year of Primary Education who<br />
take the evaluation (hereinafter referred to as the student questionnaire), another one addressed to their<br />
fathers, mothers and legal guardians (hereinafter referred to as the family questionnaire), and a third one<br />
addressed to the management of the primary school (hereinafter referred to as<br />
the management questionnaire).<br />
<br />
2. The questions and answer options that must be included<br />
in each of the questionnaires defined in the previous section are set out<br />
in ANNEX ONE of this resolution.<br />
<br />
In no way does it indicate that the questionnaire should be nominative, or anonymous, or<br />
the destination or processing that is undertaken with such data. ANNEX ONE, the questionnaire, does not<br />
request the inclusion of the student's name.<br />
<br />
<br />
Articles 144 and 145 of the LOE state:<br />
144<br />
"1. The evaluation criteria for the individual evaluations<br />
indicated in articles 20.3, 21, 29 and 36 bis of this Organic Law will be common for<br />
the State as a whole.<br />
<br />
In particular, the tests and procedures for the evaluations indicated in<br />
Articles 29 and 36 bis will be designed by the Ministry of Education, Culture and Sport, through<br />
the National Institute for Educational Evaluation. These tests will be standardised and<br />
designed in such a way as to enable accurate assessments and comparisons to be made<br />
and the evolution of the results obtained to be monitored over time.<br />
<br />
<br />
The material execution of the tests is the responsibility of the competent educational<br />
administrations. The tests will be applied and graded by teachers of the Spanish<br />
Educational System from outside the centre.<br />
<br />
The procedure for the review of the results of the evaluations will be regulated.<br />
<br />
Education administrations may establish other assessments for the purpose of<br />
diagnosis".<br />
<br />
145<br />
"Evaluation of the centres".<br />
<br />
"1. The education administrations may, within the framework of their competences, develop and<br />
carry out evaluation plans for schools, which will take into account the<br />
socio-economic and cultural situations of the families and students they host, the environment<br />
of the centre itself and the resources available to it.<br />
<br />
<br />
2. Likewise, the education administrations will support and facilitate the self-evaluation of<br />
the educational establishments."<br />
<br />
<br />
LOE, Additional Provision Twenty-third. Students' personal data<br />
"1. Schools may collect personal data on their students that are<br />
necessary for the exercise of their educational function. These data may refer<br />
to the origin and family and social environment, to personal characteristics or conditions, to the<br />
development and results of their schooling, as well as to those other circumstances whose<br />
knowledge is necessary for the education and guidance of students.<br />
<br />
2. Parents or guardians and the students themselves must collaborate in obtaining the<br />
information referred to in this article. The incorporation of a student into a<br />
school will imply consent to the processing of their data and, where appropriate, the<br />
transfer of data from the centre where they had previously been attending school,<br />
under the terms established in the legislation on data protection. In<br />
any case, the information referred to in this paragraph shall be strictly necessary<br />
for the teaching and guidance function, and may not be used for purposes other than<br />
educational ones without express consent.<br />
<br />
3. Technical and organisational standards shall be applied to the processing of student data<br />
to ensure their security and confidentiality. The teaching staff and the rest of the<br />
personnel who, in the exercise of their duties, have access to personal and family data or data which<br />
affect the honour and privacy of minors or their families will be subject to the duty of secrecy.<br />
<br />
4. The transfer of data, including those of a reserved nature, necessary for the education<br />
system will be carried out preferably by telematic means and will be subject to the legislation on<br />
protection of personal data. In the case of the transfer of data between<br />
Autonomous Communities or between them and the State, the minimum conditions shall be<br />
agreed by the Government with the Autonomous Communities, within the<br />
Education Sector Conference".<br />
<br />
The LOMCE reformulated the wording of Article 147 of the LOE, indicating:<br />
<br />
147:<br />
<br />
"The Government, after consulting the Autonomous Communities, shall present annually to the<br />
Congress of Deputies a report on the main indicators of the Spanish education system,<br />
the results of the Spanish diagnostic evaluations<br />
and the recommendations arising from them, as well as on the<br />
highlights of the State School Council's report on the education system.<br />
<br />
<br />
The results of the evaluations carried out by the education authorities shall be<br />
brought to the attention of the educational community through common indicators for<br />
all Spanish schools, without identification of personal data and<br />
after consideration of the socio-economic and socio-cultural factors of the context".<br />
<br />
<br />
<br />
1) The claimant has been informed by post of what was stated to the AEPD.<br />
<br />
<br />
FOURTH: The complaint was admitted for processing by the Director of the AEPD on 11/06/2019.<br />
<br />
FIFTH: On 20/12/2019, it was agreed by the Director of the AEPD:<br />
<br />
<br />
<br />
"FIRST: INITIATE SANCTIONING PROCEEDINGS against the<br />
DIRECTORATE GENERAL OF EDUCATION (DEPARTMENT OF EDUCATION, GOVERNMENT<br />
OF NAVARRA), for the alleged infringement of Article 5.1(a) of the RGPD, in accordance with<br />
Article 83(5)(a) of the RGPD.<br />
<br />
SECOND: INITIATE SANCTIONING PROCEEDINGS against the<br />
DIRECTORATE GENERAL OF EDUCATION (DEPARTMENT OF EDUCATION, GOVERNMENT<br />
OF NAVARRA), for the alleged infringement of Article 5.1 a) of the RGPD in relation to<br />
Article 9.1 of the same RGPD, in accordance with Article 83.5.a) of the said RGPD.<br />
<br />
<br />
THIRD: INITIATE SANCTIONING PROCEEDINGS against the<br />
DIRECTORATE GENERAL OF EDUCATION (DEPARTMENT OF EDUCATION, GOVERNMENT<br />
OF NAVARRA), for the alleged infringement of Article 13 of the RGPD in accordance with<br />
Article 83.5(b) of the RGPD.<br />
<br />
<br />
SIXTH: Against the agreement of initiation, the respondent, on 14/01/2020, makes the<br />
following allegations:<br />
<br />
1) It agrees with the imputation of the infringement of article 5.1 a) of the RGPD and<br />
establishes as a proactive measure the review, deletion and modification of any<br />
identification data of the CC carried out during the 4EP 2018/2019 school year. In the event that it is decided to continue<br />
in this and subsequent school years, the evaluation will be carried out anonymously,<br />
so that the RGPD is not applicable.<br />
<br />
2) The infringement of Article 13 RGPD is accepted, since when the CC were carried out, no adequate<br />
information was provided on data processing and the rights of the parents and guardians of<br />
the students. Work is underway to establish a model clause. The Department of<br />
Education has published an entire section on the website dedicated to Data Protection:<br />
the register of processing activities, documentation of interest<br />
and models for educational institutions and managers, and frequently asked questions about the processing of<br />
data in the field of education.<br />
<br />
3) It does not agree that Article 5(1)(a) of the RGPD has been infringed in relation to<br />
Article 9.1 of the RGPD by including the "other options" variant in the CC<br />
question on "sex", although the service in charge of the evaluation did not specify any further<br />
what the "other options" box of the questionnaire referred to.<br />
<br />
Including this option within the gender variable refers only to<br />
the gender identity of students, and the Spanish Data Protection Agency seems to<br />
confuse it with sexual orientation or sexual life, which are especially protected by<br />
the European standard. Article 5 of the Provincial Law 8/2017 of 19/06 on the social equality of<br />
LGTBI+ people, in force at the time the questionnaires were taken,<br />
clearly differentiates: "definitions for the purposes provided for in this foral law are:<br />
<br />
- LGTBI+: lesbian, gay, bisexual, transgender and intersex people<br />
and other minorities on the basis of sexual and/or gender identity, sexual orientation and/or<br />
gender issues.<br />
<br />
- sexual orientation: orientation of the erotic, sexual or affective desire experienced by a person,<br />
directed towards other sexual identities.<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 - Madrid sedeagpd.gob.es 13/36<br />
<br />
- gender identity: the feeling of belonging to a human group defined around the<br />
categories of men and women, identifying with either of them (binary), with both (non-binary)<br />
or with neither (agender)".<br />
<br />
It concludes by indicating that, without prejudice to the anonymisation of the CC carried out<br />
from now on, the department understands that it did not violate Article 9 of the Regulation,<br />
since it was only asking for the gender identity of the students.<br />
<br />
SEVENTH: On 4/03/2020 it was decided to open the evidence period,<br />
requesting:<br />
<br />
1) From the Department of Education of the Government of Navarra (Directorate General of<br />
Education):<br />
<br />
1.1.1. The provision or regulation of the Government of Navarra authorising or permitting the<br />
resumption of diagnostic evaluations of 4EP from the 2016/2017 school year.<br />
<br />
On 2/06/2020 it replied that this was Resolution 273/2016 of the Director General of<br />
Education, approving the instructions regulating the organisation and operation of centres<br />
for the 2016/17 school year. Its fourth section, paragraph two, establishes<br />
the conditions under which the DE tests will be reapplied at the end of 4EP. It indicates<br />
that the diagnostic evaluation will be coordinated by the Evaluation and Quality Section.<br />
It will have external tests that evaluate competences and will be applied<br />
and corrected in the schools. "This evaluation is of a formative and guiding nature<br />
for the centres. The information obtained from this analysis will be relevant to the<br />
educational attention to the needs detected. The centres will decide when and how to<br />
inform families, before the end of the school year.<br />
It is advisable that this is done in the context of the tutorial action".<br />
<br />
1.1.2 What is the distinction between census-type and sample-type evaluations?<br />
<br />
It states that the census type refers to the participation of the entire population under study,<br />
such as 4EP, whereas the sample type involves only a certain subset of the population under<br />
study.<br />
<br />
1.1.3 You stated: "From the 2016/2017 school year onwards, it was agreed, before the end of that year, that<br />
the socio-economic and cultural context questionnaire of the diagnostic and individualised evaluations of the<br />
Navarra education system would be applied online, would no longer be anonymous and would be accessed through a personal password,<br />
in order to guarantee the confidentiality of the data provided by the students in the<br />
answers given".<br />
<br />
In this connection, you are asked:<br />
<br />
- Is it understood that both types of tests, the diagnostic competency tests and the<br />
context questionnaires, are done online? In this sense, you are<br />
requested to report on the need or obligation for the student to be identified in both types of<br />
questionnaire, and to specify the provision or rule from which this identifiability is derived.<br />
<br />
It indicates that the DE is a tool for diagnosing and identifying the degree of acquisition of<br />
the basic competences of all students, in order to introduce improvements at the individual<br />
and centre level. The need to generate reports for families in the area of tutorial<br />
action is based on the level of acquisition of the assessed competences of each student.<br />
The diagnostic evaluation tests are nominal and in Navarre they<br />
have always been done manually on paper.<br />
<br />
The CC has been online since the 2011/2012 academic year and until<br />
2016/17 had always been answered anonymously.<br />
<br />
1.1.4. You are asked to report on the generation of the username and password keys<br />
in the questionnaires, both the diagnostic one and the context one, and, moreover, whether the<br />
username and password keys of the first are the same as those of the second, whether they are related, or whether<br />
both questionnaires can be linked by their author.<br />
<br />
As only the context questionnaire was done online, the answers were<br />
as follows:<br />
<br />
-Credentials were generated in the academic year 2018-19 that allowed the identification of the<br />
participating students.<br />
<br />
- "EDUCA's iidgnrpersona, the educational management information system<br />
of the Department of Education, was used. The centres distributed the identifiers to the<br />
students, each their own, and they completed the questionnaire."<br />
<br />
"As the questionnaire did not allow access a second time, the centres could not<br />
know the answers." "In the Department, not all the people who<br />
had access to the answers to the questionnaire were able to identify the people,<br />
only those in charge of the<br />
process, because they had the answers and also the list of identifiers<br />
and people."<br />
<br />
In EDUCA, the usernames and passwords for the questionnaires for the 2018-19 academic year and<br />
previous years have been deleted (this is done each time the current school year is loaded).<br />
EDUCA only serves as a system to provide these credentials. Both the questionnaire<br />
and the response records are outside EDUCA.<br />
<br />
1.1.5. The "Protocol of actions" associated with the "Census Diagnostic Evaluation<br />
4ºEP curso 2018-2019" published on the Department of Education's website refers to<br />
the protocol for the online application of the socio-economic and cultural questionnaire.<br />
<br />
Of it, which appears in point B of the index, page 3, the most notable point is indicated:<br />
<br />
For the best application of the questionnaire, the centres will follow the following instructions:<br />
<br />
-3: Each student will access the web application using a<br />
username (six numeric characters) and a personal password (four characters: two nú-<br />
<br />
Careful! This password can only be used once ....<br />
<br />
Regarding the key generation system, they are asked about the method of generating<br />
the username and password, what CC data has to be filled in to obtain<br />
them, the method of storage, how long the questionnaires are kept, and which units and<br />
people had access and why they could and should access them.<br />
<br />
It is reported that measures have been taken since the 2019/2020 academic year related to<br />
the issues which are the subject of this evidence:<br />
<br />
The Director-General for Education issued an Instruction on 23 January 2020 stating that<br />
the online questionnaire will be anonymous in the 2019-2020 academic year and accessed through<br />
a random key that will guarantee the confidentiality of the data provided by the students in<br />
their answers. The copy of the Instruction, signed on 23/01/2020, also states: "Once<br />
the questionnaire has been answered, no other user, teacher, student, director or<br />
staff member of the education department will be able to find out the identification data of each<br />
student." "The directors of the centres will obtain through EDUCA the list<br />
of usernames and passwords, to be allocated among the student body<br />
at random."<br />
<br />
All records, archives and backups in which confidential data of students from previous<br />
school years could appear have been destroyed.<br />
<br />
It also provides a pdf guide on the website called "Census diagnostic evaluation,<br />
fourth year of primary, 2019-2020 school year, protocol of actions". It indicates that<br />
the questionnaire is to be filled in by all students studying 4EP and that, to access the<br />
application, each one will use a random username/password, usable only once; the<br />
passwords will be obtained through the EDUCA application and distributed randomly<br />
to the students. There are also instructions for the assessment of competences,<br />
which is done by hand on paper, in the form of booklets in which the answer is selected.<br />
It is indicated that a student report is generated, with the generic definition of the levels,<br />
and that the level achieved in each assessed competence is scored directly by the<br />
evaluator for each test, with space for observations that can be filled in by the<br />
evaluator or tutor. As for the custody of the evidence, it is said that the booklets are kept in<br />
the centres and preserved until 30/11/2020.<br />
<br />
<br />
2) From the Ministry of Education and Vocational Training - Institute of<br />
Educational Evaluation:<br />
<br />
<br />
<br />
2.1 Regarding the DE questionnaire on basic competences and the CC, please<br />
report:<br />
<br />
In which school years are they compulsory?<br />
<br />
On 12/03/2020, it indicated that Organic Law 8/2013 of 9/12 provides for three evaluations:<br />
in the third and sixth years of primary school (end of primary school), and in compulsory<br />
secondary education, in the fourth year (Articles 20.3, 21 and 29).<br />
<br />
It states that CC are carried out in the cases of:<br />
<br />
a) The individualised assessment of the third year of primary education, in which<br />
the education authorities are responsible for regulating whether or not<br />
CC are applied and of what type.<br />
<br />
b) The final evaluation of primary education, sixth year, in accordance with<br />
Article 7.5 of RD 1058/2015 of 20/11, which regulates the general characteristics of the<br />
tests of the final evaluation of primary education, where it is indicated: "simultaneously with the<br />
final stage evaluation, context questionnaires will be applied, which will be drawn up by<br />
the Ministry of Education, Culture and Sport". These questionnaires were described in<br />
the resolution of 4/12/2017 of the Secretary of State for Education, Vocational Training and<br />
Universities. These evaluations have been carried out from the end of the 2015-2016 academic year until<br />
2018-2019. The implementation of these evaluations is the responsibility of the<br />
educational administrations, which are responsible for compliance with these regulations.<br />
<br />
It refers to the challenge to various provisions of Royal Decree 310/2016 of 29/07 decided by the<br />
Constitutional Court in Judgement 114/2019 of 16/10, which partially upholds a positive conflict<br />
of competences and declares the unconstitutionality and<br />
nullity of the provisions of that Royal Decree relating to the preparation of the CC, which is no longer<br />
within the competence of the Ministry of Education, as it corresponds to<br />
(STC 109/2019 FJ 9), because it "does not constitute a<br />
direct configuration of the requirements for obtaining an academic<br />
diploma". Therefore, as of the ruling, the<br />
information on the socio-economic and cultural context conditions of the centres which, under Article 5.1 of the RD,<br />
"will be obtained through the application of different context questionnaires", no longer has<br />
to be prepared by the National Institute for Educational Evaluation of the Ministry of<br />
Education, Culture and Sport. The same conclusion of this ruling,<br />
referred to RD 1058/2015, which regulates the general characteristics of the<br />
final evaluation of Primary Education, is contained in the related plenary judgment<br />
of the Constitutional Court, No. 109/2019 of 3/10.<br />
<br />
<br />
CC are also carried out in the final assessment of Compulsory Secondary Education, which<br />
is regulated by the provisions of Article 22 of Royal Decree Law 5/2016 of 9/12 on urgent measures<br />
for the extension of the calendar for the implementation of Organic Law 8/2013. These<br />
questionnaires have been established by annual ministerial order for the school years<br />
2016, 2017 and 2018.<br />
2.1.2. Indicate whether both questionnaires are completed in the same act.<br />
<br />
It states that CC can be aimed at students, at their parents and guardians,<br />
and at the management of the primary school.<br />
<br />
It adds that the schedules planned for the application of the tests include a<br />
period for students to complete the CC, and that families complete<br />
the questionnaire at home.<br />
<br />
2.1.3. Report whether both questionnaires are nominal and whether the student completing them<br />
can and should be identified, and the legal basis from which this identification is derived.<br />
<br />
It states that both the assessment tests and the CC "are carried out<br />
anonymously". This statement is contrary to what was also stated in evidence<br />
by the respondent, who stated that the "diagnostic evaluation tests are nominal and<br />
in Navarre have always been done manually on paper", although the Institute<br />
may have understood the question as referring to the various context questionnaires that exist<br />
there. As for the legal basis:<br />
<br />
Third year of EP:<br />
<br />
"It is the responsibility of the educational administrations. Within the scope of the Ministry of<br />
Education and Vocational Training, the instructions given each school year expressly<br />
recommend that the evaluation data be processed anonymously." "To guarantee the<br />
anonymity of the answers to the family questionnaire, it will be given out in envelopes which<br />
the families can close once the questionnaire has been filled in".<br />
<br />
EP, final evaluation:<br />
<br />
"Article 8.4 of Royal Decree 1058/2015 states that "the results of the final stage evaluations<br />
will be brought to the attention of the educational community through<br />
indicators common to all Spanish schools, without identification of data of a<br />
personal nature and after consideration of the socio-economic and cultural factors of<br />
context".<br />
<br />
It should be noted that since the entry into force of Royal Decree Law 5/2016 the<br />
evaluation is sample-based and has a diagnostic purpose, so the indicators are no longer common<br />
to all Spanish centres. According to its Article 3: "the provisions of Royal Decree<br />
1058/2015 of 20/11 shall apply only to the extent that they do not conflict with this provision".<br />
Competence for the material conduct of the tests lies with the educational<br />
administrations. In the area of the Ministry's competence, the annual instructions include<br />
the following paragraph: "Confidentiality. All participants in the evaluation process<br />
will at all times maintain the utmost confidentiality regarding the content of the tests<br />
and their results until they are made public. In any case, the<br />
personal data resulting from the application of the tests must be processed in accordance with<br />
the provisions of the regulations in force."<br />
<br />
ESO final evaluation:<br />
<br />
Article 3.1(g) of Royal Decree 310/2016 of 29/07, regulating the final evaluations of<br />
Compulsory Secondary Education, states that it is for<br />
the educational administrations "to take measures to ensure the custody and<br />
confidentiality of the tests, as well as ensuring the anonymity of the data of<br />
students in the correction and grading phase of the tests".<br />
<br />
Article 5.3: "Context questionnaires shall in all cases be anonymous".<br />
<br />
2.1.4. Indicate whether the Institute develops uniform criteria related to the<br />
identifiability of the questionnaires/pupil.<br />
<br />
It states that the Institute coordinates the implementation of the evaluation in the area of<br />
the Ministry's competence. The identification of students in these evaluations is done by<br />
assigning each student a unique numerical code prior to the completion of<br />
the evaluation. The Institute does not know the correspondence between codes and names, so<br />
it cannot identify the students.<br />
<br />
In the 3rd year of EP, the only year in which the evaluation is individualised and a report<br />
of results is given to the students, the identification is done in the educational centres themselves and in<br />
the Provincial Directorates of Education in Ceuta and Melilla or the Regional Ministries of Education<br />
of the different Autonomous Communities. Since the evaluations of 6th year EP and 4th year ESO are not<br />
individualised, students are not identified at any time. The Institute shares with<br />
the Autonomous Communities the method used for the anonymisation of evaluations,<br />
but it is up to them whether or not to implement this system.<br />
<br />
2.1.5. On whether the Institute is aware of the context questionnaires carried out by the<br />
different Autonomous Communities, and whether it issues any kind of report on them.<br />
<br />
It states that this is not compulsory in relation to the assessments within its competence.<br />
<br />
2.1.6. On whether it has introduced in such questionnaires, or addressed, the issue of<br />
questions about gender identity.<br />
<br />
It states that the questionnaires drawn up by the Institute and those defined in the BOE for 6th year<br />
EP and 4th year ESO, which have been prescribed for all educational administrations up to<br />
the 2019/2020 school year, do not contain any questions on gender identity; they only ask<br />
the student whether he or she is a boy or a girl, and the family questionnaires refer to their son or<br />
daughter.<br />
<br />
3) The website of the respondent is accessed at the following address: https://www.educacion.navarra.es/web/dpto/evaluación-y-calidad/evaluacion/evaluacion-externa/evaluacion-de-navarra/child and primary education - course 2018-2019, entitled "Protocol of actions<br />
of CENSAL DIAGNOSTIC ASSESSMENT 4th year of Primary Education Academic year<br />
2018-2019". The file is named "webnavarra eva 4 instru" and<br />
contains the publication of all the elements of the test,<br />
even the answers. The maths test is opened for verification,<br />
and it can be seen that on the front of the booklet there are spaces for the identification<br />
of the student, centre, classroom, date and location, referring to the DE as mentioned.<br />
<br />
It is therefore proven that the competence assessment questionnaire completed in<br />
the diagnostic assessment test must be nominative.<br />
<br />
The guide for the use of the EDUCA computer application indicates that in this<br />
application tasks can be carried out according to an assigned profile, for example:<br />
generating reports for families in relation to the diagnostic evaluation, identifying<br />
exempted students, making observations, recording responses, and accessing the results report.<br />
<br />
There are three profiles: director, tutor and manager (management team and<br />
administrative staff).<br />
<br />
EIGHTH: A proposed resolution is issued on 8/09/2020, which states verbatim:<br />
<br />
"1- That the Director of the Spanish Data Protection Agency sanction<br />
the respondent with a warning, for:<br />
<br />
- a breach of Article 5(1)(a) of the RGPD, pursuant to Article 83(5)(a)<br />
of the RGPD.<br />
<br />
- a breach of Article 5.1(a) of the RGPD, in conjunction with Article 9.1 of the<br />
RGPD and 9.1 of the LOPDGDD, in accordance with Article 83.5 a) of the RGPD.<br />
<br />
- a breach of Article 13 of the RGPD, pursuant to Article 83(5)(b) of the<br />
RGPD"<br />
<br />
Allegations are received on 23/09/2020 reiterating the earlier ones.<br />
<br />
<br />
PROVEN FACTS<br />
<br />
1) The complainant states that in 2018/2019 his son was in the 4th year of primary school (9-<br />
10 years old) in an Associated School of the Autonomous Community of Navarre and had to complete<br />
a nominal questionnaire which, among other things, contains questions such as sex<br />
(boy/girl/other options), the language used outside school, feelings<br />
towards school, relationships with peers, or the parents' profession.<br />
<br />
2) In the Spanish primary education system, there are two modalities of<br />
individualised diagnostic evaluation (ID) for all students.<br />
<br />
<br />
Third year evaluation: the degree of mastery of the skills, abilities and<br />
competences in oral and written expression and comprehension, calculation and problem<br />
solving will be checked. If this assessment proves to be unfavourable, the teaching team will have to adopt,<br />
in collaboration with families, the most appropriate ordinary or extraordinary measures,<br />
setting and implementing plans to improve individual or collective results that allow<br />
the difficulties to be solved.<br />
<br />
<br />
Final evaluation of Primary Education, in the sixth year, which will check the<br />
degree of acquisition of linguistic and mathematical communication competences, and<br />
of basic competences in science and technology, as well as the achievement of the objectives of the<br />
stage. The result of the evaluation will be expressed in the levels: Insufficient (IN), Sufficient<br />
(SU), Good (BI), Notable (NT) or Outstanding (SB). The level obtained by each student<br />
will be recorded in a report that will be given to the parents or legal guardians. This report<br />
will be of an informative and guiding nature for the schools in which students have<br />
studied the sixth year of Primary Education and for those in which they will continue<br />
their studies, as well as for teaching teams, parents or legal guardians and<br />
students.<br />
<br />
3) Simultaneously with the final stage evaluation, context questionnaires (CC)<br />
complementary to the competence test will be applied, which<br />
will be drawn up (at the date of the complaint) by the Ministry of Education, Culture and Sport.<br />
These questionnaires provide information on the socio-economic and cultural conditions<br />
of the centres for the contextualisation of the results obtained.<br />
<br />
<br />
Royal Decree 1058/2015 of 20/11, regulating the general characteristics of<br />
the tests of the final evaluation of primary education established in the LOE,<br />
with regard to the CC for the evaluations carried out in the sixth year of primary school,<br />
indicates that there would be three, one for the student, one for the families and one for the school<br />
management, and that "the questions and answer options that must be<br />
included in each of the questionnaires defined in the previous section are those indicated<br />
in ANNEX ONE of the resolution".<br />
<br />
<br />
4) The education regulations provide that the Autonomous Communities may carry out other evaluations<br />
for diagnostic purposes, in accordance with Article 144.2 of Organic Law 2/2006,<br />
of 3/05, on Education, modified by Organic Law 8/2013, of 9/12, for the Improvement of<br />
Educational Quality. In the Autonomous Community of Navarre, this power is used and DE and CC have been carried out<br />
for the fourth year of primary school since the 2009/2010 school year.<br />
<br />
In the Autonomous Community of Navarre, the DE are carried out on nominal forms in<br />
paper format (booklets in which the data of each student is filled in at the time of<br />
the test), it being considered that this is done in order<br />
to relate the degree of acquisition of competences to the improvement of the student.<br />
<br />
5) In the Autonomous Community of Navarre, during the seven school years between<br />
2009/2010 and 2015/2016 (both inclusive), the forms for the fourth year CC<br />
that the students responded to were anonymous, without containing their personal<br />
data. From the 2016/2017 school year, "it was agreed" to carry out the CC through an<br />
online application, no longer anonymous, accessed through the pair (username,<br />
password) that was assigned to the students. In the 2018-19 academic year, the CC were carried out<br />
during the month of February 2019 and the DE tests during the week of 6 to<br />
10/05/2019.<br />
<br />
6) The respondent had a PROTOCOL of action associated with the census diagnostic<br />
assessment of the fourth year of primary education for 2018/2019 published on its website<br />
since 14/01/2019, in which it referred to both the DE and CC tests. In point<br />
5 of the INSTRUCTIONS for the implementation of the questionnaire, it was indicated (for the<br />
context questionnaires, which were carried out online, while the DE was done on paper) that the directors of the<br />
centres will have available a list of usernames and passwords, as many as there are students enrolled,<br />
in the EDUCA computer application. This list will also include the identification data of each student<br />
(course, group and full name). The directors will be able to access it from<br />
28/01/2019. At the time of application, the director of the centre provides<br />
the usernames and passwords to each 4th year EP tutor (as many as there are<br />
students), for distribution to their students.<br />
<br />
The test is carried out using the centre's computers, each tutor distributing<br />
to each student their username/password to be entered in the<br />
application in order to complete and submit the questionnaire. Before sending it, the application warns of<br />
possible unanswered questions; the student may disregard this warning and<br />
send it as it is, or fill in what is missing.<br />
<br />
<br />
<br />
7) The personal data of the students collected in the CC forms<br />
were stored in the databases of the respondent, which were kept on the<br />
network drives of the Department of Education server, accessible from within<br />
the Department itself, and on computer equipment by means of a username and password.<br />
<br />
<br />
8) The CC form associated with the DE, for the 2018-2019 fourth year of primary school,<br />
under "Questions and answer options which must be included in each of the<br />
questionnaires", "PUPIL QUESTIONNAIRE", includes<br />
instructions informing that "you only have to answer several questions about yourself<br />
and your family". All questions are answered by ticking boxes.<br />
<br />
Under the heading "sex" the options a-boy, b-girl, c-other options are offered. Then: how often<br />
have you missed this school year without justification; how many<br />
days a week do you dedicate to doing homework; the linguistic model in which you study,<br />
with options such as in Spanish, B, in Basque with Spanish; the language in which you watch television,<br />
read books or use video games and social networks, talk to teachers in the classroom and outside<br />
it, which language you preferably use (distinguishing) with friends in the street, in the school<br />
playground or at home with your family; on which continent you, your mother and your father were born;<br />
your parents' level of education, their employment situation and current job, with trades<br />
and example jobs such as "watchman", "farm worker", "doctor", "architect",<br />
"upper scale military" or "middle scale"; whether you have your own single room; and<br />
what your relationship with your classmates is like, whether you feel lonely or marginalised.<br />
<br />
The context questionnaire does not have to contain the identification data of the student completing it.<br />
This follows from the application by analogy of the provisions for these CC in the RD, which refers to<br />
the CC for the compulsory tests of the sixth year of primary school.<br />
<br />
<br />
9) Filling in the CC form is compulsory for each student in the fourth year of<br />
primary, although questions can be left unanswered; it can even be sent with<br />
all the questions unanswered.<br />
<br />
10) As stated by the respondent, the legal authorisation for the processing of data for the CC<br />
is the fulfilment of a legal obligation derived from LO 2/2006, LOE, as<br />
amended by LO 8/2012 LOMCE, although no regulation states that the CC<br />
must contain the student's identification data. The aforementioned regulations for<br />
primary education consist of Organic Law 2/2006, of 3/05, on Education, modified by<br />
Organic Law 8/2013, of 9/12, for the Improvement of Educational Quality, which provides in its Article<br />
21 for the conduct of an individualised assessment of all students at the end of the sixth<br />
year of Primary Education, and Royal Decree 1058/2015, of 20/11, which regulates the<br />
general characteristics of the tests of the final evaluation of Primary Education.<br />
<br />
11) The question in the CC on the sex of the student completing the questionnaire, with three response options (boy, girl, other options), was introduced unilaterally by the respondent in application of Article 19(a) of Provincial Law 17/2019, of 4 April, on equality between women and men, which states that, "in order to guarantee the effective incorporation of the gender perspective in their day-to-day work, the public authorities of Navarre shall systematically include the variable of sex, collecting its different categories, in all the statistics, surveys and data collection they carry out". Under the rules applicable to the CC, the questions of this questionnaire were drawn up by the Ministry of Education, which introduced nothing on this point. It was indicated that the education administrations could introduce new questions, but not extend the existing ones.<br />
<br />
12) In the EDUCA application in which the data are stored, it is possible to extract information and access the questionnaires, see the answers, the questions left blank and the score obtained. The "corrected booklets", referring to the DE, are kept at the school until 30/11/2019. Families are given a "student report in the month of June".<br />
<br />
13) At least in the CC, there was no reference to the collection, storage, processing or disclosure of personal data, to the legal basis or to the exercise of rights. It is not known whether the same happened in the diagnostic competence questionnaire (DE), which has not been the subject of the complaint, although the two are interdependent.<br />
<br />
14) In the course of these proceedings, the respondent has stated that:<br />
<br />
- It has added explicit references to the basic data protection information in the protocol of actions sent to the schools and published on the website of the Department of Education.<br />
<br />
- It is implementing the information on the DE and the CC that will be given to families, which will also be displayed on the Department's website.<br />
<br />
- The information on data collection and processing will be provided when the data are requested in the online application itself.<br />
<br />
- It provides for a data retention period of three school years following the school year in which the data are collected.<br />
<br />
- It has removed the users and passwords for the 2018-19 school year and earlier (this is done each time the current school year is loaded) and stated in evidence that it has destroyed all records, files and backups in which data on students from previous years may appear.<br />
<br />
- The Director-General for Education issued an Instruction on 23 January 2020 providing that the online CC will be anonymous in the 2019-2020 academic year, through a random key.<br />
<br />
- The protocol of actions for the fourth-year primary questionnaires for the 2019-2020 academic year, published on the web, has been amended.<br />
<br />
<br />
<br />
<br />
<br />
LEGAL FOUNDATIONS<br />
<br />
I<br />
<br />
By virtue of the powers conferred on each supervisory authority by Article 58(2) of the GDPR, and in accordance with Articles 47 and 48.1 of the LOPDGDD, the Spanish Data Protection Agency is competent to resolve this procedure.<br />
<br />
<br />
II<br />
<br />
<br />
As a starting point, it should be noted that the twenty-third additional provision of Organic Law 2/2006, of 3 May, on Education, establishes in general terms the principles governing the processing and communication of personal data within its scope, providing as follows:<br />
<br />
<br />
"1. Schools may collect personal data from their students that are necessary for the exercise of their educational function. Such data may refer to the origin and the family and social environment, to the characteristics or conditions of their schooling and its results, and to other circumstances whose knowledge is necessary for the education and guidance of the students.<br />
<br />
2. Parents or guardians and the students themselves must cooperate in obtaining the information referred to in this article. The enrolment of a student in an educational establishment implies consent to the processing of his or her data and, where appropriate, to the transfer of data from the centre where he or she was previously enrolled, under the terms established in data protection legislation. In any case, the information referred to in this paragraph shall be strictly that necessary for the teaching and guidance function, and may not be processed for purposes other than educational ones without express consent.<br />
<br />
3. In the processing of student data, technical and organisational rules shall apply to guarantee their security and confidentiality. Teaching staff and other personnel who, in the exercise of their duties, access personal data or data affecting the honour and privacy of minors or their families shall be bound by the duty of secrecy.<br />
<br />
4. The transfer of data, including those of a reserved nature, necessary for the educational system shall be carried out preferably by telematic means and shall be subject to the legislation on the protection of personal data; the minimum conditions shall be agreed by the Government with the Autonomous Communities within the Sectoral Conference on Education".<br />
<br />
In this complaint, the issue at stake is the evaluation of the quality of teaching by means of questionnaires; in this particular case, not the evaluation of acquired knowledge, but the evaluation of socio-economic and cultural factors relating to the homes, surroundings and environments in which the student lives. For example, the Socio-economic and Cultural Index (ISEC), also used, among others, in the PISA tests, is calculated from some of the answers given by students and their families in the context questionnaires; it summarises various aspects of the social and family context of the students and is built from data such as the level of education of the father and mother, their professions, the level of household resources or whether a computer is available for personal use.<br />
<br />
As to whether, for the 2018/2019 academic year, the regulations in force required some kind of context evaluation to be carried out and, if so, whether it had to be anonymous or identifiable, the following should be noted:<br />
<br />
Even after the amendment of the LOE by the LOMCE (2013), there is no apparent reference to an obligation to carry out any evaluation of 4EP students. Previously, Article 21 of the LOE did not indicate that it was compulsory or census-based either, stating: "At the end of the second cycle of primary education all schools shall carry out a diagnostic assessment of the basic skills achieved by their students. This evaluation, which is the responsibility of the education administrations, shall be formative and guiding for the schools and informative for families and for the educational community as a whole. These evaluations shall take as their reference framework the general diagnostic evaluations established in Article 144.1 of this law".<br />
<br />
Article 20.3 of the LOE, as amended by the LOMCE, states:<br />
<br />
"Schools shall carry out an individualised assessment of all pupils at the end of the third year of Primary Education, as arranged by the education administrations, which shall check the degree of mastery of the skills, capacities and abilities in oral and written expression and comprehension, calculation and problem solving, in relation to the degree of acquisition of competence in linguistic communication and mathematical competence. If this assessment is unfavourable, the teaching team shall adopt the most appropriate ordinary or extraordinary measures".<br />
<br />
Since 30/12/2013 the diagnostic evaluation takes place in the sixth year. It follows that it is not anonymous, since Article 21(3) indicates that the result is recorded in a report which is given to the parents.<br />
<br />
<br />
It indicates that, with the entry into force of the LOMCE, the individual census-based assessment was kept for the 3rd and 6th years of primary school, while that of 4EP became voluntary under Article 144.2 of the LOE; in Navarre, the 4EP diagnostic census evaluation has been carried out since 2016-2017.<br />
<br />
The result is that there is no obligation derived from the law expressly establishing the carrying out of any kind of evaluation, or specifically a context evaluation, although Article 144.2 of the LOE states: "The education administrations may establish other assessments for diagnostic purposes".<br />
<br />
Taking as an example of context evaluation the one at the end of primary school, Royal Decree 1058/2015 provides in its Article 7.5 that, at the same time as the final stage evaluation, context questionnaires drawn up by the Ministry of Education, Culture and Sport shall be applied. These questionnaires make it possible to obtain information on the socio-economic and cultural conditions of the schools for the contextualisation of the results obtained. Its Article 8.1 also provides that, "in compliance with Article 147 of the LOE, the results of the final stage evaluations shall be brought to the attention of the educational community through common indicators for all Spanish schools", and that these common indicators shall be established by the Ministry of Education, Culture and Sport.<br />
As to whether the applicable regulations establish that the data from the context questionnaire must be anonymous, the resolution of 30/03/2016 of the State Secretariat for Education, Vocational Training and Universities, which defines the context questionnaires and the common school indicators for the final evaluation of primary education, restates Article 7.5: "at the same time as the final stage evaluation is carried out, context questionnaires drawn up by the Ministry of Education, Culture and Sport shall be applied. These questionnaires will provide information on the socio-economic and cultural conditions of the schools for the contextualisation of the results obtained". The following is highlighted:<br />
<br />
Article Two: Context questionnaires.<br />
<br />
"1. The context questionnaires to be applied in the final evaluation of Primary Education shall be three: one for pupils in the sixth year of primary education taking the evaluation (hereinafter the student questionnaire), another addressed to their parents and legal guardians (hereinafter the family questionnaire), and a third addressed to the management of the primary school (hereinafter the management questionnaire).<br />
<br />
2. The questions and answer options that must be included in each of the questionnaires defined in the previous paragraph are those indicated in ANNEX I to this resolution.<br />
<br />
3. The education administrations may:<br />
<br />
a) Apply questionnaires addressed to other groups, in addition to those indicated in paragraph 1 of this Article Two.<br />
<br />
<br />
<br />
<br />
b) Include other questions in each questionnaire in addition to those referred to in paragraph 2 of this Article Two. However, no response options may be added to the questions set out in ANNEX I to this resolution other than those indicated there.<br />
<br />
c) Apply the different questionnaires in the format considered most appropriate (paper or digital).<br />
<br />
d) Define the time and place of completion of the different questionnaires.<br />
<br />
e) Lay out the questionnaires according to their needs and alter the order of the questions. This includes the possibility of designing the student questionnaire and the family questionnaire jointly, provided that it is clearly stated who must complete each part".<br />
<br />
<br />
Point three states that "the National Institute for Educational Evaluation shall provide the education administrations with a code book containing the necessary and mandatory instructions for the correct recording of the data and the subsequent processing of the common indicators".<br />
<br />
This State Secretariat resolution was amended by a resolution of 4/12/2017, BOE of 27/12, which changes one question in ANNEX I.<br />
<br />
No data protection aspect is included in the resolution or in the one amending it.<br />
<br />
<br />
ANNEX I lists the questions and response options to be included in each of the questionnaires, indicating and differentiating the student questionnaire from the one to be completed by parents or guardians. The student questionnaire begins with the question "Are you a boy or a girl?" and contains questions on how often a computer or tablet is used for school work in each of the following places, how many days a week homework is done, and so on. It contains a block of 11 questions in total, ending with "In general, to what extent do you agree with these statements about your teachers? A) I know what they expect me to do...". There is no indication in any section that the context questionnaire is to be nominative or that the student is or can be identified in it; the identification of the students who complete the questionnaire is therefore not established as necessary in any rule, nor is it justified in relation to the purpose of the data collected.<br />
<br />
The family questionnaire begins with questions such as in which country you and your daughter or son were born, how often the following resources are used in the family home..., with four response options, the number of people living at home, the degree of satisfaction with the following aspects related to the school... regarding the teaching staff, whether you would recommend this school, how many days a week your child does homework including studying, how often you or other people in the house talk about the following with your son or daughter...; it also asks for the highest level of studies completed by the mother or father, and the category that best describes the employment situation of the mother and father.<br />
<br />
<br />
<br />
The context test for 4EP that is the subject of the complaint contains 17 questions for the student, some of them not in ANNEX I, in addition to the boy/girl question mentioned above: questions on language use, and questions that ANNEX I places in the family questionnaire, such as those on the parents' employment situation, their level of education and the kind of work they do.<br />
<br />
The issue must be linked not only to the existing legislation, but also to the context evaluations that are carried out in conjunction with the competence evaluations, and to the purpose of the data extracted from this context evaluation.<br />
<br />
<br />
The result is that there is no obligation derived from the law expressly establishing the carrying out of any kind of evaluation, or specifically a context evaluation, although Article 144.2 of the LOE states: "The education administrations may establish other assessments for diagnostic purposes".<br />
<br />
<br />
It is concluded that the online context questionnaire for 4EP students contains personal data, that it is not anonymous, that there is no justification for its not being anonymous, having been so in the past, and that it has no information clause on the data collection.<br />
<br />
While the DE competence questionnaire is nominative and contains the student's data, since it is clear from the regulations that such identification is required, the CC does not have that character, and it is moreover completed at different moments. Nor does it follow from its purpose that it should be nominative, given that those carried out before the 2018-2019 academic year were anonymous.<br />
<br />
However, for the 2018-19 academic year, which is the subject of the complaint, the CC was nominative, the access users and passwords being assigned by the system itself. No section of the regulations in force indicates that the CC has to be nominative or that the student surveyed must be identified, so the identification of the students who complete the questionnaire is not required by any rule, nor is it justified in relation to the purpose for which the data are intended, and the same factual information can be obtained without processing the students' personal data, that is, without their names being entered in the questionnaire.<br />
<br />
III<br />
<br />
The respondent collected information associated with identifying data and stored it in its systems for the production of indicators which, as set out above, do not require the identification of the author of the questionnaire. The collection and processing of these data entails the processing of specific personal data that are not necessary for the purpose, since personal identification data are recorded, which goes beyond what the data protection rules allow; this is unlike the DE, for which identification is provided for. By way of example, the statistical analyses at the level of the school group or at national level should not be correlated with the identified or identifiable author of the questionnaire.<br />
<br />
<br />
<br />
As for the respondent's statement "that although the survey is not anonymous, personal data are pseudonymised, i.e. they cannot be attributed to a data subject without the use of additional information", the Regulation extends its protection, as set out in Article 1(2), to the rights and freedoms of natural persons, and in particular their right to the protection of personal data, defined in Article 4(1) as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".<br />
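The distinction the respondent relies on here (pseudonymised rather than anonymous), and the random-key design the Instruction of 23 January 2020 announced for the 2019-2020 CC, can be made concrete in code. The following Python is an added illustration and is not part of the decision or of the EDUCA application; the enrolment list, the answers, the field names and the school names are constructed sample data, and the key table stands in for whatever the real system stored alongside the system-assigned logins. The last function goes one step beyond the passage: it checks whether records remain indirectly identifiable through their combination of answers even once no key table exists.<br />

```python
"""
Added illustration (not part of the AEPD decision): why a survey whose
records are keyed by system-assigned credentials is pseudonymised, not
anonymous, and what an actually anonymous collection looks like.

All names, schools, field names and answers below are constructed sample data.
"""
import secrets
from collections import Counter

# Constructed sample: the enrolment list an EDUCA-style system would hold
# (hypothetical field names, not the real schema).
ENROLMENT = [
    {"student": "Alumno A", "school": "CP Ejemplo 1"},
    {"student": "Alumno B", "school": "CP Ejemplo 1"},
    {"student": "Alumno C", "school": "CP Ejemplo 2"},
]

# Constructed context-questionnaire answers, one per enrolled student, in order.
ANSWERS = [
    {"sex": "girl", "born": "Europe", "parent_job": "doctor", "lonely": "no"},
    {"sex": "boy", "born": "Europe", "parent_job": "farm worker", "lonely": "yes"},
    {"sex": "boy", "born": "America", "parent_job": "architect", "lonely": "no"},
]


def collect_pseudonymised(enrolment, answers):
    """2018-19 style: the system assigns each named student a login and stores
    the answers under it. Returns (records, key_table); the key table is the
    'additional information' that Art. 4(5) GDPR speaks of."""
    records, key_table = [], {}
    for pupil, ans in zip(enrolment, answers):
        user = "u" + secrets.token_hex(4)
        key_table[user] = pupil["student"]
        records.append({"user": user, "school": pupil["school"], **ans})
    return records, key_table


def reidentify(records, key_table):
    """Whoever holds the key table (the controller, or anyone who obtains its
    backups) turns pseudonymised answers back into named ones."""
    return {key_table[r["user"]]: r for r in records}


def collect_anonymous(enrolment, answers):
    """2019-20 style (random key): a random token is generated per submission
    and is never written next to the student's name, so no key table exists
    and the record cannot be taken back to a login or a person by lookup."""
    return [{"key": secrets.token_hex(8), "school": pupil["school"], **ans}
            for pupil, ans in zip(enrolment, answers)]


def school_indicator(records, field, value):
    """The statistical use the decision identifies as the questionnaire's
    purpose: a per-school rate, which needs no identity at all."""
    out = {}
    for school in {r["school"] for r in records}:
        rows = [r for r in records if r["school"] == school]
        out[school] = sum(r[field] == value for r in rows) / len(rows)
    return out


# Answers that, combined, can single a child out in a small class.
QUASI_IDENTIFIERS = ("school", "sex", "born", "parent_job")


def singled_out(records, quasi=QUASI_IDENTIFIERS):
    """Even without a key table a record stays 'indirectly' identifiable
    (Art. 4(1)) if its combination of quasi-identifiers is unique in the data
    set. Returns how many records are unique on those fields (k = 1)."""
    combos = Counter(tuple(r[q] for q in quasi) for r in records)
    return sum(1 for r in records if combos[tuple(r[q] for q in quasi)] == 1)


if __name__ == "__main__":
    recs, keys = collect_pseudonymised(ENROLMENT, ANSWERS)
    print(reidentify(recs, keys))                    # names recovered from the key table
    anon = collect_anonymous(ENROLMENT, ANSWERS)
    print(school_indicator(anon, "lonely", "yes"))   # same indicator, no names needed
    print(singled_out(anon), "of", len(anon), "records unique on quasi-identifiers")
```

The two collection functions produce the same school-level indicator, which is the point the decision makes about purpose: the name adds nothing to the statistic. The final check is the caveat a practitioner should carry forward: dropping the key table is necessary but not sufficient, because with three respondents every combination of school, sex, birthplace and parental occupation is unique, so the records would still relate to identifiable persons at that scale.<br />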
<br />
Therefore, the respondent is charged, in general terms, in respect of the 2018-2019 CC carried out with personal data of 4EP students, with the infringement of Article 5(1)(a) of the GDPR, which states:<br />
<br />
"Personal data shall be:<br />
<br />
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency')".<br />
<br />
<br />
The infringement is connected to the cases in which the various legal bases are determined. Article 6 of the GDPR, entitled "Lawfulness of processing", states: "1. Processing shall be lawful only if and to the extent that at least one of the following applies:", and lists them.<br />
<br />
<br />
In this case, there is no need for such questionnaires to be associated with the student who completes them, who would have to be named, and the rule does not indicate that it concerns the student or must contain his or her data. This applies to the entire questionnaire in general, and it is established that there is no legitimate basis for the processing carried out.<br />
<br />
As a general rule, data should only be collected for specified, explicit and legitimate purposes. This requirement involves analysing whether the processing of personal data is necessary and appropriate for developing and assessing the CC. From the specification of the purpose of the processing, the regulations in force and the purposes of the processing by means of the CC, it does not follow that personal data have to be used to fulfil the purpose assigned to it in the LOE and concordant rules.<br />
<br />
If the aims of the questionnaire processing can be achieved without processing personal data, then, in addition to its not being proven that such processing is necessary, it follows that there is no concrete legitimate basis for it, considering that the processing of personal data has an impact on the fundamental rights of the student in terms of personal data and privacy. So, if the same purpose can be achieved without processing the data, and it does not follow from the regulations in force that they are to be processed, there is no legal basis for processing them.<br />
<br />
<br />
IV<br />
<br />
Because the same questionnaire deals with "sex" with the options "boy", "girl" and "other options", the respondent is charged with the infringement of Article 5(1)(a) of the GDPR, as these are considered special category data, relating to "data concerning a natural person's sex life or sexual orientation", for which there is no legal basis to be processed as they were in the CC questionnaire, by introducing into the question "sex: boy, girl" a third selection, "other options".<br />
<br />
The complaint does not detail what this option refers to; it concerns the socio-economic questionnaires accompanying the diagnostic evaluation test in which knowledge and skills are assessed. The DE tests and the 2018-2019 CC are also denounced because parents were not informed of the data processing, and because the questionnaires do not contain the information clauses that must set out the aspects and purposes of the data for the purposes of information and the exercise of rights.<br />
<br />
The following articles are cited:<br />
<br />
"5.1. Personal data shall be:<br />
<br />
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency')".<br />
<br />
"9.1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.<br />
<br />
9.2. Paragraph 1 shall not apply if one of the following applies:<br />
<br />
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;"<br />
<br />
<br />
Adding Article 9.1 of the LOPDGDD: "For the purposes of Article 9.2.a) of Regulation (EU) 2016/679, in order to avoid discriminatory situations, the consent of the data subject alone shall not be sufficient to lift the prohibition on the processing of data whose main purpose is to identify his or her ideology, trade union membership, religion, sexual orientation, beliefs or racial or ethnic origin".<br />
<br />
It is recalled that the option presented in the context questionnaire under "sex" was, in addition to boy-girl, "other options". This is a question included in ANNEX I, under Royal Decree 1058/2015 and the resolution of 30/03/2016, recalling that the Autonomous Communities have the possibility of "including other questions in each questionnaire in addition to those referred to in paragraph 2 of Article Two of this resolution. However, no response options may be added to the questions set out in ANNEX I to this resolution other than those indicated there". New questions may be introduced. This regulation provides, in ANNEX I, "Questions and answer options which must be included in each of the questionnaires defined in Article Two", that the questions and answer options to be included in each of the questionnaires are those indicated in ANNEX I to this resolution.<br />
<br />
<br />
First of all, the model questionnaire created by the respondent departs from the model in ANNEX I of the resolution of 30/03/2016, which does not include this term.<br />
<br />
It is noted that, within "sex", the option "other option" is unrelated to the sex of the student, which is biologically determined, and would instead fall under the issue of gender identity, which is introduced in the questionnaire without explanation.<br />
<br />
<br />
Gender refers to the social and cultural construction that defines the different emotional, affective and intellectual characteristics, as well as the behaviours, that each society assigns to men and women as their own. Many people do not identify with these characteristics, so that, apart from male and female, there would be other genders: trans, intersex, non-binary, pangender, etc. In this way, there are as many genders as there are identities, and therefore as many gender identities as there are people.<br />
<br />
<br />
The GDPR makes no mention of the specific term "gender identity".<br />
<br />
"Sexual orientation", on the other hand, is the pattern of emotional, romantic, sexual and psychological attraction (Wikipedia), as experienced by the person in a sustained way over time, and is described as different from gender identity.<br />
<br />
The Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights and the International Covenant on Economic, Social and Cultural Rights include, in their guarantees on non-discrimination, lists of prohibited grounds of discrimination. These lists do not explicitly mention sexual orientation and gender identity, but they end with the expressions "any other condition" or "any other social status". The use of these expressions shows that the lists were intended to be open and illustrative; in other words, the grounds of discrimination are not closed.<br />
<br />
It is clear and corroborated that sexual orientation and gender identity are two different aspects. In their case law, general comments and concluding observations, the United Nations treaty bodies have consistently held that sexual orientation and gender identity are prohibited grounds of discrimination under international law. Moreover, the special procedures of the Human Rights Council have long recognised the discrimination that exists on grounds of sexual orientation and gender identity.<br />
<br />
In the same vein, various international human rights protection mechanisms, such as the Committees, have affirmed that States have an obligation to protect people from discrimination on the basis of their sexual orientation. This is reflected in decisions of the Human Rights Committee (Toonen v. Australia, 1994) and in general comments of the Committee on Economic, Social and Cultural Rights, the Committee on the Rights of the Child, the Committee against Torture and the Committee on the Elimination of Discrimination against Women. For example, in its general comment, the Committee on Economic, Social and Cultural Rights points out that States parties to the Covenant must ensure that a person's sexual preferences do not constitute an obstacle to the realisation of the rights recognised by the Covenant. Gender identity is also recognised as a prohibited ground of discrimination: the Committee on the Rights of the Child has interpreted the right to non-discrimination in Article 2 of the Convention on the Rights of the Child as including sexual orientation and gender identity.<br />
The CC that was carried out in February 2019, according to the petitioner, is intended to comply with the<br />
mandate contained in legal provisions to ensure the effective integration of the gender<br />
perspective in the ordinary activity of public authorities, "systematically including the<br />
gender variable in the statistics, surveys and data collection they carry out", an action<br />
which Article 19 of Law 17/2019 of 4/04 sets out as follows:<br />
<br />
<br />
"The Public Administrations of Navarre, in order to guarantee the effective incorporation of<br />
the gender perspective in their ordinary activity, shall:<br />
<br />
a) Systematically include the variable of sex, collecting its different categories, in<br />
all the statistics, surveys and data collection they carry out.<br />
<br />
b) Establish new gender indicators that make it possible to better understand the<br />
differences in values, roles, situations, conditions, aspirations and needs of women and<br />
men, and their manifestation and interaction in the reality to be analysed, and include<br />
them in statistical operations.<br />
<br />
c) Use sufficiently large samples so that the various variables can be analysed according<br />
to the gender variable, and process the available data so that the different situations<br />
and needs of women and men in the various fields of action can be known".<br />
<br />
As can be seen, the above-mentioned reference rules, which are based on ANNEX ONE, refer<br />
exclusively to the variable "sex", distinguishing only between boy and girl.<br />
<br />
The introduction of such a question on gender identity, identifying its holder, would in<br />
any case have to be carried out only when there is a relationship between what is being<br />
asked and the purpose for which the data are to be processed, without collecting data<br />
merely in order to have them, without a specific purpose. In this case, the survey was of<br />
a socio-economic nature and did not study or analyse that aspect, so it makes no sense to<br />
establish a single question on that scope, with no connection to the rest of the issues.<br />
In this sense, no need for the processing of that option is appreciated when carrying out<br />
the questionnaire.<br />
<br />
Furthermore, for statistical purposes, Spanish regulations maintain, as do those of most<br />
European countries, the binary model of sex, male and female, which appears in Article 170<br />
of the Decree of 14/11/1958 approving the Regulation of the Civil Registry Law. In this<br />
case, moreover, the possibility of introducing in the questionnaires the variable "other<br />
options" under "sex" does not correspond to this concept and lacks the necessary legal<br />
basis in our legal system.<br />
<br />
In the Agency's view, the exception provided for in point (j), processing necessary for<br />
statistical purposes, does not apply, as it requires that the processing be<br />
<br />
provided for in Union or Member State law, which must be proportionate to the objective<br />
pursued, respect in substance the right to data protection and establish appropriate and<br />
specific measures to protect the interests and fundamental rights of the data subject,<br />
and the above-mentioned regulations only cover the variable "sex".<br />
<br />
In any case, a questionnaire is presented here in which the student, while not stating<br />
their sexual orientation, can be inferred not to feel like a boy or a girl if they mark<br />
"other options", an issue that can be considered related to sexual orientation, with<br />
which it is often dealt with in the standards in a unitary way, and, in the background,<br />
to a question that should be related to the expression of one's beliefs, since gender<br />
identity is a matter internal to each person, as defined in resolution AG/RES. 2653<br />
(XLI-O/11): Human Rights, Sexual Orientation and Gender Identity, of 23/04/2012, which<br />
defines it as:<br />
<br />
<br />
"Gender identity is the internal and individual experience of gender as each person<br />
deeply feels it, which may or may not correspond to the sex assigned at birth, including<br />
the personal experience of the body (which may involve changing the appearance or<br />
function of the body through medical, surgical or other techniques, provided that it is<br />
freely chosen) and other expressions of gender, including dress, speech and manners."<br />
<br />
That is, the student is being asked about the gender they feel and with which they<br />
identify, whether it coincides with the one assigned at birth, woman or man, or "others",<br />
when the sex felt, with which they identify, does not coincide with that assigned at<br />
birth. This is outside the character and purpose of the educational context<br />
questionnaire, as it is not oriented in that way, and it should not oblige minors or any<br />
other person to express or declare their personal and intimate beliefs. The basis of<br />
this prohibition, as the transcribed precept points out, lies in avoiding discriminatory<br />
situations, such as those that could arise from a public register of the sexual<br />
orientation of persons, or from the collection of the gender identity of various groups<br />
without a determined purpose or without a legitimate basis, or of their beliefs.<br />
<br />
According to this provision, the general rule is a ban on the processing of such data,<br />
unless one of the exceptions set out in its paragraph 2 applies.<br />
<br />
<br />
Providing the information in the questionnaire was obligatory, although not for all<br />
questions. In any case, this should be clearly reported and thus indicated in the data<br />
collection systems.<br />
<br />
<br />
The infringement of Article 5.1.a) of the RGPD is considered established in relation to<br />
Article 9.1 of the RGPD and Article 9.1 of the LOPDGDD.<br />
<br />
V<br />
<br />
The questionnaire does not contain any information clause on data protection.<br />
<br />
No content or information was given to students or parents/guardians on the completion<br />
of this questionnaire.<br />
<br />
Considering the previous declaration of infringement of Article 5.1.a) for the lack of a<br />
legitimising basis for the processing of the data of 4EP students by means of the CC,<br />
the conduct of the respondent is now analysed, in that personal data were indeed<br />
collected from all students.<br />
<br />
Since personal data were collected, the questionnaire should have contained information<br />
on the purpose, legitimate basis and exercise of rights of the students, which was not<br />
included in it, nor is it clear that this information was given to students or<br />
parents/guardians on the completion of this questionnaire.<br />
<br />
In this case, it was possible to know which student each questionnaire corresponded to,<br />
as they had associated user and password data, identifiable since they were assigned by<br />
the directors of the centres.<br />
<br />
<br />
Information on the data collected and the transparency of such collection and processing<br />
is a principle established by the RGPD in Articles 12 and 13. These are not sufficient<br />
by themselves to legitimise the processing of personal data, but they are an essential<br />
condition to guarantee the lawfulness of the processing.<br />
<br />
<br />
In order to be valid, the processing must be lawful, fair and transparent. It must be<br />
supported on a legitimate basis and the data subject must be informed, at the time the<br />
data are collected, of the points set out in Articles 12 and 13 of the RGPD. The<br />
infringements of these principles are also independent of each other.<br />
<br />
<br />
The defendant does not comply with the provisions of Article 13 of the RGPD, "Information<br />
to be provided where personal data are collected from the data subject", which states:<br />
<br />
<br />
"1. Where personal data relating to a data subject are collected from the data subject,<br />
the controller shall, at the time when personal data are obtained, provide the data<br />
subject with all of the following information:<br />
<br />
<br />
(a) the identity and the contact details of the controller and, where applicable, of the<br />
controller's representative;<br />
<br />
(b) the contact details of the data protection officer, where applicable;<br />
<br />
(c) the purposes of the processing for which the personal data are intended as well as<br />
the legal basis for the processing;<br />
<br />
<br />
(d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by<br />
the controller or by a third party;<br />
<br />
(e) the recipients or categories of recipients of the personal data, if any;<br />
<br />
<br />
(f) where applicable, the fact that the controller intends to transfer personal data to a<br />
third country or international organisation and the existence or absence of an adequacy<br />
decision by the Commission, or in the case of transfers referred to in Article 46 or 47,<br />
or the second subparagraph of Article 49(1), reference to the appropriate or suitable<br />
safeguards and the means by which to obtain a copy of them or where they have been made<br />
available.<br />
<br />
2. In addition to the information referred to in paragraph 1, the controller shall, at<br />
the time when personal data are obtained, provide the data subject with the following<br />
further information necessary to ensure fair and transparent processing:<br />
<br />
<br />
(a) the period for which the personal data will be stored, or if that is not possible,<br />
the criteria used to determine that period;<br />
<br />
(b) the existence of the right to request from the controller access to and<br />
rectification or erasure of personal data or restriction of processing concerning the<br />
data subject or to object to processing, as well as the right to data portability;<br />
<br />
(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article<br />
9(2), the existence of the right to withdraw consent at any time, without affecting the<br />
lawfulness of processing based on consent before its withdrawal;<br />
<br />
<br />
(d) the right to lodge a complaint with a supervisory authority;<br />
<br />
(e) whether the provision of personal data is a statutory or contractual requirement, or<br />
a requirement necessary to enter into a contract, as well as whether the data subject is<br />
obliged to provide the personal data and of the possible consequences of failure to<br />
provide such data;<br />
<br />
<br />
(f) the existence of automated decision-making, including profiling, referred to in<br />
Article 22(1) and (4) and, at least in those cases, meaningful information about the<br />
logic involved, as well as the significance and the envisaged consequences of such<br />
processing for the data subject.<br />
<br />
<br />
3. Where the controller intends to further process the personal data for a purpose other<br />
than that for which the personal data were collected, the controller shall provide the<br />
data subject prior to that further processing with information on that other purpose and<br />
with any relevant further information as referred to in paragraph 2.<br />
<br />
4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already<br />
has the information".<br />
<br />
<br />
In the context of the information provided to children or their representatives, the use<br />
of short notices in simple language, which are concise, didactic and easy to understand,<br />
should be particularly stressed. A short notice will contain the basic information to be<br />
communicated when collecting personal data directly from the data subject (Articles 10<br />
and 11). This notice shall be accompanied by a more extensive notice, perhaps via a<br />
hypertext link, which will contain all the relevant details. The legal representatives<br />
and the children in their custody shall (always) be informed with the required quality.<br />
VI<br />
<br />
Article 83.5(a) and (b) of the RGPD provides that the infringement of "the basic<br />
principles for processing, including conditions for consent, pursuant to Articles 5, 6,<br />
7 and 9" and "the data subjects' rights pursuant to Articles 12 to 22" is punishable,<br />
under Article 83(5) of the said Regulation, with administrative fines of up to<br />
EUR 20,000,000 or, in the case of<br />
an undertaking, up to 4% of the total worldwide annual turnover of the preceding<br />
financial year, whichever is higher". In addition, Article 83.7 of the RGPD states:<br />
<br />
"Without prejudice to the corrective powers of supervisory authorities pursuant to<br />
Article 58(2), each Member State may lay down the rules on whether and to what extent<br />
administrative fines may be imposed on public authorities and bodies established in that<br />
Member State".<br />
<br />
<br />
The Spanish legal system has chosen not to penalise public entities with a fine, as<br />
indicated in Article 77.1.c) and 77.2, 4, 5 and 6 of the LOPDGDD:<br />
<br />
"1. The regime established in this Article shall apply to the processing operations for<br />
which the following are controllers or processors:<br />
<br />
c) The General State Administration, the Administrations of the Autonomous Communities<br />
and the entities that make up the Local Administration.<br />
<br />
<br />
2. Where the controllers or processors listed in paragraph 1 commit any of the<br />
infringements referred to in Articles 72 to 74 of this organic law, the competent data<br />
protection authority shall issue a decision sanctioning them with a warning. The decision<br />
shall also set out the measures to be adopted to bring about the cessation of the conduct<br />
or the correction of the effects of the infringement committed.<br />
<br />
<br />
The decision shall be notified to the controller or processor, to the body on which it<br />
hierarchically depends, where appropriate, and to the affected persons who had the status<br />
of interested parties, if any.<br />
<br />
4. The data protection authority must be informed of the decisions taken in connection<br />
with the measures and actions referred to in the preceding paragraphs.<br />
<br />
5. The actions carried out and the decisions taken under this article shall be<br />
communicated to the Ombudsman or, where appropriate, to the analogous institutions of<br />
the autonomous communities.<br />
<br />
<br />
6. When the competent authority is the Spanish Data Protection Agency, it shall publish<br />
on its website, with due separation, the decisions referring to the entities in paragraph<br />
1 of this article, with express indication of the identity of the controller or<br />
processor who committed the infringement".<br />
<br />
<br />
Article 58(2) of the RGPD states: "Each supervisory authority shall have all of the<br />
following corrective powers:<br />
<br />
(b) to sanction any controller or processor with a warning where processing operations<br />
have infringed the provisions of this Regulation;<br />
<br />
(d) to order the controller or processor to bring processing operations into compliance<br />
with the provisions of this Regulation, where appropriate, in a specified manner and<br />
within a specified period".<br />
<br />
Therefore, in accordance with the applicable legislation and having assessed the criteria<br />
for the graduation of penalties whose existence has been established,<br />
<br />
<br />
<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: TO IMPOSE ON THE DEPARTMENT OF EDUCATION OF THE GOVERNMENT OF<br />
NAVARRA, with NIF S3100007H:<br />
<br />
<br />
- A warning penalty for an infringement of Article 5.1.a) of the RGPD, in<br />
accordance with Article 83.5(a) of the RGPD.<br />
<br />
- A warning penalty for an infringement of Article 5.1.a) of the RGPD, in<br />
relation to Article 9.1 of the RGPD and 9.1 of the LOPDGDD, in accordance with Article<br />
83.5(a) of the RGPD.<br />
<br />
- A warning penalty for an infringement of Article 13 of the RGPD, in accordance<br />
with Article 83.5(b) of the RGPD.<br />
<br />
SECOND: To notify this resolution to the DEPARTMENT OF EDUCATION OF THE<br />
<br />
GOVERNMENT OF NAVARRA.<br />
<br />
THIRD: TO COMMUNICATE this resolution to the OMBUDSMAN, in accordance with the<br />
provisions of Article 77.5 of the LOPDGDD.<br />
<br />
<br />
FOURTH: In accordance with the provisions of article 50 of the LOPDGDD, this decision<br />
will be made public once it has been notified to the interested parties.<br />
<br />
Against this resolution, which puts an end to the administrative procedure in accordance<br />
with art. 48.6 of the LOPDGDD, and in accordance with Article 123 of the LPACAP, the<br />
interested parties may lodge an appeal for reconsideration with the Director of the<br />
Spanish Data Protection Agency within one month from the day following the notification<br />
of this decision, or directly a contentious-administrative appeal before the<br />
Administrative Chamber of the National Court of Justice, in accordance with Article 25<br />
and the fourth additional provision, paragraph 5, of Law 29/1998, of 13/07, regulating<br />
the Contentious-Administrative Jurisdiction, within two months from the day following<br />
the notification of this act, as provided for in Article 46.1 of the aforementioned Law.<br />
<br />
Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the<br />
LPACAP, the final administrative decision may be suspended as a precautionary measure if<br />
the interested party expresses its intention to lodge a contentious-administrative<br />
appeal. If this is the case, the interested party must formally communicate this fact in<br />
writing to the Spanish Data Protection Agency, submitting it through the Electronic<br />
Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of<br />
the other registers provided for in Article 16.4 of the aforementioned LPACAP. The<br />
documentation proving that the contentious-administrative action has actually been<br />
brought must also be sent to the Agency. If the Agency is not aware that the<br />
contentious-administrative action has been brought within two months from the day<br />
following notification of this resolution, the precautionary suspension would end.<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=DPC_-_Tusla_Child_and_Family_Agency&diff=12128
DPC - Tusla Child and Family Agency
2020-11-10T14:50:52Z
<p>Hk: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Ireland<br />
|DPA-BG-Color=background-color:#013d35;<br />
|DPAlogo=LogoIE.png<br />
|DPA_Abbrevation=DPC<br />
|DPA_With_Country=DPC (Ireland)<br />
<br />
|Case_Number_Name=Tusla Child and Family Agency <br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Irish Data Protection Commissioner <br />
|Original_Source_Link_1=https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-fine-tusla-child-and-family-agency-confirmed-court<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=17.05.2020<br />
|Date_Published=04.11.2020<br />
|Year=2020<br />
|Fine=75000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1<br />
|GDPR_Article_2=Article 33(1) GDPR<br />
|GDPR_Article_Link_2=Article 33 GDPR#1<br />
|GDPR_Article_3=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2d<br />
|GDPR_Article_4=Article 58(2)(b) GDPR<br />
|GDPR_Article_Link_4=Article 58 GDPR#2b<br />
|GDPR_Article_5=Article 58(2)(i) GDPR<br />
|GDPR_Article_Link_5=Article 58 GDPR#2i<br />
<br />
<br />
|National_Law_Name_1=s143 Data Protection Act <br />
|National_Law_Link_1=http://www.irishstatutebook.ie/eli/2018/act/7/section/143/enacted/en/html#sec143<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Irish Data Protection Commissioner (DPC) fined Tusla (the Irish Child and Family Agency) €75000 for “unintentionally providing” the personal data of children to third parties in three separate incidents. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The DPC commenced an inquiry after Tusla notified the DPC of three data breaches. <br />
<br />
The breaches all involved a failure to redact personal data when providing documents to third parties, including: <br />
<br />
- giving the father of two children in care their foster carer’s address<br />
<br />
- giving a person who was accused of child sexual abuse the address of the child who made the complaint and the telephone number of the child’s mother<br />
<br />
- giving the grandmother of a child in care the address and contact details of the child’s foster parents and the location of the child’s school.<br />
<br />
<br />
===Dispute===<br />
Did the breaches by Tusla infringe Articles 32-34 of the GDPR?<br />
<br />
===Holding===<br />
The DPC held that Tusla infringed Article 32(1) GDPR by failing to carry out measures that would have ensured an appropriate level of security of the data, such as redacting the names and contact details of the children. <br />
<br />
The DPC also held that the third breach infringed Article 33(1) GDPR, because Tusla failed to notify the DPC of it without undue delay.<br />
<br />
Aside from the €75000 fine, the DPC also ordered Tusla to bring its processing operations into compliance with Article 32(1) and issued reprimands in respect of the infringements, pursuant to Articles 58(2)(b), (d), and (i) GDPR respectively. <br />
<br />
==Comment==<br />
Procedure for imposing fines:<br />
<br />
Under section 143 of the Irish Data Protection Act 2018, a DPC decision to fine a controller or processor must be confirmed by the Circuit Court before the fine can be imposed. The DPC must apply to the Circuit Court to confirm its decision to impose a fine after the expiry of the period within which the controller or processor can appeal the decision.<br />
<br />
According to the DPC, this is its first application to the Circuit Court to confirm a decision to fine since the entry into force of the GDPR. <br />
<br />
At the time of submitting this decision to GDPRhub, the Circuit Court confirmation was “unreported” and unavailable in an online format that the general public could access. <br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
Data Protection Commission Fine on Tusla Child and Family Agency Confirmed in Court<br />
===================================================================================<br />
<br />
04th November 2020 - Press Release<br />
<br />
The Irish Data Protection Commission (DPC) today had the decision to<br />
impose an administrative fine on Tusla Child and Family Agency confirmed<br />
in the Dublin Circuit Court. The application to confirm the decision to<br />
impose an administrative fine of €75,000 was made pursuant to Section 143<br />
of the Data Protection Act 2018. This was the first fine issued under the<br />
GDPR in Ireland following a statutory inquiry and is the first application<br />
under Section 143.<br />
<br />
This inquiry was commenced in respect of three personal data breaches<br />
notified by Tusla to the DPC. All three personal data breaches occurred in<br />
circumstances where Tusla failed to redact personal data when providing<br />
documents to third parties. The first personal data breach occurred when<br />
Tusla unintentionally provided the father of two children in care with<br />
their foster carer’s address. The second breach occurred when Tusla<br />
unintentionally provided an individual who was accused of child sexual<br />
abuse with the address of the child who made the complaint and with her<br />
mother’s telephone number. The third breach occurred when Tusla<br />
unintentionally provided the grandmother of a child in care with the<br />
address and contact details of the child’s foster parents and the location<br />
of the child’s school.<br />
<br />
Decision<br />
--------<br />
<br />
* The decision found that Tusla infringed Article 32(1) of the GDPR by<br />
failing to implement appropriate organisational measures to ensure a level<br />
of security appropriate to the risk presented by its processing of<br />
personal data in respect of its sharing of documents with third parties.<br />
<br />
* The decision also found that Tusla infringed Article 33(1) of the GDPR<br />
by failing to notify the DPC of the third breach without undue delay.<br />
<br />
Corrective Powers<br />
-----------------<br />
<br />
* The DPC imposed an administrative fine of €75,000 on Tusla for its<br />
infringements of Article 32(1) and Article 33(1).<br />
<br />
* The DPC ordered Tusla to bring its processing operations into compliance<br />
with Article 32(1) of the GDPR by implementing appropriate organisational<br />
measures to ensure a level of security appropriate to the risk.<br />
<br />
* The DPC issued Tusla with reprimands in respect of the infringements of<br />
Articles 32(1) and 33(1) of the GDPR.<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=IP_-_07121-1/2020/1555&diff=11360
IP - 07121-1/2020/1555
2020-09-16T12:04:31Z
<p>Hk: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Slovenia<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoSL.png<br />
|DPA_Abbrevation=IP<br />
|DPA_With_Country=IP (Slovenia)<br />
<br />
|Case_Number_Name=07121-1/2020/1555<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Informacijski pooblaščenec<br />
|Original_Source_Link_1=https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1910<br />
|Original_Source_Language_1=Slovenian<br />
|Original_Source_Language__Code_1=SL<br />
<br />
|Type=Advisory Opinion<br />
|Outcome=<br />
|Date_Decided=<br />
|Date_Published=09.09.2020<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1c<br />
|GDPR_Article_2=Article 6(1)(e) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1e<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Slovenian DPA issued guidance stating that schools could only create a list of pupils who refused to wear protective facemasks if it had a legal basis for doing so. It also said that parents could be asked to sign a statement authorising schools to keep records of such a list, only if the signature of the parents was freely given, specific, informed, and unambiguous. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Slovenian DPA issued guidance on whether schools are allowed to create lists of students who refuse to wear protective facemasks. The DPA was also asked whether parents could be required to sign a statement authorizing a school to keep records of such a list.<br />
<br />
=== Dispute ===<br />
Whether schools are allowed to create lists of students who refuse to wear masks at school, as per instruction from the Ministry of Education, Science and Sport.<br />
<br />
Whether parents are required to sign a statement which authorizes the school to keep such records. <br />
<br />
=== Holding ===<br />
Regarding the first question of whether schools are allowed to create lists of students refusing to wear protective masks, the DPA stated that it will depend on whether the school has a legal basis for this processing operation. If they are relying on consent as their legal basis, this needs to be voluntary, specific, informed, and unambiguous. In the event that there is a duty to sign a statement, then this consent will not be deemed to be voluntary. The DPA then held that the only appropriate legal basis for the processing of personal data of school children is Article 6(1)(c) GDPR or Article 6(1)(e) GDPR. With regard to whether there were any national laws in place that permitted the processing of student data in relation to wearing protective masks, the IP held that neither the Slovenian Infectious Diseases Act nor the Ordinance on Interim Measures to Reduce the Risk of SARS-CoV-2 provide for this, so they cannot be relied on.<br />
<br />
Regarding the second question, whether parents are required to sign a statement which authorises the school to keep such records of pupils, the DPA said that if a statement is to be signed by parents, it must be done in accordance with the conditions for consent. In other words, the statement needs to be signed in a manner which is voluntary, specific, informed and unambiguous. <br />
<br />
Finally, the DPA said it was in the process of introducing an inspection procedure concerning the implementation of the laws on the protection of personal data. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.<br />
<br />
<pre><br />
On 7 September 2020, the Information Commissioner (hereinafter IP) received your request for an opinion regarding the lists of students who do not wish to wear protective masks. You are interested in whether schools are allowed to create and submit lists of students who refuse to wear protective masks at school under the instructions of the Ministry of Education, Science and Sport. Are parents required to sign a statement authorizing the school to keep records?<br />
<br />
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46/EC (hereinafter the General Regulation on Data Protection), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question.<br />
<br />
Based on the known information, it is crucial whether the data you state that the school wants to collect and record could be placed among the data for which the school has a legal basis for their processing in any of the applicable laws. No law explicitly requires this.<br />
<br />
Any consent as a legal basis for data processing must be voluntary (without coercion), specific, informed and unambiguous (in principle, also determined by law in the public sector when it comes to performing public tasks). If it is a duty or conditionality to sign a certain statement, then it is not possible to speak of consent as defined by the General Data Protection Regulation.<br />
<br />
The IP cannot give a final answer on the legality of the described request of the school in this opinion, so we are conducting an inspection procedure in connection with the stated dilemma. In it, the existence of a legal basis for the described processing is being verified.<br />
<br />
There must be an appropriate and lawful legal basis for any processing of personal data. These are set out in Article 6(1) of the General Data Protection Regulation and are, for the public sector, which includes educational institutions such as primary and secondary schools, as follows:<br />
<br />
• consent where public tasks are not involved (point (a)),<br />
<br />
• the conclusion or performance of a contract (point (b)),<br />
<br />
• law (point (c)),<br />
<br />
• protection of vital interests (point (d)),<br />
<br />
• implementation of a public task (point (e) in connection with the fourth paragraph of Article 9 of ZVOP-1).<br />
<br />
According to the IP, the only appropriate legal basis for the processing of personal data of school children is Article 6(1)(c) or 6(1)(e) of the General Regulation on Data Protection, as processing is necessary to fulfil a legal obligation that applies to the controller or in relation to the performance of public tasks. Exceptions are certain data where, in addition to the law, consent is also required, which is already determined by law.<br />
<br />
The processing of personal data in the implementation of primary and secondary education is defined by the Primary School Act (ZOsn) 1, the Gymnasiums Act (ZGim) 2, the Vocational Education and Training Act (ZPSI-1) 3 and the Education Organization and Financing Act (ZOFVI) 4. Schools process personal data on pupils / students and their parents on the basis of Article 95 of the ZOsn or Article 42 of the ZGim or Article 86 of ZPSI-1, and more detailed rules are also contained in the Rules on the collection and protection of personal data in the field of primary education 5. ZOFVI also contains a provision regarding the processing of personal data, namely Article 119 of this Act stipulates as a teacher's obligation "the collection and processing of data in connection with the performance of educational and other work".<br />
<br />
The laws in the field of primary and secondary education therefore specify which types of databases and records are kept by primary and secondary schools and when the data of pupils / students may be collected on the basis of personal consent or consent of parents or guardians of children when it comes to the implementation of a public educational program. According to the IP, the data you state that the school wishes to collect and record would be difficult to place among the data for which the school has a legal basis in any of the laws listed.<br />
<br />
However, a basis for such processing of pupils' personal data in connection with the wearing of protective masks to be lawful in the current epidemiological situation cannot be traced either in the Infectious Diseases Act 6 or in the Ordinance on Interim Measures to Reduce the Risk of SARS-CoV-2 7, issued on 3 September 2020. The latter explicitly stipulates that this decree (which stipulates the mandatory use of protective masks in enclosed public spaces) does not apply to educational institutions and organized sports activities, for which the use of protective masks or other forms of protection of the mouth and nose follows the recommendations of the National Institute of Public Health, which are published on the website of the National Institute of Public Health.<br />
<br />
When asked if you are required to sign a statement authorizing the school to keep these records, the IP answers that any consent must be voluntary (without coercion or trickery), specific (accurate, for a specific purpose), informed and unambiguous (understandable only in one way). If it is a duty or conditionality to sign a certain statement, then it is not possible to speak of consent as defined by the General Data Protection Regulation. You can read more about consent on the IP website https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/privolitev/ . Where the legal basis for the processing of personal data is the law, it is not necessary to obtain additional consent for the collection and transmission of personal data at all.<br />
<br />
Since the IP has already received several questions or reports of alleged violations regarding the collection and transmission of personal data of students in connection with the wearing of protective masks, it has also introduced a procedure of inspection control over the implementation of laws in the field of personal data protection. The process is ongoing, so we can't give you a more specific answer at this time. We suggest that you follow our website www.ip-rs.si , where the IP will publish its findings after the inspection.<br />
<br />
We advise you to read more about the rights of the individual regarding data protection on our website www.tiodlocas.si .<br />
<br />
All IP opinions are published and available on our website: https://www.ip-rs.si/vop/ .<br />
<br />
Also, all key areas as regulated by the General Regulation on Data Protection are presented at: https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/ , where you can find a lot of useful advice on the essential obligations of companies and other organizations for the proper implementation of personal data protection measures.<br />
<br />
<br />
<br />
Greetings,<br />
<br />
Mojca Prelesnik,<br />
<br />
Information Commissioner<br />
<br />
Karolina Kušević, B.Sc. dipl. prav.,<br />
IP consultant<br />
</pre></div>
Hk
https://gdprhub.eu/index.php?title=File:LogoSL.png&diff=11359
File:LogoSL.png
2020-09-16T12:02:51Z
<p>Hk: </p>
<hr />
<div></div>
Hk
https://gdprhub.eu/index.php?title=MediaWiki:Captcha-addurl-whitelist&diff=8075
MediaWiki:Captcha-addurl-whitelist
2020-01-26T17:14:02Z
<p>Hk: </p>
<hr />
<div> #<!-- leave this line exactly as it is --> <pre><br />
# Syntax is as follows:<br />
# * Everything from a "#" character to the end of the line is a comment<br />
# * Every non-blank line is a regex fragment which will only match hosts inside URLs<br />
84.113.230.143 # office<br />
2a01:4f8:231:1de2::/64 # homer incl. vpn<br />
10.90.129.0/24 # homer vpn<br />
213.47.150.96/28 # horst<br />
2001:470:99d6::/48 # horst<br />
#</pre> <!-- leave this line exactly as it is --></div>
Hk