https://gdprhub.eu/api.php?hidebots=1&urlversion=1&days=30&limit=50&target=Category%3AArticle_5%281%29%28c%29_GDPR&action=feedrecentchanges&feedformat=atom
GDPRhub - Changes related to "Category:Article 5(1)(c) GDPR" [en]
2024-03-29T11:58:44Z
Related changes
MediaWiki 1.39.6
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV/29/2020&diff=40639&oldid=40638
Tietosuojavaltuutetun toimisto (Finland) - TSV/29/2020
2024-03-28T15:35:13Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 15:35, 28 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l63">Line 63:</td>
<td colspan="2" class="diff-lineno">Line 63:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Link=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Link=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Initial_Contributor=fred</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Initial_Contributor=<ins style="font-weight: bold; text-decoration: none;">[https://gdprhub.eu/index.php?title=User:Fred </ins>fred<ins style="font-weight: bold; text-decoration: none;">]</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40638:rev-40639 -->
</table>
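Review bot: In the changed |Initial_Contributor= line, the user page is linked with external-link syntax and a full https://gdprhub.eu/index.php?title=User:Fred URL. The target is on the same wiki, so an internal link such as [[User:Fred|fred]] would be shorter and would survive a change of host or URL scheme. It is also worth confirming that the DPAdecisionBOX template renders link markup in this parameter rather than expecting a plain username.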
Fred
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV/29/2020&diff=40638&oldid=0
Tietosuojavaltuutetun toimisto (Finland) - TSV/29/2020
2024-03-28T15:34:42Z
<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=TSV/29/2020 |ECLI= |Original_Source_Name_1=Finlex |Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tsv/2024/20242123 |Original_Source_Language_1=Finnish |Original_Source_Language__Code_1=FI |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Lan..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=TSV/29/2020<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tsv/2024/20242123<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=27.01.2020<br />
|Date_Decided=12.03.2024<br />
|Date_Published=27.03.2024<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 25(2) GDPR<br />
|GDPR_Article_Link_2=Article 25 GDPR#2<br />
|GDPR_Article_3=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2d<br />
|GDPR_Article_4=Article 87 GDPR<br />
|GDPR_Article_Link_4=Article 87 GDPR<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 29(4) Data Protection Act<br />
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=fred<br />
|<br />
}}<br />
<br />
The DPA found a hospital to have breached the principle of data minimisation and data protection by design and by default by including personal identification codes in text messages.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Finnish DPA was notified that a hospital had sent test results to its patients by SMS, including the patient's personal identification code. The DPA then asked the controller to explain the purpose of including personal identification codes in text messages.<br />
<br />
In response to the request, the controller clarified that its mobile service automatically sent test results, treatment instructions and a proposal for the next monitoring date to patients via SMS. The controller stated that the inclusion of the personal identification code in the SMS ensured that the patient information was not inadvertently disclosed to the wrong people.<br />
<br />
The controller considered that the risk related to the processing of the personal identification code was minimal when the personal identification code was sent as an SMS to the patient's mobile phone. The controller claimed that if the SMS was sent to the wrong person, the risks to the life and health of the data subject could be significant.<br />
<br />
=== Holding ===<br />
On the basis of the information provided by the controller, the DPA noted that the purpose of [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29 Section 29 of the Finnish Data Protection Act] is to protect the personal identification code and to prevent its unnecessary processing. In addition, according to [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29 Section 29(4) of the Finnish Data Protection Act], the personal identification code should not be unnecessarily included in documents printed from or created on the basis of a filing system. The DPA was of the opinion that an SMS should be considered such a document.<br />
<br />
The DPA emphasised that, in accordance with [[Article 87 GDPR]], the national identity number shall be used only under appropriate safeguards for the rights and freedoms of the data subject. The DPA noted that the personal identification number is a unique and virtually permanent identifier, and that access to it by third parties may cause significant harm to the data subject, such as identity theft. Furthermore, the SMS messaging system does not provide for the encryption of message content or traffic data.<br />
<br />
In light of this, the DPA considered that the inclusion of the personal identification code in the SMS does not in fact affect whether the SMS is addressed to the right person. The DPA stated that the controller should not process personal identification codes for the sole purpose of facilitating its operations. Therefore, the controller should not have unnecessarily included the personal identification code in the SMS.<br />
<br />
On the basis of the information gathered, the DPA held that the controller had violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], [[Article 25 GDPR#2|Article 25(2) GDPR]] and [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29 Section 29(4) of the Finnish Data Protection Act]. As a result, and in accordance with [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA ordered the controller to bring its processing operations into compliance with the aforementioned provisions.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
Matter<br />
<br />
Sending personal ID and laboratory test data to the patient via text message<br />
Registrar<br />
<br />
Welfare district (At the time the matter was initiated, the hospital district was the data controller. From January 1, 2023, responsibility for the register has been transferred from the hospital district to the welfare district.)<br />
Notification made to the office of the Data Protection Commissioner<br />
<br />
The person who contacted the Data Protection Commissioner's office on January 27, 2020 stated in his report that he had received a text message from the central hospital that started with his personal identification number and in which he was told that his PSA sample had failed. The text message asked to contact the laboratory.<br />
<br />
The initiator inquires about the compliance of the operating method with data protection legislation.<br />
Statement received from the registrar<br />
<br />
The Office of the Data Protection Commissioner has requested an explanation from the data controller with an explanation request dated August 2, 2022. On August 23, 2022, the registrar has issued a written statement on the matter.<br />
<br />
The controller has presented in his report that the inclusion of the personal identification number in text messages ensures that, for example, information is not accidentally directed to wrong persons with the same name.<br />
<br />
According to the registrar, the mobile service automatically sends the patient a text message with the value measured in the test, treatment instructions and a proposal for the next control day. The contents of automatic text messages can be, for example, the following:<br />
<br />
“[Patient ID]: [Test X] score is [Y] and everything is fine. Your next checkup is on [date]”<br />
<br />
“[Patient ID]: The value of [Test X] is [Y]. To check the situation, please contact us"<br />
<br />
According to the registrar, in a service where the personal identification number is transmitted as a text message to the patient's own mobile phone, the risk related to the processing of the personal identification number is estimated to be low. On the other hand, in a situation where a message after a laboratory test is targeted to the wrong person, the risks to the registered person's life and health can be considerably high.<br />
On applicable legislation<br />
<br />
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) and the specifying national data protection act (1050/2018) apply in this case.<br />
<br />
Article 5(1)(c) of the General Data Protection Regulation provides for the principle of data minimization. According to the article, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.<br />
<br />
Article 25 of the General Data Protection Regulation provides for built-in and default data protection. According to paragraph 1 of the article, taking into account the latest technology and implementation costs, as well as the nature, scope, context and purposes of the processing, as well as the varying probability and seriousness of the risks to the rights and freedoms of natural persons caused by the processing, the controller must, in connection with determining the processing methods and the processing itself, effectively implement data protection principles such as data minimization appropriate technical and organizational measures, such as pseudonymization of data and the necessary protective measures, so that they can be included as part of the processing and so that the processing complies with the requirements of the General Data Protection Regulation and the rights of data subjects are protected. According to paragraph 2 of the article, the controller must implement appropriate technical and organizational measures to ensure that by default only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. With the help of these measures, it must be ensured in particular that personal data is not, by default, made available to an unlimited number of people without the contribution of a natural person.<br />
<br />
Article 32 of the General Data Protection Regulation provides for the security of processing. According to paragraph 1 of the article, taking into account the latest technology and implementation costs, the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, which vary in their probability and severity, the controller and the personal data processor must implement appropriate technical and organizational measures to ensure a level of security corresponding to the risk. According to paragraph 2 of the article, when assessing the appropriate level of security, special attention must be paid to the risks involved in the processing, especially due to the accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to personal data of transferred, stored or otherwise processed personal data.<br />
<br />
Article 87 of the General Data Protection Regulation provides for the handling of the national identity number. According to the article, member states can define in more detail the special conditions for processing a national identity number or other general identifier. In this case, the national identity number or other general identifier must be used only in compliance with appropriate safeguards regarding the rights and freedoms of the data subject in accordance with the General Data Protection Regulation.<br />
<br />
At the time of the event of the matter to be resolved, Section 29 of the Data Protection Act provides for the processing of personal identification numbers as follows: According to Section 29, subsection 1, personal identification numbers may be processed with the consent of the data subject or, if the processing is stipulated by law. In addition, the personal identification number may be processed if unambiguous identification of the registered person is important: 1) in order to perform a task stipulated by law; 2) to implement the rights and obligations of the registered or data controller; or 3) for historical or scientific research or statistics. According to section 29 subsection 2 of the Data Protection Act, the personal identification number may be processed in the granting of credit or debt collection, insurance, credit institution, payment service, rental and lending activities, credit information activities, health care, social care and other social security or official, employment and other service relationships and related to them in matters concerning related interests. According to section 29 subsection 4 of the Data Protection Act, the personal identification number should not be entered unnecessarily in documents printed or drawn up based on the personal register.<br />
<br />
The regulation of Section 29 of the Data Protection Act has been tightened with a legal amendment that entered into force on January 1, 2024. In this decision of the Deputy Data Protection Commissioner, the regulation in force at the time of the event is applied.<br />
A legal issue<br />
<br />
The Deputy Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).<br />
<br />
The Deputy Data Protection Commissioner must resolve:<br />
<br />
Whether the controller's procedure, in which it has usually sent automated text messages regarding laboratory visits to registered users, including personal identification numbers, has been in accordance with Article 5(1)(c) and Article 25(2) of the General Data Protection Regulation and Section 29.4 of the Data Protection Act.<br />
<br />
In the case that is now the subject of the decision, it is also a question of matters related to the use of text messages, related to the security of processing, in accordance with Article 32, paragraphs 1 and 2 of the General Data Protection Regulation. Regarding the protection of personal data sent by text message, the deputy data protection officer gives guidance to the controller.<br />
Decision of the Deputy Data Protection Commissioner<br />
Decision<br />
<br />
The registrant's usual procedure, in which it has sent automated text messages regarding laboratory visits to registered users that include personal identification numbers, has not been in accordance with Section 29.4 of the Data Protection Act (personal identification processing), Article 5, paragraph 1, subsection c (minimization of data) of the General Data Protection Regulation and Article 25, paragraph 2 (default data protection).<br />
<br />
The controller is given an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing activities regarding the processing of the personal identification number into compliance with the provisions of the General Data Protection Regulation and the Data Protection Act.<br />
<br />
The deputy data protection commissioner orders the data controller to submit a report on the measures taken to the data protection commissioner's office by May 13, 2024, unless it applies for an amendment to this decision.<br />
<br />
Regarding the procedure for sending laboratory research data by text message, the deputy data protection commissioner gives guidance to the data controller.<br />
Reasoning<br />
The necessity of a personal ID in text messages<br />
<br />
In the case being evaluated now, the person who reported to the data protection commissioner's office has been sent a text message about the failure of the laboratory test. In addition, the personal identification number of the person who made the report was mentioned in the text message and he was urged to contact the laboratory. The text message was about a message sent to the patient automatically, via a mobile service.<br />
<br />
In its report, the registrar has stated that by including the social security number in text messages, it is ensured that, for example, information is not mistakenly directed to persons with the same name but different social security numbers.<br />
<br />
The purpose of Section 29 of the Data Protection Act is to protect the personal identification number and to try to prevent its unnecessary processing. (HE 96/1998, p. 48.) According to Section 29.4 of the Data Protection Act, the personal identification number must not be entered unnecessarily in documents printed or drawn up based on the personal register.<br />
<br />
The concept of a document is broad. In legislation, the concept of a document is defined, for example, in Section 5.1 of the Publicity Act (621/1999). According to the law, in the law in question, a document means, in addition to a written and pictorial representation, a message made up of signs intended to belong together due to its use, about a specific object or matter, which can only be found out with the help of automatic data processing or audio and video reproduction devices or other aids. (It should also be remembered that the protection of natural persons should be technology-neutral, i.e. it should not depend on the technology used, see e.g. introductory paragraph 15 of the General Data Protection Regulation.) What is stipulated in Section 29.4 of the Data Protection Act is not limited to certain types of documents. In the case being evaluated now, the text message must be considered a document referred to in Section 29.4 of the Data Protection Act, in which the personal identification number should not be entered unnecessarily.<br />
<br />
In addition to Section 29 of the Data Protection Act, other relevant provisions of the General Data Protection Regulation, such as Article 5(1)(c) and Article 25(2) of the General Data Protection Regulation, apply to the processing of personal identification numbers. (The national identity number must only be used in compliance with the appropriate safeguards regarding the rights and freedoms of the data subject in accordance with the General Data Protection Regulation, see Article 87 of the General Data Protection Regulation and HE 9/2018 vp, p. 113. See also e.g. the decision of the Court of Justice of the European Union in case C -439/19, point 96 of the decision.) It follows from the aforementioned provisions that the data controller must build its information systems so that the personal identification number is processed only in situations where it is necessary.<br />
<br />
The deputy data protection commissioner states that the reasons presented by the controller for the necessity of processing the personal identification number are essentially related to the identification of the registered person at the stage when the information of the right patient is retrieved from the information system. It is possible for the registrar to process the personal identification number in its background system for the purpose of identifying the patient and to ensure that it is the right person to whom the text message will be forwarded.<br />
<br />
The Deputy Data Protection Commissioner states that although the personal identification number can be processed to identify the person to whom the text message is intended to be forwarded, the personal identification number should not be unnecessarily included in the content of the text message.<br />
<br />
The deputy data protection commissioner considers that entering a personal identification number in a text message does not actually affect the fact that the message is directed to the right person. The registrar has not brought forward any other grounds for processing the personal identification number, and the Deputy Data Protection Commissioner is not aware of any other grounds on the basis of which it would be necessary to include the personal identification number in the text message. The procedure of the data controller has therefore not been in accordance with Articles 5(1)(c) and 25(2) of the General Data Protection Regulation or Section 29.4 of the Data Protection Act, based on the reasons presented above.<br />
<br />
In this connection, the Deputy Data Protection Commissioner reminds that the personal identification number should not be used, for example, solely for the purpose of making the operations of the data controller smoother, and the data controller should not process the personal identification number only because data processing is easier with the personal identification number. (See also HE 9/2018 vp, pp. 113–114.) Information systems must be built in such a way that text messages sent automatically do not include personal identification numbers unnecessarily. The personal identification number must also be processed in such a way that it does not become improperly available to outsiders.<br />
<br />
With regard to this procedure, the Deputy Data Protection Commissioner issues an order to the data controller to bring the processing operations into compliance with data protection regulations.<br />
Protection of personal data sent by text message<br />
<br />
With regard to the protection of personal data sent by text message, the deputy data protection commissioner provides general guidance to the data controller.<br />
<br />
The person initiating the case has been sent a text message with their personal identification number and information about the failure of a specific, separately named laboratory test. It has been about text messages sent to registrants in the usual way.<br />
<br />
The following can be stated about the data security of text messages: SMS messages travel unprotected in the mobile phone network between telecom companies. The content of SMS messages is not protected during transmission, for example with encryption, except for the radio traffic between the mobile device and the base station of the mobile phone network. The SMS message system (SS7) does not provide conditions for encrypting message content or message transmission information.<br />
<br />
In the case of text messages, it can also be noted that vulnerabilities have been identified in the SS7 protocol suite that implements the transmission mechanisms of SMS messages, which pose a threat to the confidentiality of communications and which cannot be repaired or properly managed. Because of these vulnerabilities, it is possible, for example, to direct SMS messages sent to a certain subscriber interface to a telecommunications company that is not involved in the transmission of communications in the mobile phone network and read them there in plain language. It is also possible to extract data through malware that is injected into mobile devices. In addition, misuse of the roaming feature of the SS7 protocol group may enable, for example, the eavesdropping of traffic between a mobile device and a cellular network. SMS messages can also be intercepted locally using fake access points or malicious applications.<br />
<br />
The personal identification number is a strongly identifying identifier that was originally intended to be permanent, and its disclosure to outsiders can cause significant harm to the registered person, such as becoming a victim of identity theft. The personal identification number must only be used in compliance with appropriate protective measures regarding the rights and freedoms of the data subject in accordance with the General Data Protection Regulation.<br />
<br />
Information about a medical procedure performed on a specific person is, on the other hand, health-related information belonging to special personal data groups (Article 9 of the General Data Protection Regulation). The controller must protect data belonging to special personal data groups particularly well. (See, e.g., introductory paragraph 51 of the General Data Protection Regulation. The legislation also provides for special confidentiality obligations when the health care unit processes the patient's health data.)<br />
<br />
The Deputy Data Protection Commissioner directs the data controller to note the data security risks associated with the data controller's procedure as described above, which it must take into account in order to meet the requirements of Article 32, paragraphs 1 and 2 of the General Data Protection Regulation, such as the appropriate management of risks related to access to personal data. Due to the general implementation method of text message protection, it is not practically possible for the data controller to improve this protection with technical measures; instead, it must ensure that the appropriate protection of personal data is implemented by limiting the personal data that can be included in text messages sent unilaterally to registered users.<br />
<br />
The data content of text messages sent to registrants must therefore be formed in accordance with the processing security requirement and the requirements of built-in and default data protection (Article 25 of the General Data Protection Regulation), following a risk-based approach. Likewise, when defining the content of text messages, the controller must properly take into account the shortcomings related to the protection of text messages and the nature of the information delivered by text message.<br />
<br />
Based on the above, the deputy data protection commissioner directs the data controller to limit the data content of text messages appropriately as a default method of operation. For example, in the case of the person who reported to the Data Protection Commissioner's office, it would have been possible to limit the content of the text message so that the text message would have told about the failure of the laboratory test at a general level and asked the person to contact the laboratory.<br />
<br />
When determining its procedures, the controller should also evaluate the possibilities for alternative methods of operation in the usual way of bringing personal data to the knowledge of the data subjects.<br />
</pre></div>
Fred
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_1011/161/22&diff=40631&oldid=40251
Tietosuojavaltuutetun toimisto (Finland) - 1011/161/22
2024-03-27T20:18:55Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 20:18, 27 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l63">Line 63:</td>
<td colspan="2" class="diff-lineno">Line 63:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA found a school to have breached the principle of data <del style="font-weight: bold; text-decoration: none;">minimization </del>for processing the bank account numbers of all its students for the purpose of awarding possible scholarships concerning only some of them.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA found a school to have breached the principle of data <ins style="font-weight: bold; text-decoration: none;">minimisation </ins>for processing the bank account numbers of all its students for the purpose of awarding possible scholarships concerning only some of them.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
</table>
Fred
https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2023-0.420.407&diff=40604&oldid=40565
DSB (Austria) - 2023-0.420.407
2024-03-27T14:56:37Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 14:56, 27 March 2024</td>
</tr><tr><td colspan="4" class="diff-multi" lang="en">(One intermediate revision by the same user not shown)</td></tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l14">Line 14:</td>
<td colspan="2" class="diff-lineno">Line 14:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Original_Source_Language_1=German</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Original_Source_Language_1=German</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Original_Source_Language__Code_1=DE</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Original_Source_Language__Code_1=DE</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Original_Source_Name_2=</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Original_Source_Name_2=<ins style="font-weight: bold; text-decoration: none;">BVwG (Austria)</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Original_Source_Link_2=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Original_Source_Link_2=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Original_Source_Language_2=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Original_Source_Language_2=</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l58">Line 58:</td>
<td colspan="2" class="diff-lineno">Line 58:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Party_Link_3=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Party_Link_3=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Body=BVwG</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Body=BVwG <ins style="font-weight: bold; text-decoration: none;">(Austria)</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Case_Number_Name=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Case_Number_Name=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Status=Pending appeal</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Status=Pending appeal</div></td></tr>
</table>
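Review bot: Original_Source_Name_2 in the Line 14 hunk is now "BVwG (Austria)", but the context lines directly below it leave Original_Source_Link_2 and Original_Source_Language_2 empty, so the template names a second source that has no link or language. With Appeal_To_Status still "Pending appeal" in the Line 58 hunk, either fill both fields in the same edit or leave the name blank until the appeal decision can be linked.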
Im
https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2023-0.420.407&diff=40565&oldid=40556
DSB (Austria) - 2023-0.420.407
2024-03-27T09:23:32Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 09:23, 27 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l67">Line 67:</td>
<td colspan="2" class="diff-lineno">Line 67:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The <del style="font-weight: bold; text-decoration: none;">Austrian </del>DPA imposed a fine of €10,000 on a gynaecologist after he disclosed the data subject's diagnosis in a public response to an online negative review <del style="font-weight: bold; text-decoration: none;">of </del>the data subject.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA imposed a fine of €10,000 on a gynaecologist after he disclosed the data subject's diagnosis in a public response to an online negative review <ins style="font-weight: bold; text-decoration: none;">by </ins>the data subject.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l75">Line 75:</td>
<td colspan="2" class="diff-lineno">Line 75:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Firstly, the Austrian DPA (DSB) held that the controller processed personal data of the data subject by publishing his response online. Moreover, the DPA held that the information regarding a personal’s vaginal infection is data concerning health data under [[Article 4 GDPR#15|Article 4(15) GDPR]]. This is a special category of personal data according to [[Article 9 GDPR#1|Article 9(1) GDPR]] and whose processing is prohibited unless one of the exceptions in [[Article 9 GDPR#2|Article 9(2) GDPR]] applies. The DPA found that this was not the case. Thus, the controller violated [[Article 9 GDPR]] and the principle of <del style="font-weight: bold; text-decoration: none;">legality </del>under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Firstly, the Austrian DPA (DSB) held that the controller processed personal data of the data subject by publishing his response online. Moreover, the DPA held that the information regarding a personal’s vaginal infection is data concerning health data under [[Article 4 GDPR#15|Article 4(15) GDPR]]. This is a special category of personal data according to [[Article 9 GDPR#1|Article 9(1) GDPR]] and whose processing is prohibited unless one of the exceptions in [[Article 9 GDPR#2|Article 9(2) GDPR]] applies. The DPA found that this was not the case. Thus, the controller violated [[Article 9 GDPR]] and the principle of <ins style="font-weight: bold; text-decoration: none;">lawfulness </ins>under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the controller violated the principle of purpose limitation under [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]]. The DPA found that there was no concrete link between the purpose of the data collection (the diagnosis) and the further processing of the data. Moreover, it was not foreseeable to the data subject that the controller would collect data on her medical diagnosis and publish this in a response to the data subject’s review.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the controller violated the principle of purpose limitation under [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]]. The DPA found that there was no concrete link between the purpose of the data collection (the diagnosis) and the further processing of the data. Moreover, it was not foreseeable to the data subject that the controller would collect data on her medical diagnosis and publish this in a response to the data subject’s review.</div></td></tr>
</table>
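Review bot: The Holding paragraph in the Line 75 hunk still reads "a personal's vaginal infection" on the new side; the edit only swaps "legality" for "lawfulness" in that same paragraph. Correct it to "a person's" (or "the data subject's", as the rest of the summary puts it) while the paragraph is being touched.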
Ec
https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2023-0.420.407&diff=40556&oldid=40537
DSB (Austria) - 2023-0.420.407
2024-03-27T08:46:36Z
<p><span dir="auto"><span class="autocomment">Holding</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:46, 27 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l75">Line 75:</td>
<td colspan="2" class="diff-lineno">Line 75:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Firstly, the Austrian DPA (DSB) held that the controller processed personal data of the data subject by publishing his response online. Moreover, the DPA held that the information regarding a personal’s vaginal infection is health data under [[Article 4 GDPR#15|Article 4(15) GDPR]]. This is a special category of personal data according to [[Article 9 GDPR#1|Article 9(1) GDPR]] and prohibited unless one of the exceptions in [[Article 9 GDPR#2|Article 9(2) GDPR]] applies. The DPA found that this was not the case. Thus, the controller violated [[Article 9 GDPR]] and the principle of legality under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Firstly, the Austrian DPA (DSB) held that the controller processed personal data of the data subject by publishing his response online. Moreover, the DPA held that the information regarding a personal’s vaginal infection is <ins style="font-weight: bold; text-decoration: none;">data concerning </ins>health data under [[Article 4 GDPR#15|Article 4(15) GDPR]]. This is a special category of personal data according to [[Article 9 GDPR#1|Article 9(1) GDPR]] and <ins style="font-weight: bold; text-decoration: none;">whose processing is </ins>prohibited unless one of the exceptions in [[Article 9 GDPR#2|Article 9(2) GDPR]] applies. The DPA found that this was not the case. Thus, the controller violated [[Article 9 GDPR]] and the principle of legality under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the controller violated the principle of purpose limitation under [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]]. The DPA found that there was no concrete link between the purpose of the data collection and the further processing of the data. Moreover, it was not foreseeable to the data subject that the controller would collect data on her medical diagnosis and publish this in a response to the data subject’s review.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the controller violated the principle of purpose limitation under [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]]. The DPA found that there was no concrete link between the purpose of the data collection <ins style="font-weight: bold; text-decoration: none;">(the diagnosis) </ins>and the further processing of the data. Moreover, it was not foreseeable to the data subject that the controller would collect data on her medical diagnosis and publish this in a response to the data subject’s review.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, the controller violated the principle of data minimisation under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], as the purpose to create a truthful image for readers could have been fulfilled without mentioning the diagnosis.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, the controller violated the principle of data minimisation under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], as the purpose to create a truthful image for readers could have been fulfilled without mentioning the diagnosis.</div></td></tr>
</table>
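Review bot: Inserting "data concerning" in front of "health data" in the first changed paragraph of the Line 75 hunk produces "data concerning health data", which repeats "data"; drop the trailing word so the phrase reads "data concerning health". The second insertion, "whose processing is", leaves "and whose processing is prohibited" without a parallel clause before it; "the processing of which is prohibited" would read cleanly.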
Mg
https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2023-0.420.407&diff=40537&oldid=40529
DSB (Austria) - 2023-0.420.407
2024-03-26T12:35:21Z
<p>Hi Magdalena, thank you for the great concise summary! I just made sure all the GDPR articles were linked and made the short summary a bit more to the point/juicier for the newsletter! Just to note: to make summaries consistent throughout the GDPR hub, we use DPA instead of the national abbreviation, in this case the DSB. Also to make sure the GDPR articles are automatically linked in your summary you have to specifically write “Article ..(..)(..) GDPR” also if you are mentioning multiple.</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 12:35, 26 March 2024</td>
</tr><tr><td colspan="4" class="diff-multi" lang="en">(2 intermediate revisions by the same user not shown)</td></tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l58">Line 58:</td>
<td colspan="2" class="diff-lineno">Line 58:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Party_Link_3=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Party_Link_3=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Body=<del style="font-weight: bold; text-decoration: none;">VwGH (Austria)</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Body=<ins style="font-weight: bold; text-decoration: none;">BVwG</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Case_Number_Name=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Case_Number_Name=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Status=Pending appeal</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Status=Pending appeal</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l67">Line 67:</td>
<td colspan="2" class="diff-lineno">Line 67:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Austrian <del style="font-weight: bold; text-decoration: none;">Data Protection Authority (DSB) held that a gynaecologist, the controller, has violated Article 9 and Article 5 (1) (a), (b), (c) GDPR by publishing health data of his patient and </del>imposed a fine of €10,000.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Austrian <ins style="font-weight: bold; text-decoration: none;">DPA </ins>imposed a fine of €10,000 <ins style="font-weight: bold; text-decoration: none;">on a gynaecologist after he disclosed the data subject's diagnosis in a public response to an online negative review of the data subject</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>On 26 September 2022 the data subject posted a negative review on a website in her own name on her experiences <del style="font-weight: bold; text-decoration: none;">in the surgery of </del>a <del style="font-weight: bold; text-decoration: none;">gynaecologist</del>. One day later, the controller, the gynaecologist, responded to <del style="font-weight: bold; text-decoration: none;">it by disclosing </del>that <del style="font-weight: bold; text-decoration: none;">she </del>was diagnosed with a vaginal infection<del style="font-weight: bold; text-decoration: none;">. This post was publicly accessible at least until 3 October 2022</del>. The controller argued that he <del style="font-weight: bold; text-decoration: none;">published </del>the data<del style="font-weight: bold; text-decoration: none;">, </del>in order to create a truthful image for readers.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>On 26 September 2022 the data subject posted a negative review on a website in her own name on her experiences <ins style="font-weight: bold; text-decoration: none;">at </ins>a <ins style="font-weight: bold; text-decoration: none;">gynaecologist’s office</ins>. One day later, the controller, the gynaecologist, <ins style="font-weight: bold; text-decoration: none;">publically </ins>responded to <ins style="font-weight: bold; text-decoration: none;">the review and disclosed </ins>that <ins style="font-weight: bold; text-decoration: none;">the data subject </ins>was diagnosed with a vaginal infection. 
The controller argued that he <ins style="font-weight: bold; text-decoration: none;">disclosed </ins>the <ins style="font-weight: bold; text-decoration: none;">personal </ins>data in order to create a truthful image for readers<ins style="font-weight: bold; text-decoration: none;">. The response was publicly available at least until 3 October 2023</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Firstly, the DSB held that the <del style="font-weight: bold; text-decoration: none;">GDPR is undoubtedly applicable in </del>the <del style="font-weight: bold; text-decoration: none;">given case and </del>that the data <del style="font-weight: bold; text-decoration: none;">disclosed </del>(<del style="font-weight: bold; text-decoration: none;">health data</del>) is special category data according to [[Article 9 GDPR#1|Article 9(1)]]<del style="font-weight: bold; text-decoration: none;">. Therefore, the processing </del>of the <del style="font-weight: bold; text-decoration: none;">respective data would have been generally prohibited and no </del>exceptions <del style="font-weight: bold; text-decoration: none;">according to </del>Article 9 (2) <del style="font-weight: bold; text-decoration: none;">could be applied</del>. <del style="font-weight: bold; text-decoration: none;">So</del>, the controller violated the principle of legality <del style="font-weight: bold; text-decoration: none;">(Article 9 and </del>[[Article 5 GDPR#1a|Article 5(1)(a)]]<del style="font-weight: bold; text-decoration: none;">)</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Firstly, the <ins style="font-weight: bold; text-decoration: none;">Austrian DPA (</ins>DSB<ins style="font-weight: bold; text-decoration: none;">) </ins>held that the <ins style="font-weight: bold; text-decoration: none;">controller processed personal data of the data subject by publishing his response online. 
Moreover, </ins>the <ins style="font-weight: bold; text-decoration: none;">DPA held </ins>that the <ins style="font-weight: bold; text-decoration: none;">information regarding a personal’s vaginal infection is health </ins>data <ins style="font-weight: bold; text-decoration: none;">under [[Article 4 GDPR#15|Article 4</ins>(<ins style="font-weight: bold; text-decoration: none;">15</ins>) <ins style="font-weight: bold; text-decoration: none;">GDPR]]. This </ins>is <ins style="font-weight: bold; text-decoration: none;">a </ins>special category <ins style="font-weight: bold; text-decoration: none;">of personal </ins>data according to [[Article 9 GDPR#1|Article 9(1) <ins style="font-weight: bold; text-decoration: none;">GDPR</ins>]] <ins style="font-weight: bold; text-decoration: none;">and prohibited unless one </ins>of the exceptions <ins style="font-weight: bold; text-decoration: none;">in [[Article 9 GDPR#2|</ins>Article 9(2) <ins style="font-weight: bold; text-decoration: none;">GDPR]] applies. The DPA found that this was not the case</ins>. <ins style="font-weight: bold; text-decoration: none;">Thus</ins>, the controller violated <ins style="font-weight: bold; text-decoration: none;">[[Article 9 GDPR]] and </ins>the principle of legality <ins style="font-weight: bold; text-decoration: none;">under </ins>[[Article 5 GDPR#1a|Article 5(1)(a) <ins style="font-weight: bold; text-decoration: none;">GDPR</ins>]].</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the <del style="font-weight: bold; text-decoration: none;">disclosure of health data was contrary to </del>the principle of purpose limitation <del style="font-weight: bold; text-decoration: none;">(</del>[[Article 5 GDPR#1b|Article 5(1)(b)]]<del style="font-weight: bold; text-decoration: none;">), as </del>there was no link between the purpose of the data collection and the further processing.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, the controller violated the principle of data minimisation <del style="font-weight: bold; text-decoration: none;">(</del>[[Article 5 GDPR#1c|Article 5(1)(c)]]<del style="font-weight: bold; text-decoration: none;">)</del>, as the purpose to create a truthful image for readers could have been fulfilled without mentioning the diagnosis.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the <ins style="font-weight: bold; text-decoration: none;">controller violated </ins>the principle of purpose limitation <ins style="font-weight: bold; text-decoration: none;">under </ins>[[Article 5 GDPR#1b|Article 5(1)(b) <ins style="font-weight: bold; text-decoration: none;">GDPR</ins>]]<ins style="font-weight: bold; text-decoration: none;">. The DPA found that </ins>there was no <ins style="font-weight: bold; text-decoration: none;">concrete </ins>link between the purpose of the data collection and the further processing <ins style="font-weight: bold; text-decoration: none;">of the data. Moreover, it was not foreseeable to the data subject that the controller would collect data on her medical diagnosis and publish this in a response to the data subject’s review</ins>.</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The <del style="font-weight: bold; text-decoration: none;">DSB </del>issued a fine of €10,000 based on the estimated income of the controller, as he did not disclose his financial circumstances. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The decision <del style="font-weight: bold; text-decoration: none;">is not final as </del>the amount of the penalty has been <del style="font-weight: bold; text-decoration: none;">contested</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, the controller violated the principle of data minimisation <ins style="font-weight: bold; text-decoration: none;">under </ins>[[Article 5 GDPR#1c|Article 5(1)(c) <ins style="font-weight: bold; text-decoration: none;">GDPR</ins>]], as the purpose to create a truthful image for readers could have been fulfilled without mentioning the diagnosis.</div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The <ins style="font-weight: bold; text-decoration: none;">DPA </ins>issued a fine of €10,000 <ins style="font-weight: bold; text-decoration: none;">under [[Article 83 GDPR#1|Article 83(1) GDPR]] </ins>based on the estimated income of the controller, as he did not disclose his financial circumstances.</div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The decision <ins style="font-weight: bold; text-decoration: none;">regarding </ins>the amount of the penalty has been <ins style="font-weight: bold; text-decoration: none;">challenged at the Federal Administrative Court (Bundesverwaltungsgericht, BVwG)</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40529:rev-40537 -->
</table>
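Review bot: In the Facts paragraph the new revision changes the date until which the response stayed publicly available from "3 October 2022" to "3 October 2023", while the review is still dated 26 September 2022 and the response "one day later"; nothing else in the edit explains the new year, so please confirm it against the decision. The same edit introduces "publically" (should be "publicly") in Facts and "a personal's vaginal infection" (should be "a person's") in Holding. The new lead sentence's "online negative review of the data subject" also reads as a review about her rather than by her; "the data subject's negative online review" would be clearer.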
Ec
https://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_(Finland)_-_116/2024&diff=40531&oldid=40031
Helsingin hallinto-oikeus (Finland) - 116/2024
2024-03-25T10:29:10Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:29, 25 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l67">Line 67:</td>
<td colspan="2" class="diff-lineno">Line 67:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_From_Status=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_From_Status=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_From_Link=https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_3216/452/17</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_From_Link=https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_3216/452/17</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Body=</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Body=<ins style="font-weight: bold; text-decoration: none;">Korkein hallinto-oikeus (Finland)</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Case_Number_Name=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Case_Number_Name=</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Status=<del style="font-weight: bold; text-decoration: none;">Unknown</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Status=<ins style="font-weight: bold; text-decoration: none;">Pending appeal</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Link=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Link=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40031:rev-40531 -->
</table>
Fred
https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2023-0.420.407&diff=40529&oldid=0
DSB (Austria) - 2023-0.420.407
2024-03-25T10:28:28Z
<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=2023-0.420.407 |ECLI=ECLI:AT:DSB:2023:2023.0.420.407 |Original_Source_Name_1=RIS |Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=07ee55d2-a0a6-4e00-8111-c779c3c97ceb&Position=1&SkipToDocumentPage=True&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachTe..."</p>
<a href="https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2023-0.420.407&diff=40529">Show changes</a>
Magdalena04
https://gdprhub.eu/index.php?title=KHO_-_KHO:2023:56&diff=40507&oldid=33744
KHO - KHO:2023:56
2024-03-21T14:14:00Z
<p><a href="/index.php?title=User:Fred" class="mw-userlink" title="User:Fred"><bdi>Fred</bdi></a> moved page <a href="/index.php?title=KHO_-_KHO:2023:56&redirect=no" class="mw-redirect" title="KHO - KHO:2023:56">KHO - KHO:2023:56</a> to <a href="/index.php?title=Korkein_hallinto-oikeus_(Finland)_-_KHO:2023:56" title="Korkein hallinto-oikeus (Finland) - KHO:2023:56">Korkein hallinto-oikeus (Finland) - KHO:2023:56</a> corrected the name</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 14:14, 21 March 2024</td>
</tr><tr><td colspan="4" class="diff-multi" lang="en">(One intermediate revision by the same user not shown)</td></tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l4">Line 4:</td>
<td colspan="2" class="diff-lineno">Line 4:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Court-BG-Color=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Court-BG-Color=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Courtlogo=Courts_logo1.png</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Courtlogo=Courts_logo1.png</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Court_Abbrevation=<del style="font-weight: bold; text-decoration: none;">KHO</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Court_Abbrevation=<ins style="font-weight: bold; text-decoration: none;">Korkein hallinto-oikeus</ins></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Court_Original_Name=Korkein hallinto-oikeus</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Court_Original_Name=Korkein hallinto-oikeus <ins style="font-weight: bold; text-decoration: none;">(Finland)</ins></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Court_English_Name=Supreme Administrative Court <del style="font-weight: bold; text-decoration: none;">in </del>Finland</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Court_English_Name=Supreme Administrative Court <ins style="font-weight: bold; text-decoration: none;">of </ins>Finland</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Court_With_Country=<del style="font-weight: bold; text-decoration: none;">KHO </del>(Finland)</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Court_With_Country=<ins style="font-weight: bold; text-decoration: none;">Korkein hallinto-oikeus </ins>(Finland)</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Case_Number_Name=KHO:2023:56</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Case_Number_Name=KHO:2023:56</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|ECLI=</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|ECLI=<ins style="font-weight: bold; text-decoration: none;">ECLI:FI:KHO:2023:56</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Original_Source_Name_1=Korkein hallinto-oikeus</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Original_Source_Name_1=Korkein hallinto-oikeus</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l43">Line 43:</td>
<td colspan="2" class="diff-lineno">Line 43:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|EU_Law_Link_2=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|EU_Law_Link_2=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|National_Law_Name_1=<del style="font-weight: bold; text-decoration: none;">Tietosuojalaki (1050/2018) </del>29 <del style="font-weight: bold; text-decoration: none;">§ </del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|National_Law_Name_1=<ins style="font-weight: bold; text-decoration: none;">§ </ins>29 <ins style="font-weight: bold; text-decoration: none;">Data Protection Act</ins></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2018/20181050</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2018/20181050<ins style="font-weight: bold; text-decoration: none;">#L5P29</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|National_Law_Name_2=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|National_Law_Name_2=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|National_Law_Link_2=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|National_Law_Link_2=</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-33744:rev-40507 -->
</table>
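Review bot: In the Line 43 hunk, the new National_Law_Name_1 value "§ 29 Data Protection Act" drops the statute number (1050/2018) that the old value carried, so the name no longer identifies the act without following the link. Consider keeping the number, for example "§ 29 Data Protection Act (1050/2018)".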
Fred
https://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_(Finland)_-_5398/2023&diff=40495&oldid=40492
Helsingin hallinto-oikeus (Finland) - 5398/2023
2024-03-21T13:55:26Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:55, 21 March 2024</td>
</tr><tr><td colspan="4" class="diff-multi" lang="en">(One intermediate revision by the same user not shown)</td></tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l4">Line 4:</td>
<td colspan="2" class="diff-lineno">Line 4:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Court-BG-Color=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Court-BG-Color=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Courtlogo=Courts_logo1.png</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Courtlogo=Courts_logo1.png</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Court_Abbrevation=Helsingin hallinto-oikeus <del style="font-weight: bold; text-decoration: none;">(Finland)</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Court_Abbrevation=Helsingin hallinto-oikeus</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Court_Original_Name=Helsingin hallinto-oikeus (Finland)</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Court_Original_Name=Helsingin hallinto-oikeus (Finland)</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Court_English_Name=Administrative Court of Helsinki</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Court_English_Name=Administrative Court of Helsinki</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Court_With_Country=Helsingin hallinto-oikeus <del style="font-weight: bold; text-decoration: none;">(Finland) </del>(Finland)</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Court_With_Country=Helsingin hallinto-oikeus (Finland)</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Case_Number_Name=5398/2023</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Case_Number_Name=5398/2023</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l64">Line 64:</td>
<td colspan="2" class="diff-lineno">Line 64:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Link=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Link=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Initial_Contributor=fred</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Initial_Contributor=<ins style="font-weight: bold; text-decoration: none;">[https://gdprhub.eu/index.php?title=User:Fred </ins>fred<ins style="font-weight: bold; text-decoration: none;">]</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l73">Line 73:</td>
<td colspan="2" class="diff-lineno">Line 73:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Finnish Motor Insurers' Centre (the controller) had asked the Administrative Court of Helsinki (the Court) to overturn the Finnish DPA's decision, according to which the controller had been fined €52,000 for processing and requesting unnecessary patient information from healthcare providers.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Finnish Motor Insurers' Centre (the controller) had asked the Administrative Court of Helsinki (the Court) to overturn <ins style="font-weight: bold; text-decoration: none;">[[Tietosuojavaltuutetun toimisto (Finland) - 4431/161/21|</ins>the Finnish DPA's decision<ins style="font-weight: bold; text-decoration: none;">]]</ins>, according to which the controller had been fined €52,000 for processing and requesting unnecessary patient information from healthcare providers.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The controller filed the appeal claiming that it could not determine in advance whether certain information was necessary to settle a claim. The controller considered that under [https://www.finlex.fi/fi/laki/ajantasa/2016/20160460#L7P82 Section 82 of the Finnish Motor Liability Insurance Act], various information could be considered necessary, and therefore it had to process information other than that directly related to the traffic accident.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The controller filed the appeal claiming that it could not determine in advance whether certain information was necessary to settle a claim. The controller considered that under [https://www.finlex.fi/fi/laki/ajantasa/2016/20160460#L7P82 Section 82 of the Finnish Motor Liability Insurance Act], various information could be considered necessary, and therefore it had to process information other than that directly related to the traffic accident.</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40492:rev-40495 -->
</table>
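Review bot: In the Line 4 hunk, the "(Finland)" suffix is removed from Court_Abbrevation and the doubled suffix is removed from Court_With_Country, but the unchanged Court_Original_Name line still reads "Helsingin hallinto-oikeus (Finland)". If the country suffix is meant to appear only in Court_With_Country, drop it from Court_Original_Name in the same edit.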
Fred
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_4431/161/21&diff=40493&oldid=40491
Tietosuojavaltuutetun toimisto (Finland) - 4431/161/21
2024-03-21T13:53:48Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:53, 21 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l67">Line 67:</td>
<td colspan="2" class="diff-lineno">Line 67:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Case_Number_Name=5398/2023</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Case_Number_Name=5398/2023</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Status=Appealed - Overturned</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Status=Appealed - Overturned</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Link=https://gdprhub.eu/index.php?title=<del style="font-weight: bold; text-decoration: none;">File:</del>Helsingin_hallinto-<del style="font-weight: bold; text-decoration: none;">oikeus_5398</del>-2023<del style="font-weight: bold; text-decoration: none;">.pdf</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Link=https://gdprhub.eu/index.php?title=Helsingin_hallinto-<ins style="font-weight: bold; text-decoration: none;">oikeus_(Finland)_</ins>-<ins style="font-weight: bold; text-decoration: none;">_5398/</ins>2023</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Initial_Contributor=fred</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Initial_Contributor=<ins style="font-weight: bold; text-decoration: none;">[https://gdprhub.eu/index.php?title=User:Fred </ins>fred<ins style="font-weight: bold; text-decoration: none;">]</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40491:rev-40493 -->
</table>
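Review bot: In the Line 67 hunk, Initial_Contributor now points at the user page with external-link syntax and a full URL ([https://gdprhub.eu/index.php?title=User:Fred fred]). For a page on the same wiki, an internal link such as [[User:Fred|fred]] would be shorter and would not depend on the host name, provided the template renders wikitext in this field.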
Fred
https://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_(Finland)_-_5398/2023&diff=40492&oldid=0
Helsingin hallinto-oikeus (Finland) - 5398/2023
2024-03-21T13:52:33Z
<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Finland |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Helsingin hallinto-oikeus (Finland) |Court_Original_Name=Helsingin hallinto-oikeus (Finland) |Court_English_Name=Administrative Court of Helsinki |Court_With_Country=Helsingin hallinto-oikeus (Finland) (Finland) |Case_Number_Name=5398/2023 |ECLI= |Original_Source_Name_1=Helsingin hallinto-oikeus |Original_Source_Link_1=https://gdprhub.eu/index.php?title=File:Helsin..."</p>
<a href="https://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_(Finland)_-_5398/2023&diff=40492">Show changes</a>
Fred
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_4431/161/21&diff=40491&oldid=0
Tietosuojavaltuutetun toimisto (Finland) - 4431/161/21
2024-03-21T13:47:27Z
<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=4431/161/21 |ECLI= |Original_Source_Name_1=Finlex |Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tsv/2021/20211243 |Original_Source_Language_1=Finnish |Original_Source_Language__Code_1=FI |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Lan..."</p>
<a href="https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_4431/161/21&diff=40491">Show changes</a>
Fred
https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202954&diff=40484&oldid=40455
AEPD (Spain) - EXP202202954
2024-03-20T16:00:26Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 16:00, 20 March 2024</td>
</tr><tr><td colspan="4" class="diff-multi" lang="en">(One intermediate revision by the same user not shown)</td></tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l71">Line 71:</td>
<td colspan="2" class="diff-lineno">Line 71:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The DPA imposed warning fines on a </del>government <del style="font-weight: bold; text-decoration: none;">agency that </del>included ‘nonbinary’ as a response in a form question about sex<del style="font-weight: bold; text-decoration: none;">, finding </del>that the response constituted processing of a special category of data and violated the principle of data minimization.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">A </ins>government <ins style="font-weight: bold; text-decoration: none;">office </ins>included ‘nonbinary’ as a response in a form question about sex<ins style="font-weight: bold; text-decoration: none;">. The DPA held </ins>that the response constituted processing of a special category of data and violated the principle of data minimization.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l89">Line 89:</td>
<td colspan="2" class="diff-lineno">Line 89:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Finally, the DPA determined that the controller processed special categories of information prohibited under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Though it noted that gender identity and sexual orientation are distinct, the DPA determined that a response other than man or woman (in this case, nonbinary) can still be considered to relate to sexual life, even if the form does not explicitly refer to sexual orientation or sex life. There was no applicable exception to the prohibition on processing of special categories in this case under Article 9(2) GPDR. As a result, the DPA concluded that the nonbinary response violated [[Article 9 GDPR#1|Article 9(1) GDPR]].</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Finally, the DPA determined that the controller processed special categories of information prohibited under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Though it noted that gender identity and sexual orientation are distinct, the DPA determined that a response other than man or woman (in this case, nonbinary) can still be considered to relate to sexual life, even if the form does not explicitly refer to sexual orientation or sex life. There was no applicable exception to the prohibition on processing of special categories in this case under Article 9(2) GPDR. As a result, the DPA concluded that the nonbinary response violated [[Article 9 GDPR#1|Article 9(1) GDPR]].</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA imposed warning sanctions <del style="font-weight: bold; text-decoration: none;">of an undisclosed amount </del>for the controller’s violations of [[Article 5 GDPR#1c|Article 5(1)(c)]] and [[Article 9 GDPR#1|9(1) GDPR]], pursuant to [[Article 83 GDPR#5a|Article 83(5)(a) GDPR]]. It also ordered the controller to bring processing operations into compliance by removing the nonbinary response in questions of sex/gender from not only in the form arising in the case, but in the processing of all forms processed by the controller.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA imposed warning sanctions for the controller’s violations of [[Article 5 GDPR#1c|Article 5(1)(c)]] and [[Article 9 GDPR#1|9(1) GDPR]], pursuant to [[Article 83 GDPR#5a|Article 83(5)(a) GDPR]]. It also ordered the controller to bring processing operations into compliance by removing the nonbinary response in questions of sex/gender from not only in the form arising in the case, but in the processing of all forms processed by the controller.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40455:rev-40484 -->
</table>
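Review bot: In the Line 89 hunk, the revised paragraph still reads "from not only in the form arising in the case, but in the processing of all forms processed by the controller", which does not parse. Something like "not only from the form at issue in the case, but from all forms processed by the controller" would fix it. The unchanged paragraph above it also has "Article 9(2) GPDR", which should read "GDPR".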
Lm
https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_01/2024&diff=40463&oldid=39922
APD/GBA (Belgium) - 01/2024
2024-03-19T16:10:46Z
<p><span dir="auto"><span class="autocomment">Facts</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 16:10, 19 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l71">Line 71:</td>
<td colspan="2" class="diff-lineno">Line 71:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Belgian DPA found that a controller violated [[Article 5 GDPR#1|Article 5(1) GDPR]] for not timely deleting a former employee's mailbox. The DPA stated that the mailbox must be deactivated on the last work day and the auto-reply within one month or 3 months in some exceptions.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Belgian DPA found that a controller violated [[Article 5 GDPR#1|Article 5(1) GDPR]] for not timely deleting a former employee's mailbox. The DPA stated that the mailbox must be deactivated on the last work day and the auto-reply within one month or 3 months in some exceptions. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-39922:rev-40463 -->
</table>
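Review bot: the changed line differs from the old one only by a trailing space after "in some exceptions.", so this revision does not alter the summary and the whitespace should be dropped. If the line is touched again, "the mailbox must be deactivated on the last work day and the auto-reply within one month or 3 months in some exceptions" needs a verb for the auto-reply clause, because the sentence does not say what must happen to the auto-reply within that period.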
Mg
https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9993105&diff=40459&oldid=40448
Garante per la protezione dei dati personali (Italy) - 9993105
2024-03-19T15:17:13Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 15:17, 19 March 2024</td>
</tr><tr><td colspan="4" class="diff-multi" lang="en">(One intermediate revision by the same user not shown)</td></tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l67">Line 67:</td>
<td colspan="2" class="diff-lineno">Line 67:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA held that the controller <del style="font-weight: bold; text-decoration: none;">failed to provide justification for retaining </del>the data <del style="font-weight: bold; text-decoration: none;">subject</del>'s <del style="font-weight: bold; text-decoration: none;">email </del>account, <del style="font-weight: bold; text-decoration: none;">even if deletion falls within </del>one <del style="font-weight: bold; text-decoration: none;">of the exceptions outlined in [[Article 17 GDPR#3|Article 17(3) GDPR]]</del>. <del style="font-weight: bold; text-decoration: none;">Consequently, the </del>controller <del style="font-weight: bold; text-decoration: none;">incurred a </del>€15,000 <del style="font-weight: bold; text-decoration: none;">fine for non-compliance with the erasure request</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA held that the controller <ins style="font-weight: bold; text-decoration: none;">violated </ins>the data <ins style="font-weight: bold; text-decoration: none;">minimization principle, as they did not deactivate a former employee</ins>'s <ins style="font-weight: bold; text-decoration: none;">e-mail </ins>account, <ins style="font-weight: bold; text-decoration: none;">claiming the necessity of redirecting customers to another </ins>one. <ins style="font-weight: bold; text-decoration: none;">The </ins>controller <ins style="font-weight: bold; text-decoration: none;">was fined </ins>€15,000.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
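Review bot: the rewritten summary line now covers only the data minimization finding and the €15,000 fine, and the old text's reference to the erasure request is removed entirely; if non-compliance with that request is still part of what the fine covers, one clause on it should stay in the summary. In the added wording, "redirecting customers to another one" leaves "one" without a clear referent (another account), and "they" for the controller sits next to "The controller was fined"; naming the account and keeping one form of reference would read better.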
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l78">Line 78:</td>
<td colspan="2" class="diff-lineno">Line 78:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Subsequently, the data subject submitted a formal request to exercise his rights, namely the rights to object and restrict the processing and the right to erasure the e-mail address. The controller did not respond. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Subsequently, the data subject submitted a formal request to exercise his rights, namely the rights to object and restrict the processing and the right to erasure the e-mail address. The controller did not respond. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>As a result, the data subject filed a complaint with the DPA for a failure to comply with the request and, in the event of non-compliance, to impose a ban on the unlawful processing consisting in the persistent activity of their account.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>As a result, the data subject filed a complaint with the DPA for a failure to comply with the request and, in the event of non-compliance, to impose a ban on the unlawful processing consisting in the persistent activity of their account<ins style="font-weight: bold; text-decoration: none;">. </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">The investigation revealed, that the controller erased the data subject's account, however, the time of the erasure was not indicated</ins>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Firstly, the DPA held that the controller failed to <del style="font-weight: bold; text-decoration: none;">fulfil </del>his obligation to follow modalities prescribed by [[Article 12 GDPR|Article 12 GDPR]], in particular to provide the data subject with information on the action taken in respect of a request pursuant to [[Article 15 GDPR]] to [[Article 22 GDPR]] without undue delay and, in any event, at the latest within one month or receipt of the request. The controller violated this provision despite the fact the controller deleted the account ‘de facto’ on an unspecified date after the data subject request. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Firstly, the DPA held that the controller failed to <ins style="font-weight: bold; text-decoration: none;">fulfill </ins>his obligation to follow modalities prescribed by [[Article 12 GDPR|Article 12 GDPR]], in particular to provide the data subject with information on the action taken in respect of a request pursuant to [[Article 15 GDPR]] to [[Article 22 GDPR]] without undue delay and, in any event, at the latest within one month or receipt of the request. The controller violated this provision despite the fact the controller deleted the account ‘de facto’ on an unspecified date after the data subject request. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the controller stated to the DPA that they did not respond to the data subject’s request to erase their account for reasons related to [[Article 17 GDPR#3e|Article 17(3)(e) GDPR]]. According to such a provision, the right to erasure does not apply if the processing is necessary ‘for the establishment, exercise or defence of legal claims’. However, the DPA found that the controller would nevertheless had to provide an information of the reasons why the request was not granted. This is expressly established by [[Article 12 GDPR#4|Article 12(4) GDPR]] <del style="font-weight: bold; text-decoration: none;">according to </del>which the controller <del style="font-weight: bold; text-decoration: none;">failed to </del>provide a feedback to data subject without undue delay or within one month of receipt of the request. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the controller stated to the DPA that they did not respond to the data subject’s request to erase their account for reasons related to [[Article 17 GDPR#3e|Article 17(3)(e) GDPR]]. According to such a provision, the right to erasure does not apply if the processing is necessary ‘for the establishment, exercise or defence of legal claims’. However, the DPA found that the controller would nevertheless had to provide an information of the reasons why the request was not granted. 
This is expressly established by [[Article 12 GDPR#4|Article 12(4) GDPR]] which <ins style="font-weight: bold; text-decoration: none;">states that </ins>the controller <ins style="font-weight: bold; text-decoration: none;">must </ins>provide a feedback to data subject without undue delay or within one month of receipt of the request<ins style="font-weight: bold; text-decoration: none;">. The controller failed to comply with this provision</ins>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, the DPA observed that by redirecting the e-mail to another company account - thus carrying out additional processing operations in relation to the data subject - controller breached the principle of minimisation under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The DPA stressed that, to be complaint with the principles of necessity and minimization, a controller should deactivate an employee's email account after the termination of the employment and inform the concerned third parties about alternative contact methods. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, the DPA observed that by redirecting the e-mail to another company account - thus carrying out additional processing operations in relation to the data subject - controller breached the principle of minimisation under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The DPA stressed that, to be complaint with the principles of necessity and minimization, a controller should deactivate an employee's email account after the termination of the employment and inform the concerned third parties about alternative contact methods. </div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40448:rev-40459 -->
</table>
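Review bot: the paragraph touched only to change "fulfil" to "fulfill" still reads "within one month or receipt of the request", which should be "of receipt", as in the Article 12(4) sentence further down the same hunk. The added sentence "The investigation revealed, that the controller erased the data subject's account, however, the time of the erasure was not indicated" has a stray comma after "revealed" and a comma splice before "however", and the added row above it contains only a space. "would nevertheless had to provide an information" and "to be complaint with" in the surrounding lines could be corrected in the same pass.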
Im
https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202954&diff=40455&oldid=40446
AEPD (Spain) - EXP202202954
2024-03-19T15:01:24Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 15:01, 19 March 2024</td>
</tr><tr><td colspan="4" class="diff-multi" lang="en">(3 intermediate revisions by the same user not shown)</td></tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l89">Line 89:</td>
<td colspan="2" class="diff-lineno">Line 89:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Finally, the DPA determined that the controller processed special categories of information prohibited under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Though it noted that gender identity and sexual orientation are distinct, the DPA determined that a response other than man or woman (in this case, nonbinary) can still be considered to relate to sexual life, even if the form does not explicitly refer to sexual orientation or sex life. There was no applicable exception to the prohibition on processing of special categories in this case under Article 9(2) GPDR. As a result, the DPA concluded that the nonbinary response violated [[Article 9 GDPR#1|Article 9(1) GDPR]].</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Finally, the DPA determined that the controller processed special categories of information prohibited under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Though it noted that gender identity and sexual orientation are distinct, the DPA determined that a response other than man or woman (in this case, nonbinary) can still be considered to relate to sexual life, even if the form does not explicitly refer to sexual orientation or sex life. There was no applicable exception to the prohibition on processing of special categories in this case under Article 9(2) GPDR. As a result, the DPA concluded that the nonbinary response violated [[Article 9 GDPR#1|Article 9(1) GDPR]].</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA imposed <del style="font-weight: bold; text-decoration: none;">undisclosed </del>warning sanctions for the controller’s violations of [[Article 5 GDPR#1c|Article 5(1)(c)]] and [[Article 9 GDPR#1|9(1) GDPR]] pursuant to [[Article 83 GDPR#5a|Article 83(5)(a) GDPR]]. It also ordered the controller to bring processing operations into compliance by removing the nonbinary response in <del style="font-weight: bold; text-decoration: none;">form inquiries </del>of sex/gender from not only in the form arising in the case but <del style="font-weight: bold; text-decoration: none;">also more broadly </del>in the processing of forms <del style="font-weight: bold; text-decoration: none;">and documents before its public institutions altogether</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA imposed warning sanctions <ins style="font-weight: bold; text-decoration: none;">of an undisclosed amount </ins>for the controller’s violations of [[Article 5 GDPR#1c|Article 5(1)(c)]] and [[Article 9 GDPR#1|9(1) GDPR]]<ins style="font-weight: bold; text-decoration: none;">, </ins>pursuant to [[Article 83 GDPR#5a|Article 83(5)(a) GDPR]]. 
It also ordered the controller to bring processing operations into compliance by removing the nonbinary response in <ins style="font-weight: bold; text-decoration: none;">questions </ins>of sex/gender from not only in the form arising in the case<ins style="font-weight: bold; text-decoration: none;">, </ins>but in the processing of <ins style="font-weight: bold; text-decoration: none;">all </ins>forms <ins style="font-weight: bold; text-decoration: none;">processed by the controller</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40446:rev-40455 -->
</table>
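Review bot: "warning sanctions of an undisclosed amount" on the added line reads as if the warning carries a monetary amount, which nothing else in the hunk states; the old "undisclosed warning sanctions" was no clearer, so either say what was not disclosed or drop the qualifier. The second added sentence still has "from not only in the form arising in the case, but in the processing of all forms processed by the controller", and the context line above has "Article 9(2) GPDR" where GDPR is meant.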
Lm
https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9993105&diff=40448&oldid=40442
Garante per la protezione dei dati personali (Italy) - 9993105
2024-03-19T14:39:32Z
<p><span dir="auto"><span class="autocomment">Facts</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 14:39, 19 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l74">Line 74:</td>
<td colspan="2" class="diff-lineno">Line 74:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Data subject is a former employee of MP1 s.r.l., the controller. After the termination of his employment contract, the data subject requested the controller to delete their e-mail account which was used for the purpose of managing orders of the controller. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Data subject is a former employee of MP1 s.r.l., the controller. After the termination of his employment contract, the data subject requested the controller to delete their e-mail account which was used for the purpose of managing orders of the controller. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The <del style="font-weight: bold; text-decoration: none;">Company </del>replied <del style="font-weight: bold; text-decoration: none;">to the warning notice </del>claiming that 'no use' had been made of the account, despite specifying afterwards that the account had been <del style="font-weight: bold; text-decoration: none;">redirected </del>to another company account for the management of commercial orders and <del style="font-weight: bold; text-decoration: none;">informing the customers </del>that the data subject no longer <del style="font-weight: bold; text-decoration: none;">works </del>for the controller. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The <ins style="font-weight: bold; text-decoration: none;">controller </ins>replied claiming that 'no use' had been made of the account, despite specifying afterwards that the account had been <ins style="font-weight: bold; text-decoration: none;">migrated </ins>to another company account for the management of commercial orders<ins style="font-weight: bold; text-decoration: none;">. Customers emailing the previous account were redirected to the new one </ins>and <ins style="font-weight: bold; text-decoration: none;">informed </ins>that the data subject no longer <ins style="font-weight: bold; text-decoration: none;">worked </ins>for the controller. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Subsequently, the data subject submitted a formal request to exercise his rights, namely the <del style="font-weight: bold; text-decoration: none;">right </del>to object <del style="font-weight: bold; text-decoration: none;">to the processing of his personal data by e-mail address </del>and <del style="font-weight: bold; text-decoration: none;">requesting the restriction of </del>the processing and the <del style="font-weight: bold; text-decoration: none;">deletion of </del>the e-mail address. The controller did not respond. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Subsequently, the data subject submitted a formal request to exercise his rights, namely the <ins style="font-weight: bold; text-decoration: none;">rights </ins>to object and <ins style="font-weight: bold; text-decoration: none;">restrict </ins>the processing and the <ins style="font-weight: bold; text-decoration: none;">right to erasure </ins>the e-mail address. The controller did not respond. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>As a result, the data subject filed a complaint with the DPA for a failure to comply with the request and, in the event of non-compliance, to impose <del style="font-weight: bold; text-decoration: none;">the prohibition of </del>the unlawful processing consisting in the persistent activity of their account.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>As a result, the data subject filed a complaint with the DPA for a failure to comply with the request and, in the event of non-compliance, to impose <ins style="font-weight: bold; text-decoration: none;">a ban on </ins>the unlawful processing consisting in the persistent activity of their account.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Firstly, the DPA held that the controller failed to fulfil his obligation to follow modalities prescribed by [[Article 12 GDPR|Article 12 GDPR]], in particular to provide the data subject with information on the action taken in respect of a request pursuant to [[Article 15 GDPR]] to [[Article 22 GDPR]] without undue delay and, in any event, at the latest within one month or receipt of the request. <del style="font-weight: bold; text-decoration: none;">This </del>provision <del style="font-weight: bold; text-decoration: none;">cannot be satisfied </del>despite the fact the controller deleted the account ‘de facto’ on an unspecified date after the data subject request. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Firstly, the DPA held that the controller failed to fulfil his obligation to follow modalities prescribed by [[Article 12 GDPR|Article 12 GDPR]], in particular to provide the data subject with information on the action taken in respect of a request pursuant to [[Article 15 GDPR]] to [[Article 22 GDPR]] without undue delay and, in any event, at the latest within one month or receipt of the request. <ins style="font-weight: bold; text-decoration: none;">The controller violated this </ins>provision despite the fact the controller deleted the account ‘de facto’ on an unspecified date after the data subject request. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the controller stated to the DPA that they did not respond to the data subject’s request to erase their account for reasons <del style="font-weight: bold; text-decoration: none;">pursuant </del>to [[Article 17 GDPR#3e|Article 17(3)(e) GDPR]] <del style="font-weight: bold; text-decoration: none;">according </del>to <del style="font-weight: bold; text-decoration: none;">which </del>the right to erasure does not apply if the processing is necessary ‘for the establishment, exercise or defence of legal claims’. However, the DPA found that the controller would nevertheless had to provide an information of the reasons why the request was not granted. This is expressly established by [[Article 12 GDPR#4|Article 12(4) GDPR]] according to which the controller failed to provide a feedback to data subject without undue delay or within one month of receipt of the request. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the controller stated to the DPA that they did not respond to the data subject’s request to erase their account for reasons <ins style="font-weight: bold; text-decoration: none;">related </ins>to [[Article 17 GDPR#3e|Article 17(3)(e) GDPR]]<ins style="font-weight: bold; text-decoration: none;">. According </ins>to <ins style="font-weight: bold; text-decoration: none;">such a provision, </ins>the right to erasure does not apply if the processing is necessary ‘for the establishment, exercise or defence of legal claims’. 
However, the DPA found that the controller would nevertheless had to provide an information of the reasons why the request was not granted. This is expressly established by [[Article 12 GDPR#4|Article 12(4) GDPR]] according to which the controller failed to provide a feedback to data subject without undue delay or within one month of receipt of the request. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, the DPA observed that redirecting the e-mail to another company account <del style="font-weight: bold; text-decoration: none;">and </del>thus <del style="font-weight: bold; text-decoration: none;">carry </del>out processing operations in relation to the data subject <del style="font-weight: bold; text-decoration: none;">implies that the </del>controller <del style="font-weight: bold; text-decoration: none;">breach </del>the principle of minimisation <del style="font-weight: bold; text-decoration: none;">as per </del>[[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The DPA <del style="font-weight: bold; text-decoration: none;">has already deemed it </del>to be <del style="font-weight: bold; text-decoration: none;">in accordance </del>with the principles of necessity and minimization <del style="font-weight: bold; text-decoration: none;">that after ending employment</del>, <del style="font-weight: bold; text-decoration: none;">the </del>controller should <del style="font-weight: bold; text-decoration: none;">have deactivated the </del>email account and <del style="font-weight: bold; text-decoration: none;">informed others </del>about alternative contact methods. 
</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, the DPA observed that <ins style="font-weight: bold; text-decoration: none;">by </ins>redirecting the e-mail to another company account <ins style="font-weight: bold; text-decoration: none;">- </ins>thus <ins style="font-weight: bold; text-decoration: none;">carrying </ins>out <ins style="font-weight: bold; text-decoration: none;">additional </ins>processing operations in relation to the data subject <ins style="font-weight: bold; text-decoration: none;">- </ins>controller <ins style="font-weight: bold; text-decoration: none;">breached </ins>the principle of minimisation <ins style="font-weight: bold; text-decoration: none;">under </ins>[[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The DPA <ins style="font-weight: bold; text-decoration: none;">stressed that, </ins>to be <ins style="font-weight: bold; text-decoration: none;">complaint </ins>with the principles of necessity and minimization, <ins style="font-weight: bold; text-decoration: none;">a </ins>controller should <ins style="font-weight: bold; text-decoration: none;">deactivate an employee's </ins>email account <ins style="font-weight: bold; text-decoration: none;">after the termination of the employment </ins>and <ins style="font-weight: bold; text-decoration: none;">inform the concerned third parties </ins>about alternative contact methods. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>As a result, the DPA found <del style="font-weight: bold; text-decoration: none;">a violation </del>of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], [[Article 12 GDPR|Article 12 GDPR]] and [[Article 17 GDPR|Article 17 GDPR]]. The controller <del style="font-weight: bold; text-decoration: none;">received a fine of </del>€15,000.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>As a result, the DPA found <ins style="font-weight: bold; text-decoration: none;">violations </ins>of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], [[Article 12 GDPR|Article 12 GDPR]] and [[Article 17 GDPR|Article 17 GDPR]]. The controller <ins style="font-weight: bold; text-decoration: none;">was fined </ins>€15,000.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
</table>
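Review bot: The rewritten minimisation paragraph in the Holding section introduces a typo, "to be complaint with the principles of necessity and minimization", where "compliant" is meant, and the same sentence block drops the article in "controller breached the principle". In the Facts paragraph on the data subject's request, the new wording "the right to erasure the e-mail address" no longer parses; "the right to erasure of the e-mail address" or "the right to have the e-mail address erased" would keep the meaning of the older revision. The Article 12 paragraph is touched by this revision but still carries "within one month or receipt of the request" (should read "of receipt"), and the Article 12(4) paragraph keeps "would nevertheless had to provide an information", so both could be corrected in the same pass. The spelling also alternates between "minimisation" and "minimization" inside one paragraph.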
Mg
https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202954&diff=40446&oldid=40420
AEPD (Spain) - EXP202202954
2024-03-19T13:52:13Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:52, 19 March 2024</td>
</tr><tr><td colspan="4" class="diff-multi" lang="en">(2 intermediate revisions by the same user not shown)</td></tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l76">Line 76:</td>
<td colspan="2" class="diff-lineno">Line 76:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>On 31 January 2022, a complaint was filed with the Spanish DPA concerning a government webpage that required certain personal data to submit a form for conciliation of <del style="font-weight: bold; text-decoration: none;">labor </del>disputes to the Canary Islands’ Department of Economy, Knowledge and Employment (controller). In particular, the form included a question concerning sex/gender that obliged a response of man, woman, or nonbinary. The <del style="font-weight: bold; text-decoration: none;">complainant </del>argued that the nonbinary response required disclosure of personal data related to sexual orientation and that such data is beyond the scope of the controller’s legal basis and the form’s purpose. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>On 31 January 2022, a complaint was filed with the Spanish DPA concerning a government webpage that required certain personal data to submit a form for conciliation of <ins style="font-weight: bold; text-decoration: none;">labour </ins>disputes to the Canary Islands’ Department of Economy, Knowledge and Employment (controller). In particular, the form included a question concerning sex/gender that obliged a response of man, woman, or nonbinary. The <ins style="font-weight: bold; text-decoration: none;">data subject </ins>argued that the nonbinary response required disclosure of personal data related to sexual orientation and that such data is beyond the scope of the controller’s legal basis and the form’s purpose. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The controller argued that there was no violation of Article 5(1)(c) or 9(1) GDPR and that it was in fact required to collect such information under Spanish law. In particular, Article 26 of Law 12/89 and Article 20(a) of Law 3/2007 obliges public institutions to collect sex/gender information in all forms for statistical purposes.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The controller argued that there was no violation of Article 5(1)(c) or 9(1) GDPR and that it was in fact required to collect such information under Spanish law. In particular, Article 26 of Law 12/89 and Article 20(a) of Law 3/2007 obliges public institutions to collect sex/gender information in all <ins style="font-weight: bold; text-decoration: none;">administrative </ins>forms for statistical purposes.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The DPA found that the controller exceeded its legal basis for processing under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], violated the data minimisation principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], and improperly processed a special category of information under [[Article 9 GDPR#1|Article 9(1) GDPR]]. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The DPA found that the controller exceeded its legal basis for processing under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], violated the data minimisation principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], and improperly processed a special category of information under [[Article 9 GDPR#1|Article 9(1) GDPR]]. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>First, in finding a violation of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], the DPA determined that the controller exceeded their legal basis for processing under Spanish legal requirements. A number of Spanish laws including Article 20 of Law 3/2007 and Article 26 of Law 12/1989 require public institutions to collect data about the applicant’s sex for statistical purposes and monitoring of gender equality. Article 26 of Law 12/1989 specifies ‘woman’ and ‘man’ as the responses to inquiries about sex. On the other hand, the DPA noted that no Spanish laws obliging sex to be documented require the nonbinary response to be included. Including it as a response thus exceeded the scope of the legal requirements that formed the basis for processing under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>First, in finding a violation of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], the DPA determined that the controller exceeded their legal basis for processing under Spanish legal requirements. 
A number of Spanish laws including <ins style="font-weight: bold; text-decoration: none;">[https://www.boe.es/buscar/act.php?id=BOE-A-2007-6115 </ins>Article 20 of Law 3/2007<ins style="font-weight: bold; text-decoration: none;">] </ins>and <ins style="font-weight: bold; text-decoration: none;">[https://www.boe.es/buscar/doc.php?id=BOE-A-1989-10767 </ins>Article 26 of Law 12/1989<ins style="font-weight: bold; text-decoration: none;">] </ins>require public institutions to collect data about the applicant’s sex<ins style="font-weight: bold; text-decoration: none;">/gender </ins>for statistical purposes and monitoring of gender equality. <ins style="font-weight: bold; text-decoration: none;">[https://www.boe.es/buscar/doc.php?id=BOE-A-1989-10767 </ins>Article 26 of Law 12/1989<ins style="font-weight: bold; text-decoration: none;">] </ins>specifies ‘woman’ and ‘man’ as the responses to inquiries about sex. On the other hand, the DPA noted that no Spanish laws obliging sex<ins style="font-weight: bold; text-decoration: none;">/gender </ins>to be documented require the nonbinary response to be included. Including it as a response thus exceeded the scope of the legal requirements that formed the basis for processing under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Second, the DPA held that the nonbinary response collected personal data that was not necessary for the purpose of processing in violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. It considered that the nonbinary response was not related to the purpose for which data was being collected in the form, which related to <del style="font-weight: bold; text-decoration: none;">labor </del>disputes between employers and employees. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Second, the DPA held that the nonbinary response collected personal data that was not necessary for the purpose of processing in violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. It considered that the nonbinary response was not related to the purpose for which data was being collected in the form, which related to <ins style="font-weight: bold; text-decoration: none;">labour </ins>disputes between employers and employees. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Finally, the DPA determined that the controller processed special categories of information prohibited under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Though it noted that gender identity and sexual orientation are distinct, the DPA determined that a response other than man or woman (in this case, nonbinary) can still be considered to relate to sexual life, even if the form does not explicitly refer to sexual orientation or sex life. There was no applicable exception to the prohibition on processing of special categories in this case under Article 9(2) GPDR. As a result, the DPA concluded that the nonbinary response violated [[Article 9 GDPR#1|Article 9(1) GDPR]].</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Finally, the DPA determined that the controller processed special categories of information prohibited under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Though it noted that gender identity and sexual orientation are distinct, the DPA determined that a response other than man or woman (in this case, nonbinary) can still be considered to relate to sexual life, even if the form does not explicitly refer to sexual orientation or sex life. There was no applicable exception to the prohibition on processing of special categories in this case under Article 9(2) GPDR. As a result, the DPA concluded that the nonbinary response violated [[Article 9 GDPR#1|Article 9(1) GDPR]].</div></td></tr>
</table>
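Review bot: The statute citations are inconsistent across the paragraphs this revision edits: the Facts section cites "Article 26 of Law 12/89" and "Article 20(a) of Law 3/2007", while the Holding section, where the external links are added, cites "Law 12/1989" and links "Article 20 of Law 3/2007" without the "(a)". Using one form of each citation in both sections would let readers match the controller's argument to the DPA's reasoning. The edited Facts sentence also keeps the agreement error "Article 26 ... and Article 20(a) ... obliges" (should be "oblige"), and the same BOE link for Article 26 is attached twice in consecutive sentences, where linking the first mention would be enough. The unchanged final paragraph still reads "Article 9(2) GPDR", which is worth fixing while the section is open.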
Lm
https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9993105&diff=40442&oldid=40434
Garante per la protezione dei dati personali (Italy) - 9993105
2024-03-19T13:03:50Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:03, 19 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l81">Line 81:</td>
<td colspan="2" class="diff-lineno">Line 81:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Firstly, the DPA held that the controller failed to fulfil his obligation to follow modalities prescribed by [[Article 12 GDPR|Article 12 GDPR]], in particular to provide the data subject with information on the action taken in respect of a request pursuant to Article 15 to Article 22 without undue delay and, in any event, at the latest within one month or receipt of the request. This provision cannot be satisfied despite the fact the controller deleted the account ‘de facto’ on an unspecified date after the data subject request. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Firstly, the DPA held that the controller failed to fulfil his obligation to follow modalities prescribed by [[Article 12 GDPR|Article 12 GDPR]], in particular to provide the data subject with information on the action taken in respect of a request pursuant to <ins style="font-weight: bold; text-decoration: none;">[[</ins>Article 15 <ins style="font-weight: bold; text-decoration: none;">GDPR]] </ins>to <ins style="font-weight: bold; text-decoration: none;">[[</ins>Article 22 <ins style="font-weight: bold; text-decoration: none;">GDPR]] </ins>without undue delay and, in any event, at the latest within one month or receipt of the request. This provision cannot be satisfied despite the fact the controller deleted the account ‘de facto’ on an unspecified date after the data subject request. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the controller stated to the DPA that they did not respond to the data subject’s request to erase their account pursuant to [[Article 17 GDPR#3e|Article 17(3)(e) GDPR]] according to which the right to erasure does not apply if the processing is necessary ‘for the establishment, exercise or defence of legal claims’. However, the DPA found that the controller would nevertheless had to provide an information of the reasons why the request was not granted. This is expressly established by [[Article 12 GDPR#4|Article 12(4) GDPR]] according to which the controller failed to provide a feedback to data subject without undue delay or within one month of receipt of the request. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the controller stated to the DPA that they did not respond to the data subject’s request to erase their account <ins style="font-weight: bold; text-decoration: none;">for reasons </ins>pursuant to [[Article 17 GDPR#3e|Article 17(3)(e) GDPR]] according to which the right to erasure does not apply if the processing is necessary ‘for the establishment, exercise or defence of legal claims’. However, the DPA found that the controller would nevertheless had to provide an information of the reasons why the request was not granted. This is expressly established by [[Article 12 GDPR#4|Article 12(4) GDPR]] according to which the controller failed to provide a feedback to data subject without undue delay or within one month of receipt of the request. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, the DPA observed that redirecting the e-mail to another company account and thus carry out processing operations in relation to the data subject implies that the controller breach the principle of minimisation as per Article 5(1)<del style="font-weight: bold; text-decoration: none;">© </del>GDPR. The DPA has already deemed it to be in accordance with the principles of necessity and minimization that after ending employment, the controller should have deactivated the email account and informed others about alternative contact methods. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, the DPA observed that redirecting the e-mail to another company account and thus carry out processing operations in relation to the data subject implies that the controller breach the principle of minimisation as per <ins style="font-weight: bold; text-decoration: none;">[[Article 5 GDPR#1c|</ins>Article 5(1)<ins style="font-weight: bold; text-decoration: none;">(c) </ins>GDPR<ins style="font-weight: bold; text-decoration: none;">]]</ins>. The DPA has already deemed it to be in accordance with the principles of necessity and minimization that after ending employment, the controller should have deactivated the email account and informed others about alternative contact methods. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>As a result, the DPA found a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], [[Article 12 GDPR|Article 12 GDPR]] and [[Article 17 GDPR|Article 17 GDPR]]. The controller received a fine of €15,000.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>As a result, the DPA found a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], [[Article 12 GDPR|Article 12 GDPR]] and [[Article 17 GDPR|Article 17 GDPR]]. The controller received a fine of €15,000.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Regarding the obligation of the employer to de-activate the former employees account after the contract was terminated, see Guidelines for electronic mail and the Internet, 1.3.2007, in G. U. No. 58 of 10.3.2007, spec. point 5.2, lett. B.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Regarding the obligation of the employer to de-activate the former employees account after the contract was terminated, see <ins style="font-weight: bold; text-decoration: none;">[https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/1387522 </ins>Guidelines for electronic mail and the Internet<ins style="font-weight: bold; text-decoration: none;">]</ins>, 1.3.2007, in G. U. No. 58 of 10.3.2007, spec. point 5.2, lett. B.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Further Resources ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Further Resources ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40434:rev-40442 -->
</table>
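Review bot: the changed first paragraph of the Holding still reads "within one month or receipt of the request" on the new side, where the second paragraph has "within one month of receipt of the request"; correct "or" to "of" while these lines are being touched. The second paragraph's "would nevertheless had to provide an information of the reasons" could likewise become "would nevertheless have had to inform the data subject of the reasons", and the third paragraph alternates between "minimisation" and "minimization".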
Im
https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9993105&diff=40434&oldid=0
Garante per la protezione dei dati personali (Italy) - 9993105
2024-03-19T10:13:06Z
<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=9993105 |ECLI= |Original_Source_Name_1=Garante per la protezione dei dati personali |Original_Source_Link_1=https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9993105 |Original_Source_Language_1=Maltese |Origi..."</p>
<a href="https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9993105&diff=40434">Show changes</a>
Im
https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202954&diff=40420&oldid=40419
AEPD (Spain) - EXP202202954
2024-03-18T17:53:24Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 17:53, 18 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l77">Line 77:</td>
<td colspan="2" class="diff-lineno">Line 77:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>On 31 January 2022, a complaint was filed with the Spanish DPA concerning a government webpage that required certain personal data to submit a form for conciliation of labor disputes to the Canary Islands’ Department of Economy, Knowledge and Employment (controller). In particular, the form included a question concerning sex/gender that obliged a response of man, woman, or nonbinary. The complainant argued that the nonbinary response required disclosure of personal data related to sexual orientation and that such data is beyond the scope of the controller’s legal basis and the form’s purpose. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>On 31 January 2022, a complaint was filed with the Spanish DPA concerning a government webpage that required certain personal data to submit a form for conciliation of labor disputes to the Canary Islands’ Department of Economy, Knowledge and Employment (controller). In particular, the form included a question concerning sex/gender that obliged a response of man, woman, or nonbinary. The complainant argued that the nonbinary response required disclosure of personal data related to sexual orientation and that such data is beyond the scope of the controller’s legal basis and the form’s purpose. </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The controller argued that there was no violation of Article 5(1)(c) or 9(1) GDPR and that it was in fact required to collect such information under Spanish law. In particular, Article 26 of Law 12/89 and Article 20(a) of Law 3/2007 obliges public institutions to collect sex/gender information in all forms for statistical purposes.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The controller argued that there was no violation of Article 5(1)(c) or 9(1) GDPR and that it was in fact required to collect such information under Spanish law. In particular, Article 26 of Law 12/89 and Article 20(a) of Law 3/2007 obliges public institutions to collect sex/gender information in all forms for statistical purposes.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The DPA found that the controller exceeded its legal basis for processing under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], violated the data minimisation principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], and improperly processed a special category of information under [[Article 9 GDPR#1|Article 9(1) GDPR]]. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The DPA found that the controller exceeded its legal basis for processing under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], violated the data minimisation principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], and improperly processed a special category of information under [[Article 9 GDPR#1|Article 9(1) GDPR]]. </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>First, in finding a violation of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], the DPA determined that the controller exceeded their legal basis for processing under Spanish legal requirements. A number of Spanish laws including Article 20 of Law 3/2007 and Article 26 of Law 12/1989 require public institutions to collect data about the applicant’s sex for statistical purposes and monitoring of gender equality. Article 26 of Law 12/1989 specifies ‘woman’ and ‘man’ as the responses to inquiries about sex. On the other hand, the DPA noted that no Spanish laws obliging sex to be documented require the nonbinary response to be included. Including it as a response thus exceeded the scope of the legal requirements that formed the basis for processing under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>First, in finding a violation of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]], the DPA determined that the controller exceeded their legal basis for processing under Spanish legal requirements. A number of Spanish laws including Article 20 of Law 3/2007 and Article 26 of Law 12/1989 require public institutions to collect data about the applicant’s sex for statistical purposes and monitoring of gender equality. Article 26 of Law 12/1989 specifies ‘woman’ and ‘man’ as the responses to inquiries about sex. On the other hand, the DPA noted that no Spanish laws obliging sex to be documented require the nonbinary response to be included. 
Including it as a response thus exceeded the scope of the legal requirements that formed the basis for processing under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Second, the DPA held that the nonbinary response collected personal data that was not necessary for the purpose of processing in violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. It considered that the nonbinary response was not related to the purpose for which data was being collected in the form, which related to labor disputes between employers and employees. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Second, the DPA held that the nonbinary response collected personal data that was not necessary for the purpose of processing in violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. It considered that the nonbinary response was not related to the purpose for which data was being collected in the form, which related to labor disputes between employers and employees. </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Finally, the DPA determined that the controller processed special categories of information prohibited under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Though it noted that gender identity and sexual orientation are distinct, the DPA determined that a response other than man or woman (in this case, nonbinary) can still be considered to relate to sexual life, even if the form does not explicitly refer to sexual orientation or sex life. There was no applicable exception to the prohibition on processing of special categories in this case under Article 9(2) GPDR. As a result, the DPA concluded that the nonbinary response violated [[Article 9 GDPR#1|Article 9(1) GDPR]].</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Finally, the DPA determined that the controller processed special categories of information prohibited under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Though it noted that gender identity and sexual orientation are distinct, the DPA determined that a response other than man or woman (in this case, nonbinary) can still be considered to relate to sexual life, even if the form does not explicitly refer to sexual orientation or sex life. There was no applicable exception to the prohibition on processing of special categories in this case under Article 9(2) GPDR. As a result, the DPA concluded that the nonbinary response violated [[Article 9 GDPR#1|Article 9(1) GDPR]].</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA imposed undisclosed warning sanctions for the controller’s violations of <del style="font-weight: bold; text-decoration: none;">Articles </del>5(1)(c) and 9(1) GDPR pursuant to [[Article 83 GDPR#5a|Article 83(5)(a) GDPR]]. It also ordered the controller to bring processing operations into compliance by removing the nonbinary response in form inquiries of sex/gender from not only in the form arising in the case but also more broadly in the processing of forms and documents before its public institutions altogether.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA imposed undisclosed warning sanctions for the controller’s violations of <ins style="font-weight: bold; text-decoration: none;">[[Article 5 GDPR#1c|Article </ins>5(1)(c)<ins style="font-weight: bold; text-decoration: none;">]] </ins>and <ins style="font-weight: bold; text-decoration: none;">[[Article 9 GDPR#1|</ins>9(1) GDPR<ins style="font-weight: bold; text-decoration: none;">]] </ins>pursuant to [[Article 83 GDPR#5a|Article 83(5)(a) GDPR]]. It also ordered the controller to bring processing operations into compliance by removing the nonbinary response in form inquiries of sex/gender from not only in the form arising in the case but also more broadly in the processing of forms and documents before its public institutions altogether.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40419:rev-40420 -->
</table>
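Review bot: in the changed sanctions paragraph the two new link labels are split unevenly, "[[Article 5 GDPR#1c|Article 5(1)(c)]]" without "GDPR" and "[[Article 9 GDPR#1|9(1) GDPR]]" without "Article"; use full labels as in the rest of the Holding, for example "[[Article 9 GDPR#1|Article 9(1) GDPR]]". The new side also adds a line containing a single space before this paragraph where the other added separators are empty lines, and the unchanged paragraph above it still has "Article 9(2) GPDR".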
Lm
https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202954&diff=40419&oldid=0
AEPD (Spain) - EXP202202954
2024-03-18T17:51:59Z
<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202202954 |ECLI= |Original_Source_Name_1=Agencia Española de Protección de Datos |Original_Source_Link_1=https://www.aepd.es/documento/ps-00070-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Langua..."</p>
<a href="https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202954&diff=40419">Show changes</a>
Lm
https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9973749&diff=40341&oldid=40340
Garante per la protezione dei dati personali (Italy) - 9973749
2024-03-13T11:02:51Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 11:02, 13 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l71">Line 71:</td>
<td colspan="2" class="diff-lineno">Line 71:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA fined a lawyer €500 for unlawfully processing a data subject's personal data <del style="font-weight: bold; text-decoration: none;">as </del>a letter regarding his divorce <del style="font-weight: bold; text-decoration: none;">was sent </del>to <del style="font-weight: bold; text-decoration: none;">his </del>company<del style="font-weight: bold; text-decoration: none;">'s </del>email address, accessible by all <del style="font-weight: bold; text-decoration: none;">his </del>employees.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA fined a lawyer €500 for unlawfully processing a data subject's personal data <ins style="font-weight: bold; text-decoration: none;">by sending </ins>a letter regarding his divorce to <ins style="font-weight: bold; text-decoration: none;">the data subject’s </ins>company email address, accessible by all employees.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40340:rev-40341 -->
</table>
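Review bot: in the rewritten summary sentence, "his" in "a letter regarding his divorce" no longer has a clear antecedent and can be read as the lawyer's divorce; "a letter regarding the data subject's divorce" would remove the ambiguity. The new side also mixes a straight apostrophe in "data subject's personal data" with a curly one in "data subject’s company email address".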
Nzm
https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9973749&diff=40340&oldid=40303
Garante per la protezione dei dati personali (Italy) - 9973749
2024-03-13T11:02:00Z
<p><span dir="auto"><span class="autocomment">Facts</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 11:02, 13 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l82">Line 82:</td>
<td colspan="2" class="diff-lineno">Line 82:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The Italian DPA found the justifications set forth by the controller insufficient and initiated proceedings for potential GDPR violations to evaluate the possibility of applying a penalty as per [[Article 58 GDPR#2|Article 58(2) GDPR]] and [[Article 83 GDPR]]. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The Italian DPA found the justifications set forth by the controller insufficient and initiated proceedings for potential GDPR violations to evaluate the possibility of applying a penalty as per [[Article 58 GDPR#2|Article 58(2) GDPR]] and [[Article 83 GDPR]]. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>In response, the controller emphasised the confidentiality of the communication, which was specifically directed to the data subject, the limited accessibility of the email within the company, and the necessity of the email to protect their client's vital interests. Additionally, they argued that no tangible harm occurred to the data subject nor did <del style="font-weight: bold; text-decoration: none;">he </del>demonstrate it. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>In response, the controller emphasised the confidentiality of the communication, which was specifically directed to the data subject, the limited accessibility of the email within the company, and the necessity of the email to protect their client's vital interests. Additionally, they argued that no tangible harm occurred to the data subject nor did <ins style="font-weight: bold; text-decoration: none;">the data subject </ins>demonstrate it. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Italian DPA first held that the disclosure of information regarding the data subject involved the processing of his personal data, as defined in [[Article 4 GDPR|Articles 4(1) and (2) GDPR]]. <del style="font-weight: bold; text-decoration: none;">Despite the controller's argument that the personal nature of the data was unclear, the DPA confirmed that personal data relating to the data subject was processed and associated with the email, thus refuting the controller's defense. </del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Italian DPA first held that the disclosure of information regarding the data subject involved the processing of his personal data, as defined in [[Article 4 GDPR|Articles 4(1) and (2) GDPR]]. <ins style="font-weight: bold; text-decoration: none;"> </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Additionally, the DPA stated that the controller transmitted personal data to the company's email address without a suitable legal basis, thereby contravening [[Article 6 GDPR]] and the principle of data minimization outlined in [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The alleged justifications under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] and [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] regarding legal obligations and vital interests, as claimed during the investigation by the controller, were found by the DPA to lack substantiation. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Additionally, the DPA stated that the controller transmitted personal data to the company's email address without a suitable legal basis, thereby contravening [[Article 6 GDPR]] and the principle of data minimization outlined in [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The alleged justifications under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] and [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] regarding legal obligations and vital interests, as claimed during the investigation by the controller, were found by the DPA to lack substantiation. </div></td></tr>
</table>
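Review bot: in the Holding paragraph, the deleted sentence was the only place in the lines shown that recorded the controller's argument that the personal nature of the data was unclear, together with the DPA's rejection of it; the Facts paragraph in the same hunk lists the controller's other arguments (confidentiality, limited accessibility, necessity, no tangible harm) but not this one. If the decision contains that defence, move it into the Facts paragraph rather than dropping it. The replacement also leaves a lone inserted space after "[[Article 4 GDPR|Articles 4(1) and (2) GDPR]].", which can be trimmed.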
Mg
https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9973749&diff=40303&oldid=39956
Garante per la protezione dei dati personali (Italy) - 9973749
2024-03-11T12:25:03Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 12:25, 11 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l71">Line 71:</td>
<td colspan="2" class="diff-lineno">Line 71:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The <del style="font-weight: bold; text-decoration: none;">Italian </del>DPA fined a lawyer €500 for unlawfully processing a data subject's personal data as a letter regarding his divorce was sent to his company's email address, accessible by all his employees.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA fined a lawyer €500 for unlawfully processing a data subject's personal data as a letter regarding his divorce was sent to his company's email address, accessible by all his employees.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
</table>
Im
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_1011/161/22&diff=40251&oldid=40237
Tietosuojavaltuutetun toimisto (Finland) - 1011/161/22
2024-03-06T12:24:16Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 12:24, 6 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l63">Line 63:</td>
<td colspan="2" class="diff-lineno">Line 63:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The <del style="font-weight: bold; text-decoration: none;">Finnish </del>DPA found a school to have breached <del style="font-weight: bold; text-decoration: none;">[[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] </del>for processing the bank account numbers of all its students for the purpose of awarding possible scholarships.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA found a school to have breached <ins style="font-weight: bold; text-decoration: none;">the principle of data minimization </ins>for processing the bank account numbers of all its students for the purpose of awarding possible scholarships <ins style="font-weight: bold; text-decoration: none;">concerning only some of them</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
</table>
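Review bot: the new summary sentence spells the principle "data minimization", while the Holding text of the same page (revision of 10:37, 6 March 2024) uses "data minimisation"; pick one spelling for the page. Replacing the [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] link with the principle's name also removes the only article reference from this sentence, so consider keeping the link in parentheses after the name. The added tail "scholarships concerning only some of them" would read more clearly as "scholarships awarded to only some of them".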
Im
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV/224/2023&diff=40246&oldid=40228
Tietosuojavaltuutetun toimisto (Finland) - TSV/224/2023
2024-03-06T11:50:33Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 11:50, 6 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l71">Line 71:</td>
<td colspan="2" class="diff-lineno">Line 71:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA <del style="font-weight: bold; text-decoration: none;">ordered </del>a <del style="font-weight: bold; text-decoration: none;">provider </del>of <del style="font-weight: bold; text-decoration: none;">first aid training to facilitate </del>the <del style="font-weight: bold; text-decoration: none;">exercise of </del>data subject rights <del style="font-weight: bold; text-decoration: none;">by no longer requesting a copy of </del>the <del style="font-weight: bold; text-decoration: none;">identity document as </del>a <del style="font-weight: bold; text-decoration: none;">means of identification</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA <ins style="font-weight: bold; text-decoration: none;">held that </ins>a <ins style="font-weight: bold; text-decoration: none;">controller cannot systematically request data subjects to submit a signed form and a copy </ins>of <ins style="font-weight: bold; text-decoration: none;">their ID for an access request, as facilitating </ins>the data subject<ins style="font-weight: bold; text-decoration: none;">'s </ins>rights <ins style="font-weight: bold; text-decoration: none;">under </ins>the <ins style="font-weight: bold; text-decoration: none;">GDPR requires </ins>a <ins style="font-weight: bold; text-decoration: none;">case by case assessment</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Finnish DPA was notified that a provider of first aid training ("controller") had requested the data subject to submit by email a signed form and a copy of their ID in order to exercise the right of access.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Finnish DPA was notified that a provider of first aid training ("controller") had requested the data subject to submit by email a signed form and a copy of their ID in order to exercise the right of access<ins style="font-weight: bold; text-decoration: none;">. The data subject made an access request but did not provide the filled in form and a copy of their ID. Therefore, the controller did not provide access to the personal data</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The DPA had asked the controller to explain how it facilitated the exercise of data subject rights. In addition, the DPA also asked the controller to clarify how long it retained personal data.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The DPA had asked the controller to explain how it facilitated the exercise of data subject rights. In addition, the DPA also asked the controller to clarify how long it retained personal data.</div></td></tr>
</table>
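Review bot: in the sentence added to Facts, "did not provide the filled in form and a copy of their ID" leaves it unclear whether the data subject withheld both items or only one; if both were missing, "provided neither the filled-in form nor a copy of their ID" is unambiguous. In the rewritten summary line, "case by case assessment" should be hyphenated as "case-by-case assessment".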
Nzm
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_1011/161/22&diff=40237&oldid=39926
Tietosuojavaltuutetun toimisto (Finland) - 1011/161/22
2024-03-06T10:37:11Z
<p><span dir="auto"><span class="autocomment">Holding</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:37, 6 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l73">Line 73:</td>
<td colspan="2" class="diff-lineno">Line 73:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>On the basis of the information provided by the controller, the DPA considered that personal data <del style="font-weight: bold; text-decoration: none;">may </del>not be processed and stored only for the sake of certainty and for future use. The controller had unnecessarily processed the bank account numbers of all its students for the purpose of awarding the scholarships, even though <del style="font-weight: bold; text-decoration: none;">they </del>would <del style="font-weight: bold; text-decoration: none;">be </del>awarded only to some students.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>On the basis of the information provided by the controller, the DPA considered that personal data <ins style="font-weight: bold; text-decoration: none;">shall </ins>not be processed and stored only for the sake of certainty and for future use. The controller had unnecessarily processed the bank account numbers of all its students for the purpose of awarding the scholarships, even though <ins style="font-weight: bold; text-decoration: none;">these </ins>would <ins style="font-weight: bold; text-decoration: none;">have been </ins>awarded only to some students.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA emphasised that it would have been possible for the controller to award the scholarships in a less intrusive manner and <del style="font-weight: bold; text-decoration: none;">that on the basis of the information gathered, the DPA held that </del>the controller <del style="font-weight: bold; text-decoration: none;">had </del>violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by processing the bank account numbers <del style="font-weight: bold; text-decoration: none;">of all its students</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA emphasised that it would have been possible for the controller to award the scholarships in a less intrusive manner and <ins style="font-weight: bold; text-decoration: none;">therefore </ins>the controller violated <ins style="font-weight: bold; text-decoration: none;">the principle of data minimisation enshrined in </ins>[[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by processing the bank account numbers.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>As a result, the DPA issued a reprimand to the controller in accordance with [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. Pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA also ordered the controller to erase the bank account numbers since there were no legal grounds for the processing.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>As a result, the DPA issued a reprimand to the controller in accordance with [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. Pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA also ordered the controller to erase the bank account numbers since there were no legal grounds for the processing.</div></td></tr>
</table>
Mg
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV/224/2023&diff=40228&oldid=40220
Tietosuojavaltuutetun toimisto (Finland) - TSV/224/2023
2024-03-06T09:07:45Z
<p><span dir="auto"><span class="autocomment">Facts</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 09:07, 6 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l76">Line 76:</td>
<td colspan="2" class="diff-lineno">Line 76:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Finnish DPA was notified that a provider of first aid training ("controller") had requested the data subject to submit a signed <del style="font-weight: bold; text-decoration: none;">information request </del>form and a copy of their <del style="font-weight: bold; text-decoration: none;">identity document by email </del>in order to exercise the right of access.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Finnish DPA was notified that a provider of first aid training ("controller") had requested the data subject to submit <ins style="font-weight: bold; text-decoration: none;">by email </ins>a signed form and a copy of their <ins style="font-weight: bold; text-decoration: none;">ID </ins>in order to exercise the right of access.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA had asked the controller to explain how it facilitated the exercise of data subject rights <del style="font-weight: bold; text-decoration: none;">and </del>how long it retained personal data.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA had asked the controller to explain how it facilitated the exercise of data subject rights<ins style="font-weight: bold; text-decoration: none;">. In addition, the DPA also asked the controller to clarify </ins>how long it retained personal data.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In response to the request, the controller clarified that it could not confirm the identity of the data subject because the access request had been submitted by email, which only contained the name and email address of the data subject. Therefore, the controller could not fulfill the request, because the data subject had not agreed to submit the signed information request form or to identify themselves as requested by the controller.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In response to the request, the controller clarified that it could not confirm the identity of the data subject because the access request had been submitted by email, which only contained the name and email address of the data subject. Therefore, the controller could not fulfill the request, because the data subject had not agreed to submit the signed information request form or to identify themselves as requested by the controller.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The </del>controller stated that the completed training was valid for three years and that the personal data would be erased two years after the end of the validity period.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Concerning the retention periods, the </ins>controller stated that the completed training was valid for three years and that the personal data would be erased two years after the end of the validity period.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l89">Line 89:</td>
<td colspan="2" class="diff-lineno">Line 89:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The DPA emphasised that the controller's possibility to request additional information to confirm the identity of the data subject in accordance with [[Article 12 GDPR#6|Article 12(6) GDPR]] must not lead to unreasonable requirements and the collection of personal data that is not necessary to verify the connection between the data subject and the personal data requested.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The DPA emphasised that the controller's possibility to request additional information to confirm the identity of the data subject in accordance with [[Article 12 GDPR#6|Article 12(6) GDPR]] must not lead to unreasonable requirements and the collection of personal data that is not necessary to verify the connection between the data subject and the personal data requested.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA found that the controller had not facilitated the exercise of data subject rights in accordance with [[Article 12 GDPR#2|Article 12(2) GDPR]], as the data subject <del style="font-weight: bold; text-decoration: none;">incurred </del>an unreasonable <del style="font-weight: bold; text-decoration: none;">amount of trouble </del>when <del style="font-weight: bold; text-decoration: none;">they had to submit </del>a signed <del style="font-weight: bold; text-decoration: none;">information request </del>form <del style="font-weight: bold; text-decoration: none;">in addition to </del>a copy of their <del style="font-weight: bold; text-decoration: none;">identity document</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA found that the controller had not facilitated the exercise of data subject rights in accordance with [[Article 12 GDPR#2|Article 12(2) GDPR]], as the data subject an unreasonable <ins style="font-weight: bold; text-decoration: none;">effort </ins>when <ins style="font-weight: bold; text-decoration: none;">submitting </ins>a signed form <ins style="font-weight: bold; text-decoration: none;">and </ins>a copy of their <ins style="font-weight: bold; text-decoration: none;">ID</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The DPA also noted that, based on the retention period determined by the controller, it should have erased the data subject's personal data even before the data subject's access request.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The DPA also noted that, based on the retention period determined by the controller, it should have erased the data subject's personal data even before the data subject's access request.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>On the basis of the information gathered, the DPA held that the controller had violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], [[Article 12 GDPR#2|Article 12(2) GDPR]], [[Article 12 GDPR#6|Article 12(6) GDPR]] and [[Article 25 GDPR#2|Article 25(2) GDPR]]<del style="font-weight: bold; text-decoration: none;">. As a result, and in accordance with [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], the DPA ordered the controller to comply with the data subject's access request</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>On the basis of the information gathered, the DPA held that the controller had violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], [[Article 12 GDPR#2|Article 12(2) GDPR]], [[Article 12 GDPR#6|Article 12(6) GDPR]] and [[Article 25 GDPR#2|Article 25(2) GDPR]]. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA also ordered the controller to amend its identity verification policy to comply with the aforementioned provisions of the GDPR and to erase personal data older than the specified retention period without undue delay.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">In accordance with [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], the DPA ordered the controller to comply with the data subject's access request. </ins>Pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA also ordered the controller to amend its identity verification policy to comply with the aforementioned provisions of the GDPR and to erase personal data older than the specified retention period without undue delay.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40220:rev-40228 -->
</table>
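Review bot: the new Article 12(2) sentence in the "Line 89" hunk has lost its verb: "as the data subject an unreasonable effort when submitting a signed form and a copy of their ID". The old revision had "incurred" there; restore a verb, for example "as the data subject incurred an unreasonable effort when submitting a signed form and a copy of their ID". The changed sentence listing the violated articles also now ends with a trailing space after the full stop.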
Mg
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV/224/2023&diff=40220&oldid=40181
Tietosuojavaltuutetun toimisto (Finland) - TSV/224/2023
2024-03-06T08:00:46Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:00, 6 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l71">Line 71:</td>
<td colspan="2" class="diff-lineno">Line 71:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The <del style="font-weight: bold; text-decoration: none;">Finnish </del>DPA ordered a provider of first aid training to facilitate the exercise of data subject rights by no longer requesting a copy of the identity document as a means of identification.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA ordered a provider of first aid training to facilitate the exercise of data subject rights by no longer requesting a copy of the identity document as a means of identification.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Finnish DPA was notified that a provider of first aid training (<del style="font-weight: bold; text-decoration: none;">the </del>controller) had requested the data subject to submit a signed information request form and a copy of their identity document by email in order to exercise the right of access.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Finnish DPA was notified that a provider of first aid training (<ins style="font-weight: bold; text-decoration: none;">"</ins>controller<ins style="font-weight: bold; text-decoration: none;">"</ins>) had requested the data subject to submit a signed information request form and a copy of their identity document by email in order to exercise the right of access.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The DPA had asked the controller to explain how it facilitated the exercise of data subject rights and how long it retained personal data.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The DPA had asked the controller to explain how it facilitated the exercise of data subject rights and how long it retained personal data.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>In response to the request, the controller clarified that it could not confirm the identity of the data subject because the access request had been submitted by email, which only contained the name and email address of the data subject. Therefore, the controller could not <del style="font-weight: bold; text-decoration: none;">fulfil </del>the request, because the data subject had not agreed to submit the signed information request form or to identify themselves as requested by the controller.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>In response to the request, the controller clarified that it could not confirm the identity of the data subject because the access request had been submitted by email, which only contained the name and email address of the data subject. Therefore, the controller could not <ins style="font-weight: bold; text-decoration: none;">fulfill </ins>the request, because the data subject had not agreed to submit the signed information request form or to identify themselves as requested by the controller.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The controller stated that the completed training was valid for three years and that the personal data would be erased two years after the end of the validity period.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The controller stated that the completed training was valid for three years and that the personal data would be erased two years after the end of the validity period.</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40181:rev-40220 -->
</table>
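Review bot: the Facts paragraph changes "fulfil" to "fulfill", which switches one word to American spelling while the same page keeps British forms elsewhere (for example "emphasised" in the Holding section); pick one convention and apply it throughout. The same revision also changes "(the controller)" to ("controller") as a defined term, so later uses of "the controller" should be checked to make sure they still read consistently with that definition.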
Nzm
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV/224/2023&diff=40181&oldid=40180
Tietosuojavaltuutetun toimisto (Finland) - TSV/224/2023
2024-03-04T08:43:34Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:43, 4 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l67">Line 67:</td>
<td colspan="2" class="diff-lineno">Line 67:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Link=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_To_Link=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Initial_Contributor=fred</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Initial_Contributor=<ins style="font-weight: bold; text-decoration: none;">[https://gdprhub.eu/index.php?title=User:Fred </ins>fred<ins style="font-weight: bold; text-decoration: none;">]</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40180:rev-40181 -->
</table>
Fred
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV/224/2023&diff=40180&oldid=0
Tietosuojavaltuutetun toimisto (Finland) - TSV/224/2023
2024-03-04T08:42:47Z
<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=TSV/224/2023 |ECLI= |Original_Source_Name_1=Finlex |Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tsv/2024/20242103 |Original_Source_Language_1=Finnish |Original_Source_Language__Code_1=FI |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_La..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=TSV/224/2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tsv/2024/20242103<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=07.06.2023<br />
|Date_Decided=19.02.2024<br />
|Date_Published=29.02.2024<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(e) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1e<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 12(2) GDPR<br />
|GDPR_Article_Link_3=Article 12 GDPR#2<br />
|GDPR_Article_4=Article 12(6) GDPR<br />
|GDPR_Article_Link_4=Article 12 GDPR#6<br />
|GDPR_Article_5=Article 25(2) GDPR<br />
|GDPR_Article_Link_5=Article 25 GDPR#2<br />
|GDPR_Article_6=Article 58(2)(c) GDPR<br />
|GDPR_Article_Link_6=Article 58 GDPR#2c<br />
|GDPR_Article_7=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_7=Article 58 GDPR#2d<br />
|GDPR_Article_8=<br />
|GDPR_Article_Link_8=<br />
|GDPR_Article_9=<br />
|GDPR_Article_Link_9=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=fred<br />
|<br />
}}<br />
<br />
The Finnish DPA ordered a provider of first aid training to facilitate the exercise of data subject rights by no longer requesting a copy of the identity document as a means of identification.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Finnish DPA was notified that a provider of first aid training (the controller) had requested the data subject to submit a signed information request form and a copy of their identity document by email in order to exercise the right of access.<br />
<br />
The DPA had asked the controller to explain how it facilitated the exercise of data subject rights and how long it retained personal data.<br />
<br />
In response to the request, the controller clarified that it could not confirm the identity of the data subject because the access request had been submitted by email, which only contained the name and email address of the data subject. Therefore, the controller could not fulfil the request, because the data subject had not agreed to submit the signed information request form or to identify themselves as requested by the controller.<br />
<br />
The controller stated that the completed training was valid for three years and that the personal data would be erased two years after the end of the validity period.<br />
<br />
=== Holding ===<br />
On the basis of the information provided by the controller, the DPA considered that the controller's method of identifying the data subject was not based on a case-by-case assessment and that requesting a copy of the identity document was a standard means of identification.<br />
<br />
The DPA emphasised that the controller's possibility to request additional information to confirm the identity of the data subject in accordance with [[Article 12 GDPR#6|Article 12(6) GDPR]] must not lead to unreasonable requirements and the collection of personal data that is not necessary to verify the connection between the data subject and the personal data requested.<br />
<br />
The DPA found that the controller had not facilitated the exercise of data subject rights in accordance with [[Article 12 GDPR#2|Article 12(2) GDPR]], as the data subject incurred an unreasonable amount of trouble when they had to submit a signed information request form in addition to a copy of their identity document.<br />
<br />
The DPA also noted that, based on the retention period determined by the controller, it should have erased the data subject's personal data even before the data subject's access request.<br />
<br />
On the basis of the information gathered, the DPA held that the controller had violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]], [[Article 12 GDPR#2|Article 12(2) GDPR]], [[Article 12 GDPR#6|Article 12(6) GDPR]] and [[Article 25 GDPR#2|Article 25(2) GDPR]]. As a result, and in accordance with [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], the DPA ordered the controller to comply with the data subject's access request.<br />
<br />
Pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA also ordered the controller to amend its identity verification policy to comply with the aforementioned provisions of the GDPR and to erase personal data older than the specified retention period without undue delay.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
Decision of the Deputy Data Protection Commissioner<br />
Matter<br />
<br />
Submitting a request for the registered right of inspection and confirming the registered person's identity, as well as the legality and storage period of the processing of the registered person's personal data<br />
Registrar<br />
<br />
First aid training organizer<br />
The requirements of the registered person with reasons<br />
<br />
The data subject has asked the data protection commissioner's office to assess whether the data controller is acting in accordance with the General Data Protection Regulation of the European Parliament and of the Council ((EU) 2016/679) when asking the data subject to send a signed information request form and a copy of the identity document by email in order to exercise the right of inspection to confirm the identity of the data subject.<br />
<br />
The data subject has considered that the additional information required by the data controller to confirm the identity is not justified and appropriate in relation to the personal data of the data subject that the data controller processes. The registered person has considered that the procedure of the controller is not in accordance with the principles regarding the processing of personal data. In the registered person's opinion, the controller has also not made it easier for the data subject to exercise his rights.<br />
<br />
The registered person has also stated that, in his opinion, he has not received an appropriate explanation from the controller on the basis of the processing of his personal data. The registered person has doubts about the legality of the processing of his personal data. According to the information given by the controller to the registered person by e-mail, the basis for processing personal data is either a contract or a legitimate interest. The registered person has considered that neither of these processing grounds is applicable in his case.<br />
Statement received from the registrar<br />
<br />
The registrar has been requested to clarify the matter on June 7, 2023. The controller has submitted his report to the data protection commissioner's office on June 20, 2023.<br />
<br />
The controller has confirmed that he has received the information request submitted by the data subject. According to the controller, it has not been able to confirm the identity of the data subject, because the data subject has submitted a request for information by e-mail, which only shows the first and last name and e-mail address of the data subject. The registrar has stated that he instructed the registrant to send a signed information request form and to identify himself by sending a copy of his identity card by e-mail. The registrar has stated that he has offered the registrant an alternative option to identify himself electronically in the Visma Sign service. The data controller has stated that it has not been able to fulfill the data subject's request for access to the data, because the data subject has not agreed to submit a signed information request form and to identify himself as required by the data controller.<br />
<br />
The registrar has stated that requesting an identity document ensures that the requester is registered and that the request for information is addressed to the right person. The operation method of the registrar is evident from the register information request form submitted as an attachment to the registrar's statement, where it is stated that a copy of the identity document must be attached to the request.<br />
<br />
The controller has further stated that the processing of the personal data of the registered person is based on the contract. According to the registrar's report, the data subject has entered into a customer relationship when registering for training organized by the registrar. In addition, the controller has provided copies of the personal data of the data subject it processes to the data protection commissioner's office. According to its report, the controller processes the following information about the registered person: first and last name, address, e-mail address, telephone number and information about the completion of the training.<br />
<br />
The data protection commissioner's office has requested additional clarification from the data controller on 31 August 2023. The data controller has been asked whether and how the data controller has defined the retention period of personal data according to the data processing purposes. The controller has submitted his additional explanation to the data protection commissioner's office on 22 September 2023.<br />
<br />
The controller has stated in his supplementary report that he has determined the retention periods for the processing of personal data according to processing purposes. According to the registry keeper, information on storage periods is provided in the registry-specific privacy statements. The controller has stated that he considers that the necessity requirement for the processing of personal data ends when two years have passed since the expiration of the training course, or three years have passed since the last product purchase, or when the statutory retention period expires. According to the controller, the personal data will be anonymized or deleted at the end of the aforementioned retention period. The registrar has further stated that the trainings are valid for three years.<br />
Response of the registered person<br />
<br />
In this case, no response has been requested from the registered person. Based on the applicable legislation and the established interpretation practice, the matter is so clear that a decision can be given without the registrant's response based on Section 34, Subsection 2, Clause 5 of the Administrative Act. The matter can be resolved on the basis of the applicable legislation and the request brought to the attention of the data protection officer's office, as well as the explanations received from the data controller.<br />
Applicable legislation<br />
<br />
The processing of personal data is regulated in the General Data Protection Regulation. The Data Protection Regulation is specified in the Data Protection Act (1050/2018).<br />
<br />
According to Article 6 of the General Data Protection Regulation, the processing of personal data is lawful only when there is a basis for processing according to Article 6, paragraph 1. The principles regarding the processing of personal data are stipulated in Article 5 of the General Data Protection Regulation. Article 25 provides for built-in and default data protection. The right to access information is regulated in Article 15 and the procedure to be followed in exercising the right in Article 12.<br />
<br />
Paragraph 2 of Article 58 of the General Data Protection Regulation provides for the remedial powers of the supervisory authority. According to paragraph 2, subparagraph c of the article, the supervisory authority has the authority to order the controller or personal data processor to comply with the data subject's requests regarding the use of the data subject's rights based on the regulation. According to paragraph 2, subparagraph d of the article, the supervisory authority has the authority to order the controller or personal data processor to bring the processing activities into compliance with the provisions of the General Data Protection Regulation, if necessary, in a certain way and within a certain deadline.<br />
A legal question<br />
<br />
The issue is, first of all, whether the controller's procedure for submitting a request for the data subject's inspection right and identifying the data subject is in accordance with Article 12 paragraphs 2 and 6 and Article 5 paragraph 1 subparagraph c of the General Data Protection Regulation.<br />
<br />
This decision does not apply to the operations of the data controller in so far as it concerns an alternative method of identification of the data subject. It can be stated that if the data controller has different ways to confirm the identity of the registered person, the data controller must ensure that these methods are in accordance with the General Data Protection Regulation. In particular, it should be taken into account that alternative identification methods do not make it difficult to use the rights of the registered person.<br />
<br />
The Deputy Data Protection Commissioner must also assess whether the data controller has had a basis for processing the personal data of the registered person in accordance with Article 6, Paragraph 1 of the General Data Protection Regulation.<br />
<br />
The Deputy Data Protection Commissioner must also decide whether the procedure for storing the registered person's personal data has been in accordance with Article 5(1)(e) and Article 25(2) of the General Data Protection Regulation.<br />
<br />
The Deputy Data Protection Commissioner must decide whether an order according to Article 58(2)(d) of the General Data Protection Regulation must be issued to the data controller to bring the processing operations in line with the provisions of the General Data Protection Regulation and whether an order pursuant to Article 58(2)(c) must be issued to the data controller to comply with the data subject's request. In addition, the deputy data protection commissioner must assess whether other powers belonging to the data protection commissioner should be used in the case.<br />
Decision and reasons of the Deputy Data Protection Commissioner<br />
<br />
The Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58(2)(d) of the General Data Protection Regulation to change its policy regarding submitting a request for the registered person's right of inspection and confirming the registered person's identity to comply with Article 5(1)(c) and Article 12(2) and (6) of the General Data Protection Regulation.<br />
<br />
The deputy data protection commissioner leaves the appropriate measures to the discretion of the data controller, but orders a report on the measures taken to be submitted to the data protection commissioner's office by April 15, 2024, unless the data controller applies for an amendment to this decision.<br />
<br />
The Deputy Data Protection Commissioner also gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph c of the General Data Protection Regulation to comply with the data subject's request, which concerns the data subject's right to access information about him/her.<br />
<br />
In addition, the Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subsection d of the General Data Protection Regulation to delete customer data older than the retention period defined by the data controller without undue delay, including data of the data subject. Pursuant to § 25 subsection 3 of the Data Protection Act, the Deputy Data Protection Commissioner orders the data controller to comply with the order regarding the deletion of customer data despite the appeal. However, the deputy data protection commissioner draws the controller's attention to the fact that the controller must exercise the data subject's right to access information about him/herself before deleting the data.<br />
Reasoning<br />
Confirmation of the registered identity<br />
<br />
The General Data Protection Regulation has no provisions on how the identity of the data subject must be verified. The General Data Protection Regulation also does not regulate the way in which the data subject must make requests regarding his rights.<br />
<br />
According to Article 12, paragraph 2 of the General Data Protection Regulation, the data controller must facilitate the exercise of the data subject's rights according to Articles 15–22. If the controller has reasonable grounds to suspect the identity of the natural person who made the request, the controller can, according to Article 12, paragraph 6, ask the requester to provide additional information that is necessary to confirm the identity. If the data subject provides additional information that can be used to identify him, the controller may not refuse to perform the requested action.<br />
<br />
Personal data that has been used to register the person in question can also be used to confirm the identity of the registered person when the registered person exercises his rights. The possibility for the controller to request additional information for identity assessment cannot lead to unreasonable demands and the collection of personal data that are not essential or necessary to verify the connection between the person and the requested personal data. The European Data Protection Board has stated in its guideline on the right of inspection provided for in the General Data Protection Regulation (European Data Protection Board, Guidelines 01/2022 on data subject rights – Right of access. Version 2.0, Adopted on 28 March 2023.), that requesting additional information must not lead to the collection of irrelevant or unnecessary personal data. (Ibid, p. 26.)<br />
<br />
The European Data Protection Board has further stated that, although identity is verified in some contexts with the help of an identity card, requiring the person who made the request to provide a copy of their identity card cannot generally be considered as a regular procedure for confirming the identity of the registered person. (Ibid, p. 27.)<br />
<br />
According to Article 5(1)(c) of the General Data Protection Regulation, personal data must be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization"). The principle of data minimization must also be followed when the data controller requires the data subject to provide additional information to confirm his identity.<br />
<br />
In this case, the practice of the registrar has been that in order to exercise the right to inspect the data, the registered person must submit a register information request form, which must be filled with name, date of birth, telephone number, e-mail address and local address. Such a form must also be signed. In order to identify the registrant, the registrant must attach a copy of his identity card to this form. The register information request form has instructions on the above-mentioned practice. Requesting a copy of the identity document has thus been the usual procedure of the registrar to implement the registered person's inspection right.<br />
<br />
Taking into account Article 5(1)(c), the data controller shall not request more information from the data subject than is necessary for his identification. In order for the controller not to collect information that is unnecessary for processing, it must carry out a necessity assessment, which can take into account, for example, the type of personal data being processed. In this case, the data controller mainly carries out first aid training activities. Due to its industry, the controller does not, as a rule, process information belonging to special personal data groups concerning customers. When assessing the necessity of the data to be collected, the controller should avoid excessive collection of personal data.<br />
<br />
The information on the identity card must be counted as additional information in accordance with Article 12, paragraph 6, which the controller should only request if it has reasonable grounds to suspect the identity of the data subject who made the request. According to the Deputy Data Protection Commissioner's assessment, the controller's method of identifying the data subject has not been based on a case-by-case consideration, but requiring a copy of the identity document has been a regular means of identification. A copy of the identity card has been required from all registered users who have wanted to exercise their right to access data according to the General Data Protection Regulation.<br />
<br />
The Deputy Data Protection Commissioner also draws attention to the fact that the data controller has not brought out the reasons why it has not been able to identify the data subject based on the information provided by the data subject in its report.<br />
<br />
The Deputy Data Protection Commissioner considers that the data controller has processed a wider set of personal data to identify the data subject than is necessary to identify the data subject, especially taking into account the fact that the data controller has not provided reasons why it has not been able to identify the data subject based on the information provided by the data subject, and thus has acted contrary to the data minimization principle provided for in Article 5(1)(c) of the General Data Protection Regulation. The Deputy Data Protection Commissioner considers that the data controller has processed personal data in violation of Article 5(1)(c) and Article 12(6) of the General Data Protection Regulation.<br />
<br />
The registrar has also required the form to be submitted signed. The deputy data protection commissioner considers that the controller's way of operating has resulted in an unreasonable burden for the data subject, when the data subject had to submit a copy of his or her identity card along with the signed register information request form.<br />
<br />
The deputy data protection commissioner considers that the method in question has not been a means in accordance with Article 12, paragraph 2, by which the controller could be considered to have tried to facilitate the use of the data subject's rights. The operation method of the register holder can therefore be considered to have made it unreasonably difficult to exercise the rights of the registered person.<br />
<br />
Based on the above, the Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58(2)(d) of the General Data Protection Regulation to change its policy regarding submitting a request for the data subject's inspection right and identifying the data subject to comply with Article 5(1)(c) and Article 12(2) and (6) of the General Data Protection Regulation.<br />
<br />
Finally, the deputy data protection commissioner notes that the data controller has delivered to the data protection commissioner's office copies of the data subject's personal data it processes. The deputy data protection commissioner therefore considers that the controller has been able to identify the data subject. According to the information provided to the Data Protection Commissioner's office, the data controller has not provided this information to the data subject. For this reason, the deputy data protection commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to deliver the data to the data subject as well.<br />
Lawfulness of the processing of registered personal data<br />
<br />
The data subject has stated that, in his opinion, the agreement or legitimate interest determined as the basis for processing based on the information provided by the controller is not applicable in his case. The registered person has therefore doubted the legality of the processing of his personal data. Based on the registrar's report, the data subject has only been given general information about the grounds for personal data processing, because according to his statement, the registrar has not been able to confirm the identity of the data subject and thus check whether the data subject's personal data can be found in the data controller's registers. The data controller's privacy statement states that the basis for processing personal data is either a contract or a legitimate interest.<br />
<br />
The processing of personal data is legal only when there is a basis for processing according to Article 6, paragraph 1 of the General Data Protection Regulation. According to the report given to the office by the data protection officer of the data controller, the basis for processing the personal data of the registered person is the contract that was created based on the customership when the registered person registered for the training. According to Article 6, paragraph 1, subparagraph b of the General Data Protection Regulation, the processing of personal data is lawful when the processing is necessary for the implementation of an agreement to which the data subject is a party.<br />
<br />
The deputy data protection commissioner considers that the data controller has had grounds to process the data subject's personal data, because the data subject has registered and participated in the training organized by the data controller. The Deputy Data Protection Commissioner therefore considers that the data controller had a basis for processing the personal data of the registered person in accordance with Article 6, Paragraph 1 of the General Data Protection Regulation.<br />
Storage period of personal data concerning the registrant<br />
<br />
Paragraph 39 of the introductory paragraph of the General Data Protection Regulation states that personal data should be sufficient and relevant and limited to what is necessary for the purposes of their processing. This requires in particular that the storage period of personal data is as short as possible. The controller must set deadlines for the deletion of personal data or for periodic review of the necessity of their storage, in order to ensure that personal data is not stored longer than necessary.<br />
<br />
Article 5(1)(e) of the General Data Protection Regulation provides for the principle of limiting storage. According to the article, personal data must be stored in a form from which the data subject can be identified only as long as it is necessary to fulfill the purposes of the data processing. The storage period for personal data must always be as short as possible, and the data subject must be informed of the storage period when personal data is collected, i.e. the controller must define the storage period for personal data even before taking steps to process personal data.<br />
<br />
Article 25 of the General Data Protection Regulation provides for built-in and default data protection. According to paragraph 1 of the article, taking into account the latest technology and implementation costs, as well as the nature, scope, context and purposes of the processing, as well as the varying probability and seriousness of the risks to the rights and freedoms of natural persons caused by the processing, the controller must, in connection with determining the processing methods and the processing itself, implement appropriate technical and organizational measures, such as pseudonymization of data, that effectively implement data protection principles such as data minimization, together with the necessary protective measures, so that they can be included as part of the processing and so that the processing complies with the requirements of the General Data Protection Regulation and the rights of data subjects are protected. According to Article 25, paragraph 2 of the General Data Protection Regulation, the controller must implement appropriate technical and organizational measures to ensure that by default only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. Article 25, paragraph 2 of the General Data Protection Regulation, together with Article 5, paragraph 1, subparagraph e, concerning the limitation of storage, imposes a clear obligation on the controller to make sure that personal data is stored only for the time necessary for the purpose of its processing.<br />
<br />
According to his report, the controller has defined the retention periods for the processing of personal data by purpose of use. The controller considers that the necessity requirement for the processing of personal data ends when two years have passed since the validity of the training completed or three years have passed since the last product purchase.<br />
<br />
According to the data controller's report, the processing of the data subject's personal data has been based on an agreement that was created when the data subject signed up for training organized in April 2017. Based on the report received, the data subject has not used other services provided by the data controller, i.e. the customership can be considered to be based only on the training organized in April 2017. The registrar has stated in his report that the attended trainings are valid for three years.<br />
<br />
The Deputy Data Protection Commissioner considers that, based on the retention period specified by the above-mentioned data controller, the data controller should have deleted the data subject's personal data five years after the organized training, i.e. in April 2022. However, according to the data protection commissioner's report to the office of the Data Protection Commissioner on 20 June 2023, the data subject's training would have been valid until the end of 2020, i.e. longer than three years. Based on this information, the personal data of the registered person should have been deleted at the end of 2022. The Deputy Data Protection Commissioner considers that the data controller has therefore not complied with the retention period he defined himself for the processing of personal data. Based on the information received by the Office of the Data Protection Commissioner, the data subject submitted a request to the data controller in February 2023. The Deputy Data Protection Commissioner considers that the processing of the data subject's request for the right of inspection could not therefore have been the basis for the prolonged storage of the data, but the data should have been deleted earlier.<br />
<br />
The Deputy Data Protection Commissioner therefore considers that the data controller has processed the data subject's personal data in violation of Article 5(1)(e) and Article 25(2) of the General Data Protection Regulation. The Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subsection d of the General Data Protection Regulation to delete customer data older than the retention period defined by the data controller without undue delay, including data of the data subject. However, the deputy data protection commissioner draws the controller's attention to the fact that the controller must exercise the data subject's right to access information about him/herself before deleting the data.<br />
</pre></div>
Fred
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Findland)_-_8393/161/2019&diff=40161&oldid=0
Tietosuojavaltuutetun toimisto (Findland) - 8393/161/2019
2024-03-03T13:08:28Z
<p><a href="/index.php?title=User:Fred" class="mw-userlink" title="User:Fred"><bdi>Fred</bdi></a> moved page <a href="/index.php?title=Tietosuojavaltuutetun_toimisto_(Findland)_-_8393/161/2019&redirect=no" class="mw-redirect" title="Tietosuojavaltuutetun toimisto (Findland) - 8393/161/2019">Tietosuojavaltuutetun toimisto (Findland) - 8393/161/2019</a> to <a href="/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_8393/161/2019" title="Tietosuojavaltuutetun toimisto (Finland) - 8393/161/2019">Tietosuojavaltuutetun toimisto (Finland) - 8393/161/2019</a></p>
<a href="https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Findland)_-_8393/161/2019&diff=40161">Show changes</a>
Fred
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Findland)_-_8235/154/18&diff=40159&oldid=0
Tietosuojavaltuutetun toimisto (Findland) - 8235/154/18
2024-03-03T13:07:42Z
<p><a href="/index.php?title=User:Fred" class="mw-userlink" title="User:Fred"><bdi>Fred</bdi></a> moved page <a href="/index.php?title=Tietosuojavaltuutetun_toimisto_(Findland)_-_8235/154/18&redirect=no" class="mw-redirect" title="Tietosuojavaltuutetun toimisto (Findland) - 8235/154/18">Tietosuojavaltuutetun toimisto (Findland) - 8235/154/18</a> to <a href="/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_8235/154/18" title="Tietosuojavaltuutetun toimisto (Finland) - 8235/154/18">Tietosuojavaltuutetun toimisto (Finland) - 8235/154/18</a> corrected the name</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=8235/154/18<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2021/20210723#OT10<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Decided=<br />
|Date_Published=16.02.2021<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 6 GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR<br />
|GDPR_Article_3=Article 12 GDPR<br />
|GDPR_Article_Link_3=Article 12 GDPR<br />
|GDPR_Article_4=Article 17 GDPR<br />
|GDPR_Article_Link_4=Article 17 GDPR<br />
|GDPR_Article_5=Article 58(2)(c) GDPR<br />
|GDPR_Article_Link_5=Article 58 GDPR#2c<br />
<br />
<br />
|National_Law_Name_1=Data Protection Act (Tietosuojalaki) 1050/2018<br />
|National_Law_Link_1=https://www.finlex.fi/fi/laki/alkup/2018/20181050<br />
|National_Law_Name_2=Sosiaali- ja terveysministeriön asetus potilasasiakirjoista 298/2009<br />
|National_Law_Link_2=https://www.finlex.fi/fi/laki/alkup/2009/20090298<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=V<br />
|<br />
}}<br />
<br />
The Finnish DPA (Tietosuojavaltuutetun Toimisto) ordered a data controller to comply with the customer's request to have their personal data deleted in so far as their processing is not required by Finland's national legislation concerning patient records and the rights of patients.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
<br />
In November 2018, a customer (the data subject) purchased glasses from an optician (the data controller) and later noticed that the optician had stored his personal data in its system. The data subject requested that the controller delete his data, on the basis that he had not given his consent to storing the data.<br />
To proceed with his request for deletion, the data subject was asked to fill in an online form in which he had to provide even more personal data. The data subject refused and instead wrote a public blog post, which was accepted by the DPAs as a valid data subject request.<br />
<br />
===Dispute===<br />
<br />
<br />
===Holding===<br />
The Finnish Data Protection Ombudsman considered that the data controller had a legal basis for processing the data subject's personal data under national law, which requires retention of certain personal data of customers for a period determined by the Patient Data Record Act.<br />
The controller also had a legal basis to process patient data which were necessary for their identification when the data subject wishes to exercise his rights. However, the controller had not adequately informed the data subject about the processing of requests for deletion, nor about the reasons behind the rejection of the data subject's request.<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
Customer's request for deletion of personal data and the basis for processing personal data<br />
<br />
Thing<br />
<br />
The applicant has asked the optician to delete his information, but has not received a response to his request.<br />
<br />
Applicant's claims and reasons<br />
<br />
The applicant has been in contact with the Office of the Data Protection Commissioner on 19 November 2018 regarding the processing of personal data in the activities of the optician's shop (later also the “registrar”).<br />
<br />
The applicant has done business with the controller's business and noticed that information about him or her has been stored in the controller's system. The applicant has contacted the registrar on 8 November 2018 and stated that he has not given his consent to the storage of his data.<br />
<br />
The applicant has asked the controller to delete all his data. The applicant has inquired from the registrar why the online form collects information that the applicant says customers do not want to provide to the company. According to the applicant, the registrar's online form has asked for the first name, surname, e-mail address, address, post office, postal code, personal identity number, as well as information on the store in which the person has done business and what services he has purchased. In addition, the data subject has been asked to indicate freely what his request is about.<br />
<br />
The applicant has stated that it should be possible to control the rights without filling in all the fields marked as mandatory on that form.<br />
<br />
The applicant has not received a response to his/her inquiry from the controller and asks the EDPS to assess whether the controller has acted correctly.<br />
<br />
Statement received from the controller<br />
<br />
The Office of the Data Protection Commissioner has sent a request for clarification to the optics group's Finnish country company on 1 July 2019, to which the company declared to be the optics group's head office has submitted the report on 13 August 2019. The Office of the Data Protection Commissioner has requested an additional report from the Finnish country company on 23 April 2020, to which the head office of the optics group has submitted the report on 25 May 2020.<br />
<br />
A report on the online form has been requested from the optics group's head office on October 1, 2020. A report has been requested from the local optician's shop on the exercise of the applicant's right on 1.10.2020. The head office of the Optician Group has submitted a response to the requests for clarification on 9 October 2020.<br />
<br />
Cross-border nature of the case<br />
<br />
The local office of the optician's shop is part of an international optician's group, which has made it necessary to determine whether the Data Protection Officer or the data protection authority of another country is the competent supervisory authority.<br />
<br />
Based on the report received from the head office of the optician group, the local optician's company, the Finnish country company and the company defined as the head office of the optician group are responsible for making decisions on the processing of personal data in the applicant's case. The Registrar shall have its principal place of business in Guernsey.<br />
<br />
Based on the explanation received, the local store is the registrar when the customer orders the product from the local store. The company, which has been declared the head office of the Optician Group, participates in the processing of personal data as a joint registrar and provides IT, marketing and other support services to local stores. The Group Data Protection Officer is a shared resource of the optician group that supports local entrepreneurs in enforcing the data subject’s rights. The online form is a mechanism by which the data subject's rights can be exercised on behalf of the local movement.<br />
<br />
The optician group is not headquartered in the EU, so the procedure for cooperation between data protection authorities under Article 56 of the General Data Protection Regulation does not apply.<br />
<br />
Basis for processing personal data<br />
<br />
According to the explanation received from the controller, the processing of the applicant's personal data was based on an agreement under Article 6 (b) and a legitimate interest of the controller under Article 6 (f) to continue processing the data in order to provide a service to the customer.<br />
<br />
Informing data subjects<br />
<br />
According to the controller's report, data subjects are provided with the information required by Articles 12 to 14 of the General Data Protection Regulation on a sign placed on the counter of the shop and on cards indicating what information is collected, by whom and for what purpose. According to the controller, the customer goes through several privacy clauses at the time of booking and the controller states that he is referring to his data protection policy, which provides customers with additional information in accordance with Articles 12-14 of the General Data Protection Regulation.<br />
<br />
The data subject's right to have his data deleted<br />
<br />
According to the statement provided by the registrar, the applicant has ordered reading glasses through the registrar's local store. According to the registrar, the applicant has returned to the circulation and questioned the amount of data collected to execute the order. According to the registrar, the applicant has requested the deletion of his data but has refused to use the online form provided. The applicant has sent the business entrepreneur the message described above in connection with the applicant's claims, in which he requests, among other things, the deletion of his data.<br />
<br />
According to a report from the registrar, the entrepreneur of the business has told the applicant that health care legislation requires the registrar to keep health records for a certain period of time. Retention of health information enables clients, health care providers, and authorities to evaluate the care they receive if they encounter problems in the future. According to the registrar, the business operator has informed the applicant that, at the request of the applicant, it can only anonymise the applicant's data within the retention period.<br />
<br />
Based on the report provided by the registrar, the applicant has written a blog post about the incident, to which the Finnish country manager of the optics group has published a response. In his reply, the Finnish Country Director states that the registrar sells spectacles on the basis of a thorough examination carried out by an optician or an optician or ophthalmologist. According to the answer, many customers do not seem to know that dealing with an optician is equivalent to doing business with a healthcare professional.<br />
<br />
The Finnish country manager of the optician's movement says that opticians have an obligation to collect information that is considered patient data and keep it for the period required by law. According to the writing, it is not possible for customers to sell individual glasses without processing their personal information.<br />
<br />
In response, the Finnish country manager of the optician's store states that they process personal data as required by the general data protection regulation only for the purposes for which they were collected and about which customers have been informed in the store and on the registrar's website. If customers wish to exercise their rights under the General Data Protection Regulation, such as the right to have their data deleted, the controller has a process set up for this purpose on its website. The reason why the controller collects data again in this process is that the controller has a duty to verify the identity of the data subject. Without this, there could be a risk of data being erased incorrectly.<br />
<br />
According to the reply, the applicant will be informed of the deletion of the data and the data collected on the online form will also be deleted.<br />
<br />
Processing of personal data in connection with the online form<br />
<br />
Based on the report received, not all customers have a default email address, so the registrar needs other information in addition to the email address to ensure customer service. The registrar uses customer data for this purpose. According to the registrar, it requests identifying information on the online form, which it can compare with the information in its possession. Usually, the information used for comparison is name, phone number, and email address. If at least three items of the information provided on the form match the customer data held by the controller, the controller considers this to be a sufficient reason to proceed with the customer's request.<br />
<br />
If any of the information does not match the customer information, the registrar may call the customer to verify their identity. This may be the case, for example, when a customer sends a request online and the email address matches the customer information, but the phone number does not. If the controller is still unable to verify the identity, it may require the customer to present an identity card at the store.<br />
<br />
According to the registrar, in most cases the identity of the data subject can be easily established without formal identification. The controller shall consider that the information it collects for this purpose is relevant, adequate, necessary and proportionate. The goal of the registrar has been to create an authentication process that is not intrusive to customers. The controller wants to point out that it does not collect information about customers that it does not already have in its register.<br />
<br />
According to the explanation received, the data subject may make his request orally or in writing. The majority (approx. 99%) of the data subject's requests have been made via the online form. Since May 2018, the controller has reported a total of 12,547 requests across Europe.<br />
<br />
According to the report provided by the registrar, the online form has changed after 2018. In the current form, the free-form field for specifying the request has been replaced by check boxes and the registrant will be asked to specify his relationship with the controller. In addition, looking at the updated form, it can be seen that instead of a personal identity number, the registrant is asked to fill in the date of birth.<br />
<br />
The required information is marked with an asterisk. When at least three of the data completed in the request match the customer data, the controller considers this to be a sufficient reason to proceed with the customer's request. Surname, address, e-mail address and date of birth are used for this purpose.<br />
<br />
Information on the store in which the data subject has transacted and what services the data subject has purchased will help the registrar to link the request to the local optician and the service used to execute the request.<br />
<br />
The registrar considers that all the mandatory information on the form is necessary and that the form is simple and easy to use. The data subject's rights are exercised by the controller's data protection team and the data is used only to enforce the rights. The information is not available to other teams in the Group.<br />
<br />
Applicant's reply<br />
<br />
The applicant is given the opportunity to respond in the matter. The applicant submitted the defense on 19.11.2020. In his defense, the applicant states that the report sent to the Office by the Data Protection Officer contains a number of errors.<br />
<br />
The applicant states that he has not received any emails or other contacts from the controller throughout the process, with the exception of the reply received from the controller's employee in October 2020.<br />
<br />
On 2 September 2020, the applicant has been in contact with the CEO of the optics group in Finland and has inquired about the response to the personal data deletion request made to the data protection officer in November 2018. The applicant has re-inquired on 11.9.2020. The applicant has received a reply from the Finnish CEO on 23.10.2020, regretting that the matter has not been confirmed and stating that the matter will be confirmed separately.<br />
<br />
According to the applicant, the controller has recorded information without asking the applicant, which the applicant would not have wanted to provide to the controller even with his consent. According to the applicant, that information appears to have been obtained from a prescription written by an ophthalmologist. According to the applicant, the consent of the applicant has not been sought for the recording of the data.<br />
<br />
On 25 November 2020, the applicant was asked what errors the report submitted by the data controller to the Office of the Data Protection Officer contains. According to the applicant, he orally requested the deletion of his data on his second visit to the store, about a week after the original purchase transaction, i.e. in November 2018.<br />
<br />
According to the applicant, the movement claimed, numerous times and by several persons, that the data could not be deleted. According to the applicant, no reasons were given for this. According to the applicant, he was instead given a note with the contact details of the data protection officer of the controller. The applicant had sent an e-mail to this party, the content of which has been described above in connection with the applicant's claims.<br />
<br />
According to the applicant, he has not been advised to use the form on the website. According to the applicant, he has still also sent the request via an electronic form. According to the applicant, the controller has not responded to either request sent by the applicant in a way that the applicant could have detected.<br />
<br />
According to the applicant, he was never informed of the statutory obligation of opticians and ophthalmologists to draw up and keep patient records. The applicant denies being a patient of the controller. According to the applicant, he is an ordinary customer who has purchased an object from the registrar without receiving, for example, medical measurement services. According to the applicant, he did not know that the controller would set up a document containing information about him. According to the applicant, he was not informed that his data would be stored.<br />
<br />
Legal issue<br />
<br />
The Data Protection Officer assesses and decides on the applicant's case on the basis of the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). The following issues remain to be resolved:<br />
1) whether there has been a ground for processing the applicant's personal data in accordance with Article 6 of the General Data Protection Regulation;<br />
2) whether the processing of personal data by the controller in connection with the online form has complied with the principle of minimization in accordance with Article 5 (1) (c) of the General Data Protection Regulation; and<br />
3) whether the controller should be ordered in accordance with Article 58 (2) (c) of the General Data Protection Regulation to comply with the applicant's request for his data to be deleted.<br />
<br />
Decision of the EDPS<br />
<br />
The EDPS considers that the controller has had the grounds for processing personal data required by Article 6 of the General Data Protection Regulation.<br />
<br />
The EDPS considers that the processing of personal data by the controller in the context of the online form is not contrary to the principle of minimization set out in Article 5 (1) (c) of the General Data Protection Regulation.<br />
<br />
The EDPS shall issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation. The EDPS notes that the activities of the controller have not complied with the obligations set out in Article 12 of the General Data Protection Regulation. The controller has not responded to the applicant's request as required by Article 12 (3) and (4) of the General Data Protection Regulation.<br />
<br />
The EDPS instructs the controller to comply with the applicant's request to have his data deleted in accordance with Article 58 (2) (c) of the General Data Protection Regulation insofar as it does not concern patient records under section 2 of the Patient Status and Rights Act.<br />
<br />
Reasoning<br />
The basis for the processing of personal data<br />
<br />
The processing of personal data must be subject to the grounds set out in Article 6 of the General Data Protection Regulation. It should be noted that consent is only one of the grounds for processing personal data provided for in Article 6. According to the controller's explanation, the processing of the applicant's personal data has been based on an agreement in accordance with Article 6 (b) and a legitimate interest of the controller in accordance with Article 6 (f).<br />
<br />
If the data subject has used the services of an optician or ophthalmologist, the processing of personal data may also have been based on the data subject's legal obligation under Article 6 (c) of the General Data Protection Regulation.<br />
<br />
According to a report received from the registrar, the applicant has ordered reading glasses through a local store. It should be noted that the determination of suitable lenses on the basis of an eye examination is a task which requires the professional competence of an optician (Consumer Law Practices in the Optical Sector, p. 5). Pursuant to section 5 of the Health Care Professionals Act (559/1994), an optician is a health care professional. As a health care professional, an optician must, in accordance with section 12 of the Act on the Status and Rights of Patients (785/1992), enter in patient documents the information necessary to ensure the organization, planning, implementation and monitoring of patient care.<br />
<br />
According to Section 2 (5) of the Act on the Status and Rights of Patients, patient records refer to documents or technical records used, prepared or received for the organization and implementation of patient care, which contain information about his or her state of health or other personal information. The preparation of patient documents, the more detailed content of the information to be recorded in them and the data retention periods are regulated in more detail by the Decree of the Ministry of Social Affairs and Health on Patient Documents (298/2009; later the Patient Document Decree). Section 10 of the Patient Documentation Decree defines the basic information to be defined in patient records. According to subsection 1 (1) of the said section, the information to be retained is the patient's name, date of birth, personal identity number, place of residence and contact information. In accordance with section 23 of the Patient Documentation Decree, the data must be kept for the period referred to in the annex to the said decree.<br />
<br />
For the reasons set out above, the EDPS considers that the controller has had the basis for the processing of personal data required by Article 6 of the General Data Protection Regulation.<br />
<br />
On the processing of personal data in connection with the online form<br />
<br />
In accordance with Article 5 (1) (f) of the General Data Protection Regulation, the controller must ensure the confidentiality of personal data. Therefore, when exercising the data subject's rights, the controller must verify the identity of the requesting person. If the controller has reasonable grounds to doubt the identity of the natural person who made the request, the controller may, in accordance with Article 12 (6), request the provision of additional information necessary to establish the identity.<br />
<br />
In accordance with Article 5 (1) (c) of the General Data Protection Regulation, the processing of personal data must comply with the principle of minimization. Personal data processed in accordance with the principle of minimization shall be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed.<br />
<br />
Given the principle of minimization of personal data, the controller should not ask the data subject for more information than is necessary to identify him or her.<br />
According to the applicant, the registrar's online form has asked for the first name, surname, e-mail address, address, post office, postal code, personal identity number, as well as information on the store in which the person has done business and what services he has purchased. In addition, the data subject has been asked to indicate freely what his request is about.<br />
<br />
According to the report provided by the registrar, the same information that customers have provided when registering as a customer of an optician is processed in connection with the online form. According to the registrar, it uses the information in the form to verify the registered identity by comparing the information with the information in the customer register. The registrar has also stated that he updated the form used after 2018.<br />
<br />
The information collected by the registrar on the online form for identification purposes is the same information that the registrar normally processes from registrants in its customer register. The EDPS therefore considers that the processing of personal data by the controller in the context of an online form is not contrary to the principle of minimization set out in Article 5 (1) (c) of the General Data Protection Regulation.<br />
<br />
The data subject's right to have his data deleted<br />
<br />
Article 17 of the General Data Protection Regulation provides for the right of the data subject to have his or her personal data deleted. According to this provision, the data subject has the right, under certain conditions, to have the controller delete personal data concerning the data subject without undue delay, and the controller has the obligation to delete personal data without undue delay.<br />
Article 12 (3) of the General Data Protection Regulation requires the controller to inform the data subject of the action taken on a request under Articles 15 to 22 without undue delay and in any case within one month of receipt of the request.<br />
<br />
If the controller does not act on the data subject's request, Article 12 (4) of the General Data Protection Regulation requires the controller to inform the data subject of the reasons without delay and at the latest within one month of receiving the request. In that case, the controller shall also inform about the possibility to lodge a complaint with the supervisory authority and to seek other legal remedies.<br />
<br />
According to the registrar, the applicant had requested the deletion of his data in the shop, but had refused to use the online form created to make the request. According to the registrar, the applicant had sent a request for deletion to the e-mail address of the optician's entrepreneur.<br />
<br />
According to the registrar, the business entrepreneur told the applicant that health care legislation requires the registrar to keep health information for the period required by the legislation.<br />
According to the registrar, the applicant had written a blog post about the incident, to which the Finnish country manager of the optics group had published a response. In the reply, the Finnish Country Director generally describes the registrar's obligation to collect and store information that is considered to be patient data for the period required by law.<br />
<br />
According to the applicant, he had requested the deletion of his personal data at a shop where he had been informed that the data could not be deleted. The reason for this was not stated according to the applicant. According to the applicant, he was given a piece of paper with the contact details of the data protection officer of the controller. The applicant sent their removal request to the email address provided to them. According to the applicant, he was not advised to use the form on the website. Nevertheless, the applicant also sent a deletion request to the controller using the online form.<br />
<br />
According to the applicant, the controller has not responded to either request sent by the applicant in a way that the applicant could have detected.<br />
<br />
It is still unclear what information was provided to the applicant when he requested the deletion of his information. It is also not clear from the information received whether the applicant's data has been deleted. It is clear, on the other hand, that the applicant has been unaware of the conditions under which healthcare legislation retains data. It should also be noted that the general reply of the Finnish country manager of the optician group published in response to the applicant's blog post cannot be considered as a notification within the meaning of Article 12 (3) and (4) of the General Data Protection Regulation.<br />
<br />
On the basis of the above, the EDPS will issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation. In view, in particular, of the controller's obligation to provide evidence laid down in Article 5 (2) of the General Data Protection Regulation, the controller's conduct must be considered not to comply with the obligations laid down in Article 12 of the General Data Protection Regulation. In particular, also taking into account the provisions of Article 5 (2) of the General Data Protection Regulation, the controller cannot be considered to have responded to the applicant's request as required by Article 12 (3) and (4) of the General Data Protection Regulation.<br />
<br />
On the basis of the above, the EDPS orders the controller to comply with the applicant's request for deletion of his data in accordance with Article 58 (2) (c) of the General Data Protection Regulation insofar as it does not concern patient records under Section 2 of the Patient Status and Rights Act.<br />
<br />
Applicable law<br />
<br />
Mentioned in the explanatory memorandum.<br />
<br />
Appeal<br />
<br />
According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).<br />
<br />
The decision is not yet final.<br />
<br />
</pre></div>
Fred
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Findland)_-_6609/163/19&diff=40151&oldid=0
Tietosuojavaltuutetun toimisto (Findland) - 6609/163/19
2024-03-03T13:06:57Z
<p><a href="/index.php?title=User:Fred" class="mw-userlink" title="User:Fred"><bdi>Fred</bdi></a> moved page <a href="/index.php?title=Tietosuojavaltuutetun_toimisto_(Findland)_-_6609/163/19&redirect=no" class="mw-redirect" title="Tietosuojavaltuutetun toimisto (Findland) - 6609/163/19">Tietosuojavaltuutetun toimisto (Findland) - 6609/163/19</a> to <a href="/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_6609/163/19" title="Tietosuojavaltuutetun toimisto (Finland) - 6609/163/19">Tietosuojavaltuutetun toimisto (Finland) - 6609/163/19</a> corrected the name</p>
<p><b>New page</b></p><div><!-- Any Content? --><br />
{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=6609/163/19<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://finlex.fi/fi/viranomaiset/tsv/2021/20210743#OT6<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=08.02.2021<br />
|Date_Published=19.02.2021<br />
|Year=2021<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 25(2) GDPR<br />
|GDPR_Article_Link_2=Article 25 GDPR#2<br />
|GDPR_Article_3=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2d<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=V<br />
|<br />
}}<br />
<br />
== English Summary ==<br />
The Finnish DPA rendered a decision in a case between a parent (the applicant) and a company specialized in kindergarten and school photography (the controller). The applicant complained that a miniature of his children's picture appeared on the invoice sent by the controller. The Finnish DPA ruled that including a miniature of the children's pictures on the invoice was not necessary for the purpose of payment or security, and that the controller had therefore infringed the principle of data minimization enshrined in Article 5(1)(c) GDPR. The Finnish DPA further ordered the controller to bring its processing activities into compliance under Article 58(2)(d) GDPR.<br />
<br />
=== Facts ===<br />
The controller is a Finnish company specialized in taking pictures of children at kindergartens and schools. The controller printed and sent pictures of about 400,000 pupils each year. For several years, the controller had followed a practice of printing a miniature of the pictures on the invoice sent to the parents. After receiving an invoice on which a miniature of his children's picture was printed, a parent contacted the controller's customer service to complain about that practice. The controller did not agree with the parent. As a consequence, the parent lodged a complaint with the Finnish DPA.<br />
<br />
=== Dispute ===<br />
The dispute concerned whether printing the children's pictures in miniature on the invoice complied with the GDPR, and in particular with the principle of data minimisation enshrined in Article 5(1)(c) GDPR. According to the company, printing the pictures in miniature on the invoice enabled its employees to make sure that the correct pictures and invoices were sent together to each customer. The controller also argued that the practice was justified from the point of view of data security. According to the parent, the practice was not necessary for the purposes pursued by the controller, and violated the principle of data minimisation, according to which personal data must be "''adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed''" (Article 5(1)(c) GDPR).<br />
<br />
=== Holding ===<br />
The Finnish DPA ruled that the controller did not comply with the principle of data minimization set out in Article 5(1)(c) GDPR when processing personal data in connection with invoices. The Finnish DPA furthermore instructed the controller to bring the processing of personal data into compliance by no longer printing or including miniatures of the children's pictures on the invoices.<br />
<br />
== Comment ==<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
Decision of the Assistant Supervisor<br />
<br />
Thing<br />
<br />
Data minimization<br />
<br />
Applicant's claims and reasons<br />
<br />
On 30 August 2019, the applicant brought an action in the Office of the Data Protection Officer concerning the fact that the pictures of his children appear in miniature on the data controller's invoice. The registrar specializes in kindergarten and school photography. The applicant has contacted the controller's customer service, and according to the customer service message sent to the DPO's office, the controller's data security officer is to consider covering the images in the invoices sent to the collection agency.<br />
<br />
Statement received from the controller<br />
<br />
On 12 January 2021, a clarification was requested from the data controller. The request for clarification has been answered on 21 January 2021. The report provided states that the registrar prints the photos on photo printers and the invoices on normal paper printers. According to the report, the invoices also act as packing lists, and the registrar prints black-and-white images on them in addition to the customer's home address. According to the study, the size of a single image is 1.4 x 2 cm. According to the report, the images on the invoice enable the controller's staff to ensure that the images to be sent and the invoice match, which, according to the report, ensures that the controller does not send photographs to incorrect addresses.<br />
<br />
According to the report, the images will not be added to the collection invoice, but the customer may want to see the original invoice because the customer who ordered the images may have lost or destroyed the original invoice and wants to see it after receiving the collection invoice. Furthermore, according to the report, the registrar submits a pdf copy of the original invoice to the collection agency, if necessary.<br />
<br />
The report states that the controller has not taken any appropriate action. According to the study, the registrar prints and sends photos of about 400,000 students each year, and this is the first time the registrar has received customer feedback. According to the report, the registrar has been printing the images on the invoices for several years. According to the registrar, images significantly improve security of supply and, in its view, the current practice is justified from the point of view of data security related to the supply of images.<br />
<br />
Applicant's reply<br />
<br />
On 22 January 2021, the Office of the Data Protection Officer requested a reply and address information from the applicant. In his defense, received on 27 January 2021, the applicant stated that he did not consider that the collection agency should see the pictures of his children under any circumstances.<br />
<br />
Applicable law<br />
<br />
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of directly applicable law in the Member States. The General Data Protection Regulation contains a national margin of maneuver, on the basis of which national law may supplement and clarify matters specifically defined in the Regulation. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999).<br />
<br />
Legal issue<br />
<br />
The Assistant Data Protection Supervisor will assess and resolve the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act. The matter needs to be resolved<br />
<br />
1. whether the controller has complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation when processing personal data in connection with invoices; and<br />
<br />
2. whether an order must be made to the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring its processing operations in line with the provisions of the General Data Protection Regulation.<br />
<br />
Decision and reasons of the Assistant Data Protection Supervisor<br />
<br />
Decision<br />
<br />
The controller has not complied with the principle of data minimization set out in Article 5 (1) (c) and Article 25 (2) of the General Data Protection Regulation when processing personal data in connection with invoices.<br />
<br />
Regulation<br />
<br />
The Assistant DPO shall instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing of personal data in connection with invoices into line with Articles 5 (1) (c) and 25 (2) of the General Data Protection Regulation, ensuring that invoices no longer contain unnecessary personal data.<br />
<br />
Reasoning<br />
<br />
The principle of data minimization<br />
<br />
Article 5 (1) (c) of the General Data Protection Regulation lays down the principle of data minimization. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.<br />
<br />
The personal data processed must, as mentioned above, be necessary for the purpose for which the personal data are processed. It should be noted that the content of the so-called necessity requirement had already been specified in the Government's proposal concerning the Personal Data Act. Personal data may be considered necessary for the purpose of processing when they are relevant and relevant and not excessive in relation to the purpose for which they were collected and for which they are subsequently processed (HE 96/1998 vp, p.42). Recital 39 of the General Data Protection Regulation also states that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. It can therefore be concluded that personal data may only be processed if the purpose of the processing cannot reasonably be achieved by other means.<br />
<br />
As mentioned above, this is a matter of the principle of data minimization, which has also been the subject of practical guidance by the European Data Protection Board in the context of its guidelines. According to these guidelines, it should first be clarified whether the processing of personal data is necessary at all. The processing of personal data is explicitly advised to be avoided whenever possible. In addition, it has been specifically emphasized that the personal data processed must be relevant to the purpose of the processing in question. All personal data processed should also be necessary for a specific purpose. The processing of certain personal data should only be allowed if the purpose of the processing cannot be achieved by other means. In practice, therefore, as little personal data as possible should be collected in each situation.<br />
<br />
In addition, Article 25 (2) of the General Data Protection Regulation is relevant. The controller shall take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amounts of personal data collected, the extent of the processing, the retention period and the availability. These measures shall in particular ensure that, by default, personal data are not made available to an unlimited number of persons without the consent of the natural person.<br />
<br />
On the present case<br />
<br />
It should be noted that nothing has been put forward in the case to show that small black and white images are necessary to ensure that photographs are not sent to incorrect addresses. The EDPS also considers that, on the basis of the explanation received, the transmission of a document showing the thumbnails to the debt collection agency is not necessary for the recovery of the claim.<br />
<br />
The EDPS considers that the purpose of the processing could reasonably be achieved by other means. As stated in the guidelines issued by the European Data Protection Board, the processing of personal data must be avoided. In addition, the EDPS draws attention to the fact that this has been the processing of children's personal data and emphasizes in this respect that, according to recital 38 of the General Data Protection Regulation, special efforts must be made to protect children's personal data.<br />
<br />
For the reasons set out above, the Assistant EDPS instructs the controller, in accordance with Article 58 (2) (d) of the General Data Protection Regulation, to bring the processing of personal data in connection with invoices in line with the General Data Protection Regulation.<br />
<br />
Applicable law<br />
<br />
Mentioned in the explanatory memorandum.<br />
<br />
Appeal<br />
<br />
According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).<br />
<br />
The decision is not yet final.<br />
</pre></div>
Fred
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Findland)_-_6465/182/2018&diff=40149&oldid=0
Tietosuojavaltuutetun toimisto (Findland) - 6465/182/2018
2024-03-03T13:05:45Z
<p><a href="/index.php?title=User:Fred" class="mw-userlink" title="User:Fred"><bdi>Fred</bdi></a> moved page <a href="/index.php?title=Tietosuojavaltuutetun_toimisto_(Findland)_-_6465/182/2018&redirect=no" class="mw-redirect" title="Tietosuojavaltuutetun toimisto (Findland) - 6465/182/2018">Tietosuojavaltuutetun toimisto (Findland) - 6465/182/2018</a> to <a href="/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_6465/182/2018" title="Tietosuojavaltuutetun toimisto (Finland) - 6465/182/2018">Tietosuojavaltuutetun toimisto (Finland) - 6465/182/2018</a> corrected the name</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto (Finland)<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Tietosuoja.fi<br />
|Original_Source_Link_1=https://tietosuoja.fi/artikkeli/-/asset_publisher/apulaistietosuojavaltuutettu-antoi-finnkinolle-huomautuksen-ja-maarayksen-muuttaa-henkilotietojen-kasittelyn-toimintatapoja<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 6(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1a<br />
|GDPR_Article_3=Article 13 GDPR<br />
|GDPR_Article_Link_3=Article 13 GDPR<br />
|GDPR_Article_4=Article 21(2) GDPR<br />
|GDPR_Article_Link_4=Article 21 GDPR#2<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Finnkino<br />
|Party_Link_1=<br />
|Party_Name_2=Anonymous<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=<br />
|<br />
}}<br />
<br />
The Tietosuojavaltuutetun toimisto ordered Finnkino to change its privacy policy and to change its practices to guarantee the right to object in accordance with the GDPR. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The DPA received 40 complaints against the cinema company Finnkino regarding its direct marketing communications, the information about the collection of data and the data subject's rights. <br />
===Dispute===<br />
In addition to the issue regarding the lack of information about the collection of data and the data subject's rights, the Tietosuojavaltuutetun toimisto had to determine whether a controller may pursue direct marketing communications without the data subjects' consent.<br />
<br />
===Holding===<br />
The Tietosuojavaltuutetun toimisto found that Finnkino was pursuing direct marketing communications without having obtained customers’ valid consent. Moreover, it didn’t inform the data subjects that their calls are recorded and that they have the right to object to data processing. Finally, it collected more data than necessary for its purposes. Thus, Finnkino was ordered to change its privacy policy according to the GDPR requirements. The decisions on all complaints are not final since they are subject to appeal before the Administrative Court.<br />
<br />
==Comment==<br />
<br />
''Share your comments articles here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
<br />
The decision below is a machine translation of the original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
Assistant Data Protection Officer gave Finnkino a note and order to change the way personal data are processed<br />
12.12.2019 9.04<br />
Release<br />
<br />
The Assistant Data Protection Commissioner has ordered Finnkino Oy to change its privacy policy. Incorrect practices include, but are not limited to, enforcing customer privacy rights and sending direct email marketing. The Office of the Data Protection Ombudsman has dealt with 40 Finnkino cases.<br />
<br />
The Assistant Data Protection Officer gave Finnkino a note on the forced consent to electronic direct marketing. If a customer wanted to buy Finnkino e-tickets or book tickets online, they had to join the Finnkino Lab customer program and agree to receive direct marketing. The client program could not be joined without ticking the box that indicated its consent to direct marketing. This policy does not meet the requirements of the General Data Protection Regulation on voluntary consent as a basis for processing personal data.<br />
<br />
In his decision, the Assistant Data Protection Officer also noted that Finnkino has not exercised the data subject's right to object to the processing of personal data. Under data protection law, a data subject may at any time object to the processing of their personal data for direct marketing purposes. The Assistant Data Protection Supervisor states that the data subject must be able to object to the processing of personal data even when his or her personal data are collected. Therefore, it is not sufficient for the customer to subsequently request the company to stop sending electronic direct mail.<br />
<br />
In addition, the Assistant Data Protection Officer gave Finnkino a note on the procedures for identifying the data subject, which have caused unreasonable inconvenience to customers. Finnkino has required customers to send a photo of their passport or both sides of their identity card for identification. In addition, a photo of the person's face next to the ID is required for identification. Finnkino has demanded more information for identification than it originally had.<br />
<br />
The Assistant Data Protection Officer's note also applies to the fact that Finnkino had not told its customers about the recording of calls. However, even before the note from the Assistant Data Protection Officer, Finnkino has changed this approach.<br />
<br />
As the legal situation has been unclear since the date of application of the General Data Protection Regulation, the Assistant Data Protection Supervisor considers that Finnkino's reprehensible conduct does not require a heavier penalty than the comment. The decision is also influenced by the fact that, based on the feedback received, Finnkino has spontaneously taken action to comply with the General Data Protection Regulation.<br />
<br />
Of the cases now closed, 34 concerned forced consent for direct electronic marketing and six concerned data subject identification practices. In addition, in one case it was complained that Finnkino had not told the customer about the recording of the calls.<br />
<br />
The decisions are subject to appeal to the Administrative Court, so they are not yet final.<br />
<br />
Decision of the Assistant Data Protection Supervisor on consent for direct marketing purposes and the exercise of the right of objection (Finlex)<br />
Assistant Data Protection Officer's decision to identify the data subject and record calls (Finlex)<br />
<br />
For more information:<br />
Assistant Data Protection Officer Anu Talus, tel. +358 29 566 6766, anu.talus (at) om.fi<br />
</pre></div>
Fred