<p>GDPRhub - Recent changes [en], 2024-03-28T18:11:33Z</p>
<p>Tietosuojavaltuutetun toimisto (Finland) - TSV/29/2020, 2024-03-28T15:34:42Z</p>
<p>https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV/29/2020&diff=40638&oldid=0</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=TSV/29/2020<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tsv/2024/20242123<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=27.01.2020<br />
|Date_Decided=12.03.2024<br />
|Date_Published=27.03.2024<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 25(2) GDPR<br />
|GDPR_Article_Link_2=Article 25 GDPR#2<br />
|GDPR_Article_3=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2d<br />
|GDPR_Article_4=Article 87 GDPR<br />
|GDPR_Article_Link_4=Article 87 GDPR<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 29(4) Data Protection Act<br />
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=fred<br />
|<br />
}}<br />
<br />
The DPA found a hospital to have breached the principle of data minimisation and data protection by design and by default by including personal identification codes in text messages.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Finnish DPA was notified that a hospital had sent test results to its patients by SMS, including the patient's personal identification code. The DPA then asked the controller to explain the purpose of including personal identification codes in text messages.<br />
<br />
In response to the request, the controller clarified that its mobile service automatically sent test results, treatment instructions and a proposal for the next monitoring date to patients via SMS. The controller stated that the inclusion of the personal identification code in the SMS ensured that the patient information was not inadvertently disclosed to the wrong people.<br />
<br />
The controller considered that the risk related to the processing of the personal identification code was minimal when the personal identification code was sent as an SMS to the patient's mobile phone. The controller claimed that if the SMS was sent to the wrong person, the risks to the life and health of the data subject could be significant.<br />
<br />
=== Holding ===<br />
On the basis of the information provided by the controller, the DPA noted that the purpose of [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29 Section 29 of the Finnish Data Protection Act] is to protect the personal identification code and to prevent its unnecessary processing. In addition, according to [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29 Section 29(4) of the Finnish Data Protection Act], the personal identification code should not be unnecessarily included in documents printed from or created on the basis of a filing system. The DPA was of the opinion that an SMS should be considered such a document.<br />
<br />
The DPA emphasised that, in accordance with [[Article 87 GDPR]], the national identity number shall be used only under appropriate safeguards for the rights and freedoms of the data subject. The DPA noted that the personal identification number is a unique and virtually permanent identifier, the access to which by third parties may cause significant harm to the data subject, such as identity theft. Furthermore, the SMS messaging system does not provide for the encryption of message content or traffic data. <br />
<br />
In light of this, the DPA considered that including the personal identification code in the SMS does not in fact affect whether the SMS is addressed to the right person. The DPA stated that the controller should not process personal identification codes for the sole purpose of facilitating its operations. Therefore, the controller should not have unnecessarily included the personal identification code in the SMS.<br />
<br />
On the basis of the information gathered, the DPA held that the controller had violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], [[Article 25 GDPR#2|Article 25(2) GDPR]] and [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29 Section 29(4) of the Finnish Data Protection Act]. As a result, and in accordance with [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA ordered the controller to bring its processing operations into compliance with the aforementioned provisions.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
Thing<br />
<br />
Sending personal ID and laboratory test data to the patient via text message<br />
<br />
Registrar<br />
<br />
Welfare district (At the time the matter was initiated, the hospital district was the data controller. From January 1, 2023, responsibility for the register has been transferred from the hospital district to the welfare district.)<br />
<br />
Notification made to the office of the Data Protection Commissioner<br />
<br />
The person who contacted the Data Protection Commissioner's office on January 27, 2020 stated in his report that he had received a text message from the central hospital that started with his personal identification number and in which he was told that his PSA sample had failed. The text message asked to contact the laboratory.<br />
<br />
The initiator inquires about the compliance of the operating method with data protection legislation.<br />
<br />
Statement received from the registrar<br />
<br />
The Office of the Data Protection Commissioner has requested an explanation from the data controller with an explanation request dated August 2, 2022. On August 23, 2022, the registrar has issued a written statement on the matter.<br />
<br />
The controller has presented in his report that the inclusion of the personal identification number in text messages ensures that, for example, information is not accidentally directed to wrong persons with the same name.<br />
<br />
According to the registrar, the mobile service automatically sends the patient a text message with the value measured in the test, treatment instructions and a proposal for the next control day. The contents of automatic text messages can be, for example, the following:<br />
<br />
“[Patient ID]: [Test X] score is [Y] and everything is fine. Your next checkup is on [date]”<br />
<br />
“[Patient ID]: The value of [Test X] is [Y]. To check the situation, please contact us"<br />
<br />
According to the registrar, in a service where the personal identification number is transmitted as a text message to the patient's own mobile phone, the risk related to the processing of the personal identification number is estimated to be low. On the other hand, in a situation where a message after a laboratory test is targeted to the wrong person, the risks to the registered person's life and health can be considerably high.<br />
<br />
On applicable legislation<br />
<br />
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) and the specifying national data protection act (1050/2018) apply in this case.<br />
<br />
Article 5(1)(c) of the General Data Protection Regulation provides for the principle of data minimization. According to the article, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.<br />
<br />
Article 25 of the General Data Protection Regulation provides for built-in and default data protection. According to paragraph 1 of the article, taking into account the latest technology and implementation costs, as well as the nature, scope, context and purposes of the processing, as well as the varying probability and seriousness of the risks to the rights and freedoms of natural persons caused by the processing, the controller must, both when determining the processing methods and during the processing itself, implement appropriate technical and organizational measures, such as pseudonymization of data, for the effective implementation of data protection principles such as data minimization, and the necessary protective measures, so that they can be included as part of the processing and so that the processing complies with the requirements of the General Data Protection Regulation and the rights of data subjects are protected. According to paragraph 2 of the article, the controller must implement appropriate technical and organizational measures to ensure that by default only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. With the help of these measures, it must be ensured in particular that personal data is not, by default, made available to an unlimited number of people without the contribution of a natural person.<br />
<br />
Article 32 of the General Data Protection Regulation provides for the security of processing. According to paragraph 1 of the article, taking into account the latest technology and implementation costs, the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, which vary in their probability and severity, the controller and the personal data processor must implement appropriate technical and organizational measures to ensure a level of security corresponding to the risk. According to paragraph 2 of the article, when assessing the appropriate level of security, special attention must be paid to the risks involved in the processing, especially those due to the accidental or illegal destruction, loss or alteration of, or the unauthorized disclosure of or access to, transferred, stored or otherwise processed personal data.<br />
<br />
Article 87 of the General Data Protection Regulation provides for the handling of the national identity number. According to the article, member states can define in more detail the special conditions for processing a national identity number or other general identifier. In this case, the national identity number or other general identifier must be used only in compliance with appropriate safeguards regarding the rights and freedoms of the data subject in accordance with the General Data Protection Regulation.<br />
<br />
At the time of the event of the matter to be resolved, Section 29 of the Data Protection Act provides for the processing of personal identification numbers as follows: According to Section 29, subsection 1, personal identification numbers may be processed with the consent of the data subject or, if the processing is stipulated by law. In addition, the personal identification number may be processed if unambiguous identification of the registered person is important: 1) in order to perform a task stipulated by law; 2) to implement the rights and obligations of the registered or data controller; or 3) for historical or scientific research or statistics. According to section 29 subsection 2 of the Data Protection Act, the personal identification number may be processed in the granting of credit or debt collection, insurance, credit institution, payment service, rental and lending activities, credit information activities, health care, social care and other social security or official, employment and other service relationships and related to them in matters concerning related interests. According to section 29 subsection 4 of the Data Protection Act, the personal identification number should not be entered unnecessarily in documents printed or drawn up based on the personal register.<br />
<br />
The regulation of Section 29 of the Data Protection Act has been tightened with a legal amendment that entered into force on January 1, 2024. In this decision of the Deputy Data Protection Commissioner, the regulation in force at the time of the event is applied.<br />
<br />
A legal issue<br />
<br />
The Deputy Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).<br />
<br />
The Deputy Data Protection Commissioner must resolve:<br />
<br />
Has the controller's procedure, in which it has usually sent automated text messages regarding laboratory visits to registered users, including personal identification numbers, been in accordance with Article 5(1)(c) and Article 25(2) of the General Data Protection Regulation and Section 29.4 of the Data Protection Act?<br />
<br />
The case that is now the subject of the decision also involves matters related to the use of text messages and the security of processing, in accordance with Article 32, paragraphs 1 and 2 of the General Data Protection Regulation. Regarding the protection of personal data sent by text message, the Deputy Data Protection Commissioner gives guidance to the controller.<br />
<br />
Decision of the Deputy Data Protection Commissioner<br />
Decision<br />
<br />
The controller's usual procedure, in which it has sent automated text messages regarding laboratory visits to registered users that include personal identification numbers, has not been in accordance with Section 29.4 of the Data Protection Act (personal identification processing), Article 5(1)(c) (minimization of data) of the General Data Protection Regulation and Article 25(2) (default data protection) of the General Data Protection Regulation.<br />
<br />
The controller is given an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing activities regarding the processing of the personal identification number into compliance with the provisions of the General Data Protection Regulation and the Data Protection Act.<br />
<br />
The deputy data protection commissioner orders the data controller to submit a report on the measures taken to the data protection commissioner's office by May 13, 2024, unless it applies for an amendment to this decision.<br />
<br />
Regarding the procedure for sending laboratory research data by text message, the deputy data protection commissioner gives guidance to the data controller.<br />
<br />
Reasoning<br />
The necessity of a personal ID in text messages<br />
<br />
In the case being evaluated now, the person who reported to the data protection commissioner's office has been sent a text message about the failure of the laboratory test. In addition, the personal identification number of the person who made the report was mentioned in the text message and he was urged to contact the laboratory. The text message was about a message sent to the patient automatically, via a mobile service.<br />
<br />
In its report, the registrar has stated that by including the social security number in text messages, it is ensured that, for example, information is not mistakenly directed to persons with the same name but different social security numbers.<br />
<br />
The purpose of Section 29 of the Data Protection Act is to protect the personal identification number and to try to prevent its unnecessary processing. (HE 96/1998, p. 48.) According to Section 29.4 of the Data Protection Act, the personal identification number must not be entered unnecessarily in documents printed or drawn up based on the personal register.<br />
<br />
The concept of a document is broad. In legislation, the concept of a document is defined, for example, in Section 5.1 of the Publicity Act (621/1999). According to the law, in the law in question, a document means, in addition to a written and pictorial representation, a message made up of signs intended to belong together due to its use, about a specific object or matter, which can only be found out with the help of automatic data processing or audio and video reproduction devices or other aids. (It should also be remembered that the protection of natural persons should be technology-neutral, i.e. it should not depend on the technology used, see e.g. introductory paragraph 15 of the General Data Protection Regulation.) What is stipulated in Section 29.4 of the Data Protection Act is not limited to certain types of documents. In the case being evaluated now, the text message must be considered a document referred to in Section 29.4 of the Data Protection Act, in which the personal identification number should not be entered unnecessarily.<br />
<br />
In addition to Section 29 of the Data Protection Act, other relevant provisions of the General Data Protection Regulation, such as Article 5(1)(c) and Article 25(2) of the General Data Protection Regulation, apply to the processing of personal identification numbers. (The national identity number must only be used in compliance with the appropriate safeguards regarding the rights and freedoms of the data subject in accordance with the General Data Protection Regulation, see Article 87 of the General Data Protection Regulation and HE 9/2018 vp, p. 113. See also e.g. the decision of the Court of Justice of the European Union in case C -439/19, point 96 of the decision.) It follows from the aforementioned provisions that the data controller must build its information systems so that the personal identification number is processed only in situations where it is necessary.<br />
<br />
The deputy data protection commissioner states that the reasons presented by the controller for the necessity of processing the personal identification number are essentially related to the identification of the registered person at the stage when the information of the right patient is retrieved from the information system. It is possible for the registrar to process the personal identification number in its background system for the purpose of identifying the patient and to ensure that it is the right person to whom the text message will be forwarded.<br />
<br />
The Deputy Data Protection Commissioner states that although the personal identification number can be processed to identify the person to whom the text message is intended to be forwarded, the personal identification number should not be unnecessarily included in the content of the text message.<br />
<br />
The deputy data protection commissioner considers that entering a personal identification number in a text message does not actually affect the fact that the message is directed to the right person. The registrar has not brought forward any other grounds for processing the personal identification number, and the Deputy Data Protection Commissioner is not aware of any other grounds on the basis of which it would be necessary to include the personal identification number in the text message. The procedure of the data controller has therefore not been in accordance with Articles 5(1)(c) and 25(2) of the General Data Protection Regulation or Section 29.4 of the Data Protection Act, based on the reasons presented above.<br />
<br />
In this connection, the Deputy Data Protection Commissioner reminds that the personal identification number should not be used, for example, solely for the purpose of making the operations of the data controller smoother, and the data controller should not process the personal identification number only because data processing is easier with the personal identification number. (See also HE 9/2018 vp, pp. 113–114.) Information systems must be built in such a way that text messages sent automatically do not include personal identification numbers unnecessarily. The personal identification number must also be processed in such a way that it does not become improperly available to outsiders.<br />
<br />
With regard to this procedure, the Deputy Data Protection Commissioner issues an order to the data controller to bring the processing operations into compliance with data protection regulations.<br />
<br />
Protection of personal data sent by text message<br />
<br />
With regard to the protection of personal data sent by text message, the deputy data protection commissioner provides general guidance to the data controller.<br />
<br />
The person initiating the case has been sent a text message with their personal identification number and information about the failure of a specific, separately named laboratory test. It has been about text messages sent to registrants in the usual way.<br />
<br />
The following can be stated about the data security of text messages: SMS messages travel unprotected in the mobile phone network between telecom companies. The content of SMS messages is not protected during transmission, for example with encryption, except for the radio traffic between the mobile device and the base station of the mobile phone network. The SMS message system (SS7) does not provide conditions for encrypting message content or message transmission information.<br />
<br />
In the case of text messages, it can also be noted that vulnerabilities have been identified in the SS7 protocol suite that implements the transmission mechanisms of SMS messages, which pose a threat to the confidentiality of communications and which cannot be repaired or properly managed. Because of these vulnerabilities, it is possible, for example, to direct SMS messages sent to a certain subscriber interface to a telecommunications company that is not involved in the transmission of communications in the mobile phone network and read them there in plain language. It is also possible to extract data through malware that is injected into mobile devices. In addition, misuse of the roaming feature of the SS7 protocol group may enable, for example, the eavesdropping of traffic between a mobile device and a cellular network. SMS messages can also be intercepted locally using fake access points or malicious applications.<br />
<br />
The personal identification number is a strongly identifying identifier that was originally intended to be permanent, and its becoming known to outsiders can cause significant harm to the registered person, such as becoming a victim of identity theft. The personal identification number must only be used in compliance with appropriate protective measures regarding the rights and freedoms of the data subject in accordance with the General Data Protection Regulation.<br />
<br />
Information about a medical procedure performed on a specific person is, on the other hand, health-related information belonging to special personal data groups (Article 9 of the General Data Protection Regulation). The controller must protect data belonging to special personal data groups particularly well. (See, e.g., introductory paragraph 51 of the General Data Protection Regulation. The legislation also provides for special confidentiality obligations when the health care unit processes the patient's health data.)<br />
<br />
The Deputy Data Protection Commissioner directs the data controller to note the data security risks associated with the data controller's procedure as described above, which it must take into account in order to meet the requirements of Article 32, paragraphs 1 and 2 of the General Data Protection Regulation, such as the appropriate management of risks related to access to personal data. Due to the general implementation method of text message protection, it is not practically possible for the data controller to improve this protection with technical measures; instead, it must ensure that the appropriate protection of personal data is implemented by limiting the personal data that can be included in text messages sent unilaterally to registered users.<br />
<br />
The data content of text messages sent to registrants must therefore be formed in accordance with the processing security requirement and the requirements of built-in and default data protection (Article 25 of the General Data Protection Regulation), following a risk-based approach. Likewise, when defining the content of text messages, the controller must properly take into account the shortcomings related to the protection of text messages and the nature of the information delivered by text message.<br />
<br />
Based on the above, the Deputy Data Protection Commissioner directs the data controller to limit the data content of text messages appropriately as a default method of operation. For example, in the case of the person who reported to the Data Protection Commissioner's office, it would have been possible to limit the content of the text message so that the text message would have told about the failure of the laboratory test at a general level and asked the person to contact the laboratory.<br />
<br />
When determining its procedures, the controller should also evaluate the possibilities for alternative methods of operation in the usual way of bringing personal data to the knowledge of the data subjects.<br />
</pre></div>
<p>Fred</p>
<p>CJEU - C‑37/20 and C‑601/20, - WM and Sovim SA v Luxembourg Business Registers, 2024-03-27T15:16:59Z</p>
<p>https://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%9137/20_and_C%E2%80%91601/20,_-_WM_and_Sovim_SA_v_Luxembourg_Business_Registers&diff=40614&oldid=0</p>
<p><b>New page</b></p><div>{{CJEUdecisionBOX<br />
<br />
|Case_Number_Name=C‑37/20 and C‑601/20, WM and Sovim SA v Luxembourg Business Registers<br />
|ECLI=ECLI:EU:C:2022:912<br />
<br />
|Opinion_Link=<br />
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=7822E0491037A3F35E2A8E87BF4C8A78?text=&docid=268059&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=5227097<br />
<br />
|Date_Decided=22.11.2022<br />
|Year=2022<br />
<br />
|GDPR_Article_1=Article 5(1) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=Article 30 Directive 2015/849<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%253A32015L0849<br />
|EU_Law_Name_2=Article 7 and 9 Charter of Fundamental Rights<br />
|EU_Law_Link_2=https://www.europarl.europa.eu/charter/pdf/text_en.pdf<br />
|EU_Law_Name_3=Directive 2018/843<br />
|EU_Law_Link_3=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%253A32018L0843<br />
|EU_Law_Name_4=<br />
|EU_Law_Link_4=<br />
|EU_Law_Name_5=<br />
|EU_Law_Link_5=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=SOVIM SA <br />
|Party_Link_1=<br />
|Party_Name_2=WM<br />
|Party_Link_2=<br />
|Party_Name_3=Luxembourg Business Registers<br />
|Party_Link_3=https://www.lbr.lu/mjrcs-lbr/jsp/IndexActionNotSecured.action?time=1710010265362&loop=3#ANCHOR_TO_MESSAGES<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Reference_Body=<br />
|Reference_Case_Number_Name=<br />
<br />
|Initial_Contributor=Mgrd<br />
|<br />
}}<br />
<br />
The CJEU ruled that Directive 2018/843, determining public access to EU beneficial ownership data of companies on Member State registers, violates privacy rights under the EU Charter of Fundamental Rights.<br />
<br />
==English Summary==<br />
<br />
=== Facts ===<br />
In Case C-37/20, YO, a real estate company, lodged a request with Luxembourg Business Registers (LBR) pursuant to Article 15 Law of 13 January 2019 (the Luxembourg law establishing the Beneficial Owner Register, transposing the provisions of Article 30 Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing), requesting that access to the information concerning WM, its beneficial owner, contained in the register, be restricted solely to the entities mentioned in that provision, on the ground that the general public’s access to that information would seriously, actually and immediately expose WM and his family to a disproportionate risk and a risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation.<br />
<br />
On November 20, 2019, LBR rejected the request, arguing that WM’s situation does not meet the requirements of Article 15 Law of 13 January 2019, since WM cannot rely either on ‘exceptional circumstances’ or on any of the risks referred to in that article.<br />
<br />
On 5 December 2019, WM brought an action before the tribunal d’arrondissement de Luxembourg (Luxembourg District Court, Luxembourg), maintaining that his position as executive officer and beneficial owner of YO and of a number of commercial companies requires him frequently to travel to countries whose political regime is unstable and where there is a high level of crime, which creates a significant risk of his being kidnapped, abducted, subjected to violence or even killed.<br />
<br />
In that regard, the referring court raised the question of the interpretation to be given to the concepts of ‘exceptional circumstances’, ‘risk’ and ‘disproportionate’ risk within the meaning of Article 30(9) Directive 2015/849, as amended.<br />
<br />
In Case C‑601/20, Sovim lodged a request to LBR, pursuant to Article 15 Law of 13 January 2019, requesting that access to the information concerning its beneficial owner, contained in the register, be restricted solely to the entities mentioned in that provision. On February 6, 2020, the request was rejected by LBR.<br />
<br />
On 24 February 2020, Sovim brought an action before the referring court seeking a declaration that Article 12 Law of 13 January 2019, pursuant to which access to certain information contained in the register is open to ‘any person’, and/or Article 15 Law of 13 January 2019 are inapplicable and an order for the information provided by Sovim pursuant to Article 3 Law of 13 January 2019 not to be made publicly accessible.<br />
<br />
Sovim argued that granting public access to the identity and personal data of its beneficial owner would infringe the right to respect for private and family life and the right to the protection of personal data, enshrined respectively in Articles 7 and 8 EU Charter of Fundamental Rights.<br />
<br />
They also stated that the aims of Directive 2015/849, on the basis of which the Law of 13 January 2019 was introduced into Luxembourg law, are to identify the beneficial owners of companies used for the purposes of money laundering or terrorist financing, as well as to ensure certainty in commercial relationships and market confidence. However, it has not been shown how granting the public entirely unrestricted access to the data held in the register enables those aims to be attained.<br />
<br />
Sovim highlighted that public access to personal data contained in the register constitutes an infringement of several provisions of the GDPR, in particular a number of fundamental principles set out in Article 5(1) thereof.<br />
<br />
In the alternative, Sovim claimed that the referring court should hold that there is a disproportionate risk in the present case, within the meaning of Article 15(1) Law of 13 January 2019, and accordingly make an order requiring LBR to restrict access to the information referred to in Article 3 Law of 13 January 2019.<br />
<br />
=== Holding ===<br />
The CJEU examined whether the amendment made by Directive 2018/843, mandating public access to beneficial ownership data, was valid under Articles 7 and 8 EU Charter of Fundamental Rights.<br />
<br />
This amendment requires Member States to ensure that information on beneficial ownership is accessible to the general public. The Court identified that making beneficial ownership information publicly accessible does indeed constitute an interference with these fundamental rights.<br />
<br />
The CJEU emphasized the potential for creating detailed profiles on individuals based on their economic activities and the unlimited access by potentially any person, which could lead to misuse of this information. Despite recognizing that such transparency aims to deter money laundering and terrorist financing, the Court questioned whether this broad access is strictly necessary and proportionate to the objectives pursued.<br />
<br />
The CJEU questioned the justification for this interference, considering whether the measures respect the essence of the fundamental rights under the Charter, whether they genuinely meet objectives of general interest recognized by the EU, and whether they are necessary and proportionate.<br />
<br />
Despite acknowledging the importance of combating financial crimes, the CJEU found that the directive's approach of providing unrestricted public access to beneficial ownership information did not guarantee a proper balance between the objective of general interest and the protection of fundamental rights, such as privacy. The Court highlighted the lack of clear and precise rules on the scope and application of this measure, raising concerns over the adequacy of safeguards against the risk of abuse and the difficulty for individuals to control or challenge the use of their data.<br />
<br />
Ultimately, the CJEU declared Article 1(15)(c) Directive 2018/843 invalid, concluding that making beneficial ownership information universally accessible to the public constitutes a serious interference with the rights under Articles 7 and 8 EU Charter of Fundamental Rights that is not justified by the objectives of general interest it seeks to achieve.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''</div>Im
Garante per la protezione dei dati personali (Italy) - 9996609, 2024-03-27T15:01:24Z
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Italy<br />
|DPA-BG-Color=background-color:#095d7e;<br />
|DPAlogo=LogoIT.png<br />
|DPA_Abbrevation=Garante per la protezione dei dati personali<br />
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)<br />
<br />
|Case_Number_Name=9996609<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Garante Per La Protezione Dei Dati Personali<br />
|Original_Source_Link_1=https://gdprhub.eu/images/1/1c/IT_DPA_9996009_08.02.2024.pdf<br />
|Original_Source_Language_1=Italian<br />
|Original_Source_Language__Code_1=IT<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 7 GDPR<br />
|GDPR_Article_Link_3=Article 7 GDPR<br />
|GDPR_Article_4=Article 12 GDPR<br />
|GDPR_Article_Link_4=Article 12 GDPR<br />
|GDPR_Article_5=Article 13 GDPR<br />
|GDPR_Article_Link_5=Article 13 GDPR<br />
|GDPR_Article_6=Article 24 GDPR<br />
|GDPR_Article_Link_6=Article 24 GDPR<br />
|GDPR_Article_7=Article 25 GDPR<br />
|GDPR_Article_Link_7=Article 25 GDPR<br />
|GDPR_Article_8=Article 28 GDPR<br />
|GDPR_Article_Link_8=Article 28 GDPR<br />
|GDPR_Article_9=<br />
|GDPR_Article_Link_9=<br />
|GDPR_Article_10=<br />
|GDPR_Article_Link_10=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Maggioli S.p.A.<br />
|Party_Link_1=https://www.maggioli.com/it-it<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=<br />
|<br />
}}<br />
<br />
The DPA found that a controller violated transparency and processing oversight obligations in using cookies on several websites, and determined that using an ‘X’ rather than a ‘reject’ button is permissible when its effect is explained in the cookie banner.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In August 2021, several data subjects represented by noyb (European Centre for Digital Rights) filed complaints against Maggioli S.p.A. (controller) concerning its use of cookies and other tracking tools. The complaint alleged several violations across a number of the controller’s webpages, including: <br />
<br />
• the absence of a ‘reject’ button at the first level of the cookie banner; <br />
• the use of pre-ticked boxes at the second level of the cookie banner; <br />
• the use of a cookie rejection mode that consisted of a link instead of a button (unlike the ‘accept all’ button); <br />
• the use of misleading button colors and contrasts; <br />
• the improper reliance on legitimate interest as a legal basis for cookie processing; <br />
• a procedure for revoking consent that was not easily accessible. <br />
<br />
The Italian DPA (Garante) carried out an investigation. During its investigation, it noted that the controller contracted with OneTrust (processor), a service that classified cookies and reported them in the controller’s cookie banner and cookie policy. Notably, only the processor could directly modify the cookie banner and cookie policy. The Garante also observed that the controller used only technical, non-tracking cookies. The processor, however, had erroneously attributed third parties’ tracking cookies that were on the controller’s webpage to the controller. <br />
On 30 May 2023, the DPA notified the controller of the alleged violations and that it was initiating the procedure pursuant to Article 166(5) of the Code on Protection of Personal Data. <br />
<br />
On 29 June 2023, the controller replied with a defensive brief. It noted that, upon discovering the processor’s erroneous cookie categorizations, the controller requested that the error be corrected. When the processor failed to do so in breach of their contract, the controller withdrew from the contract and entered into an agreement with a new supplier to alter the cookie banner. The controller also argued that the failure to inform users about the meaning of the X had not resulted in any violation because the controller only used technical non-tracking cookies.<br />
<br />
=== Holding ===<br />
The Garante found that the controller’s conduct breached Articles 4(11), 5, 7, 12, 13, 24, 25, and 28 GDPR as well as Article 122 of the Code. The DPA focused on three core issues with the controller’s processing.<br />
<br />
First, the controller failed to indicate the meaning of the command marked by the ‘X’ graphic in the cookie banner. The Garante considered this a violation of Articles 5(1)(a), 12 and 13 GDPR because it failed to provide data subjects the fullest possible awareness regarding the processing of their personal data and choices they are entitled to make under the law. <br />
<br />
Second, the Garante found that the controller violated Articles 4(11) and 7 GDPR by erroneously citing legitimate interest as its legal basis for processing via cookies when such processing requires consent as a legal basis. The Garante noted, however, that the controller only actually relied on legitimate interest as a legal basis for its own use of cookies, which were technical and non-tracking. As technical cookies do not require user consent, the Garante found that, although the cookie banner stated the incorrect legal basis, the controller’s own processing in fact complied with the rules and did not harm data subjects. Nonetheless, the erroneous naming of legitimate interest as the legal basis in the cookie banner was unlawful under Articles 5(1)(a), 12 and 13 GDPR because it misled consumers.<br />
<br />
Finally, the Garante noted that the relationship between the controller and processor, namely the controller’s inability to modify the cookie banner and cookie policy, resulted in violations of Articles 24, 25, and 28 GDPR. It emphasized that Articles 24 and 25 GDPR impose a responsibility on the controller to oversee processing and guarantee that processor activities comply with the GDPR. <br />
<br />
In light of these violations, the Garante issued a warning, deciding not to impose a fine. It took into account the controller’s changes to its banners following receipt of noyb’s complaints, the lack of harm to users’ data since the controller itself only used technical cookies, the lack of fraudulent intent, the controller’s withdrawal from the contract with its supplier after the supplier failed to comply with the controller’s requests, its cooperation with the DPA, and the lack of further complaints.<br />
<br />
== Comment ==<br />
‘X’ button: The Garante concluded that the ‘X’ function was sufficient where the cookie banner defined the effect of clicking ‘X.’ The issue thus was not the use of the ‘X’ (as opposed to something like a ‘reject’ button), but rather the lack of explanation within the cookie banner. In coming to this conclusion, the Garante rejected the data subjects’ arguments that a mere ‘X’ somewhere on the cookie banner was insufficient and a ‘reject’ button was required.<br />
<br />
Cookie usage: The Garante noted that the controller did not itself use profiling cookies. As a result, it found that the controller itself only resorted to the legal basis of legitimate interests in relation to this use of technical cookies, which is a proper legal basis for such cookies, and thus did not harm consumers. Notably, third parties do use tracking cookies to carry out profiling on the controller’s webpage. By concluding that the controller itself processed data in compliance with the Garante’s Guidelines, the DPA implicitly determined that the controller is not responsible for third party cookies that are used on its webpage.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Lm
Upravni sud u Zagrebu - Usl-4017/23-6, 2024-03-27T12:47:11Z
<p><b>New page</b></p><div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Croatia<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Upravni sud u Zagrebu<br />
|Court_Original_Name=Republika Hrvatska Upravni sud u Zagrebu<br />
|Court_English_Name=Administrative Court of Zagreb<br />
|Court_With_Country=Upravni sud u Zagrebu (Croatia)<br />
<br />
|Case_Number_Name=Usl-4017/23-6<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Republika Hrvatska Upravni sud u Zagrebu<br />
|Original_Source_Link_1=https://sudskapraksa.vsrh.hr/decisionPdf?id=090216ba80eeeb22%09<br />
|Original_Source_Language_1=Croatian<br />
|Original_Source_Language__Code_1=HR<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=05.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 57(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 57 GDPR#1a<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Zakon o općem upravnom postupku (Croatian Act on General Administrative Procedure)<br />
|National_Law_Link_1=https://www.zakon.hr/z/65/Zakon-o-op%25C4%2587em-upravnom-postupku<br />
|National_Law_Name_2=Zakon o provedbi Opće uredbe o zaštiti podataka (National Law Implementing the GDPR)<br />
|National_Law_Link_2=https://www.zakon.hr/z/1023/Zakon-o-provedbi-Op%25C4%2587e-uredbe-o-za%25C5%25A1titi-podataka<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nz, lm<br />
|<br />
}}<br />
<br />
The Administrative Court found that, although the DPA failed to enforce its decision contrary to the GDPR, the statute of limitations for enforcing an order under national law had expired and the DPA could not be ordered to enforce its decision.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subjects’ yard was filmed by a third party. The data subjects lodged a complaint with the Croatian DPA (“AZOP”). The AZOP considered that this processing operation had no valid legal basis. On 3 October 2018, it ordered the deletion of every recording of the yard or public road and prohibited the third party from recording the yard in question. The decision indicated that “No appeal is allowed against this decision”. In accordance with Article 133(2) of the Croatian Act on General Administrative Procedure, the decision became enforceable upon its delivery to the party. <br />
<br />
The controller did not act on the decision. The data subjects thus submitted a request to the AZOP to adopt an enforcement decision. Meanwhile, a third party initiated an administrative dispute against the initial decision taken by the AZOP. The AZOP responded to the data subjects that the conditions for execution of the decision were not met because that decision was the subject of ongoing proceedings before an Administrative Court. <br />
<br />
Following the conclusion of the administrative dispute, the data subjects asked the AZOP to adopt a decision on the enforcement of the decision. The AZOP did not take any action. <br />
<br />
The data subjects lodged a complaint against the AZOP with the Administrative Court of Zagreb. The AZOP stated that it did not take any action because the controller indicated that the recordings were deleted and the data subjects did not prove the contrary. It made two arguments pursuant to the Croatian Act on General Administrative Procedure. First, it noted that Article 139(1) of this Act establishes an obligation to issue a decision when the executed party does not act according to the enforcement decision. Second, the AZOP argued that the decision cannot be enforced because the statute of limitations period granting 5 years to bring an enforcement action under Article 135(3) of the Croatian Act on General Administrative Procedure had expired. According to this provision, after five years from the date on which an order became enforceable, its enforcement may no longer be requested.<br />
<br />
=== Holding ===<br />
The Upravni Sud u Zagrebu (Administrative Court of Zagreb) noted that pursuant to [[Article 52 GDPR|Article 52 GDPR]], a supervisory authority’s task is not simply to establish a violation of legal provisions, but also to ensure the removal of such a violation. Thus, the AZOP is obliged to issue an enforcement decision under Articles 138 and 139 of the Croatian Act on General Administrative Procedure. <br />
<br />
Nonetheless, the Administrative Court agreed with the AZOP that the statute of limitations period under Article 135(3) of the Croatian Act on General Administrative Procedure applied and had expired in this case. As a result, the administrative court could not order the AZOP to issue an enforcement decision. <br />
<br />
The Administrative Court ordered the defendant to compensate the data subject EUR 684.10 within 15 days for the costs of the administrative dispute.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.<br />
<br />
<pre><br />
REPUBLIC OF CROATIA<br />
ADMINISTRATIVE COURT IN ZAGREB<br />
Avenija Dubrovnik 6 and 8<br />
<br />
Business number: UsI-4017/23-6<br />
<br />
IN THE NAME OF THE REPUBLIC OF CROATIA

JUDGMENT
<br />
The Administrative Court in Zagreb, according to the judge of that court, Anti Drezga and Slobodanka<br />
<br />
Gorsensky, recorder, in the administrative dispute plaintiff 1. M. N. from Z., OIB:... and 2. T. I.-<br />
P. from Z., OIB: ..., represented by attorney N. O., attorney at O., H. and partners,<br />
law firm d.o.o. from Z., against the defendant Agency for the Protection of Personal Data,<br />
Z., OIB: ..., due to the management's silence, February 5, 2024,<br />
<br />
he decided<br />
<br />
<br />
The claim that reads:<br />
"I The claim of plaintiff I-M is approved. N. and II-T. I. P. and is ordered to the defendant<br />
to the Personal Data Protection Agency within 30 days from the date of delivery<br />
judgment to issue a decision on the execution of the decision of the Agency for the Protection of Personal Data<br />
CLASS: UP/I-041-02/17-08/20, URBROJ: 567-02/03-18-01 from 03.10.2018.<br />
II The defendant is ordered to compensate the plaintiffs for the costs of this administrative dispute in<br />
<br />
in the amount of EUR 684.10, all within 15 days."<br />
<br />
Explanation<br />
<br />
1.1. The plaintiffs in the lawsuit essentially state that it is about the request for protection<br />
the right plaintiff, proceedings were conducted before the defendant, CLASS: UP/I-041-02/17-<br />
08/20, URBROJ: 567-02/03-18-01, in which on October 3, 2018, it was adopted<br />
<br />
a decision establishing that the processing of personal data by a third party<br />
filmed yard co-owned by the plaintiffs, without a legal and appropriate purpose<br />
legal basis. The decision in question prohibits a third person from recording<br />
of the yard in question and ordered to delete all records created by recording the yard<br />
that is, public roads, which were collected without a legal basis. As an instruction on legal<br />
the remedy of the decision in question reads "No appeal is allowed against this decision", so,<br />
in accordance with Article 133, Paragraph 2 of the Act on General Administrative Procedure, the decision became<br />
<br />
executory but by delivery of the solution to the party, and the third party is not voluntary according to the same<br />
acted, the plaintiffs submitted a request to the defendant on July 12, 2021<br />
of making a decision on enforcement. However, as a third party initiated an administrative dispute<br />
against the aforementioned decision, the defendant responded to the plaintiff's request<br />
by letter CLASS: UP/I-041-02/17-08/20, UR NO: 567-02/03-21-14 dated October 10<br />
2021 as "in relation to the specific case, we state that at this moment they are not<br />
the conditions for the execution of the aforementioned decision of this Agency have been met. In this sense, we state how
this Agency will carry out the execution of the decision after the completion of the procedure conducted before<br />
by the said competent court", although citing the article of the Law on General<br />
<br />
administrative procedure indicating that the conditions for execution have been met, given that<br />
decision against which no appeal is allowed, delivered to the party. Continuing on<br />
termination of the administrative dispute, the plaintiffs filed again on October 18, 2022<br />
to the defendant, a proposal for the adoption of a decision on execution, at a time when it is undoubtedly,<br />
even according to the defendant's illegal interpretation of the legal provision, the solution became<br />
executive. However, the defendant has not taken any action on the occasion to date<br />
of the defendant's proposal, nor did he issue a decision on enforcement.<br />
<br />
1.2. The plaintiffs are submitting this administrative complaint to the title court based on the article<br />
Paragraph 3, paragraph 1, point 3 of the Administrative Disputes Act for the purpose of assessing illegality<br />
failure of the defendant to act according to the regulation, in the specific case according to<br />
provisions of the Law on General Administrative Procedure. In the specific case, how is it<br />
on the occasion of the request for the protection of the plaintiff's rights, a procedure was conducted before the Agency for<br />
protection of personal data, CLASS: UP/I-041-02/17-08/20, UR NO: 567-02/03-18-<br />
<br />
01, in which the aforementioned decision was adopted, which established that the processing<br />
personal data by L. K. through the video surveillance system recorded yard in<br />
co-owned by the applicant at the address R. 5, without a lawful and appropriate purpose<br />
legal basis, the plaintiffs point out that it is undoubtedly the case in this particular case<br />
on administrative procedure, so the provisions of the Act on<br />
general administrative procedure on the manner and time of issuing enforceability for the first instance<br />
administrative act. According to the decision of L. K., filming of the yard in question is prohibited<br />
<br />
and the ordered deletion of all records created by recording the yard or public road, a<br />
which were collected without a legal basis. Since she did not act according to the decision, and the instruction of Fr<br />
the legal remedy of the decision in question reads "No appeal is allowed against this decision",<br />
in accordance with Article 133 paragraph 2 of the Act on General Administrative Procedure, the decision is<br />
became enforceable already by delivery of the decision to the party, the plaintiffs were therefore established on 12<br />
July 2021 submitted a request to the defendant for the adoption of a decision on enforcement.<br />
1.3. Pursuant to Article 52 of the Act on the Implementation of the General Regulation on Data Protection,<br />
<br />
The Personal Data Protection Agency is defined as a state body, and as such,<br />
has the right and duty to monitor the implementation of the General Data Protection Regulation. After<br />
established gross violation of the plaintiff's legal rights, by his passive behavior<br />
the defendant himself participates in the repeated violation of the very provisions that he is obliged to protect.<br />
Agency - which should play a key role in protecting privacy and personal data<br />
citizens, which is the fundamental right of individuals in the territory of the European Union. Her<br />
the task is not and should not be a simple determination of a violation of the legal provisions on processing<br />
<br />
of personal data, must also ensure the elimination of such violation, as determined violation<br />
the rights of individuals whose personal information is threatened would not just remain "dead<br />
letter on paper". However, to this day, almost a year after<br />
of the submitted request for the adoption of a decision on enforceability, the plaintiffs still have not<br />
received the decision on execution, which the defendant in accordance with Articles 138 and 139 of the Act on<br />
general administrative procedure is obliged to pass, thus denying them protection from abuse<br />
<br />
personal data, guaranteed by international and national regulations. Such as<br />
stated in the basic treaties of the EU, public authorities and courts of the member states in<br />
to the greatest extent, they are responsible for the application of Union law. Therefore, without entering into<br />
autonomy and independence of the defendant's scope, national authorities are obliged to enable<br />
to the individual the full protection of his rights guaranteed at the EU level, and they are on the same<br />
obliged by the General Data Protection Regulation, which is directly applicable in the Republic<br />
To Croatia and all member states of the European Union from May 25, 2018. The largest<br />
<br />
the threat to the protection of personal data and the plaintiff's rights is reflected in the preclusion of protection
of their rights, which is defined by Article 135, Paragraph 3 of the General Administrative Law<br />
procedure: Therefore, the situation regarding the defendant's guilt is completely absurd<br />
<br />
interpretation of the Law on General Administrative Procedure, that is, provisions on enforceability<br />
decision, as a result of which, due to such an interpretation, the plaintiffs in this October, 2023.<br />
year, the 5-year limitation period for execution from Article 135, paragraph 3 of the Act has passed,<br />
because of which L. K. will have a well-founded right to file an appeal against the execution decision<br />
(if the same is ever passed, even if it is out of date). So, it is undoubtedly<br />
the defendant, as a public law body within the meaning of the Law on General Administrative Procedure, despite<br />
fulfillment of the assumptions provided by law, failed to act in accordance with his own<br />
<br />
legal obligations and to decide on the plaintiff's request for a ruling on<br />
execution.<br />
1.4. They propose to adopt the claim and order the defendant within 30 days from<br />
on the date of delivery of this verdict, to issue a decision on the execution of the decision of the Protection Agency<br />
personal data CLASS: UP/I-041-02/17-08/20, UR NO: 567-02/03-18-01 of 3.<br />
October 2018 and order the defendant to compensate the plaintiffs for the costs of the administrative dispute in<br />
<br />
in the amount of 684.10 euros, all within 15 days.<br />
2. In the response to the complaint, the defendant essentially states that the decision in question<br />
cannot be enforced since, pursuant to Article 135, paragraph 3 of the Law on General<br />
Administrative Procedure, the period of five years has expired from the day when the decision became<br />
enforceable, since L. K. received the decision on October 19, 2018. It points out that the plaintiffs, in both<br />
proposals for execution that they submitted to the defendant, did not submit evidence<br />
confirming or proving that L. K. did not act according to the relevant decision or<br />
acted contrary to the obligation. It believes that the allegations that the defendant did not take a<br />
single action regarding the plaintiff's proposal are incorrect, since the defendant, on August 2, 2023,<br />
carried out control supervision, about which the Minutes of conducted supervision were drawn up,<br />
CLASS: 042-02/23-01/25, ID number: 567-12/13-23-05, of August 2, 2023, and of which<br />
the plaintiffs' law office was notified by email on August 24, 2023,<br />
and at the same time provided with the Minutes of the conducted supervision. In the supervision in question,<br />
according to the statement of N. K., mother of L. K., the two cameras placed under the window are not working<br />
because the recording storage device was destroyed; by direct inspection the authorized officer<br />
determined that the cameras were not connected to any storage device or to the Internet, and<br />
N. K. stated that the recordings were deleted/removed. Therefore, the defendant does not see grounds for<br />
issuing a decision on enforcement, since the supervisory activities did not establish that L.<br />
K. did not comply with the obligation imposed by the decision, nor did the plaintiffs prove<br />
the contrary. It points out that the obligation to pass a decision by which the proposal for<br />
execution is refused is not prescribed by the Law on General Administrative Procedure, since,<br />
according to what was presented, it was not established that the obligation from the decision in question was not fulfilled.<br />
It states that the Law on General Administrative Procedure prescribes in Article 139, paragraph 1,<br />
only the obligation to issue a decision when the executor fails to comply with the enforcement decision,<br />
that is, in Article 140, paragraph 4, the obligation to issue a decision when<br />
its execution is postponed; therefore the adoption of a decision rejecting the proposal is not<br />
prescribed. It proposes to reject the claim as unfounded.<br />
<br />
3. Assessing the legality of the contested decision, the Court reviewed the court file and<br />
file of the defendant. The court decided on the plaintiff's claim without holding a hearing<br />
(Article 36, Paragraph 4 of the Administrative Disputes Act, Official Gazette, No. 20/10,<br />
143/12., 152/14., 94/16., 29/17. and 110/21.; hereinafter ZUS).<br />
4. The claim is unfounded.<br />
5. According to the provisions of Article 135 of the Law on General Administrative Procedure (Official<br />
Gazette, No. 47/09. and 110/21.; hereinafter ZUP), execution is carried out ex officio<br />
when the public interest dictates it. Enforcement that is in the interest of the party is carried out on the<br />
proposal of the party (proposer of execution). Execution can also be carried out on the basis of a<br />
settlement of the parties. After the expiry of the period of five years from the day when the decision became<br />
enforceable, the decision cannot be enforced, unless otherwise prescribed by law.<br />
6. If the decision in an administrative matter was passed ex officio, it is,<br />
as a rule, executed ex officio. However, a decision made at the request of a party is,<br />
as a rule, executed on the proposal of the party in whose interest the decision<br />
that is the subject of execution was adopted (proposer of execution). Standing<br />
to initiate the enforcement procedure cannot be denied to the person at whose request<br />
the procedure in which the enforceable title was passed was conducted. If a decision on execution<br />
is not adopted following the party's proposal, this constitutes silence of the administration in the execution procedure.<br />
7. An administrative dispute due to the silence of the administration can be initiated only by the party on whose<br />
request or appeal the competent authority did not make a decision. If the competent authority has not<br />
made a decision on execution, the party in whose interest the execution is carried out may,<br />
under the conditions of Article 23, paragraph 5 of the ZUS and Article 24, paragraph 2 of the<br />
ZUS, file a lawsuit for failure to issue a decision.<br />
<br />
8. In the specific case, the defendant, in the administrative matter regarding the request of the<br />
plaintiff, issued a decision, CLASS: UP/I-041-02/17-08/20, UR NO: 567-02/03-18-01,<br />
of October 3, 2018, by which a third person is prohibited from filming the yard in the<br />
co-ownership of the plaintiffs and ordered to delete all records created by recording the yard<br />
which were collected without a legal basis. The decision in question was delivered to the third<br />
person on October 19, 2018, when it became enforceable.<br />
9. In a motion dated July 12, 2021, the plaintiffs proposed the adoption of a decision<br />
on execution, claiming that the said decision was not followed, after which<br />
the defendant, in the form of a letter, CLASS: UP/I-041-02/17-08/20, ID number: 567-02/03-21-14 from<br />
October 10, 2021, stated that the conditions for execution were not met, referring to<br />
the circumstance that the proceedings before the competent court (High Administrative Court of the Republic<br />
of Croatia).<br />
10. With the proposal of October 18, 2022, the plaintiffs again proposed<br />
issuing a decision on execution, stating that the judgment of the High Administrative Court<br />
of the Republic of Croatia, business number Usž-2892/20 of September 15, 2022, rejected the appeal by L.<br />
K. and confirmed the judgment of the Administrative Court in Zagreb, business number UsI-3777/18-14 dated<br />
January 21, 2020.<br />
11. From the Minutes of the conducted supervision, CLASS: 042-02/23-01/25, CODE:<br />
567-12/13-23-05 of August 2, 2023, it follows that the defendant carried out control supervision<br />
of acting according to the aforementioned decision of October 3, 2018. On August 24,<br />
2023, the defendant informed the plaintiff's proxies via electronic mail about the results of the<br />
control supervision, and the Minutes in question were delivered to them.<br />
12. Without going into the question of whether, on the occasion of the mentioned proposal of October 18,<br />
2022, the defendant should have made a decision on the rejection of the proposal for execution after it<br />
established that the executor acted according to the executive decision, it is obvious that, in the sense of Article<br />
135, paragraph 3 of the ZUP, five years have expired from the day the decision became<br />
enforceable and that the defendant cannot issue a decision on execution, and therefore the administrative court<br />
cannot order the adoption of a decision on enforcement either.<br />
13. Considering all the above, it was decided as in the sentence of this judgment<br />
applying the provisions of Article 57, paragraph 1 of the ZUS.<br />
<br />
In Zagreb, February 5, 2024.<br />
<br />
Judge:<br />
<br />
Ante Drezga, Acting Director<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Legal remedy:<br />
An appeal to the High Administrative Court of the Republic of Croatia is allowed against this verdict.<br />
The appeal is filed through this court in a sufficient number of copies for the court and all parties<br />
in the dispute, within 15 days from the date of delivery of the judgment.<br />
</pre></div>Lmhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9991064&diff=40573&oldid=0Garante per la protezione dei dati personali (Italy) - 99910642024-03-27T10:49:27Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=9991064 |ECLI= |Original_Source_Name_1=Garante per la protezione dei dati personali |Original_Source_Link_1=https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9991064 |Original_Source_Language_1=Italian |Origi..."</p>
<a href="https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9991064&diff=40573">Show changes</a>Imhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202301323&diff=40557&oldid=0AEPD (Spain) - EXP2023013232024-03-27T08:57:41Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202301323 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/reposicion-ai-00057-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Lan..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=EXP202301323<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/reposicion-ai-00057-2023.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=10.08.2021<br />
|Date_Decided=15.03.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=<br />
|GDPR_Article_Link_1=<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1= Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico (LSSI) (Spanish ePrivacy Law)<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Turner Broadcasting System España<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=AEPD - Internal Appeal<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Appealed - Confirmed<br />
|Appeal_To_Link=https://www.aepd.es/documento/reposicion-ai-00057-2023.pdf<br />
<br />
|Initial_Contributor=lm<br />
|<br />
}}<br />
<br />
The Spanish DPA dismissed an internal appeal challenging its decision that it was not necessary for a controller to provide a reject button on its webpage, finding that the question arose under Spain’s ePrivacy Law rather than the GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject lodged a complaint with the Austrian DPA after they tried to access one of the websites of Turner Broadcasting System España (the controller) but were redirected to a new webpage that did not offer an option to reject cookies. Additionally, once the cookies were accepted, it was not possible to access the cookie control panel to revoke consent. Instead, consent could only be revoked by taking a number of additional steps, including entering an English-language portal and sending the controller an email requesting to withdraw consent. <br />
<br />
On 26 January 2023, the Austrian DPA communicated the case to the Spanish DPA (AEPD) pursuant to the Internal Market Information System.<br />
<br />
The AEPD initiated an investigation. Through its own investigation of the webpage, the AEPD confirmed that on the redirected page, only technical or necessary cookies were used. Additionally, it noted that the information provided in the Cookie Policy was accurate. The AEPD concluded that it was not necessary to provide a ‘Reject’ button under these circumstances. <br />
<br />
The data subject filed an internal appeal focusing on three claims. First, the data subject argued that the Austrian DPA should have been the authority concerned and at the least failed to notify the data subject of the AEPD’s decision in violation of [[Article 60 GDPR#8|Article 60(8) GDPR]]. Second, the data subject argued that the AEPD failed to consider the data subject’s complaint and instead decided the case based on its own interaction with the webpage. Third, the data subject claimed that upon selecting ‘accept’ on the cookie banner, Google Analytics cookies which are not strictly necessary are installed. Such cookies can only be installed where valid consent has been obtained – the cookie banner, however, offered no permanently visible option to withdraw consent and required multiple steps (as discussed above) in violation of [[Article 7 GDPR#3|Article 7(3) GDPR]].<br />
<br />
=== Holding ===<br />
The AEPD dismissed the appeal, concluding that only the Spanish ePrivacy Law is relevant to the case, not the GDPR. <br />
<br />
First, the AEPD rejected the data subject’s argument that the complaint should have been heard by the Austrian DPA. The AEPD noted that the Spanish ePrivacy Law regulates information society services established in Spain. Since the controller’s headquarters and website domain were in Spanish territory, the ePrivacy Law applied and the AEPD was competent to hear the case. Further, the AEPD concluded that only the ePrivacy Law, not the GDPR, applied in this case because it was more specific to the facts at issue. <br />
<br />
The AEPD also rejected the data subject’s second argument. It noted that the presumption of innocence protects entities from sanctions not based on prior evidentiary activity ‘on which the competent body can base a reasonable judgment of guilt.’ This presumption, the DPA reasoned, obliged it to prove the controller’s offence and guilt. The AEPD’s visit to the page was an attempt to verify the veracity of the data subject’s claims, and it was insufficient to do so. <br />
<br />
Finally, the DPA dismissed the third argument because it was not raised in the initial claim.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
Procedure No.: EXP202301323 (AI/00057/2023)<br />
<br />
Appeal for Reconsideration No. RR/00111/2024<br />
<br />
<br />
Having examined the appeal for reconsideration filed by A.A.A. through the EUROPEAN<br />
COMMISSION INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria),<br />
against the resolution issued by the Director of the Spanish Data Protection<br />
Agency in the procedure AI/00057/2023, for violation of the provisions of Law<br />
34/2002, of July 11, on Information Society Services and Electronic<br />
Commerce (LSSI), and based on the following:<br />
<br />
<br />
FACTS<br />
<br />
FIRST: On 01/25/24, the Director of the Spanish Data Protection<br />
Agency issued a Resolution to File Actions in procedure AI/00057/2023,<br />
opened against the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.:<br />
B82320227, owner of the website https://www.canaltnt.es, for the alleged<br />
violation of article 22 of the LSSI.<br />
<br />
The resolution was notified to the EUROPEAN COMMISSION SYSTEMS OF<br />
INTERNAL MARKET EXCHANGE (IMI-Austria) on 01/29/24, as recorded<br />
on the record.<br />
<br />
<br />
SECOND: As proven facts of the aforementioned procedure, the following was<br />
recorded:<br />
<br />
- When trying to enter the website that is the subject of the claim, https://www.canaltnt.es,<br />
it was found that it no longer existed, and that the user was redirected to a new<br />
website, https://www.warnertv.es, whose owner is the entity Discovery Networks SL,<br />
with CIF B-86815560, different from the entity initially claimed against (Turner<br />
Broadcasting System España, with CIF.: B82320227).<br />
<br />
THIRD: On 02/14/24, this Agency received a written appeal for<br />
reconsideration filed by the appellant, in which the following was stated:<br />
<br />
FIRST – Lack of notification by the DSB<br />
<br />
1. On January 24, 2024, the AEPD adopted its resolution, which was notified<br />
to this part on January 29, 2024. However, according to the<br />
<br />
article 60(8) GDPR is the supervisory authority to which the<br />
claim, i.e. the DSB, who should have adopted and notified the<br />
resolution to the person interested in this case.<br />
<br />
2. Therefore, the resolution adopted by the AEPD must be considered null<br />
of right, as provided in article 47(1)(b) LPACAP.<br />
<br />
<br />
SECOND – The AEPD did not consider the facts or the petition of the claim<br />
<br />
3. The AEPD did not consider the specific circumstances of the visit of the<br />
website of this party, set forth in the claim in detail. In fact,<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/8<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
It seems that the AEPD decided based on the banner that appeared on the<br />
website of the controller during your own visit.<br />
<br />
4. However, the control authority must provide an effective response to the<br />
individual situation of the interested party, taking into account the circumstances<br />
<br />
individuals and the facts about which the claim presented by the<br />
interested. This follows from Considering 141 GDPR, from Article 77.<br />
RGPD and Article 65(3)(b) of the LOPDGDD.<br />
<br />
5. In addition, this party requested in its complaint various measures to be adopted<br />
by the AEPD (see First Fact). The formulated petitum determines<br />
<br />
specifically requested and underlines the need for an evaluation of the<br />
individual situation of this part. In particular, the person responsible continues to try<br />
the personal data of this party unlawfully.<br />
<br />
6. In light of the configuration of the claim ex article 77(1) GDPR that<br />
<br />
“is conceived as a mechanism capable of effectively protecting the<br />
rights and interests of the interested parties” it is beyond any doubt that the<br />
AEPD should have responded to what was requested by this party. It<br />
directly agrees with the provisions of article 88(2) LPACAP. No<br />
However, the AEPD resolution does not provide a concrete response to this petition.<br />
part.<br />
<br />
<br />
7. Therefore, the resolution must be annulled in accordance with art 48(1)<br />
LPACAP.<br />
<br />
B. MATERIAL ASPECTS<br />
<br />
<br />
THIRD – The AEPD applies an erroneous criterion<br />
<br />
8. As stated above, this party visited the website of the controller and,<br />
in addition to not having an equivalent option to reject the use of the<br />
cookies in the first layer of the banner (violation type A, C, D, E), checked<br />
that there was no easy possibility to withdraw consent<br />
<br />
awarded (type K violation).<br />
<br />
9. On the other hand, in the appealed resolution the AEPD states that during its own<br />
visit the person responsible only installed strictly necessary cookies, so<br />
it was not necessary to offer an option to reject cookies, nor an option<br />
to withdraw consent.<br />
<br />
<br />
10. However, upon checking this part again on the website<br />
https://www.warnertv.es/, it is observed that after selecting “Accept” in the<br />
banner the cookies “_ga” and “_ga_1PMD2PL02L” from Google are installed<br />
Analytics. These are cookies that can only be installed in the case of<br />
<br />
have obtained valid consent (Annex 1).<br />
<br />
11. Although the person responsible has implemented two equivalent options in<br />
its banner cookie, does not offer a permanently visible option that allows<br />
withdrawal of consent. At the bottom of the main page there is only one link<br />
to the privacy policy, in which there is a link to the “Portal of<br />
request for individual rights” (in English). On this portal you can then<br />
send an email to withdraw consent. This does not represent<br />
<br />
a possibility to “revoke consent easily” and “at any time”<br />
moment” as required by article 7(3) GDPR and as provided in the<br />
AEPD in relation to the withdrawal of consent.2<br />
<br />
12. From the above it follows that the AEPD is based on a verification<br />
which turns out to be wrong. The controller uses Google Analytics cookies that<br />
are not strictly necessary. However, the person responsible still does not offer<br />
a simple possibility to withdraw consent once given.<br />
<br />
13. From what is stated in this FJ it follows that the criterion adopted in the resolution<br />
appealed is contrary to the legal system and must be annulled.<br />
<br />
<br />
By virtue of what is stated in this writing, and in accordance with the<br />
mentioned provisions, this part<br />
<br />
REQUESTS: I. That an APPEAL OF<br />
REPLACEMENT against the resolution of the Director of the Spanish Agency of<br />
<br />
Data Protection of January 24, 2024 within the framework of the procedure<br />
with file number EXP202301323, and, after admitting it, the<br />
investigative actions that are necessary, in accordance with the<br />
applicable procedural and material standards. II. That the nullity be declared<br />
of the resolution appealed for the reason stated in the<br />
<br />
legal basis first and that the continuation of the<br />
procedure. III. That, if full nullity is not declared,<br />
the appealed resolution is annulled for the reasons set out in the grounds.<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
<br />
I<br />
Competence.<br />
<br />
The Director of the Spanish Data Protection Agency is competent to resolve this appeal,<br />
in accordance with the provisions of article 123 of Law<br />
39/2015, of October 1, on the Common Administrative Procedure of<br />
Public Administrations (LPACAP) and art. 43.1, second paragraph, of the LSSI.<br />
<br />
II<br />
Response to the allegations<br />
<br />
<br />
In relation to the statements made by the appellant, it is worth noting the<br />
following:<br />
<br />
First: The appellant alleges in the section “First, points 1-2”, of the FJ of<br />
<br />
his writing that the resolution should have been made by the Austrian supervisory authority,<br />
in accordance with article 60(8) RGPD and therefore, the resolution adopted by the AEPD<br />
must be considered null and void, according to article 47(1)(b) LPACAP.<br />
<br />
<br />
With respect to this allegation, it must be clarified that Spanish law is governed by<br />
the “Principle of Regulatory Specialty”, which, in essence, means that, where<br />
there is a special standard (LSSI) and a general standard (RGPD) that regulate a<br />
specific fact, the first prevails over the second.<br />
<br />
This principle does not mean that, in the event of application of both standards (one<br />
general rule and another special one), the first is repealed, but rather the<br />
simultaneous validity of both rules, although the special rule will be applied in<br />
preference to the general rule in those cases contemplated in it.<br />
<br />
<br />
In the case at hand, there is such a coincidence, that is, in the Spanish<br />
legal system, two regulations coexist, one of a general nature, the RGPD, and<br />
another of a special nature, the LSSI, that regulate the same facts.<br />
<br />
<br />
If we look at what Article 1 of the GDPR establishes, its purpose is the following:<br />
<br />
1.This Regulation establishes the rules relating to the protection of<br />
natural persons with regard to the processing of personal data and<br />
rules relating to the free circulation of such data.<br />
<br />
<br />
2.This Regulation protects the fundamental rights and freedoms of<br />
natural persons and, in particular, their right to data protection<br />
personal.<br />
<br />
3.The free circulation of personal data in the Union may not be<br />
<br />
restricted or prohibited for reasons related to the protection of<br />
natural persons with regard to the processing of personal data.<br />
<br />
While the object of the LSSI, established in its article 1, indicates that:<br />
<br />
<br />
1. The object of this Law is the regulation of the legal regime of the<br />
services of the information society and contracting via<br />
electronic, regarding the obligations of service providers<br />
including those who act as intermediaries in the transmission of content<br />
through telecommunications networks, commercial communications via<br />
electronic, information before and after the conclusion of contracts<br />
<br />
electronic devices, the conditions relating to their validity and effectiveness and the regime<br />
sanction applicable to service providers of the society of the<br />
information.<br />
<br />
2. The provisions contained in this Law will be understood without prejudice to the<br />
<br />
provided in other state or regional regulations outside the regulatory scope<br />
coordinated, or that have as their purpose the protection of health and safety<br />
public, including the safeguarding of national defense, the interests of the<br />
consumer, the tax regime applicable to the services of the society of the<br />
information, the protection of personal data and the regulations governing<br />
<br />
competition defense.<br />
<br />
For its part, article 2 of the aforementioned standard (LSSI) establishes that:<br />
<br />
<br />
1. This Law will apply to the service providers of the society of<br />
the information established in Spain and the services provided by them.<br />
<br />
<br />
It will be understood that a service provider is established in Spain<br />
when your residence or registered office is in Spanish territory,<br />
as long as these coincide with the place where it is actually<br />
centralized administrative management and direction of its businesses. In other<br />
case, the place where said management or direction is carried out will be taken into account.<br />
<br />
<br />
Therefore, in application of the “Principle of Regulatory Specialty”, the<br />
specific standard, that is, the LSSI, applies over the general standard, the RGPD,<br />
since the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.:<br />
B82320227, has its headquarters in Spanish territory, as does the domain of its website (.es).<br />
<br />
<br />
Regarding the jurisdiction to hear the case, article 43.1 of the LSSI<br />
establishes the following: (…) Likewise, it will be up to the Data Protection<br />
Agency to impose sanctions for the commission of infractions classified in<br />
articles 38.3 c), d) and i) and 38.4 d), g) and h) of this Law (…), and what is established in<br />
articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD.<br />
<br />
<br />
While article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
in Regulation (EU) 2016/679, in this organic law, by the provisions<br />
regulations dictated in its development and, insofar as they do not contradict them, with a<br />
subsidiary, by the general rules on administrative procedures."<br />
<br />
<br />
And the fourth additional provision of said standard establishes, with respect to the<br />
powers attributed to the AEPD by other laws, that: "The provisions of Title VIII<br />
and of its development regulations will be applicable to the procedures that the<br />
Spanish Data Protection Agency had to process in exercise of the powers<br />
that were attributed to it by other laws."<br />
<br />
Therefore, since the claimed entity has its registered office in Spanish territory, the<br />
Spanish Data Protection Agency is competent to hear the claim,<br />
based on the provisions of article 43.1 of the LSSI, article 63.2 of the LOPDGDD and the<br />
fourth additional provision of said rule, to the detriment of the Austrian control<br />
authority.<br />
<br />
Second: The appellant states in the section “Second, points 3-7” of the<br />
FJ of his appeal brief, in essence, that, “the AEPD did not consider the circumstances<br />
specific to the visit to the appellant's website, based solely,<br />
<br />
for the resolution of the file, in the verification that the AEPD itself made of the<br />
information banner that appears on the website, without responding to what was requested<br />
in the claim, forgetting the requests made by the appellant…”<br />
<br />
To respond to this allegation, we must start from the principle that governs every<br />
judicial or administrative procedure, namely the “Principle of Presumption of<br />
Innocence”, which guarantees, in Spanish law, the right not to suffer a sanction that is not<br />
based on a previous evidentiary activity on which the competent<br />
body can base a reasonable judgment of guilt, and entails, among<br />
other demands, that the Administration prove and, therefore, give reasons for, not only the<br />
facts constituting the infringement, participation in such facts and the<br />
circumstances that constitute a graduation criterion, but also the guilt<br />
that justifies the imposition of a sanction (among others, SSTC 76/1990, of April 26;<br />
14/1997, January 28; 209/1999, of November 29 and 33/2000, of November 14<br />
February).<br />
<br />
Likewise, the STS of July 10, 2007 (rec.306/2002) specifies that it must be the<br />
administration that proves guilt because "it is not the interested party who has to<br />
<br />
prove lack of guilt."<br />
<br />
The presumption of innocence, a fundamental right of citizens according to art. 24.2<br />
of the Spanish Constitution and art. 6.2 of the European Convention on Human Rights,<br />
is expressly included in our regulations for administrative sanctioning<br />
procedures, where among the rights of the interested party in the<br />
disciplinary administrative procedure is the right "To the presumption of non-existence<br />
of administrative responsibility until the contrary is proven."<br />
<br />
And as the STS 04/28/2016 (RC 677/2014) said: "it should be noted that the<br />
right to the presumption of innocence, which applies without exception in the field of<br />
administrative sanctioning procedure, according to the Constitutional Court in<br />
ruling 66/2007, of March 27, means that 'no sanction can be imposed<br />
that is not based on a previous lawful evidentiary activity', and also implies<br />
the recognition of the right to a due administrative sanctioning procedure,<br />
or one with all the guarantees, that respects the principle of contradiction and in which the<br />
alleged perpetrator has the opportunity to defend his own positions,<br />
prohibiting the initiation of disciplinary proceedings when the absence of<br />
rational indications that an infringing conduct has been committed is unequivocally<br />
or manifestly appreciable, or when illegality or<br />
culpability is absent."<br />
<br />
<br />
What the Public Administration cannot do is establish administrative responsibility on<br />
the facts presented by the complaining party without first verifying their<br />
veracity. In the case at hand, this verification was based on the review of the<br />
website that was the object of the claim (https://www.canaltnt.es), where it was verified<br />
that it no longer existed, and that the user was redirected to a new web page<br />
belonging to a different owner.<br />
<br />
Third: The appellant states in the section “Third.- points 8 to 13” that, upon<br />
checking the new website https://www.warnertv.es/, it is observed that after<br />
selecting “Accept” in the banner, the cookies “_ga” and “_ga_1PMD2PL02L”<br />
of Google Analytics are installed, which are not strictly necessary, and that there is no<br />
possibility of withdrawing consent once given.<br />
<br />
First of all, we must mention that the website https://www.warnertv.es,<br />
which the appellant mentions in her appeal for reconsideration, was not the object of the<br />
initial claim, so its analysis is not appropriate within the scope of this appeal for<br />
reconsideration.<br />
<br />
That said, it is worth remembering that this new website<br />
(https://www.warnertv.es) only comes up because, when trying to access the<br />
web page that was the subject of the initial claim, https://www.canaltnt.es, the user was<br />
redirected to the new page.<br />
<br />
<br />
Now, the appellant states that, on this new web page<br />
https://www.warnertv.es, she observes that, when the user gives consent, the<br />
website begins to use two new cookies that are not of a technical nature (“_ga” and<br />
“_ga_1PMD2PL02L”) whose domain belongs to Google Analytics, and that there is no<br />
possibility of withdrawing consent once given, requesting that this Agency<br />
carry out the investigative actions necessary to<br />
clarify the facts she claims.<br />
<br />
Therefore, this is a new fact not mentioned in the initial claim. The<br />
appellant cannot raise at the appeal stage<br />
facts that she did not express in a previous procedural phase.<br />
<br />
<br />
The LPACAP provides in its article 118 the following procedural rule: “Facts,<br />
documents or allegations of the appellant shall not be taken into account in the<br />
resolution of appeals when, having been able to provide them in the allegations<br />
stage, the appellant has not done so. Nor may the taking of evidence be requested<br />
when the failure to carry it out in the procedure in which the appealed resolution<br />
was issued was attributable to the interested party.” This provision is nothing more than the<br />
positive expression, for the common administrative sphere, of the general principle that the<br />
law does not protect the abuse of rights (article 7.2 of the Civil Code). The purpose of this<br />
principle, among others, is to prevent the allegations and evidence stages of the<br />
application procedures from becoming useless, as would result if the interested parties<br />
could choose, at their discretion, the moment at which to present evidence and allegations,<br />
since this would be contrary to an elementary procedural order.<br />
<br />
All of this is without prejudice to the possibility of submitting a new claim if the appellant<br />
considers that such events violate regulations that confer powers on the Spanish<br />
Data Protection Agency.<br />
III<br />
<br />
Conclusion<br />
<br />
Consequently, in the present appeal for reconsideration, the appellant has not<br />
provided new facts or legal arguments that allow reconsideration of the validity<br />
of the contested resolution.<br />
<br />
<br />
Considering the aforementioned precepts and others of general application, the Director of the<br />
Spanish Data Protection Agency<br />
RESOLVES:<br />
<br />
FIRST: DISMISS the appeal for reconsideration filed by A.A.A., through<br />
THE EUROPEAN COMMISSION INTERNAL MARKET EXCHANGE SYSTEMS<br />
(IMI- Austria), against the archiving resolution issued by the Director of the<br />
Spanish Data Protection Agency on 01/25/24, in procedure AI/00057/2023,<br />
<br />
SECOND: NOTIFY this resolution to A.A.A. and to the EUROPEAN COMMISSION<br />
INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria), in accordance with the<br />
art. 77.2 of the GDPR.<br />
<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
Against this resolution, which puts an end to the administrative route, a<br />
contentious-administrative appeal may be filed before the<br />
Contentious-administrative Chamber of the National Court within a<br />
period of two months counting from the day following the notification of this act,<br />
as provided in article 46.1 of Law 29/1998, of July 13, regulating the<br />
Contentious-administrative jurisdiction, in accordance with the<br />
provisions of article 25 and section 5 of the fourth additional provision of the<br />
referred legal text.<br />
<br />
<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency.<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es<br />
</pre></div>Lmhttps://gdprhub.eu/index.php?title=IP_(Slovenia)_-_07106-8-2023&diff=40546&oldid=0IP (Slovenia) - 07106-8-20232024-03-26T18:38:33Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Slovenia |DPA-BG-Color= |DPAlogo=LogoSI.png |DPA_Abbrevation=IP |DPA_With_Country=IP (Slovenia) |Case_Number_Name=07106-8-2023 |ECLI= |Original_Source_Name_1=IP website |Original_Source_Link_1=https://gdprhub.eu/images/0/0a/07106-8-2023-9_odlo%25C4%258Dba_po_42_%25C4%258Dlenu_ZPacP_vrnjeno_v_novo_odlo%25C4%258Danje_24012024.pdf |Original_Source_Language_1=Slovenian |Original_Source_Language__Code_1=SL |Original_Source_Name_2= |Original_S..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Slovenia<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoSI.png<br />
|DPA_Abbrevation=IP<br />
|DPA_With_Country=IP (Slovenia)<br />
<br />
|Case_Number_Name=07106-8-2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=IP website<br />
|Original_Source_Link_1=https://gdprhub.eu/images/0/0a/07106-8-2023-9_odlo%25C4%258Dba_po_42_%25C4%258Dlenu_ZPacP_vrnjeno_v_novo_odlo%25C4%258Danje_24012024.pdf<br />
|Original_Source_Language_1=Slovenian<br />
|Original_Source_Language__Code_1=SL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=24.10.2023<br />
|Date_Decided=24.01.2024<br />
|Date_Published=15.03.2024<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=<br />
|GDPR_Article_Link_1=<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=42. člen ZPacP<br />
|National_Law_Link_1=https://pisrs.si/pregledPredpisa?id=ZAKO4281<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=im<br />
|<br />
}}<br />
<br />
The DPA found that the data subject should have access to medical records of her deceased father as the information might have a significant impact on her health.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject filed a complaint with the DPA against a healthcare provider regarding the denial of access to the medical records of her deceased father. On 24 October 2023, after her father's death, the data subject requested access to his medical records. <br />
<br />
The healthcare provider denied the request based on a document purportedly signed by the deceased father, which prohibited the disclosure of his medical information to his daughter. <br />
<br />
However, according to the data subject the document did not explicitly prohibit access to medical records after the father's death. <br />
<br />
She also argued it could be assumed that her father lacked the capacity to understand the implications of the document due to his dementia. On this account, she provided evidence of her father’s medical condition and claimed that the document was produced during a period when he was not of sound mind. <br />
<br />
The healthcare provider argued that it possessed a document which clearly prohibited the disclosure of the data to the data subject and that it had therefore respected the deceased person’s clearly expressed wishes even after his death, since he had clearly expressed an interest, while he was still alive, in enjoying certain fundamental rights protections as a person after his death.<br />
<br />
=== Holding ===<br />
The DPA found that the evidence presented by the healthcare provider, the document signed by the deceased person, did not clearly and unambiguously prohibit the daughter’s access to her father’s medical records after his death. <br />
<br />
The DPA referred to the right to be informed of the patient's medical records after the patient's death which is regulated in Article 42 of the Act on Patient Rights (‘ZPacP’). After the patient's death, the right to be informed of the patient's medical records includes, among others, the patient's spouse, common-law partner, same-sex partner, children and adopted children, and, in the absence of these persons, the patient's parents. These persons shall only be granted access to the information necessary to achieve the legitimate purpose of the consultation. <br />
<br />
The DPA further clarified that pursuant to Article 42(4) ZPacP, the data subject is indeed entitled to be informed of her deceased father's medical records in so far as they related to reasons which might have a significant impact on her health.<br />
<br />
As a result, the DPA referred the case back to the healthcare provider, which was instructed to reconsider the data subject’s request for access to her deceased father’s medical records.<br />
<br />
== Comment ==<br />
This ruling relates to the wording of Recital 27 GDPR which states that “This Regulation [GDPR] does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.”<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.<br />
<br />
<pre><br />
The Information Commissioner, acting through Information Commissioner Mojca Prelesnik (hereinafter IP), on the basis of the fifth paragraph of Article 42 in relation to the tenth paragraph of Article 41 of the Act on Patient Rights (Official Gazette of the Republic of Slovenia, No. 15/08, 55/17, 177/20 and 100/22 – ZNUZSZS; hereinafter ZPacP) and on the basis of the third paragraph of Article 251 of the General Administrative Procedure Act (Official Gazette of the Republic of Slovenia, No. 24/06 – official consolidated text, 105/06 – ZUS-1, 126/07, 65/08, 8/10, 82/13, 175/20 – ZIUOPDVE and 3/22 – ZDeb; hereinafter ZUP), on the appeal of the applicant .... of 12 November 2023 against the decision of the healthcare provider .... no. …. of 3 November 2023, in the matter of familiarization with medical documentation after the patient's death, issues the following<br />
<br />
<br />
D E C I S I O N<br />
<br />
1. The appeal of the applicant ... of 12/11/2023 against the decision of the healthcare provider .... no. …. dated November 3, 2023 is upheld, the challenged decision is annulled and the case is returned to the healthcare provider as a first-level authority for a new procedure.<br />
<br />
The healthcare provider must decide on the applicant's request of October 24, 2023 for familiarization with the medical documentation after the patient's death within 30 days of receiving this decision at the latest.<br />
<br />
2. No special costs were incurred in this procedure. The applicant covers her own costs of the procedure.<br />
<br />
<br />
Statement of reasons:<br />
<br />
On October 24, 2023, the applicant submitted a request to the provider of health care to get acquainted with the medical documentation of her deceased father.... .<br />
<br />
With decision no. …. of 3 November 2023, the healthcare provider rejected this request. It based its decision on the existence of a certified power of attorney of the deceased ..., by which he prohibits giving his personal data, sending him to various specialist examinations, ordering, etc. to his daughter, the applicant in this procedure. It explained that this authorization was given to the personal physician of the deceased, and that it had itself received it from the lawyer of the deceased.<br />
<br />
The applicant filed an appeal against this decision on 12 November 2023. In essence, she stated that the healthcare provider did not attach to the decision a copy of the written authorization to which it referred and which allegedly contained a prohibition on the transmission of personal data. She pointed out that the power of attorney was given to her father's doctor, not to the healthcare provider in this procedure, and that it does not contain any indication that the father forbids her, after his death, to see the psychiatric medical record that the provider keeps. She added that the same authorization was given from 27/07/2022 to 13/08/2022 to the patient.... . She further emphasized that already in 2016 her father was receiving strong medication for the treatment of dementia, that he did not have a guardian appointed, and that the lifetime maintenance contract is void, which will be resolved in the probate process. At the same time, the applicant also pointed out that Parkinson's dementia, vascular dementia, cortical and subcortical dementia are hereditary. If the father had a chromosomal mutation for Parkinson's dementia and she, as his heir, has inherited it, this is important for her health. Therefore, she wants to get acquainted with all the results, records and findings regarding the treatment of her father, what health problems he had, etc.<br />
<br />
On 11/13/2023, the IP called on the healthcare provider, based on Articles 34.a and 139 and the second paragraph of Article 245 of the ZUP, to forward a copy of the express prohibition regarding familiarization with the medical documentation given by the deceased, to state its position on the appeal statements and to provide other relevant explanations and evidence.<br />
<br />
The healthcare provider, in answer no. …. dated 20 November 2023, explained again that the reason for rejecting the applicant's request for access to the medical records of the deceased father was a copy of the power of attorney provided to the hospital by the lawyer, which clearly states that the deceased prohibits providing his personal information to the applicant. It pointed out that this authorization was given to his personal physician and was authenticated. It explained that until receiving the letter from the deceased's lawyer, it did not have the information about the prohibition on passing the deceased's data to the applicant, as the deceased was treated by a psychiatrist who also performs home visits as part of community psychiatric treatment. The visit was carried out on 6 October 2021 and both daughters were informed about the visit, but the deceased did not in any way announce that he forbids the sharing of information. The healthcare provider concluded that it has a document that unequivocally prohibits the transmission of the data of .... to the applicant, and that it therefore respected his clearly expressed wish even after his death, since even while he was alive he clearly expressed his interest in enjoying certain protection of fundamental rights as a person even after his death. Furthermore, the healthcare provider pointed out that the applicant did not provide any information regarding possible harmful diseases of the applicant's late father in the request for information, so it could not assess or consider them. On this basis, it decided as set out in decision no. …. dated 3 November 2023, in which it took into account the purpose of the law governing the protection of personal data and the will of the deceased, which he expressed clearly and unambiguously. It also attached all relevant documentation to the answer.<br />
<br />
The applicant responded to the IP's request for clarification dated 12/12/2023 on 17/12/2023. As the response is quite extensive, the IP summarizes only the essential statements that are relevant to the decision in this appeal procedure. These are:<br />
- the power of attorney was written in her own hand, for her own purposes, by …. (the applicant's sister), who gave it to her sick, demented father to sign because she feared for the lifetime maintenance contract they concluded during the father's illness;<br />
- after the death of her father, she received from …. a copy of the "mandate" with all other medical documents;<br />
- only the father's signature is certified on the power of attorney;<br />
- the power of attorney does not say that the father "expressly" forbids access to medical documentation;<br />
- the authorization is addressed to dr. med. …. and nurse ..., who are employed in the health center .... ;<br />
- the legal purpose of familiarization with the medical record and all specialist findings is demonstrated by the attached invitation to the probate hearing on 11/19/2023;<br />
- the ban can also be recorded in the central record of medical documentation, which was not done in this case, so the healthcare provider had to physically inspect the medical record;<br />
- the applicant asks the IP to immediately allow her to photocopy and familiarize herself with all the contents of the medical record for the purpose of the inheritance procedure, otherwise she will not be able to deliver the documents to the court in time.<br />
<br />
In the telephone interview with the IP on 19/01/2024 and in the applications from that day and from 20/01/2024, the applicant described in more detail the circumstances of signing the disputed document (power of attorney), especially that the father signed it during dementia, when he was sick and unsound, and therefore cannot constitute a valid prohibition of acquaintance. She pointed out that, despite the existence of this document, she received the medical documentation of her deceased father from other managers (e.g.... and...). As proof that the father was really ill, she attached a psychiatric report and a professional opinion.... dated 16 January 2023, which summarized the content of the available medical documents. She pointed out that the father had been on medication since 2016 and had been diagnosed with dementia, which made him unable to understand his will statements and the legal consequences. She also attached the minutes on the inheritance case and the decision on the suspension of the inheritance proceedings dated 12/19/2023, as well as the decision of the Ministry.... from 2 June 2022.<br />
<br />
The appeal is justified.<br />
<br />
Procedural explanations<br />
<br />
At the outset, the IP explains that, as a second-level authority, in accordance with Article 247 of the ZUP, which, based on the tenth paragraph of Article 41 in connection with the fifth paragraph of Article 42 of the ZPacP, is applicable mutatis mutandis in this appeal procedure, it is obliged to examine the decision in the part which the applicant disputes. It examines the decision within the limits of the appeal's statements, and examines ex officio whether there were significant violations of the procedure in the first instance procedure and whether the substantive law was violated.<br />
<br />
The IP satisfied itself of the actual situation on the basis of the available material, taking into account Article 10 of the ZUP. On the basis of Article 139 of the ZUP, it assessed that additional procedural actions to determine the actual situation are not necessary.<br />
<br />
General information on the right to access medical documentation after the patient's death<br />
<br />
The right to access medical documentation after the patient's death is regulated in Article 42 of the ZPacP. After the patient's death, the patient's spouse, common-law partner, partner from the same-sex community, children and adopted children, and when these persons are not available, the patient's parents have the right to get acquainted with the patient's medical documentation. These persons are only given access to the data that is necessary to achieve the legitimate purpose of the information. However, if these persons want to get acquainted with the medical documentation that was created at a time when the deceased patient was not capable of making decisions about himself and this situation continued without interruption until his death, they must demonstrate a legal interest in getting acquainted (paragraph two). The request for familiarization of persons is partially or fully rejected if the law stipulates so or if the patient has expressly forbidden the familiarization in writing or orally in the presence of two witnesses before death (third paragraph). Regarding the prohibition, the law also provided for an exception: despite the patient's prohibition, the patient's parents, descendants, spouse, common-law partner, partner from the same-sex community, brothers and sisters or other persons close to the patient may, through the doctor, become familiar with those personal data that are or could be important for their health (fourth paragraph). The healthcare provider decides on the request for information within 15 days of receiving the reasoned request. If the request is partially or fully rejected, the entitled persons have the right to file a complaint with the IP (fifth paragraph).<br />
<br />
The applicant can therefore become familiar with the medical documentation of the deceased patient under the following conditions:<br />
- the request for familiarization is explained in such a way that it is clear what the purpose of the familiarization is,<br />
- the claimed purpose of familiarization is not illegal,<br />
- the kinship relationship with the deceased patient is demonstrated in an appropriate manner and<br />
- the deceased patient did not prohibit access to his medical documentation during his lifetime.<br />
<br />
At the same time, it must be taken into account that the right to access the medical documentation after the patient's death is the right of persons from Article 42 of the ZPacP, which is opposed by the patient's right to prohibit such access, and both rights can be granted under the conditions set by law and limited to a certain extent.<br />
<br />
On the ability to judge<br />
<br />
A free and serious declaration of will cannot conceptually be given by a person who is not able to understand the meaning of the will he declares. The ability to judge is not specifically regulated in our legislation. It is the actual ability to understand the meaning of one's actions, or the ability to understand the meaning of a declaration of will and the legal consequences it causes. A necessary condition for the ability to judge is the actual psychophysical properties of the subject. For example, the ability to judge is a prerequisite for the validity of the declaration of business will. As a general rule, the capacity to judge is assumed in persons who have business capacity. However, this assumption is not irrefutable. There may be a discrepancy between business capacity and the ability to judge, especially when a person with full business capacity loses the actual capacity to judge (for example, due to dementia), and business capacity has not yet been formally taken away.<br />
<br />
ZPacP defines the capacity to make decisions about oneself in point 19 of Article 2, which is the ability of the patient to independently exercise the rights from this law. The patient is capable of making decisions about himself if, based on his age, maturity, state of health or other personal circumstances, he is able to understand the meaning and consequences of exercising the rights from this law, especially the consent, refusal or revocation of the refusal of medical intervention or medical treatment. The patient's right to prohibit access to his medical documentation during his lifetime to a person who, based on Article 42 of the ZPacP, is otherwise entitled to familiarize himself with this documentation after the patient's death, could also be understood as exercising the right from this law.<br />
<br />
The ZPacP does not specify more precisely what the prohibition of familiarization from the third paragraph of Article 42 of the ZPacP must be (except that it must be given explicitly and in writing or orally in the presence of two witnesses). Both from the general requirement for the ability to make judgments and from the definition of the ability to make decisions about oneself, it undoubtedly follows that at the time of giving such a prohibition, the patient must be able to understand the meaning of this statement and the consequences it causes, and it is not only the legal capacity that is relevant, but the actual ability to form a valid will, taking into account age, maturity, state of health and other personal circumstances.<br />
<br />
Assessment of the merits of the appeal<br />
<br />
The healthcare provider justified the rejection of the applicant's request for access to her deceased father's medical documentation by the existence of a prohibition under the third paragraph of Article 42 of the ZPacP. This stipulates that the request for the familiarization of the persons from the previous paragraph shall be partially or completely rejected, if the law stipulates so or if the patient expressly prohibited the familiarization in writing or orally in the presence of two witnesses before death. Since the other conditions for familiarization were not disputed, the IP did not elaborate on them in this decision.<br />
<br />
In this specific case, it is essential whether the ban on familiarization according to the third paragraph of Article 42 of the ZPacP, to which the healthcare provider refers, meets all the conditions for validity. It is a document entitled "Authorization" and dated 3 June 2022. The addressees are identified as .... (according to the explanations of the healthcare provider, this was the deceased's personal physician) and a nurse.... . The document states that …. "I forbid giving my health information, sending it to various specialist examinations, ordering it for my daughter..." and that the information "can only be obtained by my daughter.... (...), because we have a lifetime maintenance contract." On the other side of the document, there is a confirmation from the Administrative Unit... that... signed this document with his own hand.<br />
<br />
Based on the content of the document, the IP does not agree with the assessment given by the medical provider in the contested decision, that the deceased father clearly and unequivocally forbade the applicant to get acquainted with all the medical documentation relating to him. The will of the patient expressed during his lifetime must be interpreted taking into account all the circumstances that may be relevant in assessing the validity and scope of the ban on familiarization with his medical documentation relating to the period after death. The IP believes that the provider of health care in this specific case did not assess these circumstances, which are highlighted below, to a sufficient extent.<br />
<br />
First of all, the applicant's complaint that the late father did not "expressly" prohibit access to his medical documentation is important. For the prohibition to be valid according to the third paragraph of Article 42 of the ZPacP, it is not necessary that this term be directly stated in the document (or that the patient use it literally in the case of a verbal prohibition). According to the SSKJ, this word means that something is expressed clearly and definitely. The express prohibition must therefore be expressed unequivocally, whereby it must be clear that it is a prohibition of familiarization that takes effect after death, as well as to which medical documentation or to which provider of medical activity it refers and against whom it is effective.<br />
<br />
Therefore, in order to assess to whom a specific ban on familiarization applies, or how widely it has an effect, it is important who the addressee of the ban is. Given that the document containing the prohibition of "disclosing health information" is named "power of attorney" and is specifically addressed to the deceased's personal physician and nurse, it cannot automatically be considered that the prohibition applies to all healthcare providers who hold the deceased's documentation. The term power of attorney is usually understood to mean the right to represent, which is given by the authorizer through a legal transaction to the agent (first paragraph of Article 74 of the Code of Obligations; Official Gazette of the Republic of Slovenia, No. 97/07 – official consolidated text, 64/16 – Sec. US and 20/18 – OROZ631). From the title of the document, it could therefore be concluded that the deceased limited the prohibition of familiarization only to the medical documentation held by his personal doctor. The applicant's claims that the prohibition is not recorded in the central register of patient data (which is otherwise only a possibility, but not a condition for the validity of the prohibition), that the document was forwarded to the healthcare provider by a lawyer who also represents the applicant's sister (otherwise the provider would not have known about it at all), that the document was written by the applicant's sister, who is in dispute with the applicant, and that, despite the existence of this document, the applicant obtained the medical documentation of her deceased father from other healthcare providers.<br />
<br />
The prerequisite for issuing a valid ban is, as already explained, the ability to judge. The medical condition of the deceased, which should have been known to the healthcare provider at least for the period of his treatment, casts doubt on whether this ability could actually be assumed when the disputed prohibition was issued (i.e. 3 June 2022). This essential question was not clarified in the proceedings at first instance. With her assertions in the request and even more explicitly in this appeal procedure, among other things with an expert opinion..., the applicant sufficiently demonstrated a well-founded suspicion that, due to dementia, the late father was unable to understand the meaning of the content of the "power of attorney" he signed, and its consequences, at the time the prohibition was issued.<br />
<br />
The listed questions, which are important in assessing the validity of the rejection of the applicant's request, were not discussed in the first-level procedure, as a result of which the remaining factual situation was incompletely established. Based on the dementia of the deceased patient, the healthcare provider should determine his ability to issue a valid prohibition and, in the event of its existence, in addition to the narrow legal provisions, more critically assess the content of the document, which is said to contain the prohibition according to the third paragraph of Article 42 of the ZPacP.<br />
<br />
According to the applicant's statements, the IP also explains the following. On the basis of the fourth paragraph of Article 42 of the ZPacP, she could indeed be entitled to get acquainted with the health documentation of her deceased father in the part that relates to reasons that may significantly affect her health, but she did not claim this in her request of 24 October 2023 and instead requested this documentation for the purposes of probate proceedings. The IP points out that the applicant can submit a new request and justify this exception more concretely in order to obtain the required documentation. In relation to the alleged errors in the appointment of the guardian and violations of Article 275 of the Family Code, the IP adds that its powers are defined in Article 2 of the ZInfP and only cover the areas of personal data protection and access to public information. Therefore, it cannot decide whether there has been a violation of the legislation for which it is not competent to supervise, and whether liability for damages may be given. The subject of this appeal procedure is limited to the assessment of whether the health care provider justifiably refused the applicant's request for access to her deceased father's medical records pursuant to Article 42 of the ZPacP. The IP also points out that it does not have the role of the proposer of the law in relation to the complaint statements regarding the need to amend the legislation, but must, in accordance with the principle of legality from Article 6 of the ZUP, make decisions according to the law, by-laws, regulations of local communities and general acts issued for the exercise of public powers. Regarding the claims that the applicant must bring the deceased father's medical documentation as evidence to the probate hearing, the IP merely remarks that the court can generally only obtain the information necessary for the decision and the documents, if the client cannot get them handed over to her.<br />
<br />
Return to re-procedure and instructions to the healthcare provider<br />
<br />
The first paragraph of Article 251 of the ZUP stipulates that when the authority of the second instance determines that the facts were incompletely or erroneously established in the procedure at the first instance, that there were significant violations of the procedural rules in the procedure, or that the wording of the challenged decision is unclear or contrary to the reasoning, it completes the procedure and eliminates the mentioned deficiencies either by itself or through the authority of the first instance or through the requested authority. The third paragraph of the same article also stipulates that if the second-instance authority realizes that the shortcomings of the first-instance procedure will be eliminated faster and more economically by the first-instance authority, it cancels the first-instance decision with its own decision and returns the matter to the first-instance authority for a new procedure. In such a case, the authority of the second instance is obliged with its decision to warn the authority of the first instance regarding what the procedure needs to be supplemented, and the authority of the first instance must always act in accordance with this decision and issue a new decision without delay, but no later than within 30 days of receiving the case. The customer has the right to appeal against the new decision.<br />
<br />
The IP is obliged to respect the fundamental principles of the administrative procedure, therefore it must also take into account the principle of economy of the procedure from Article 14 of the ZUP and conduct the procedure quickly, which means with as little delay as possible for the clients and other participants in the procedure, but in such a way that everything that is necessary to determine the actual situation, protect the client's rights and legal interests, and issue a legal and correct decision. This will be most easily achieved by the healthcare provider at the first level, because the request for familiarization refers to the documentation that he has at his disposal and knows best. The set deadline for re-decision is in accordance with ZUP.<br />
<br />
It follows from the above findings that, in a repeated procedure based on the third paragraph of Article 42 of the ZPacP, the health care provider will have to assess whether there is a valid ban on familiarization with the medical documentation after the patient's death, explain this and make a new decision on the applicant's request. In doing so, he will have to primarily determine the patient's ability to judge at the time of the injunction and, on the condition that this assumption will not be challenged, also assess other relevant circumstances that the IP described in the previous section.<br />
<br />
Conclusive<br />
<br />
On the basis of the third paragraph of Article 251 of the ZUP, the IP upheld the appeal, eliminated the contested response of the healthcare provider and sent the matter back to him for retrial, because it was established that the facts were incompletely established in the first instance procedure, and the shortcomings will be more easily eliminated by the provider. He must make a decision on the applicant's request for information under Article 42 of the ZPacP no later than 30 days after receiving this decision (point 1 of the sentence of this decision).<br />
<br />
This decision is in accordance with the provisions of the Act on Administrative Fees (Official Gazette of the RS, No. 106/10 - official consolidated text, 14/15 - ZUUJFO, 84/15 - ZZelP-J, 32/16, 30/18 - ZKZaš and 189/20 – ZFRO) exempted from paying the administrative fee. No special costs were incurred in this appeal procedure (point 2 of the sentence of this decision).<br />
<br />
<br />
Lessons on the legal remedy:<br />
Neither an appeal nor an administrative dispute is allowed against this decision.<br />
<br />
<br />
Manager's procedure:<br />
………………………….. Mojca Prelesnik, Univ. B.Sc. right.,<br />
Information Commissioner<br />
</pre></div>
Im
https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9993548&diff=40544&oldid=0
Garante per la protezione dei dati personali (Italy) - 9993548
2024-03-26T17:40:42Z
<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=9993548 |ECLI= |Original_Source_Name_1=Garante per la protezione dei dati personali |Original_Source_Link_1=https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9993548 |Original_Source_Language_1=Italian |Orig..."</p>
<a href="https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9993548&diff=40544">Show changes</a>
Im
https://gdprhub.eu/index.php?title=Pers%C3%B3nuvernd_(Island)_-_2021051091&diff=40542&oldid=0
Persónuvernd (Island) - 2021051091
2024-03-26T15:46:11Z
<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo= |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Island) |Case_Number_Name=2021051091 |ECLI= |Original_Source_Name_1=Persónuvernd |Original_Source_Link_1=https://www.personuvernd.is/urlausnir/voktun-med-vinnuskilum-starfsmanns-a-veitingastadnum-subway%20 |Original_Source_Language_1=Icelandic |Original_Source_Language__Code_1=IS |Original_Source_Name_2= |Original_Source_Link_2= |Original_So..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Iceland<br />
|DPA-BG-Color=<br />
|DPAlogo=<br />
|DPA_Abbrevation=Persónuvernd<br />
|DPA_With_Country=Persónuvernd (Island)<br />
<br />
|Case_Number_Name=2021051091<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Persónuvernd<br />
|Original_Source_Link_1=https://www.personuvernd.is/urlausnir/voktun-med-vinnuskilum-starfsmanns-a-veitingastadnum-subway%20<br />
|Original_Source_Language_1=Icelandic<br />
|Original_Source_Language__Code_1=IS<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=04.05.2021<br />
|Date_Decided=12.03.2024<br />
|Date_Published=20.03.2024<br />
|Year=2024<br />
|Fine=1,500,00<br />
|Currency=ISK<br />
<br />
|GDPR_Article_1=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1b<br />
|GDPR_Article_2=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1a<br />
|GDPR_Article_3=Article 6(1) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1<br />
|GDPR_Article_4=Article 12 GDPR<br />
|GDPR_Article_Link_4=Article 12 GDPR<br />
|GDPR_Article_5=Article 13 GDPR<br />
|GDPR_Article_Link_5=Article 13 GDPR<br />
|GDPR_Article_6=Article 30 GDPR<br />
|GDPR_Article_Link_6=Article 30 GDPR<br />
|GDPR_Article_7=Article 58(2) GDPR<br />
|GDPR_Article_Link_7=Article 58 GDPR#2<br />
|GDPR_Article_8=Article 83 GDPR<br />
|GDPR_Article_Link_8=Article 83 GDPR<br />
|GDPR_Article_9=<br />
|GDPR_Article_Link_9=<br />
|GDPR_Article_10=<br />
|GDPR_Article_Link_10=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Stjörnuna ehf, the operator of Subway in Iceland<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=ec<br />
|<br />
}}<br />
<br />
The Icelandic DPA imposed a fine of €10,059.92 (ISK 1,500,00) on Stjörnuna ehf, the operator of Subway in Iceland for unlawfully monitoring its employees.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject is an employee at Subway in Iceland. <br />
<br />
The controller is Stjörnuna ehf, the operator of Subway in Iceland.<br />
<br />
The data subject filed a complaint to the Icelandic DPA (Persónuvernd) on 4 May 2021.<br />
<br />
The data subject claimed that the store manager monitored him in real time at home, and thus outside the workplace, and called the workplace to give comments on the data subject’s work style based on the footage. This was done without the data subject’s knowledge. <br />
<br />
The controller argued in a letter to the DPA that it had installed the surveillance cameras for the sake of security and property protection. The purpose of the monitoring is factual, the surveillance camera system has been used in a reasonable manner and it has not been used for the control of workers or for monitoring work results. The controller claimed that the store manager went beyond the stated purpose of the monitoring and used the footage to monitor the work performance of the employees without the consent or knowledge of the company representatives. Immediate action was taken to prevent this from happening again.<br />
<br />
However, in a subsequent letter, the controller denied that the store manager regularly monitored staff in real time through the restaurant's surveillance camera system and commented on their work style and behaviour. The controller argued that the store manager was looking at the surveillance camera system on the day in question out of fear that bread was running out. However, the store manager noticed that there was a big queue which did not change after 5 minutes, and therefore called the data subject, who was in the rest area, to request that the data subject serve the customers. <br />
<br />
Lastly, the controller argued that since there was no systematic collection of information, they had no obligation, beyond the installation of signs about the surveillance cameras in the workplace, to inform employees further about the monitoring.<br />
<br />
=== Holding ===<br />
Firstly, the DPA found the arguments of the controller conflicting, as the purpose for processing was either in the interests of security and property protection or quality control. Regardless of which argument should be taken into account, the DPA held that it is clear that the store manager’s use of the footage from the surveillance cameras does not fall under the stated purpose of the company’s monitoring for security and property protection. Moreover, the DPA held that monitoring for controlling the work of the employees is only possible if there are no other means available and it is necessary due to an agreement. The controller did not demonstrate this. Moreover, under Article 5(1)(b), monitoring must be carried out for a specified, explicit and legitimate purpose. The DPA found that the controller did not demonstrate that quality control was the purpose of monitoring or that the objectives of quality control cannot be achieved with other and less intrusive measures. Therefore, the DPA found that there was no authorisation for processing under [[Article 6 GDPR#1|Article 6(1) GDPR]]. <br />
<br />
Secondly, the DPA explained that personal data must be processed in a fair and transparent manner in relation to the data subject under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. This means that data subjects should be aware when their personal data is collected, used, viewed or processed in another way. Moreover, in light of [[Article 13 GDPR|Article 13 GDPR]], information must be provided to the data subject, who must be given a clear picture of the monitoring, including its purpose, how it is carried out, how access to monitoring material is arranged and how long the data is stored. The DPA found that the data subject was not adequately informed about the monitoring or what his rights were concerning the monitoring. Moreover, the DPA rejected the controller’s claim that the installation of signs about the monitoring was satisfactory, as these signs do not state who is responsible for the monitoring. <br />
<br />
Thirdly, the DPA found that the controller did not keep a record of the processing activities required under [[Article 30 GDPR|Article 30 GDPR]].<br />
<br />
Thus, the DPA ordered the controller under [[Article 58 GDPR#2|Article 58(2) GDPR]] to erase all screenshots of the data subject at work and to inform its data subject about the monitoring, including the purpose of the monitoring and their rights related to it, and to keep a record of its processing activities. Moreover, the DPA imposed an administrative fine of €10,059.92 (ISK 1,500,00) on the controller under [[Article 83 GDPR|Article 83 GDPR]] due to the controller’s violations of [[Article 5 GDPR#1|Article 5(1) GDPR]], [[Article 6 GDPR|Article 6 GDPR]], [[Article 12 GDPR|Article 12 GDPR]] and [[Article 13 GDPR|Article 13 GDPR]].<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>
Ec
https://gdprhub.eu/index.php?title=Rb._Overijssel_-_ZWO_22/775&diff=40533&oldid=0
Rb. Overijssel - ZWO 22/775
2024-03-26T11:40:30Z
<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Rb. Overijssel |Court_Original_Name=Rechtbank Overijssel |Court_English_Name=District Court Overijssel |Court_With_Country=Rb. Overijssel (Netherlands) |Case_Number_Name=ZWO 22/775 |ECLI=ECLI:NL:RBOVE:2024:594 |Original_Source_Name_1=Rechtspraak |Original_Source_Link_1=https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:RBOVE:2024:594 |Original_Source_Language..."</p>
<p><b>New page</b></p><div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Netherlands<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Rb. Overijssel<br />
|Court_Original_Name=Rechtbank Overijssel<br />
|Court_English_Name=District Court Overijssel<br />
|Court_With_Country=Rb. Overijssel (Netherlands)<br />
<br />
|Case_Number_Name=ZWO 22/775<br />
|ECLI=ECLI:NL:RBOVE:2024:594<br />
<br />
|Original_Source_Name_1=Rechtspraak<br />
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:RBOVE:2024:594<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=02.02.2024<br />
|Date_Published=02.02.2024<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 4(1) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#1<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Enschede municipality<br />
|Party_Link_1=<br />
|Party_Name_2=Autoriteit Persoonsgegevens (Dutch DPA)<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_From_Body=Autoriteit Persoonsgegevens<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://autoriteitpersoonsgegevens.nl/actueel/boete-gemeente-enschede-om-wifitracking<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Droogstoppel<br />
|<br />
}}<br />
<br />
A court ruled that the Dutch DPA did not prove that the MAC addresses constituted personal data (cf [[Article 4 GDPR#1|Article 4(1) GDPR]]), because it did not sufficiently prove that the controller would be able to identify persons connected to the MAC addresses.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 6 September 2017 the municipality of Enschede decided to start 24/7 WiFi tracking in the centre of the city. Its purpose was to measure the effectiveness of municipal investments, in view of the responsible use of public funds. The contract to execute this task was given to City Traffic B.V., now Bureau RMC. Bureau RMC then contracted an unnamed party to do the installation and maintenance of the sensors and to collect and validate the data gathered by the sensors. Information collected included hashed MAC-addresses, date and timestamp of exposure, signal strength and sensor ID. It was stored for a period between 6 and 7 months. Starting from 1 January 2019 the hashed MAC-addresses were also truncated. On 30 April 2020 the municipality gave an assignment to Bureau RMC to switch the tracking sensors off.<br />
<br />
The Dutch DPA concluded that the chosen anonymization method of truncating a small part of the hashed MAC address does not sufficiently exclude the risks of singling out, linking or deducing a person’s identity based on a pseudonymous identifier + timestamp + location information (available via the sensor ID). According to the Dutch DPA, employees of the controller could identify people in three ways:<br />
(a) When someone walks past a sensor, their MAC address is registered, and an employee in the vicinity of the sensor could see who is walking by and link the MAC address to the person walking by at that moment. <br />
(b) The moment that a device enters the range of the sensor and the moment when the device leaves the range of the sensor were stored. If someone enters the range of a sensor for a longer time without exiting it, an employee could find out who is in the range of the sensor in the corresponding time span and connect the MAC address to that person. <br />
(c) An employee could determine a movement pattern based on the readings of multiple sensors, and use this information to link the MAC address to a specific person.<br />
<br />
Because of these reasons the Dutch DPA held that the data processed by the controller constituted personal data. The Dutch DPA considered that the controller did not have an adequate legal basis for processing the personal data, and imposed a fine of €600,000.<br />
<br />
=== Holding ===<br />
The main question the court answered in the case was whether the Dutch DPA had proven that MAC addresses constitute personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]]. <br />
<br />
The court held that the Dutch DPA had insufficiently substantiated its claim that employees of the company would be able to identify the natural person connected to a MAC address. The court noted that the Dutch DPA was using too many assumptions in its argumentation. For example, the controller held that the range of the WiFi sensors was large, and the DPA assumed (without proof) that this claim by the controller was wrong. Because of the use of unproven assumptions, the court concluded that the Dutch DPA has not proven that the MAC addresses constitute personal data. Therefore the Dutch DPA has not proven that the controller had infringed the GDPR. Therefore it overturned the DPA's previous decision and annulled the fine that the Dutch DPA had imposed on the municipality.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
Rulings

Some judicial decisions are published on Rechtspraak.nl. This is done anonymously.
This ruling has been anonymized according to the anonymization guidelines.
ECLI: ECLI:NL:RBOVE:2024:594
Authority: Overijssel District Court
Judgment date: 02-02-2024
Date of publication: 02-02-2024
Case number: ZWO 22/775
Jurisdictions: Administrative law
Special characteristics: First instance - multiple
Content indication:

The court declares the appeal of the municipality of Enschede well-founded. The municipality appealed against an administrative fine of 600,000 euros imposed by the Dutch Data Protection Authority.
Locations: Rechtspraak.nl; Sdu News Privacy Law 2024/105; Sdu News Privacy Law 2024/20
Ruling
<br />
OVERIJSSEL COURT<br />
<br />
Location Zwolle<br />
<br />
Administrative law<br />
<br />
case number: ZWO 22/775<br />
<br />
ruling of the multiple chamber in the case between<br />
<br />
the mayor and aldermen of Enschede, plaintiff,<br />
<br />
authorized representative: Mr. M.H. Elferink,<br />
<br />
and<br />
Dutch Data Protection Authority, hereinafter: AP,<br />
<br />
authorized representative: Mr. J.M.A. Koster.<br />
Introduction<br />
<br />
In this ruling, the court assesses the plaintiff's appeal against the administrative fine of €600,000 imposed on him by the AP.<br />
<br />
With the contested decision of April 6, 2022 on the plaintiff's objection to the fine decision of March 11, 2021, the AP has stood by that decision.<br />
<br />
The court heard the appeal on November 29, 2023. The plaintiff appeared before K.B.H. Ligthart-Kaalverink, assisted by the authorized representative and M.M. Shorter. The AP was represented by its representative, assisted by W. van Steenbergen and V. Klos.<br />
<br />
Furthermore, [name], hereinafter [name], was heard.<br />
Establishment of the decision<br />
1.1<br />
<br />
On September 5, 2017, the plaintiff decided to start 24/7 footfall counts via sensors in the city center of Enschede from September 6, 2017 to gain insight into visitor numbers. The contract for this has been awarded to [company 1] B.V., now [company 1]. This agency has engaged [company 2] B.V. for the technology.
1.2<br />
<br />
On July 16, 2018, the AP received a complaint from [name] requesting enforcement action against the municipality of Enschede due to WiFi tracking that infringes the privacy of Enschede residents and visitors.<br />
1.3<br />
<br />
The AP received two more complaints about WiFi tracking from the plaintiff on December 2, 2018 and January 4, 2019.<br />
1.4<br />
<br />
The AP subsequently launched an investigation. In this context, information has been requested from the plaintiff, [company 1] and [company 2] B.V. On May 29, 2019, AP supervisors conducted a local investigation at a number of retailers in the city center of Enschede where a sensor was located.<br />
1.5<br />
<br />
On April 21, 2020, the AP released an investigation report, which concluded in summary that the processing of personal data of owners/users of mobile devices with Wi-Fi enabled in the city center of Enschede is unlawful. The defendant concludes that the plaintiff, as controller, has acted in violation of the General Data Protection Regulation (GDPR) from May 25, 2018 until the date of the report.<br />
1.6<br />
<br />
Following this report, the AP announced its intention on May 8, 2020 to impose a sanction on the claimant, namely an administrative fine and/or a penalty payment.<br />
1.7<br />
<br />
The plaintiff has submitted an opinion against this intention.<br />
1.8<br />
<br />
By decision of March 11, 2021, the AP imposed an administrative fine on the plaintiff of €600,000 because the plaintiff (from May 25, 2018 to April 30, 2020) processed, without any basis, personal data of owners/users of mobile devices with Wi-Fi enabled in the city center of Enschede. The plaintiff has thus violated Article 5, first paragraph under a, jo. Article 6(1) of the GDPR.
1.9<br />
<br />
The plaintiff has appealed against this decision. A hearing took place on September 16, 2021.<br />
1.10<br />
<br />
In the decision of April 6, 2022, which was contested on appeal, the AP declared the objection unfounded.<br />
Assessment by the court<br />
<br />
Can [name] be regarded as a third party?<br />
2.1<br />
<br />
The court has designated [name] as a third party at the request of the AP. The plaintiff has taken the position that [name] cannot be regarded as such.<br />
2.2<br />
<br />
[name] has submitted a request for enforcement. Such a request is only an application within the meaning of Article 1:3, third paragraph, of the General Administrative Law Act (GALA), if this request has been made by an interested party. The response to such a request submitted by an interested party is then a decision as referred to in Article 1:3, first paragraph, of the General Administrative Law Act, against which legal remedies can be used. In accordance with Article 1:2, first paragraph, of the General Administrative Law Act, an interested party is defined as: the person whose interest is directly involved in a decision. Only those who have a sufficiently objective and current personal interest that is directly involved in the enforcement decision are in principle an interested party in that decision. The question is whether [name] has such an interest.<br />
2.3<br />
<br />
At the hearing, [name] stated uncontested that he – a resident of Enschede – passed the sensors in the city center with WiFi enabled on his mobile phone and must have been spotted. He believes this is the processing of personal data and considers this a violation of his privacy.<br />
2.4<br />
<br />
In the opinion of the court, this passing of the sensors does not distinguish [name] from other people visiting the city center of Enschede, but he can be regarded as an interested party, provided it is established that the plaintiff has processed personal data in violation of the GDPR. The reason for this is that the protection of privacy under European law requires this. The answer to the question of whether [name] can be regarded as a third party in this case depends on the court's opinion in this ruling as to whether the plaintiff has processed personal data. The court finds support for this method of assessment in the ruling of the Administrative Jurisdiction Division of the Council of State dated 18 February 2018 (ECLI:NL:RVS:2018:590).
<br />
Assessment framework<br />
3.1<br />
<br />
Pursuant to Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.<br />
3.2<br />
<br />
Recital 26 of the GDPR states that the principles of data protection should apply to any information relating to an identified or identifiable natural person. Pseudonymized personal data that can be linked to a natural person through the use of additional data should be regarded as data relating to an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all means that could reasonably be expected to be used by the controller or by another person to directly or indirectly identify the natural person, for example selection techniques. In order to determine whether means can reasonably be expected to be used to identify the natural person, all objective factors, such as the cost and time required for identification, should be taken into account, taking into account the technology available at the time of processing and technological developments. The data protection principles should therefore not apply to anonymous data, namely data that does not relate to an identified or identifiable natural person or to personal data that has been anonymized in such a way that the data subject is not or no longer identifiable. This Regulation therefore does not concern the processing of such anonymous data, including for statistical or research purposes.
3.3<br />
<br />
Article 5(1)(a) of the GDPR stipulates that personal data must be processed in a manner that is lawful, fair and transparent in relation to the data subject (“lawfulness, fairness and transparency”).<br />
3.4<br />
<br />
Pursuant to Article 6(1) of the GDPR, processing is only lawful if and to the extent that at least one of the following conditions is met:

a) the data subject has given permission for the processing of his personal data for one or more specific purposes;

b) the processing is necessary for the execution of an agreement to which the data subject is a party, or to take measures at the request of the data subject before the conclusion of an agreement;

c) the processing is necessary for compliance with a legal obligation that rests on the controller;

d) the processing is necessary to protect the vital interests of the data subject or of another natural person;

e) the processing is necessary for the performance of a task carried out in the public interest or of a task in the context of the exercise of public authority that has been assigned to the controller;

f) the processing is necessary for the pursuit of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, especially when the data subject is a child.
<br />
Point (f) of the first paragraph shall not apply to processing by public authorities in the exercise of their duties.<br />
3.5<br />
<br />
Pursuant to Article 18, paragraph 1, of the GDPR Implementation Act, the AP may impose an administrative fine of up to the amounts mentioned in these paragraphs.<br />
3.6<br />
<br />
Article 83(5)(a) of the GDPR provides that breaches of the basic principles of processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9 are subject to administrative fines of up to €20,000,000.<br />
<br />
Is there a violation? Is there (processing of) personal data involved?<br />
<br />
4. The court points out that according to settled case law, if the imposition of an administrative fine by an administrative body concerns a discretionary power, the burden of proof of the violation lies with the administrative body, whereby high requirements are imposed on the evidence. The court will assess whether the AP has provided sufficient evidence for the claim that the plaintiff has processed personal data in violation of Article 5(1)(a) in conjunction with Article 6(1) of the GDPR.<br />
<br />
5. The documents submitted by the plaintiff and the AP show that in the context of the intended passer-by count in the city center of Enschede in the period from May 25, 2018 to April 30, 2020, the MAC addresses of owners/users of mobile devices with Wi-Fi enabled were collected with ten sensors. The MAC addresses were temporarily stored in the sensor's working memory and then hashed (pseudonymized), after which the hashed MAC address was immediately forwarded to the PFM server. On the server, the last three characters of the hashed MAC address were cut off (since January 1, 2019).<br />
<br />
6. The AP takes the position that the identity of the natural person does not follow directly from the MAC address or the pseudonymised MAC address and the location data of the sensors, but that the natural person is identifiable on the basis of these identifiers.<br />
<br />
7. The AP has mentioned three different ways to do this, namely:<br />
<br />
a. identification of persons based on the data stored on the sensor:<br />
<br />
PFM knows the exact location of the sensors and has access to the working memory and the software running on each sensor. At the same time as a new detection of a mobile device by a sensor, it is possible for someone from PFM to observe on site which person is walking within the range of the sensor. Especially at quiet times in the city center, this immediately leads to the identification of natural persons. For verification purposes, the person may be asked for his/her MAC address.<br />
<br />
b. identification of persons using the data in the short-term table (until January 1, 2019):<br />
<br />
PFM is responsible for collecting and validating the data. The short-term table on the server is owned by PFM. From mobile devices that enter the range of a sensor, data with an associated 'status 1' is included in the short-term table and if the same mobile device leaves the range of the sensor a little later, data with 'status 2' is sent to the short-term table. However, if a mobile device remains within range of a certain sensor, for example because that person lives or works within it, then the short-term table will only contain a status 1 record containing the pseudonymised MAC address, date and time. If a status 2 record is missing for a longer period of time, PFM is aware that the person in question (possibly a resident or store employee) is still within range of the sensor. Someone from PFM can then determine on the spot which person is involved and identify the person.<br />
<br />
c. identification of persons based on the data in the long-term table:<br />
<br />
For PFM it is also possible to identify natural persons based on the historical data included in the long-term table on the server. Defendant has established that living and movement patterns can be recognized in the long-term table from after January 1, 2019, i.e. after the introduction of cutting off three characters from the hashed MAC address. This will also be the case in the long-term table from before January 1, 2019, when it still contained unique pseudonymised MAC addresses, because six months of data were always stored at that time. Using a pattern, it is possible for PFM to predict when the natural person in question is located somewhere, for example the person who moves between sensors in the city center of Enschede every night between 4:00 AM and 5:00 AM. At night there are hardly any other people on the street and it is possible for PFM to identify this person on the spot.<br />
<br />
8. According to the AP, these three ways of identifying natural persons do not require excessive effort from PFM, given the required time, costs and manpower. The fact that PFM employees do not use these resources in practice to identify people in the city center of Enschede does not alter the fact that they could reasonably do so. The identification can also be done by employees of [company 1] because they have access to all data that PFM collects based on the service level agreement with PFM. The claimant can also make the identification because he also has access to all data based on the processor agreement with [company 1].<br />
<br />
9. The AP concludes that the combination of MAC address and location data and the combination of pseudonymised MAC address and location data on the sensor from May 25, 2018 to April 30, 2020 and in the short- and long-term table until January 1, 2019 qualify as personal data within the meaning of the GDPR.<br />
<br />
10. The court notes that when refuting the plaintiff's objections, the AP repeatedly bases itself on the implausibility of circumstances and equivalent wording instead of basing itself on research into facts. Reference is made to the following marginal numbers in the contested decision of April 6, 2022. No. 22: “The AP considers it implausible that the sensors actually receive signals 70 meters around the sensor.” No. 30: “The AP does not consider it plausible that this questioning would never, under any circumstances, lead to someone giving out their MAC address. In any case, it cannot be ruled out…” No. 37: “Although the AP has not established that remote login is possible (…) Although the AP has not investigated and established (…)” No. 39: “(…) which makes it unlikely that it would be impossible for PFM to access the information stored in the cache memory.” No. 42: “The AP finds it plausible that PFM has the knowledge and programming skills to be able to distill living patterns from the long-term table.”<br />
<br />
11. Furthermore, the court understands that the AP dropped the observation of natural persons with a camera mentioned in the fine decision of March 11, 2021 as a possibly illegal means in the contested decision of April 6, 2022.<br />
<br />
12. The court notes that the AP has essentially based its decisions on the ability of the plaintiff to identify natural persons on site on the basis of hashed, pseudonymised and clipped MAC addresses. In the aforementioned ways, the AP assumes the possibility that an employee of the agencies engaged by the claimant or an employee of the claimant itself could be on site at some time in the early morning, when there are few people on the street, to determine that a specific, unique mobile device user is within range of a sensor and could potentially identify that person.<br />
<br />
13. The court is of the opinion that the AP has not sufficiently investigated whether the methods it mentions indeed make it possible, in the given situation, to determine the identity of a user of a mobile device with the naked eye. The AP's mere assertion that the employees in question could reasonably do this does not convince the court. In view of recital 26 of the GDPR, the AP should have investigated whether it could reasonably be expected that the said means would be used to directly or indirectly identify the natural person, taking into account the costs and time required for identification, as well as the technology available at the time of processing and technological developments.<br />
<br />
14. On this basis, the court is of the opinion that the AP, especially in view of the heavy burden of proof resting on the defendant in the event of the imposition of an administrative fine, has not proven that the plaintiff, with the method he used, processed personal data of owners/users of mobile devices with Wi-Fi enabled in the city center of Enschede. It follows that the AP has not proven that the plaintiff committed the offense of which he is accused.<br />
<br />
15. It then follows that [name] cannot be regarded as a third party.<br />
Conclusion<br />
<br />
16. The AP has imposed an administrative fine on the plaintiff on incorrect grounds, so that this decision cannot be upheld. The claimant's appeal is well-founded. The court will annul the contested decision of April 6, 2022 and revoke the fine decision of March 11, 2021.<br />
<br />
17. The court sees reason to order the AP to pay the plaintiff's legal costs. These costs have been calculated on the basis of the Administrative Law Costs Decree (Bpb) at € 2,998 (1 point for the notice of objection + 1 point for the hearing at € 624 per point + 1 point for the notice of appeal + 1 point for appearing at the hearing x weighting factor 1 x € 875 per point).<br />
18.1<br />
<br />
The claimant has requested reimbursement of travel and lost time costs of the representative K.B.H. Ligthart-Kaalverink, who appeared on her behalf. An amount of € 148.90 has been declared for travel costs and an amount of € 356 for lost time costs for two hours for attending the hearing.<br />
18.2<br />
<br />
The court is of the opinion that the travel costs are eligible for reimbursement. Travel costs will be reimbursed on the basis of public transport, second class. The court therefore sets the travel costs eligible for reimbursement at € 29.78.<br />
18.3<br />
<br />
There is no reason for reimbursement of the lost time costs in accordance with Article 2, first paragraph, opening words and under e, of the Bpb since, in the opinion of the court, Mrs Ligthart-Kaalverink is employed by the claimant and it has not emerged that she had to take unpaid leave to attend the hearing. In addition, these costs have not been substantiated in any way.<br />
<br />
19. There is also reason to order the AP to reimburse the court fee of € 365 paid by the plaintiff.<br />
Decision<br />
<br />
The court<br />
<br />
- declares the appeal well-founded;<br />
- annuls the contested decision;<br />
- revokes the decision of March 11, 2021;<br />
- orders the AP to pay the legal costs, estimated to date at € 3,027.78;<br />
- orders that the AP reimburse the plaintiff for the court fee of € 365 paid by her.<br />
<br />
This statement was made by Mr. J.W.M. Bunt, chairman, and Mr. A. Oosterveld and Mr. W.J.B. Cornelissen, members, in the presence of Y. van Arnhem, clerk. The verdict was pronounced in public on<br />
<br />
clerk<br />
<br />
<br />
chair<br />
<br />
A copy of this ruling has been sent to the parties on:<br />
Information about appeal<br />
<br />
A party that does not agree with this ruling can send an appeal to the Administrative Jurisdiction Division of the Council of State explaining why this party does not agree with this ruling. The appeal must be submitted within six weeks of the day on which this decision was sent. If the petitioner cannot await the hearing of the appeal because the case is urgent, the petitioner can ask the preliminary relief judge of the Administrative Jurisdiction Division of the Council of State to take a provisional measure (a temporary measure).<br />
</pre></div>Droogstoppelhttps://gdprhub.eu/index.php?title=DSB_(Austria)_-_2023-0.420.407&diff=40529&oldid=0DSB (Austria) - 2023-0.420.4072024-03-25T10:28:28Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=2023-0.420.407 |ECLI=ECLI:AT:DSB:2023:2023.0.420.407 |Original_Source_Name_1=RIS |Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=07ee55d2-a0a6-4e00-8111-c779c3c97ceb&Position=1&SkipToDocumentPage=True&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachTe..."</p>
<a href="https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2023-0.420.407&diff=40529">Show changes</a>Magdalena04https://gdprhub.eu/index.php?title=Korkein_hallinto-oikeus_(Finland)_-_KHO:2024:34&diff=40520&oldid=0Korkein hallinto-oikeus (Finland) - KHO:2024:342024-03-24T21:33:57Z<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Finland |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Korkein hallinto-oikeus (Finland) |Court_Original_Name=Korkein hallinto-oikeus (Finland) |Court_English_Name=Supreme Administrative Court of Finland |Court_With_Country=Korkein hallinto-oikeus (Finland) (Finland) |Case_Number_Name=KHO:2024:34 |ECLI=ECLI:FI:KHO:2024:34 |Original_Source_Name_1=Korkein hallinto-oikeus |Original_Source_Link_1=https://www.kho.fi/fi/inde..."</p>
<a href="https://gdprhub.eu/index.php?title=Korkein_hallinto-oikeus_(Finland)_-_KHO:2024:34&diff=40520">Show changes</a>Fredhttps://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_(Finland)_-_H6072/2021&diff=40519&oldid=0Helsingin hallinto-oikeus (Finland) - H6072/20212024-03-24T21:28:58Z<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Finland |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Helsingin hallinto-oikeus (Finland) |Court_Original_Name=Helsingin hallinto-oikeus (Finland) |Court_English_Name=Administrative Court of Helsinki |Court_With_Country=Helsingin hallinto-oikeus (Finland) (Finland) |Case_Number_Name=H6072/2021 |ECLI= |Original_Source_Name_1=Helsingin hallinto-oikeus |Original_Source_Link_1=https://gdprhub.eu/index.php?title=File:Helsi..."</p>
<a href="https://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_(Finland)_-_H6072/2021&diff=40519">Show changes</a>Fredhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_918/154/2019&diff=40518&oldid=0Tietosuojavaltuutetun toimisto (Finland) - 918/154/20192024-03-24T21:22:05Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=918/154/2019 |ECLI= |Original_Source_Name_1=Tietosuojavaltuutetun toimisto |Original_Source_Link_1=https://tietosuoja.fi/documents/6927448/204092115/P%25C3%25A4%25C3%25A4t%25C3%25B6s_918.154.2019_verkkoon.pdf/8f7ae20b-bfd8-1060-6da8-1a930ee32171/P%25C3%25A4%25C3%25A4t%25C3..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=918/154/2019<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Tietosuojavaltuutetun toimisto<br />
|Original_Source_Link_1=https://tietosuoja.fi/documents/6927448/204092115/P%25C3%25A4%25C3%25A4t%25C3%25B6s_918.154.2019_verkkoon.pdf/8f7ae20b-bfd8-1060-6da8-1a930ee32171/P%25C3%25A4%25C3%25A4t%25C3%25B6s_918.154.2019_verkkoon.pdf?t=1710926261537<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=31.01.2019<br />
|Date_Decided=03.06.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 17(1) GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR#1<br />
|GDPR_Article_2=Article 58(2)(c) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#2c<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 34(2)(4) Act on the Processing of Personal Data by the Police<br />
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2019/20190616#L5P34<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Google LLC<br />
|Party_Link_1=https://www.google.com/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=Helsingin hallinto-oikeus<br />
|Appeal_To_Case_Number_Name=H6072/2021<br />
|Appeal_To_Status=Appealed - Overturned<br />
|Appeal_To_Link=https://gdprhub.eu/index.php?title=File:Helsingin_hallinto-oikeus_H6072-2021.pdf<br />
<br />
|Initial_Contributor=fred<br />
|<br />
}}<br />
<br />
The DPA ordered Google to remove several search result links from Google Search, as they had led to outdated information about the data subject.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Pursuant to [[Article 17 GDPR#1|Article 17(1) GDPR]], the data subject had requested Google LLC (the controller) to remove several search result links from Google Search because they led to outdated information about the data subject. The controller had only removed some of the links, rather than implementing the request in its entirety.<br />
<br />
The controller stated that the search result links led to online content, the main subject of which was the arrest warrant issued against the data subject. The controller argued that it had a substantial legitimate interest in keeping the information available to ensure the safety of those dealing with the data subject.<br />
<br />
The data subject claimed that they had already served their prison sentence in full and that the arrest warrant had not been valid since April 2011. Consequently, the information was no longer necessary for the purposes for which it was originally processed. The data subject emphasised that the information about the warrant caused them harm, as it was both inaccurate and outdated.<br />
<br />
=== Holding ===<br />
The DPA considered that since the arrest warrant was no longer valid, the public no longer had a reason to inform the police of their sightings of the data subject. Therefore, due to the passage of time, the availability of the information could no longer be considered justified.<br />
<br />
The DPA also emphasised the importance of the statutory retention period for the arrest warrant. According to [https://www.finlex.fi/fi/laki/ajantasa/2019/20190616#L5P34 Section 34(2)(4) of the Finnish Act on the Processing of Personal Data by the Police], other data concerning an arrest warrant processed for the purpose of finding, monitoring, surveillance or protection of individuals are erased three years after the cancellation or expiry of the warrant or prohibition.<br />
<br />
On the basis of the information gathered, the DPA concluded that the information on the arrest warrant against the data subject was no longer of importance to society.<br />
<br />
As a result, and in accordance with [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], the DPA ordered the controller to comply with the data subject's request to remove the search result links in question.<br />
<br />
== Comment ==<br />
The Finnish DPA has issued five other decisions regarding the removal of search result links from Google Search, one in favour of Google in case 4543/154/2018 and four against it in cases 5756/154/2018, 6722/154/2018, 8004/154/2018 and 903/154/2019.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
DECISION OF THE DEPUTY DATA PROTECTION OFFICER IN THE MATTER OF DELETING DATA<br />
<br />
Subject: Removing search result links from the search results of the Google Search search service<br />
<br />
Applicant x<br />
<br />
The controller is Google LLC<br />
<br />
The applicant's requirements with justification<br />
<br />
On January 31, 2019, the applicant has initiated a case at the data protection commissioner's office regarding the removal of url search result links from the Google Search search service. The issue has been about url search result links:<br />
<br />
1) x;<br />
2) x;<br />
3) x;<br />
4) x;<br />
5) x;<br />
6) x;<br />
7) x;<br />
8) x;<br />
9) x;<br />
10) x;<br />
11) x; and<br />
12) x.<br />
<br />
In clarifying the matter, Google LLC has announced that it has accepted the applicant's request regarding url search result links 2) and 12). When preparing this decision, these url search result links were not available in connection with a Google search performed under the applicant's name, which is why this decision is limited to url search result links 1) and 3)–11).<br />
<br />
The url search result links that are the subject of the decision lead to online content, the main subject of which is the published wanted advertisement for the applicant. However, information is also available that in February 2010 the Helsinki Court of Appeal had sentenced the applicant to a prison sentence of nine years and four months for a serious drug crime. The online content describes the applicant's appearance. The observations concerning the applicant are requested to be reported to the command center of the Helsinki Police.<br />
<br />
The applicant has justified his removal request by, among other things, that information can be found behind the url search result links requested to be removed, which is already out of date. The applicant has said that the wanted notice in question has not been valid since April 2011. The applicant has emphasized that the online content in question specifically concerns the wanted notice, not the facts behind the wanted notice.<br />
<br />
Statement received from the controller<br />
<br />
The applicant has himself submitted a request to the controller to delete the search result links and received a negative response to his request. The data protection commissioner's office has also requested an explanation from the controller. The controller has issued its report on 9 April 2020.<br />
<br />
The controller has announced that it has reconsidered the matter. However, with the exception of url search result links 2) and 12), the controller has stuck to its original decision. In the report given, it has been established that the online content in question deals with the fact that the applicant had been the subject of a police search. It has been said that the applicant avoided the prison sentence he received.<br />
<br />
The controller has also invoked the guidelines of the data protection working group in accordance with Article 29, according to which, in connection with crimes, data protection authorities are more likely to consider deleting search results related to relatively minor and long-ago crimes and less likely to delete results related to serious and recent crimes.<br />
<br />
It has also been stated in the report that this case is about information regarding the applicant's prison sentence for a drug offence. The controller has considered that there is a strong legitimate interest in keeping the information available to ensure the safety of those dealing with the applicant.<br />
<br />
The applicant's response<br />
<br />
The applicant is given the opportunity to give his answer in the case. The applicant has given his answer on 20 April 2020.<br />
<br />
In the response given, it has been stated that the applicant had not avoided the nine years and four months prison sentence he received for serious drug crimes. The online content is from a time before the judgment in question came into force. The applicant has said that he served his prison sentence after the sentence became final.<br />
<br />
Contrary to what was stated in the report, the online content specifically concerns the wanted notice published for the applicant - not the underlying crime. The wanted notice has not been valid since April 2011. The information on the wanted notice is therefore both incorrect and out of date. The applicant has said that he has completed his prison sentence in full. Since the search warrant is no longer valid, the applicant has considered that the information is no longer needed for the purposes for which it was originally processed. Having information available is a disadvantage for the applicant.<br />
<br />
Legal question<br />
<br />
The Deputy Data Protection Commissioner assesses and decides the applicant's case based on the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). When deciding the matter, the Deputy Data Protection Commissioner also takes into account the European Data Protection Board's Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR, issued on 2 December 2019 (later the European Data Protection Board's interpretation guidelines), the European Court of Justice judgments C-131/12 and C-136/17 and, where applicable, the guidelines issued on 26 November 2014 by the Article 29 Data Protection Working Party on the implementation of the Court of Justice of the European Union judgment "Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 (later the interpretation guidelines of the Article 29 Data Protection Working Party).<br />
<br />
The Deputy Data Protection Commissioner must decide whether the data controller should be given an order according to Article 58, paragraph 2, subsection c of the General Data Protection Regulation to comply with the data subject's request to delete the url search result link in question.<br />
<br />
In this decision, the Deputy Data Protection Commissioner assesses the applicant's case in terms of the processing of personal data by the controller and the online service it offers. The decision does not take a position on whether the other operator involved in the matter, i.e. the original publisher of the data, has the right to keep the data available on its own website.<br />
<br />
Decision and reasons of the Deputy Data Protection Commissioner<br />
<br />
I accept the applicant's requirements on the grounds stated below and give Google LLC an order according to Article 58, paragraph 2, subparagraph c of the General Data Protection Regulation to comply with the applicant's request to remove the url search result links in question.<br />
<br />
According to Article 17 of the General Data Protection Regulation, if the conditions listed in the article are met, the data subject has the right to have the data controller delete personal data concerning the data subject without undue delay. The registered person can request the deletion of data on more than one basis mentioned in the article. The European Data Protection Board has, with the above-mentioned interpretation guideline (Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR), taken a position on the application of the requirements laid down in Article 17, Section 1 of the General Data Protection Regulation in matters concerning internet search engines.<br />
<br />
On the judgments of the European Court of Justice C-131/12 and C-136/17<br />
<br />
In the judgments of the EU Court C-131/12 and C-136/17, it has been stated that the processing of personal data carried out in connection with internet search engines, when the search is made under the name of the data subject, can significantly affect the data subject's privacy rights.<br />
<br />
In the aforementioned judgments, it has also been stated that two independent, separate actors are always associated with the information published on a certain individual website and its availability in the search results of internet search engines: 1) the website administrator, i.e. the so-called original publisher and 2) the internet search service administrator. In judgment C-131/12, it has been established that the internet search engine is an independent data controller with regard to the processing of personal data that the search engine performs in order to provide url search results (see paragraphs 35−41, 82−83 and 88 of the judgment). The two separate operators mentioned above do not, in principle, process personal data on the same basis. In the decision of the European Court of Human Rights, M.L. and W.W. vs Germany (issued on June 28, 2018), it has been stated that in the weighing of interests, different outcomes can be reached depending on the matter at hand: (i) the activity of the original publisher can be seen as being at the core of the rights to freedom of speech and expression, while (ii) the primary purpose of the operator of the internet search service, on the other hand, is not to publish the information in question per se, but to collect any information about the registered person in one place and thus enable the creation of a personal image of the registered person.<br />
<br />
In judgment C-131/12, it was further stated that a person's public or public-like status is a factor that may lead to the so-called general public having the right to obtain personal information about him from an internet search engine. Among other things, the judgment states the following: [w]hen the data subject can, in relation to his fundamental rights under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, demand that the information in question is no longer made available to the general public by including it in such a list of search results, it must be considered - as appears, for example, from paragraph 81 of the judgment - that the rights in question supersede not only the economic interest of the operator of the search engine, but also the interest of the general public in finding the mentioned information when searching under the name of the registered person. However, this would not be an issue if it turns out that interference with the data subject's fundamental rights for special reasons such as the data subject's position in the public domain can be justified by the primary interest that the general public has in obtaining that information as a result of the inclusion in question (see paragraph 97 of the judgment).<br />
<br />
In the judgment of the EU Court C-136/17, it has been stated that […] the right to the protection of personal data is not an absolute right, but it must […] be considered in relation to its function in society and, in accordance with the principle of proportionality, it must be proportionate to other fundamental rights. Furthermore, it has been stated that especially in Article 17(3)(a) of the Data Protection Regulation, the requirement for weighing the fundamental rights to respect for private life and the protection of personal data established in Articles 7 and 8 of the Charter of Fundamental Rights, and the fundamental right to freedom of communication guaranteed in Article 11 of the Charter of Fundamental Rights, on the other hand, has been explicitly established.<br />
<br />
In the judgments mentioned above, it has been established that the rights of the data subject in principle supersede not only the economic interest of the search engine operator, but also the interest of the general public in obtaining the information in question by searching under the name of the data subject. However, the EU court has identified several factors that must be taken into account in the assessment. These include, for example, the nature of the information in question or its sensitivity, and in particular the interests of internet users in accessing information, which, in turn, must be taken into account when evaluating, for example, the registered person's possible public or public-like status.<br />
<br />
The concept of public position has been defined in the interpretation guidelines of the data protection working group in accordance with Article 29 mentioned above. According to this interpretation guide, a public position or a public person means that the person is at least to some extent in so-called media exposure due to his activities or commitments. If a person has a public position, then there is a reason that the general public should be able to search the internet search engine for information that is relevant to the person's public or similar role (see pages 13−14 of the interpretation instructions of the data protection working group in accordance with Article 29).<br />
<br />
Evaluation of the applicant's case<br />
<br />
Committing a criminal act and being convicted of it basically gives a person a public status in society and exposes them to so-called media exposure for the act in question. The starting point is that a person who has committed a criminal act cannot have the same justified assumption about the extent of the protection of their privacy after their act as a person who has not committed a crime.<br />
<br />
The aforementioned principle emerges, for example, from the judgment of the European Court of Human Rights, Sidabras and Džiautas v. Lithuania (2004, paragraph 49), where it is considered that Article 8 of the European Convention on Human Rights, which protects, among other things, respect for private life, does not protect against the loss of reputation that is a foreseeable consequence of a person's own actions, such as committing a crime. The decision of the European Court of Human Rights Axel Springer AG v. Germany (2012, paragraph 83) also confirms the same line.<br />
<br />
However, the above does not mean that a person who has committed a crime has no privacy protection at all. Despite the criminal act and the punishment received for it, part of the personal data of the person in question remains within the scope of his private life and the protection of privacy, which is his fundamental right.<br />
<br />
In the applicant's case, it is undisputed that in 2010 he was sentenced to a prison sentence of nine to nine years and four months for a serious drug crime. I consider that, as a result, the applicant has a public or public-like status as referred to in judgment C-131/12. I will use the term "public station" below for this position. This public position basically gives the general public a legitimate interest in obtaining personal information about the applicant from the Google Search search service in the manner outlined in judgment part C-131/12 (see paragraph 97 of the judgment). It should also be noted that according to the Journalists' instructions, the name, picture or other identifying information of a person convicted of a crime may be published, unless it is clearly unreasonable in relation to the position or act of the person convicted.<br />
<br />
To the extent that the provision of the applicant's personal data in the internet search engine is possible due to the position stated above, the issue of the temporal dimension of the permitted processing of personal data is also integrally related to the matter. In other words, how long will the public status exist so that the processing of personal data related to a criminal act is not restricted in connection with name searches on internet search engines.<br />
<br />
The interpretation guidelines of the European Data Protection Board state that the data subject can ask the operator of the internet search engine to remove from the search results those url search result links whose availability, for example due to the passage of time, cannot be considered justified at the time of review. Consequently, it must be assessed whether the information in question should be considered outdated or not updated at the time of review. For example, the question may be about information that, due to the passage of time, is considered imprecise, incorrect or outdated. The evaluation must take into account the original purposes of the processing. The evaluation should also take into account the original storage periods applicable to the information in question (see page 6 of the European Data Protection Board's interpretation instructions).<br />
<br />
In the judgments of the EU Court C-131/12, the removal of personal data (url search results) from the name-own internet search engine has been outlined. When assessing the need to delete personal data related to a public position, a weighing of interests must be carried out, which also takes into account the rights of other persons to receive information about the registrant via url search results from the Google Search search service. In the weighing of interests, an effort must be made to find a fair balance between the general public's interest in obtaining information and the registered person's fundamental rights pursuant to Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Although the rights of the data subject protected by the articles in question generally supersede the mentioned interest of internet users, according to the judgment, the balance may still depend in special cases on the nature of the data in question and their sensitivity in terms of the data subject's private life, and on the public's interest in having access to the data in question, and the latter interest may be different, among other things, on the basis of the public status of the person in question (cf. EU Court judgment C-131/12 paragraphs 73−74, 81, 97, 99 and Section 6 and Section 8 subsection 1 section 8 of the Personal Data Act).<br />
<br />
Furthermore, in the interpretation instructions of the data protection working group in accordance with Article 29, the personal data processed in connection with search engine operation is divided into both factual information (facts) and opinions/views that individuals have about something or a person. When assessing the inaccuracy/accuracy of personal data, it must be taken into account whether the issue is a fact whose correctness cannot be disputed or whether the issue is a subjective opinion or view. In the mentioned interpretation instruction, it is outlined that the data protection authorities are more likely to consider deletion of search result information that is accompanied by an objectively perceptible factual error and which therefore gives an incorrect, incomplete or misleading picture of the person (see pages 15 and 17 of the interpretation instruction of the data protection working group in accordance with Article 29).<br />
<br />
In the interpretation guide, it has also been stated that member states may have special national legislation that defines the temporal dimension of access to information about the commission of a crime. Data protection authorities may, when considering a criminal matter, take into account the relevant national principles and approaches that are generally related to the processing of such data (see page 20 of the interpretation instructions of the data protection working group in accordance with Article 29).<br />
<br />
The applicant has not denied that he was sentenced for a serious drug crime to a prison sentence of nine years and four months. The applicant has not denied that he was the subject of a wanted notice. So it is not really a question of the fact that behind the url search result links in question, there is information available about a matter concerning the applicant that is not true. However, it is significant that the target of the online content in question is the published wanted notice about the applicant - not the factors influencing the background of the wanted notice per se. The online content does not describe the applicant's crime in more detail. The applicant's act and the resulting punishment are only mentioned at the mention level. The main topic of the online content is the published wanted notice about the applicant.<br />
<br />
When the url search result links requested to be deleted have dealt with the applicant's crime and possibly the related punishment, the applicant's case is basically mirrored in the national special legislation that generally defines the temporal dimension of the availability of information about the commission of crimes (cf. page 20 of the interpretation instructions of the data protection working group in accordance with Article 29).<br />
<br />
As stated in the interpretation guidelines of the European Data Protection Board, the evaluation must, however, take into account the original purposes of the processing and the original storage periods applicable to the information in question (see page 6 of the interpretation guidelines of the European Data Protection Board).<br />
<br />
In the online content in question, the main subject is the wanted notice published about the applicant. It should be noted that the search warrant is no longer valid. The public no longer has a reason to inform the police of their findings concerning the applicant. It can be stated that the availability of data can no longer be considered justified due to the passage of time.<br />
<br />
As stated above, the original storage periods applicable to the information in question are also important. Section 34 of the Act on the Processing of Personal Data in Police Operations (616/2019) provides for the deletion of personal data other than those referred to in Section 33 of the Act. According to Section 34, Subsection 1, Clause 4 of the Act, other information regarding the search warrant processed for the purpose of reaching, monitoring, monitoring and protecting persons is deleted three years after the cancellation or termination of the warrant. The validity of the wanted notice published for the applicant has expired in April 2011. If the applicant's case is reflected in this retention period provision, it can be stated that the information from the wanted notice concerning the applicant is no longer socially relevant.<br />
<br />
Based on the above, I give Google LLC an order in accordance with Article 58, paragraph 2, subparagraph c of the General Data Protection Regulation to comply with the applicant's request to remove the url search result link in question.<br />
<br />
Applicable legal provisions<br />
<br />
Those mentioned in the justifications.<br />
</pre></div>Fredhttps://gdprhub.eu/index.php?title=VG_Berlin_-_1_K_187/21&diff=40516&oldid=0VG Berlin - 1 K 187/212024-03-22T13:30:19Z<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=VG Berlin |Court_Original_Name=Verwaltungsgericht Berlin |Court_English_Name=Administrative Court Berlin |Court_With_Country=VG Berlin (Germany) |Case_Number_Name=1 K 187/21 |ECLI=ECLI:DE:VGBE:2024:0206.1K187.21.00 |Original_Source_Name_1=Juris |Original_Source_Link_1=https://gesetze.berlin.de/bsbe/document/JURE240003073/part/L |Original_Source_Language_1=German |O..."</p>
<p><b>New page</b></p><div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VG Berlin<br />
|Court_Original_Name=Verwaltungsgericht Berlin<br />
|Court_English_Name=Administrative Court Berlin<br />
|Court_With_Country=VG Berlin (Germany)<br />
<br />
|Case_Number_Name=1 K 187/21<br />
|ECLI=ECLI:DE:VGBE:2024:0206.1K187.21.00<br />
<br />
|Original_Source_Name_1=Juris<br />
|Original_Source_Link_1=https://gesetze.berlin.de/bsbe/document/JURE240003073/part/L<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=06.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 15 GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR<br />
|GDPR_Article_2=Article 15(1) GDPR<br />
|GDPR_Article_Link_2=Article 15 GDPR#1<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Julia<br />
|<br />
}}<br />
<br />
The Administrative Court of Berlin held that a refusal by the controller to comply with a request for information (Art. 15 GDPR) due to the disproportionately high effort required for its fulfillment is only permissible in narrowly defined exceptional cases.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In October 2020, the data subject (plaintiff) requested information regarding his personal data stored by the data controller (defendant) and requested copies of all records containing this data. In a letter from November 2020, the controller provided the data subject with information regarding the personal data stored in their IT systems, the categories of this data, and the recipients of this data to whom the controller had disclosed it.<br />
<br />
After receiving the controller's letter, the data subject argued that the information provided was incomplete, as it only listed his so-called master data ('Stammdaten'), whereas he asserted a right to receive copies of all documents held by the data controller in which his personal data is listed. He additionally demanded that the controller delete all of his personal data. The data controller was of the opinion that the information provided in response to the data subject's request was complete. <br />
<br />
Subsequently, the data subject claimed that under the GDPR he is entitled to receive copies of all documents held by the defendant containing his personal data. On March 15, 2021, the data subject filed a lawsuit against the controller.<br />
<br />
=== Holding ===<br />
In the judgment, the court highlighted that the purpose of the right to information under Article 15(1) of the GDPR, as indicated, among other places, in Recital 63 of the GDPR, is to enable data subjects to be aware of the processing of their personal data, thereby allowing them to subsequently verify not only the accuracy of this data but also the legality of its processing. The court therefore agreed with the data subject that a mere abstract overview of the processed data is not sufficient for a legality check. That was the situation in the case at hand, where the data subject only received information covering the master data stored in the data controller's IT systems. Rather, in order to be able to verify the legality of data processing in each individual case, the court held that it is necessary to provide specific information on the context in which the data was processed. <br />
<br />
The court acknowledged that responding to Art. 15(1) GDPR requests involves substantial effort for controllers. However, due to the importance of the - generally unconditional - right to information under [[Article 15 GDPR#1|Article 15(1) GDPR]], a refusal by the controller to comply with a request for information due to the disproportionately high effort required for its fulfillment is only permissible in narrowly defined exceptional cases. The court held that this might occur in cases of an obviously significant disparity between the effort required to fulfill the right to information and the information interest of the data subject.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
</pre></div>Julia kraemerhttps://gdprhub.eu/index.php?title=HDPA_(Greece)_-_48/2023&diff=40512&oldid=0HDPA (Greece) - 48/20232024-03-21T14:52:31Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Greece |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoGR.jpg |DPA_Abbrevation=HDPA |DPA_With_Country=HDPA (Greece) |Case_Number_Name=48/2023 |ECLI= |Original_Source_Name_1=HDPA |Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2024-02/48_2023%2520anonym.pdf |Original_Source_Language_1=Greek |Original_Source_Language__Code_1=EL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Sour..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Greece<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoGR.jpg<br />
|DPA_Abbrevation=HDPA<br />
|DPA_With_Country=HDPA (Greece)<br />
<br />
|Case_Number_Name=48/2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=HDPA<br />
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2024-02/48_2023%2520anonym.pdf<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=27.04.2022<br />
|Date_Decided=26.01.2024<br />
|Date_Published=26.02.2024<br />
|Year=2024<br />
|Fine=1000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=Article 12(3) GDPR<br />
|GDPR_Article_Link_3=Article 12 GDPR#3<br />
|GDPR_Article_4=Article 12(4) GDPR<br />
|GDPR_Article_Link_4=Article 12 GDPR#4<br />
|GDPR_Article_5=Article 15 GDPR<br />
|GDPR_Article_Link_5=Article 15 GDPR<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
|GDPR_Article_7=<br />
|GDPR_Article_Link_7=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Inder-kahlon<br />
|<br />
}}<br />
<br />
The Hellenic DPA imposed a €1,000 administrative fine on an accountant for unlawfully collecting and using personal data without proper authorisation, violating [[Article 5 GDPR|Article 5(1)(a) GDPR]] and [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject, who lives abroad and had no contact with his deceased father, lodged a complaint against his father’s accountant for the unauthorised and unlawful processing of his personal data. The data subject discovered through the Tax Office of Athens that his father's income statement for the year 2020 had been submitted via email by the accountant after his father’s death. The data subject complained that this tax return was submitted without his consent or knowledge and that the accountant who submitted it on behalf of the data subject used his personal data, including his full name and tax identification number, designating him as his father’s tax representative. <br />
<br />
The defendant argued, among other things, that he prepared and submitted the income statement to ease the burden on the data subject, as instructed by the data subject’s deceased father. The accountant further claimed that naming a living relative of the deceased as his representative, together with that relative's VAT number, was a requirement of the tax office, and that the data was provided by the data subject’s father when he was alive. The accountant also stated that it was not possible to contact the data subject at the time of submitting the disputed income statement, as the data subject was living abroad and the accountant had no way of communicating with him. Finally, the accountant pointed out that the disputed personal details of the data subject, i.e., his name and VAT number, were shared exclusively with the tax office, to which they were already known.<br />
<br />
The data subject stated that he and his father did not maintain a relationship, as his mother had sole custody. He also mentioned that he only acquired a VAT number after receiving properties from his mother, and neither his father nor his father's accountant had knowledge of his tax affairs. Moreover, the data subject contested the existence of an authorization or mandate from his father to the accountant, citing a lack of evidence. Additionally, the data subject noted that such authorizations, if any, typically expire upon the principal's death. The accountant’s action put the data subject at risk of incurring unknown administrative or criminal liabilities. Furthermore, the data subject disputed the accountant’s claim of technological incompetence, which the accountant cited as the reason for not responding to the data subject's request. The accountant stated that the data subject’s details were disclosed due to tax authorities' requirements and that the disclosure of the data subject’s VAT number did not harm him nor benefit the accountant. Additionally, the accountant pointed out that concerns about his contract or services with the deceased may lead to civil claims, not liability for violating data laws.<br />
<br />
=== Holding ===<br />
The Hellenic DPA found that the accountant had processed the data subject's personal data in violation of [[Article 5 GDPR|Article 5(1)(a) GDPR]], [[Article 6 GDPR|Article 6(1) GDPR]], [[Article 12 GDPR|Article 12(3) GDPR]], [[Article 12 GDPR|Article 12(4) GDPR]] and [[Article 15 GDPR|Article 15 GDPR]].<br />
<br />
As such, the DPA issued a fine of €1,000 in total:<br />
<br />
a) Fine of €500 for violations of [[Article 5 GDPR|Article 5(1)(a) GDPR]], [[Article 6 GDPR|Article 6(1) GDPR]].<br />
b) Fine of €500 for violations of [[Article 12 GDPR|Article 12(3) GDPR]], [[Article 12 GDPR|Article 12(4) GDPR]] and [[Article 15 GDPR|Article 15 GDPR]].<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
The Authority ruled that the collection and use of name and VAT number by an accountant on behalf of an heir without a relevant order constitutes a violation of articles 5 par. 1 item. a) and 6 para. 1 GDPR, while also ruling that the complained data controller violated the provisions of article 15 GDPR in combination with the provisions of article 12 paras. 3, 4 GDPR, as he improperly responded to the subject's access request.<br />
<br />
The Authority imposed by a majority a total fine of 1,000 euros on the complained controller for the above infringements.<br />
</pre></div>Inder-kahlonhttps://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_(Finland)_-_5398/2023&diff=40492&oldid=0Helsingin hallinto-oikeus (Finland) - 5398/20232024-03-21T13:52:33Z<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Finland |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Helsingin hallinto-oikeus (Finland) |Court_Original_Name=Helsingin hallinto-oikeus (Finland) |Court_English_Name=Administrative Court of Helsinki |Court_With_Country=Helsingin hallinto-oikeus (Finland) (Finland) |Case_Number_Name=5398/2023 |ECLI= |Original_Source_Name_1=Helsingin hallinto-oikeus |Original_Source_Link_1=https://gdprhub.eu/index.php?title=File:Helsin..."</p>
<a href="https://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_(Finland)_-_5398/2023&diff=40492">Show changes</a>Fredhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_4431/161/21&diff=40491&oldid=0Tietosuojavaltuutetun toimisto (Finland) - 4431/161/212024-03-21T13:47:27Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=4431/161/21 |ECLI= |Original_Source_Name_1=Finlex |Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tsv/2021/20211243 |Original_Source_Language_1=Finnish |Original_Source_Language__Code_1=FI |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Lan..."</p>
<a href="https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_4431/161/21&diff=40491">Show changes</a>Fredhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV/26/2020&diff=40472&oldid=0Tietosuojavaltuutetun toimisto (Finland) - TSV/26/20202024-03-19T18:04:20Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=TSV/26/2020 |ECLI= |Original_Source_Name_1=Tietosuojavaltuutetun toimisto |Original_Source_Link_1=https://tietosuoja.fi/documents/6927448/204092115/P%25C3%25A4%25C3%25A4t%25C3%25B6s+TSV.26.2020.pdf/cc31f8b8-a4ec-e622-501d-6b0e2e1a53ca/P%25C3%25A4%25C3%25A4t%25C3%25B6s+TSV...."</p>
<a href="https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV/26/2020&diff=40472">Show changes</a>Fredhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9991183&diff=40437&oldid=0Garante per la protezione dei dati personali (Italy) - 99911832024-03-19T11:24:09Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=9991183 |ECLI= |Original_Source_Name_1=Garante per la protezione dei dati personali |Original_Source_Link_1=https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9991183 |Original_Source_Language_1=Italian |Origi..."</p>
<a href="https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9991183&diff=40437">Show changes</a>Imhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202204501&diff=40435&oldid=0AEPD (Spain) - EXP2022045012024-03-19T11:15:44Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202204501 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00293-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code..."</p>
<a href="https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202204501&diff=40435">Show changes</a>Lmhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9993105&diff=40434&oldid=0Garante per la protezione dei dati personali (Italy) - 99931052024-03-19T10:13:06Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=9993105 |ECLI= |Original_Source_Name_1=Garante per la protezione dei dati personali |Original_Source_Link_1=https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9993105 |Original_Source_Language_1=Maltese |Origi..."</p>
<a href="https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9993105&diff=40434">Show changes</a>Imhttps://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%91479/2_-_OC_v_Commission&diff=40421&oldid=0CJEU - C‑479/2 - OC v Commission2024-03-18T22:35:26Z<p>Created page with "{{CJEUdecisionBOX |Case_Number_Name=C‑479/2 OC v Commission |ECLI=ECLI:EU:C:2024:215 |Opinion_Link= |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=283526&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3322609 |Date_Decided=07.03.2024 |Year=2024 |GDPR_Article_1=Article 4(1) GDPR |GDPR_Article_Link_1=Article 4 GDPR#1 |GDPR_Article_2= |GDPR_Article_Link_2= |GDPR_Article_3= |GDPR_Article_Link_3= |EU_Law_Name_1=2018/1725 |EU_..."</p>
<p><b>New page</b></p><div>{{CJEUdecisionBOX<br />
<br />
|Case_Number_Name=C‑479/2 OC v Commission<br />
|ECLI=ECLI:EU:C:2024:215<br />
<br />
|Opinion_Link=<br />
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=283526&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3322609<br />
<br />
|Date_Decided=07.03.2024<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 4(1) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=2018/1725<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/eli/reg/2018/1725/oj<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
|EU_Law_Name_3=<br />
|EU_Law_Link_3=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=OC<br />
|Party_Link_1=<br />
|Party_Name_2=European Commission <br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Reference_Body=<br />
|Reference_Case_Number_Name=<br />
<br />
|Initial_Contributor=so.h<br />
|<br />
}}<br />
<br />
The CJEU held that the definition of personal data does not depend on whether an 'average reader' can identify the data subject.<br />
<br />
==English Summary==<br />
<br />
=== Facts ===<br />
This is an appeal of the earlier case T‑384/20 - OC v European Commission. <br />
<br />
The claimant (OC) appealed the General Court’s decision on three grounds: that the General Court had legally misinterpreted the definition of personal data, and that it had failed to observe proper administrative procedures when making its judgment (the right to a presumption of innocence and the right to good administration under the Charter of Fundamental Rights). <br />
<br />
On the concept of personal data, the claimant argued that the general court had legally misinterpreted the concept of an ‘identifiable natural person’. They used two points to make this argument: <br />
<br />
1) Identifiability is not tied to whether an “average reader” can identify you. The case law states that identifiability depends on whether an individual holds ‘additional factors...necessary for identification... [these factors] can be available to a person other than the controller’ (see C-582/14 at para 39 and 41). The General Court’s use of an average reader (at para 32) does not analyse the factors that the specific reader in the case holds. Thus, contra the case law, it does not test whether a person has the additional factors needed for identification. The General Court’s novel use of this test is therefore erroneous. <br />
<br />
2) The General Court had erred in arguing that the ‘means reasonably likely’ to be used to identify a data subject (recital 26 GDPR and recital 16 EUDPR) were limited to only trivial means. Reasonable does not mean trivial. Rather, the court should have looked at the costs and time required for the identification of the claimant to determine whether the claimant could be identified using ‘reasonable means’. This would be in line with what the recital actually states (at para 33). <br />
<br />
The Commission asked for these two points, and subsequently the crux of the first ground, to be declared inadmissible by the court (at para 34).<br />
<br />
=== Holding ===<br />
The Court held that the General Court had made several errors of law and that the grounds of appeal must be upheld. In doing so, it sent the case back to the General Court to be decided again. <br />
<br />
First, the Court noted that the EUDPR (Regulation 2018/1725) and the GDPR share the same definition of personal data. Given that the legislator (at recital 4 and 5 of 2018/1725) intended to establish an equivalent law to the GDPR, both regimes must be read in the same way (at para 43). <br />
<br />
Second, identifiability is defined by Article 3(1) 2018/1725 (Article 4(1) GDPR). The use of the word ‘indirectly’ in these Articles means that it is not necessary for information alone to be the factor that identifies someone (at para 47). It is not required that all the information enabling the identification be in the hands of one person (at para 48). The fact that additional information is necessary to identify a data subject does not mean that the data cannot be classified as personal (at para 44).<br />
<br />
Third, it is ‘reasonably likely’ that combining OLAF’s press report with additional information would be used as a way to identify the claimant (at para 50). The General Court had been wrong to limit this ‘reasonable means’ test by confusing it with liability. Article 3(1) 2018/1725 states that only acts attributable to an EU Institution can give rise to liability on the part of the European Union; the General Court took this to mean that the identification of the claimant must have resulted from the press release alone (at para 52). On the facts, the German journalist who identified the claimant had specialist information, and so the General Court ruled that these were not ‘reasonable means’ and that the claimant could not be identified (at para 53). The Court made clear that liability and identification are separate (at para 54). The fact that additional information is needed and that it comes from a source other than the controller does not rule out the identifiable nature of the claimant (at para 55). This is supported by the fact that recital 16 (recital 26 GDPR) specifies that identification can come from ‘any other person’. <br />
<br />
Fourth, the Court rejected the General Court’s invention of an ‘average reader’. The General Court had invented this test and used it for the first time in T‑384/20 - OC v European Commission. The fact that the reader of the press release is a journalist cannot lead to the conclusion that data is not personal (at para 58). <br />
<br />
Last, the Court looked at the facts of the case and determined that the press release contained the claimant’s gender, nationality, father’s occupation, grant amount for a scientific project and the geographical location of the entity hosting that project, which together would make the claimant identifiable (at para 61). Furthermore, the Court applied the ‘reasonable means’ test and determined that identification could occur without a disproportionate effort in terms of time, cost and labour. There is no obligation on the claimant to prove that they had actually been identified by the time of the case, as no such condition is contained in Article 3(1) 2018/1725 (Article 4(1) GDPR). It follows that the General Court erred in finding that the claimant was not identifiable and that, therefore, the data was not personal.<br />
<br />
== Comment ==<br />
This is a potentially landmark case. The Court has gone the furthest since Breyer in scoping out what identifiability means as well as how the test of ‘reasonable means’ (recital 26 GDPR) relates to it.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''</div>So.hhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202954&diff=40419&oldid=0AEPD (Spain) - EXP2022029542024-03-18T17:51:59Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202202954 |ECLI= |Original_Source_Name_1=Agencia Española de Protección de Datos |Original_Source_Link_1=https://www.aepd.es/documento/ps-00070-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Langua..."</p>
<a href="https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202954&diff=40419">Show changes</a>Lmhttps://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKN.5131.42.2022&diff=40418&oldid=0UODO (Poland) - DKN.5131.42.20222024-03-18T17:26:36Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Poland |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPL.png |DPA_Abbrevation=UODO |DPA_With_Country=UODO (Poland) |Case_Number_Name=DKN.5131.42.2022 |ECLI= |Original_Source_Name_1=UODO |Original_Source_Link_1=https://www.uodo.gov.pl/decyzje/DKN.5131.42.2022 |Original_Source_Language_1=Polish |Original_Source_Language__Code_1=PL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language..."</p>
<a href="https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKN.5131.42.2022&diff=40418">Show changes</a>Imhttps://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_32/2024&diff=40416&oldid=0APD/GBA (Belgium) - 32/20242024-03-18T17:10:00Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=32/2024 |ECLI= |Original_Source_Name_1=GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-32-2024.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Lang..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=32/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=GBA<br />
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-32-2024.pdf<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Started=26.12.2023<br />
|Date_Decided=13.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 15(1) GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR#1<br />
|GDPR_Article_2=Article 15(3) GDPR<br />
|GDPR_Article_Link_2=Article 15 GDPR#3<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA held that when files constituted by other entities have been consulted in examining a data subject’s credit application, if the latter makes an access request, the controller must give him access to all the documents consulted during the examination.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject’s credit application was refused by the controller. Consequently, the data subject exercised his right of access with the controller and filed a complaint with its Financial Services Ombudsman. The controller informed him that 3 files had been consulted in examining his credit application: (i) his own file, (ii) the Central Individual Credit Register file and (iii) a finance company’s file. The controller shared the full content of the data subject’s file and, for the other two files, only the identity and contact details of the respective controllers. It also told the data subject to contact the controllers of those files to exercise his right of access regarding said documents. <br />
<br />
The data subject claimed that the information to which he had been given access was incomplete, as the controller also had the “purpose of the credit” as well as an image of his identity card. The data subject asked the controller to confirm that he had been given access to all his personal data. The controller responded that it had other data in its possession, namely the data it received as part of the data subject’s complaint to the Financial Services Ombudsman. <br />
<br />
Following this, the data subject lodged a complaint with the Belgian DPA (“APD”).<br />
<br />
=== Holding ===<br />
Under [[Article 15 GDPR#1|Article 15(1) GDPR]], the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him are being processed and, if so, to obtain access to such personal data. The APD considered that in the present case, the controller did not respond directly to the data subject’s question asking it to confirm that he had been given access to all his personal data. Thus, the data subject did not obtain a conclusive answer or access as required by [[Article 15 GDPR#1|Article 15(1) GDPR]]. <br />
<br />
Moreover, [[Article 15 GDPR#3|Article 15(3) GDPR]] provides that the controller must provide a copy of the personal data being processed. The APD held that the controller processed an image of the data subject’s identity card and failed to provide a copy in response to the request. Therefore, the controller violated [[Article 15 GDPR#3|Article 15(3) GDPR]].<br />
<br />
Finally, the APD pointed out that the purpose of the right of access is “to be aware of, and verify, the lawfulness of the processing” (Recital 63 GDPR). The right of access therefore supports the right to rectification. Regarding the 2 other files the controller consulted, the APD considered that the controller determines the means and purposes of the processing of the personal data in question. However, without access to these 2 files, the data subject could not determine whether it was necessary to contact the controllers of those files in order to exercise his right to rectification. <br />
<br />
The APD therefore ordered the controller to comply with the data subject’s access request by granting him access to all the personal data concerning him, as well as a copy of the data in question.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
<br />
<br />
<br />
Dispute Chamber<br />
<br />
<br />
Decision 32/2024 of February 13, 2024<br />
<br />
<br />
File number: DOS-2024-00078<br />
<br />
<br />
Subject: Complaint due to insufficient response to a request for access<br />
<br />
<br />
<br />
The Disputes Chamber of the Data Protection Authority, composed of Mr<br />
<br />
Hielke HIJMANS, sole chairman;<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016<br />
<br />
on the protection of natural persons with regard to the processing of<br />
<br />
personal data and regarding the free movement of such data and to the revocation of<br />
<br />
Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;<br />
<br />
<br />
Having regard to the law of 3 December 2017 establishing the Data Protection Authority,<br />
<br />
hereinafter “WOG”;<br />
<br />
In view of the internal rules of order, as approved by the House of Representatives<br />
<br />
Representatives on December 20, 2018 and published in the Belgian Official Gazette on<br />
<br />
January 15, 2019;<br />
<br />
<br />
Considering the documents in the file;<br />
<br />
<br />
Has made the following decision regarding:<br />
<br />
<br />
Complainant: X, hereinafter “the complainant”<br />
<br />
<br />
<br />
The defendant: Y, hereinafter “the defendant”<br />
<br />
<br />
I. Facts and procedure<br />
<br />
<br />
1. On December 26, 2023, the complainant submitted a complaint to the Data Protection Authority<br />
<br />
against the defendant.<br />
<br />
2. The subject of the complaint concerns the exercise of the right of access by the complainant<br />
<br />
without receiving an adequate response from the controller.<br />
<br />
The complainant had exercised his right of access after his credit application was refused<br />
<br />
by the defendant. As a result, the defendant informed the complainant that there were three<br />
<br />
files were consulted in examining his credit application, namely that<br />
<br />
from the defendant itself, the Central Office for Credit to Private Individuals, and a<br />
financing company. The defendant sent “a complete content of the data<br />
<br />
that are in our files” to the complainant. Of the data in the remaining<br />
<br />
two files, the defendant shared only the identity and contact information of the<br />
<br />
respective controllers.<br />
<br />
The complainant disputed that the data he was given access to was complete. He asked<br />
<br />
namely that the defendant also had the “purpose of the credit” and an image<br />
<br />
of his identity card. He once again requested the defendant “to provide the files you as<br />
<br />
lender [sic] has in your possession, as you inform me, to transfer to me.” The complainant<br />
<br />
had also filed a complaint with the defendant's financial services ombudsman, and<br />
the documents available to the Disputes Chamber show that communication between the<br />
<br />
defendant and the complainant focused mainly on the rest for a certain period of time<br />
<br />
investigating the substantive reasons for the refusal of the credit, which is outside the<br />
<br />
scope of this decision. After some time, the complainant made contact again<br />
<br />
contacted the defendant to ask for confirmation that he had been given access to all<br />
<br />
his personal data. The defendant responded as follows:<br />
<br />
"Dear,<br />
<br />
We have other data in our possession, namely the one we received in the context<br />
<br />
of your complaint to the financial services ombudsman.<br />
<br />
3. On January 8, 2024, the complaint was declared admissible by the First Line Service on the basis<br />
<br />
of Articles 58 and 60 of the WOG, and the complaint was transferred to the Disputes Chamber<br />
<br />
on the basis of Article 62, § 1 of the WOG.<br />
<br />
4. In accordance with Article 95, § 2, 3° of the WOG as well as Article 47 of the internal regulations<br />
<br />
order of the GBA, the parties can request a copy of the file. If one<br />
<br />
both parties wish to make use of the opportunity to consult and<br />
<br />
copying the file, he or she must contact the secretariat of the<br />
<br />
Disputes Chamber, preferably via litigationchamber@apd-gba.be.<br />
<br />
<br />
II. Justification<br />
<br />
<br />
5. According to Article 15.1 GDPR, the data subject has the right to obtain from the<br />
<br />
controller to obtain clarity about whether or not to process<br />
<br />
personal data concerning him and, if applicable, to obtain access to it<br />
those personal data and the information referred to in Article 15.1.a) to h), GDPR.<br />
<br />
<br />
In accordance with Article 12.1 GDPR, read in conjunction with recital 58 hereof<br />
<br />
Regulation, the controller must take appropriate measures to ensure that<br />
the data subject the communications referred to in Article 15 GDPR in connection with the processing<br />
<br />
in a concise, transparent, understandable and easily accessible form and in<br />
<br />
receives clear and simple language”. Article 12.2 GDPR also stipulates that the<br />
<br />
controller must exercise the data subject's rights<br />
<br />
facilitate.<br />
<br />
6. The Disputes Chamber notes that the complainant submitted his request for access on 6<br />
<br />
October 2023.<br />
<br />
7. On October 17, 2023, the defendant informed the complainant that in the investigation of his<br />
<br />
file, three files were consulted. These files were those of (1) the<br />
<br />
defendant itself, (2) the Central Office for Credit to Private Individuals, and (3) a<br />
<br />
financing company. The same email contained, according to the defendant, “a complete<br />
<br />
content of the data contained in our files”. However, the complainant disputed<br />
that this information was complete. In particular, he stated that the defendant would also<br />
<br />
have the “purpose of the credit”.<br />
<br />
<br />
On December 26, 2023, the complainant asked the defendant to confirm that he had access<br />
had received in all his personal data. The defendant responded that also “other<br />
<br />
data” were processed, and referred to the data provided by the complainant<br />
<br />
provides financial services in the context of his complaint to the Ombudsman<br />
<br />
defendant. Since the defendant did not directly answer the question of the<br />
<br />
complainant whether he had been given access to all his personal data, the complainant did not obtain any<br />
<br />
clear information about whether or not certain personal data are processed.<br />
Consequently, the complainant has not been provided with sufficient clarity or insight as required in Article<br />
<br />
15.1 GDPR.<br />
<br />
<br />
8. Furthermore, the complainant states that the defendant has an image of his identity card<br />
processed, and failed to provide a copy of it in response to the<br />
<br />
request for inspection. In this context, the Disputes Chamber recalls that Article 15.3 GDPR<br />
<br />
provides that the controller “a copy of the personal data that<br />
<br />
are processed” must be provided to the data subject. If the defendant indeed<br />
<br />
<br />
processes an image of the complainant's identity card, the defendant must also have one<br />
<br />
provide a copy of this image to satisfy the complainant's right of inspection.<br />
<br />
<br />
9. Regarding the two other files that the defendant consulted, communicated<br />
<br />
the defendant only the identification details and addresses of the respective<br />
<br />
controllers. The results of the consultations by the defendant –<br />
<br />
namely the contents of the files – the defendant did not communicate this to the complainant. At<br />
<br />
the latter was told to contact the administrators of that<br />
<br />
files to exercise his right of access. To the extent that the defendant<br />
<br />
determines the purposes and means of the processing of the personal data concerned<br />
However, he is a data controller and is therefore obliged to follow up himself<br />
<br />
the complainant's right of access in accordance with Article 15.1 GDPR. In this respect it is<br />
<br />
appropriate to recall that the aim of the right of access is to ensure that<br />
<br />
the data subject “can inform himself of the processing and its lawfulness<br />
<br />
can check this” (recital 63 GDPR). The right of access thus supports it<br />
<br />
right to the protection of personal data, and facilitates the exercise of others<br />
<br />
rights included in the GDPR, and in particular the right to rectification. Without<br />
<br />
access to the data that the defendant did or did not consult with the two parties involved<br />
<br />
files, the complainant is unable to determine whether it is necessary to contact them<br />
<br />
with those responsible for those files to assert his right to rectification.<br />
<br />
Furthermore, it should be noted that Article VII.79 of the Code of Economic Law<br />
<br />
stipulates that the “lender shall immediately provide the consumer with the result of the loan free of charge<br />
<br />
consultation [communicates] as well as the identity and address of the person responsible for the<br />
<br />
processing the files he consulted” (emphasis added).<br />
<br />
<br />
10. The Disputes Chamber is of the opinion that based on the above analysis<br />
<br />
concluded that the defendant may have violated the provisions of the GDPR<br />
was committed, which justifies taking one in this case<br />
<br />
decision on the basis of Article 95, § 1, 5° of the WOG, more specifically the<br />
<br />
order the controller to comply with the exercise by the<br />
<br />
complainant of his right of access (Article 15.1 GDPR).<br />
<br />
<br />
11. This decision is a prima facie decision taken by the Disputes Chamber<br />
<br />
in accordance with Article 95 of the WOG on the basis of the complaint submitted by the complainant,<br />
2<br />
in the context of the “procedure prior to the decision on the merits” and none<br />
<br />
decision on the merits of the Disputes Chamber within the meaning of Article 100 of the WOG.<br />
<br />
<br />
<br />
<br />
<br />
<br />
1CJEU December 20, 2017, Peter Nowak v. Data Protection Commissioner, C-434/16, ECLI:EU:C:2017:994<br />
2Section 3, Subsection 2 of the WOG (Articles 94 to 97).<br />
<br />
<br />
The Disputes Chamber has thus decided, on the basis of Article 58.2.c) GDPR and<br />
<br />
Article 95, § 1, 5° of the WOG, to order the defendant to comply with the request<br />
<br />
of the data subject to exercise his rights, in particular the right of access such as<br />
<br />
determined in Article 15 GDPR.<br />
<br />
<br />
12. The purpose of this decision is to inform the defendant of the fact that this<br />
<br />
may have committed an infringement of the provisions of the GDPR and this in the<br />
<br />
the opportunity to still comply with the aforementioned provisions.<br />
<br />
<br />
13. If the defendant does not agree with the content of the present prima facie<br />
<br />
decision and is of the opinion that it can apply factual and/or legal arguments<br />
<br />
that could lead to a different decision, this can be done via the e-mail address<br />
<br />
litigationchamber@apd-gba.be send a request to hear the merits of the case<br />
<br />
to the Disputes Chamber within 30 days after notification of this<br />
<br />
decision. The implementation of this decision will, if necessary, continue for a period of time<br />
<br />
suspended for the aforementioned period.<br />
<br />
14. In the event of a continuation of the merits of the case, the<br />
<br />
Dispute Chamber the parties on the basis of Articles 98, 2° and 3° in conjunction with Article 99 WOG<br />
<br />
invite them to submit their defenses as well as any documents they consider useful in the case<br />
<br />
<br />
file to add. If necessary, the present decision will be permanently suspended.<br />
<br />
15. Finally, for the sake of completeness, the Disputes Chamber points out that a hearing on the merits<br />
<br />
of the case may lead to the imposition of the measures stated in Article 100 of the WOG. 3<br />
<br />
<br />
16. In accordance with Article 57 WOG, and with regard to the language in which the complaint is submitted,<br />
<br />
Dutch is used as the procedural language.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
3Article 100. § 1. The Disputes Chamber has the authority to:<br />
1° to dismiss a complaint;<br />
2° to order the dismissal of prosecution;<br />
3° order the suspension of the ruling;<br />
<br />
4° to propose a settlement;<br />
5° formulate warnings and reprimands;<br />
6° order that the data subject's requests to exercise his rights be complied with;<br />
7° to order that the person concerned is informed of the security problem;<br />
8° order that processing be temporarily or permanently frozen, restricted or prohibited;<br />
9° to order that the processing be brought into compliance;<br />
10° the rectification, limitation or deletion of data and its notification to the recipients of the data<br />
recommend data;<br />
11° order the withdrawal of the recognition of certification bodies;<br />
12° to impose penalty payments;<br />
13° to impose administrative fines;<br />
14° the suspension of cross-border data flows to another State or an international institution<br />
<br />
command;<br />
15° to transfer the file to the public prosecutor's office in Brussels, who will inform it of the<br />
follow-up given to the file;<br />
16° decide on a case-by-case basis to publish its decisions on the website of the<br />
Data Protection Authority.<br />
<br />
<br />
<br />
III. Publication of the decision<br />
<br />
17. Considering the importance of transparency with regard to decision-making<br />
<br />
Dispute Chamber, this decision will be published on the website of the<br />
<br />
Data Protection Authority. However, it is not necessary that the<br />
<br />
identification details of the parties are disclosed directly.<br />
<br />
<br />
<br />
FOR THESE REASONS,<br />
<br />
<br />
the Disputes Chamber of the Data Protection Authority decides, with reservations<br />
<br />
from the submission of a request by the defendant for a hearing on the merits<br />
<br />
in accordance with Article 98 et seq. of the WOG, to:<br />
<br />
- on the basis of Article 58.2.c) of the GDPR and Article 95, § 1, 5° of the WOG the<br />
<br />
order the defendant to comply with the data subject's request<br />
<br />
to exercise its rights, in particular the right of access (Article 15 GDPR), by<br />
<br />
to grant the complainant access to all personal data relating to him<br />
<br />
processed by the defendant, as well as a copy of the data concerned<br />
<br />
provided, and this within a period of 30 days from the<br />
<br />
notification of this decision;<br />
<br />
- order the defendant to contact the Data Protection Authority (Dispute Chamber)<br />
<br />
by e-mail within the same period of the consequences<br />
<br />
this decision will be given via the email address litigationchamber@apd-gba.be;<br />
<br />
and<br />
<br />
<br />
- in the absence of timely implementation of the above by the defendant,<br />
to consider the merits of the case ex officio in accordance with Articles 98 et seq.<br />
<br />
of the WOG.<br />
<br />
<br />
<br />
Pursuant to Article 108, § 1 of the WOG, within a period of thirty days from the<br />
<br />
notice, an appeal against this decision will be filed with the Market Court (court of<br />
<br />
appeal Brussels), with the Data Protection Authority as defendant.<br />
<br />
<br />
Such an appeal can be lodged by means of an inter partes petition<br />
4<br />
must contain statements listed in Article 1034ter of the Judicial Code. It<br />
<br />
<br />
<br />
4The petition states, under penalty of nullity:<br />
1° the day, month and year;<br />
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or<br />
company number;<br />
3° the surname, first name, place of residence and, where applicable, the capacity of the person to be<br />
summoned;<br />
4° the subject matter and brief summary of the grounds of the claim;<br />
5° the judge before whom the claim is brought;<br />
<br />
<br />
an objection petition must be submitted to the registry of the Market Court<br />
<br />
in accordance with Article 1034quinquies of the Dutch Civil Code. , 5 or via e-Deposit<br />
<br />
IT system of Justice (Article 32ter of the Judicial Code).<br />
<br />
<br />
<br />
<br />
<br />
<br />
(signed) Hielke HIJMANS<br />
<br />
Chairman of the Disputes Chamber<br />
<br />
6° the signature of the applicant or his lawyer.<br />
5<br />
The petition with its attachment will be sent by registered letter, in as many copies as there are parties involved.<br />
deposited with the clerk of the court or at the registry.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_38/2024&diff=40412&oldid=0APD/GBA (Belgium) - 38/20242024-03-18T16:12:20Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=38/2024 |ECLI= |Original_Source_Name_1=APD |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-38-2024.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_So..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Belgium<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoBE.png<br />
|DPA_Abbrevation=APD/GBA<br />
|DPA_With_Country=APD/GBA (Belgium)<br />
<br />
|Case_Number_Name=38/2024<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=APD<br />
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/zonder-gevolg-nr.-38-2024.pdf<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=09.08.2022<br />
|Date_Decided=21.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 7(3) GDPR<br />
|GDPR_Article_Link_1=Article 7 GDPR#3<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
The DPA dismissed a cookie complaint regarding the absence of a “withdraw consent” option as the controller set one up before the DPA’s investigation.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject represented by noyb (European Centre for Digital Rights) complained that a website did not provide a “withdraw consent” or similar option. noyb therefore considered that the cookie banner infringed both the GDPR and the ePrivacy Directive, as it was not as easy to withdraw consent as it was to give it.<br />
<br />
On 9 August 2022, the data subject lodged a complaint with the Belgian DPA (“APD”).<br />
<br />
=== Holding ===<br />
On 24 August 2022, the APD visited the controller’s website and discovered that the cookie banner included an “Accept all” button, a “Reject all” button and a “Cookie settings” button. The APD therefore considered that the sole infringement invoked by the data subject was no longer founded. These findings were still applicable on 19 February 2024, so the APD decided to close the case.<br />
<br />
Additionally, the APD also found that none of the categories of non-essential cookies were ticked by default.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
Litigation Chamber<br />
<br />
Decision 38/2024 of February 21, 2024<br />
<br />
<br />
File number: DOS-2022-03263<br />
<br />
<br />
Subject: Complaint concerning the processing of personal data by means<br />
<br />
of a website, without the valid consent of the person concerned<br />
<br />
<br />
<br />
The Litigation Chamber of the Data Protection Authority, made up of Mr.<br />
<br />
Hielke HIJMANS, president, sitting alone;<br />
<br />
<br />
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the<br />
<br />
protection of natural persons with regard to the processing of personal data and<br />
<br />
to the free movement of these data, and repealing Directive 95/46/EC (general regulation on the<br />
data protection), hereinafter “GDPR”;<br />
<br />
<br />
Having regard to the Law of December 3, 2017 establishing the Data Protection Authority, hereinafter<br />
<br />
“LCA”;<br />
<br />
<br />
Having regard to the Law of July 30, 2018 relating to the protection of individuals with regard to<br />
<br />
processing of personal data, hereinafter “LTD”;<br />
<br />
Having regard to the Internal Regulations as approved by the House of Representatives on<br />
<br />
December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;<br />
<br />
<br />
Considering the documents in the file;<br />
<br />
<br />
Has taken the following decision regarding:<br />
<br />
<br />
<br />
The complainant: X, hereinafter “the complainant”, represented by NOYB - EUROPEAN CENTER FOR<br />
<br />
DIGITAL RIGHTS, Goldschlagstraße 172/4/3/2 – 1140 Vienna (Austria)<br />
<br />
<br />
The defendant: Y, hereinafter “the defendant”<br />
<br />
<br />
<br />
<br />
I. Facts and procedure<br />
<br />
<br />
1. The complaint concerns processing of personal data through the web<br />
<br />
page […], without the valid consent of the person concerned.<br />
<br />
The complainant states that she visited the website on 22-10-2021. This web page presented<br />
<br />
a “banner” of a consent management platform (hereinafter, “Z1”) provided by<br />
<br />
Z2. On 10-06-2022, the complainant signed a mandate of representation, in accordance<br />
<br />
with Article 80(1) GDPR, with NOYB.<br />
<br />
The complaint mentions several personal data processing operations,<br />
<br />
in the context of providing the web page, allegedly based on consent<br />
<br />
of the person concerned. More precisely, the complaint alleges an infringement of the GDPR as well<br />
<br />
as the ePrivacy Directive (ePD), namely that it would not be as easy to withdraw<br />
<br />
consent as to give it. According to the complaint, the option to accept the processing<br />
<br />
activities concerned appears prominently in the banner, but the complainant was not<br />
<br />
able to easily find the option allowing her to withdraw her consent. There was<br />
<br />
notably no clearly visible button entitled “withdraw consent” or similar<br />
<br />
option. The complaint also specifies that despite the possibility that Z2 offers to display on<br />
<br />
all pages a floating and permanently visible icon, allowing data<br />
<br />
subjects to return to their cookie settings in order to withdraw their consent, the<br />
<br />
defendant deliberately chose not to activate this option.<br />
<br />
2. On August 9, 2022, the complainant filed a complaint with the Data Protection Authority.<br />
<br />
<br />
3. On August 9, 2022, the First Line Service of the Data Protection Authority<br />
<br />
declares the complaint admissible on the basis of articles 58 and 60 of the LCA, and transmits it<br />
<br />
to the Litigation Chamber in accordance with article 62, § 1 of the LCA.<br />
<br />
<br />
II. Motivation<br />
<br />
<br />
4. Based on the facts described in the complaint file as summarized above, and on the<br />
<br />
basis of the powers assigned to it by the legislator under article 95, § 1<br />
<br />
of the LCA, the Litigation Chamber decides on the follow-up to be given to the file; as it happens,<br />
<br />
the Litigation Chamber decides to proceed with the classification without further action of the complaint,<br />
<br />
in accordance with article 95, § 1, 3° of the LCA, for the reasons set out below.<br />
<br />
<br />
5. In matters of dismissal, the Litigation Chamber is required to provide reasons for its<br />
<br />
decision step by step 1 and to:<br />
<br />
<br />
<br />
<br />
<br />
<br />
1 Market Court (Brussels Court of Appeal), September 2, 2020, judgment 2020/AR/329, p. 18.<br />
<br />
<br />
<br />
- pronounce a classification without technical follow-up if the file contains no, or<br />
<br />
insufficient, evidence likely to lead to a sanction or if it includes a<br />
<br />
technical obstacle preventing it from rendering a decision;<br />
<br />
- or pronounce a classification without further action on grounds of expediency, if despite the presence<br />
<br />
of elements likely to lead to a sanction, the continuation of the examination of the<br />
<br />
file does not seem appropriate given the priorities of the Data Protection<br />
<br />
Authority as specified and illustrated in the Litigation Chamber's policy of<br />
<br />
classification without further action. 2<br />
<br />
<br />
6. In the event of dismissal based on several reasons for dismissal, these<br />
<br />
reasons (respectively, classification without technical follow-up and classification without further action<br />
<br />
on grounds of expediency) must be treated in order of importance. 3<br />
<br />
<br />
7. In this case, the Litigation Chamber decides to proceed with a classification without further action of<br />
<br />
the complaint on grounds of expediency. The decision of the Litigation Chamber is based<br />
<br />
more precisely on a reason for which it considers it inappropriate to pursue<br />
<br />
the follow-up of the file, and therefore decides not to proceed, among other things, with an examination<br />
<br />
of the case as to its merits.<br />
<br />
8. In this case, the Litigation Chamber was able to note, on August 24, 2022, that the<br />
<br />
site concerned by the complaint presented a cookie banner including not only a<br />
<br />
button allowing you to reject all (non-essential) cookies, but also included<br />
<br />
a functional URL address at the bottom of the page, entitled “Cookie Settings”:<br />
<br />
2 In this regard, the Litigation Chamber refers to its policy of classification without further action as developed and published on the<br />
website of the Data Protection Authority: https://www.autoriteprotectiondonnees.be/publications/politique-de-<br />
classification-without-suite-of-the-contentious-chamber.pdf.<br />
3 Cf. Title 3 – In what cases is my complaint likely to be dismissed by the Litigation Chamber? of the<br />
policy of dismissal without further action by the Litigation Chamber.<br />
<br />
<br />
<br />
It therefore appears that the only violation invoked by the complaint is no longer founded from the<br />
<br />
date mentioned. The Litigation Chamber consequently decides to classify without further action<br />
<br />
the complainant's grievance, taking into account the fact that the subject of the complaint has disappeared due to the<br />
<br />
measures taken by the controller before the transfer of the complaint to the Litigation<br />
<br />
Chamber by the APD Front Line Service. 4 The Litigation Chamber<br />
<br />
further emphasizes that the above findings still apply as of 19<br />
<br />
February 2024:<br />
<br />
9. In the alternative, the Litigation Chamber was also able to observe, on the occasion of this<br />
<br />
visit to the site concerned, that none of the categories of non-essential cookies were checked<br />
<br />
by default. The Litigation Chamber recalls in this regard that the European Data<br />
<br />
Protection Board (EDPB) adopted, on January 17, 2023, the report drawn up by the working<br />
<br />
group on cookie banners (“Cookie Banner Taskforce”) 5, in which the<br />
<br />
European supervisory authorities have notably adopted a common position on<br />
<br />
the prohibition of using pre-selected preferences authorizing the placement and<br />
<br />
reading of non-essential cookies, as well as the obligation to provide the possibility for<br />
users to easily withdraw their consent at any time. The Litigation<br />
<br />
Chamber notes that the data controller has, in the present case, configured<br />
<br />
the cookie banner in accordance with the requirements listed in the aforementioned<br />
<br />
report.<br />
<br />
<br />
10. Finally, the Litigation Chamber specifies that it is not necessary to rule on<br />
<br />
the complainant's interest in taking action in the specific case, given the reasons for dismissal<br />
<br />
stated above.<br />
<br />
<br />
<br />
4 Cf. criterion B.6 in the Litigation Chamber's policy of dismissal.<br />
<br />
5 EDPB – Report on the work undertaken by the Cookie Banner Taskforce (adopted on 17 January 2023), available at the following<br />
link: https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf.<br />
<br />
<br />
<br />
III. Publication and communication of the decision<br />
<br />
<br />
<br />
11. Considering the importance of transparency regarding the decision-making<br />
<br />
process and the decisions of the Litigation Chamber, this decision will be published on the<br />
<br />
website of the Data Protection Authority. However, it is not necessary for this<br />
<br />
purpose that the identification data of the parties be directly communicated.<br />
<br />
<br />
12. In accordance with its policy of dismissal, the Litigation Chamber<br />
<br />
will communicate the decision to the defendant. 6 Indeed, the Litigation Chamber decided to<br />
<br />
communicate the decisions of dismissal to the defendants by default. The<br />
<br />
Litigation Chamber, however, refrains from such communication when the complainant has<br />
<br />
requested anonymity vis-à-vis the defendant and when the communication of the decision to the<br />
<br />
defendant, even pseudonymized, nevertheless risks allowing the complainant's reidentification. 7 This<br />
<br />
is not the case in the present case.<br />
<br />
<br />
<br />
<br />
FOR THESE REASONS,<br />
<br />
<br />
the Litigation Chamber of the Data Protection Authority decides, after<br />
<br />
deliberation, to classify this complaint without further action in application of article 95, § 1, 3°<br />
<br />
of the LCA.<br />
<br />
<br />
<br />
<br />
In accordance with article 108, § 1 of the LCA, an appeal against this decision may be lodged,<br />
<br />
within thirty days from its notification, to the Court of Markets (court<br />
<br />
of Appeal of Brussels), with the Data Protection Authority as defendant.<br />
<br />
<br />
Such an appeal may be introduced by means of an interlocutory request which must contain the<br />
<br />
information listed in article 1034ter of the Judicial Code. The interlocutory request must be<br />
<br />
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. 9, or<br />
<br />
via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
6 Cf. Title 5 – Will the classification without further action be published? Will the opposing party be informed? of the policy of classification<br />
without further action by the Litigation Chamber.<br />
7 Ibidem.<br />
<br />
8 The request contains, on pain of nullity:<br />
1° indication of the day, month and year;<br />
2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualifications and his national register number or<br />
business number;<br />
3° the surname, first name, address and, where applicable, the status of the person to be summoned;<br />
4° the object and summary of the grounds of the request;<br />
5° indication of the judge who is seized of the request;<br />
6° the signature of the applicant or his lawyer.<br />
9 The request, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered<br />
letter to the court clerk or filed with the court registry.<br />
<br />
<br />
<br />
<br />
To enable her to consider any other possible course of action, the Litigation Chamber refers<br />
<br />
the complainant to the explanations provided in its policy of dismissal. 10<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
(sé). Hielke HIJMANS<br />
<br />
<br />
<br />
President of the Litigation Chamber<br />
<br />
10 Cf. Title 4 – What can I do if my complaint is closed? of the Litigation Chamber's policy of<br />
dismissal.<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=VwGH_-_Ro_2020/04/0031-9&diff=40400&oldid=0VwGH - Ro 2020/04/0031-92024-03-18T15:02:23Z<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=VwGH |Court_Original_Name=Verwaltungsgerichtshof |Court_English_Name=Austrian Administrative Supreme Court |Court_With_Country=VwGH (Austria) |Case_Number_Name=Ro 2020/04/0031-9 |ECLI=ECLI:AT:VWGH:2024:RO2020040031.J00 |Original_Source_Name_1=RIS |Original_Source_Link_1=https://www.ris.bka.gv.at/Dokumente/Vwgh/JWT_2020040031_20240201J00/JWT_2020040031_20240201J00.p..."</p>
<a href="https://gdprhub.eu/index.php?title=VwGH_-_Ro_2020/04/0031-9&diff=40400">Show changes</a>Echttps://gdprhub.eu/index.php?title=CJEU_-_C-46/23_-_Budapest_F%C5%91v%C3%A1ros_IV._Ker%C3%BClet_%C3%9Ajpest_%C3%96nkorm%C3%A1nyzat_Polg%C3%A1rmesteri_Hivatala_v._Nemzeti_Adatv%C3%A9delmi_%C3%A9s_Inform%C3%A1ci%C3%B3szabads%C3%A1g_Hat%C3%B3s%C3%A1g&diff=40394&oldid=0CJEU - C-46/23 - Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala v. Nemzeti Adatvédelmi és Információszabadság Hatóság2024-03-18T14:02:32Z<p>Created page with "{{CJEUdecisionBOX |Case_Number_Name=C-46/23 Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala v. Nemzeti Adatvédelmi és Információszabadság Hatóság |ECLI=ECLI:EU:C:2024:239 |Opinion_Link= |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=2016%252F679&docid=283833&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=2140435#ctx1 |Date_Decided=14.03.2024 |Year=2024 |GDPR_Article_1=Article 17 GDPR |GDPR_A..."</p>
<p><b>New page</b></p><div>{{CJEUdecisionBOX<br />
<br />
|Case_Number_Name=C-46/23 Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala v. Nemzeti Adatvédelmi és Információszabadság Hatóság<br />
|ECLI=ECLI:EU:C:2024:239<br />
<br />
|Opinion_Link=<br />
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=2016%252F679&docid=283833&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=2140435#ctx1<br />
<br />
|Date_Decided=14.03.2024<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 17 GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR<br />
|GDPR_Article_2=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#2d<br />
|GDPR_Article_3=Article 58(2)(g) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2g<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala<br />
|Party_Link_1=https://ujpest.hu/<br />
|Party_Name_2=Nemzeti Adatvédelmi és Információszabadság Hatóság<br />
|Party_Link_2=https://www.naih.hu/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Reference_Body=Alkotmánybíróság (Hungary Constitutional Court)<br />
|Reference_Case_Number_Name=<br />
<br />
|Initial_Contributor=lm<br />
|<br />
}}<br />
<br />
The CJEU held that DPAs can exercise corrective powers under Article 58(2)(d) and (g) GDPR to order erasure of personal data by their own motion, regardless of where the data originated or whether the data subject requested its erasure.<br />
<br />
==English Summary==<br />
<br />
=== Facts ===<br />
In February 2020, the Újpest administration (the controller) obtained personal data about Hungarian residents from the Hungarian Treasury and Budapest district office. The intent was to determine eligibility for a program seeking to provide financial support to residents made vulnerable by the COVID-19 pandemic.<br />
The Hungarian DPA initiated an investigation after a report alerted it of the processing. The DPA determined that the controller failed to timely inform data subjects of the categories of personal data processed, the purposes of processing, or how they could exercise their rights in relation to the processing. On 22 April 2021, it found that the controller violated Articles 5, 14, and 12(1) GDPR. <br />
Pursuant to Article 58(2)(d), the DPA ordered the controller to erase the personal data of data subjects who were entitled to the right to erasure but had not requested it. <br />
The controller challenged the DPA’s order before the Fővárosi Törvényszék (Budapest High Court), arguing that [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]] does not empower the DPA to order the erasure of personal data in the absence of an [[Article 17 GDPR|Article 17 GDPR]] request from the data subject.<br />
On appeal, the Alkotmánybíróság (Hungarian Constitutional Court) held that the DPA is empowered to order erasure of unlawfully processed personal data of its own motion, regardless of whether a request has been made by the data subject. In doing so, it set aside a prior judgment by the Kúria (Hungary Supreme Court).<br />
Seeking clarification on the interpretation of Article 17 and 58(2) GDPR, the Constitutional Court referred two questions to the CJEU: <br />
1. Can a DPA order a controller or processor to erase unlawfully processed personal data despite the absence of a request from the data subject?<br />
2. If the DPA can exercise such corrective power, is that so whether or not the personal data were obtained from the data subject?<br />
<br />
=== Holding ===<br />
With regard to the first question, the Court held that some corrective powers under [[Article 58 GDPR#2|Article 58(2) GDPR]], namely 58(2)(d) and (g) GDPR, may be exercised by the DPA of its own motion. [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], on the other hand, does require a prior data subject request. <br />
The Court noted that the plain language of Article 58(2)(d) and (g) does not require a data subject request to authorize the DPA’s corrective power. [[Article 58 GDPR|Article 58 GDPR]] uses different wording to distinguish between corrective measures that may only be adopted following a data subject request, such as Article 58(2)(c), and corrective measures that may be ordered by an authority of its own motion, such as Article 58(2)(d) and (g) GDPR. In addition, the Court found that [[Article 17 GDPR#1|Article 17(1) GDPR]] distinguishes between the right of the data subject to obtain erasure of their data and the obligation of the controller to erase such personal data without undue delay. The controller’s obligation thus attaches regardless of whether the data subject requests erasure. <br />
With regard to the second question, the Court concluded that the DPA’s power to order erasure of unlawfully processed data applies both to data collected from the data subject and to data originating from another source. It noted that the text of the provisions does not suggest that DPA corrective powers are contingent on the origin of the data.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''</div>Lmhttps://gdprhub.eu/index.php?title=VwGH_-_VwGH_Ro_2021/04/0010-11&diff=40390&oldid=0VwGH - VwGH Ro 2021/04/0010-112024-03-18T08:43:16Z<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=VwGH |Court_Original_Name=Verwaltungsgerichtshof |Court_English_Name=Austrian Administrative Supreme Court |Court_With_Country=VwGH (Austria) |Case_Number_Name=VwGH Ro 2021/04/0010-11 |ECLI=ECLI:AT:VWGH:2023:RO2021040010.J09 |Original_Source_Name_1=VwGH |Original_Source_Link_1=https://www.vwgh.gv.at/medien/mitteilungen/Ro_2021040010.pdf?9g4sif |Original_Source_Lang..."</p>
<a href="https://gdprhub.eu/index.php?title=VwGH_-_VwGH_Ro_2021/04/0010-11&diff=40390">Show changes</a>Echttps://gdprhub.eu/index.php?title=Kammarr%C3%A4tten_i_Stockholm_-_6027-23&diff=40362&oldid=0Kammarrätten i Stockholm - 6027-232024-03-15T17:03:59Z<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Sweden |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Kammarrätten i Stockholm |Court_Original_Name=Kammarrätten i Stockholm |Court_English_Name=Stockholms administrativ courts of Appel |Court_With_Country=Kammarrätten i Stockholm (Sweden) |Case_Number_Name=6027-23 |ECLI= |Original_Source_Name_1=Allmanhandling.se |Original_Source_Link_1=https://allmanhandling.se/wp-content/uploads/2024/03/KR_Stockholm_6027_23.pdf |..."</p>
<p><b>New page</b></p><div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Sweden<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Kammarrätten i Stockholm<br />
|Court_Original_Name=Kammarrätten i Stockholm<br />
|Court_English_Name=Stockholm Administrative Court of Appeal<br />
|Court_With_Country=Kammarrätten i Stockholm (Sweden)<br />
<br />
|Case_Number_Name=6027-23<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Allmanhandling.se <br />
|Original_Source_Link_1=https://allmanhandling.se/wp-content/uploads/2024/03/KR_Stockholm_6027_23.pdf<br />
|Original_Source_Language_1=Swedish<br />
|Original_Source_Language__Code_1=SV<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=13.03.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 10 GDPR<br />
|GDPR_Article_Link_1=Article 10 GDPR<br />
|GDPR_Article_2=Article 85(1) GDPR<br />
|GDPR_Article_Link_2=Article 85 GDPR#1<br />
|GDPR_Article_3=Article 85(2) GDPR<br />
|GDPR_Article_Link_3=Article 85 GDPR#2<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=1 kap. 20 § Fundamental Law on Freedom of Expression<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=1 kap. 4 § Fundamental Law on Freedom of Expression<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=21 kap. 7 § Public Access to Information and Secrecy Act<br />
|National_Law_Link_3=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
|National_Law_Name_5=<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Prolegia Research AB<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_From_Body=Swedish Prosecution Authority<br />
|Appeal_From_Case_Number_Name=ÅM2023-1596<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Johan90<br />
|<br />
}}<br />
<br />
The case concerns the demarcation of the Swedish system with a media license that gives the database constitutional protection (freedom of expression) and the demarcation between the right to take part in public documents and use them in one's corporate activities. The Court of Appeal finds that the company's use of obtaining the documents for background checks because the priority of EU law means that the Swedish regulation should not be applied, and therefore the Public Prosecutor's Office cannot interpret it.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A company, Prolegia Research AB, requested access to records in a criminal case under the constitutional right to access public records in Sweden. The company is a service provider in areas such as background checks and recruitment consultancy. During the process of obtaining access, the company applied for a voluntary certificate of publication, which gives the entity the same constitutional protection as newspapers and TV.<br />
<br />
The company claimed that, by virtue of the voluntary certificate of publication, it uses the data in the records for journalistic purposes and is therefore not obliged to comply with the GDPR. The questions in the case are whether EU law, in the form of the GDPR, takes precedence over the Swedish constitution, and whether the company's processing of the records is for journalistic purposes or rather for business purposes.<br />
<br />
=== Holding ===<br />
In a memorandum, IMYRS 2022:2, the DPA stated the following as a summary.<br />
<br />
According to Article 85 of the Data Protection Regulation, Member States are obliged to reconcile, in national legislation, the right to protection of personal integrity with the right to freedom of expression and information. In Sweden, this has taken place through the regulation in ch. 1 Section 7 of the law (2018:218) with provisions adapting to the EU's data protection regulation (the Data Protection Act). The first paragraph of the section states that personal data processing covered by the constitutional protection in the Freedom of the Press Ordinance (TF) and the Fundamental Law on Freedom of Expression (YGL) is exempted from the requirements of the data protection regulation if the application of the regulation would come into conflict with the constitutions. In ch. 1 Section 7, second paragraph, exceptions are made with regard to freedom of opinion and information. The exception covers processing that takes place for journalistic purposes or for academic, artistic or literary creation. If the exception is applicable, most provisions of the data protection regulation do not apply.<br />
<br />
The legal position deals with questions concerning the concept of "journalistic purposes" based on, among other things, case law from the European Court of Justice and Swedish courts. The position statement also contains a number of examples as guidance for its application.<br />
<br />
== Comment ==<br />
This is a question many lawyers in Sweden have seen as a problem, the question being whether the Swedish system is compliant with EU law. The judgment is the first, but the Supreme Administrative Court of Appeal has granted review dispensation in a case on the same underlying question (case 4588-23), and Attunda District Court in March requested a preliminary ruling from the Court of Justice in the same area (district court no. T 3743-23).<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.<br />
<br />
<pre><br />
BACKGROUND<br />
The Swedish Prosecution Authority decided on 13 July 2023 to reject Prolegia Research AB's request to take part in records in criminal cases AM-73270-17 and AM-98355-09. As the basis for the decision, it was stated that it could be assumed that the requested data in the records would be processed after disclosure in violation of the EU's data protection regulation 2016/679 (the data protection regulation) and law (2018:218) with supplementary provisions to the EU's data protection regulation (the data protection law) and that confidentiality according to ch. 21 Section 7 of the Public Access to Information and Secrecy Act (2009:400), OSL, therefore prevented disclosure.<br />
<br />
Prolegia appealed to the Court of Appeal in Stockholm, which on 19 September 2023 (case no. 4653-23) remanded the case as the company had brought forward that the company would conduct journalistic activities and the Public Prosecutor's Office had not taken a position on whether this meant that the company's processing of the personal data contained in the requested documents were exempt from the data protection regulation.<br />
<br />
In the now appealed decision, the Swedish Prosecution Authority, after taking into account the submitted voluntary release certificate, again rejected Prolegia's request to take part in records in criminal cases AM-73270-17 and AM-98355-09. The Swedish Prosecution Authority stated in the decision that the journalistic purpose must be the main purpose of the processing of personal data in order for the exception for journalistic activities to be applicable when assessing whether the data after disclosure can be assumed to be processed in violation of the EU's data protection regulation or the data protection act. Since it had not emerged that Prolegia, which mainly engages in background checks and consultancy in recruitment, had started any journalistic activities, the requested information was, according to the Prosecutor's Office, covered by confidentiality according to ch. 21. Section 7 OSL.<br />
<br />
CLAIMS, M.M.<br />
Prolegia stands by its request and puts forward, among other things, the following. The company has, through a granted publication certificate, a constitutionally protected right to publish its database. The EU's data protection regulation with supplementary Swedish regulations shall not be applied to this part of the company's operations. For the same reason, the data cannot be covered by confidentiality according to ch. 21 Section 7 OSL. The company intends to carry out journalistic activities. It is not a question of maintaining a legal database with search services that contains personal data about individuals. It is not the task of the Swedish Prosecution Authority to assess whether the company's operations are sufficiently journalistic. It is also neither appropriate nor in accordance with current law to give an authority the opportunity to preview and accept, or reject, the explanation provided regarding the relevance of the requested information to the public debate, investigative journalism or broader journalistic purposes. The actions of the Swedish Prosecution Authority involve a circumvention of the rights that follow from a certificate of issuance. The public prosecutor's office has also investigated who requested some of the documents in question and therefore did not carry out the exercise of authority in an objective and impartial manner.<br />
<br />
REASONS FOR THE COURT OF APPEAL'S DECISION<br />
<br />
Swedish Prosecution Authority procedure<br />
The Court of Appeal does not supervise the Swedish Prosecution Authority. What Prolegia has brought forward about the authority's procedure in the case therefore does not entail any action on the part of the Court of Appeal.<br />
<br />
Right to take part in public records<br />
<br />
The issue in the case<br />
<br />
Similar to the Swedish Prosecution Authority, the Court of Appeal considers that the requested documents are public records. The question in the case therefore becomes whether there is any provision in OSL, primarily ch. 21 Section 7, which means that the records must not be disclosed to Prolegia anyway. As it has emerged in the case that Prolegia has been granted a so-called voluntary certificate of publication and is therefore covered by the same constitutional protection as the traditional mass media, the question arises of the relationship between the data protection regulation and the constitutional protection of freedom of expression in the form of publication of information about prosecution on websites. There are no guiding rulings on the issue.<br />
<br />
Legal starting points<br />
<br />
EU law<br />
<br />
Article 10 of the data protection regulation states, among other things, that the processing of personal data relating to convictions in criminal cases and offenses involving crimes may only be carried out under the control of an authority or when processing is permitted under Union law or the national law of the Member States, where appropriate protective measures for the rights and freedoms of the data subjects are established.<br />
<br />
According to Article 85(1) point one of the data protection regulation, the member states must by law combine the right to privacy in accordance with the regulation with the freedom of expression and information, including processing that takes place for e.g. journalistic purposes. From the second point of the article, it appears that the member states, when processing for journalistic purposes, must determine exceptions or deviations from some of the regulation's provisions, if these are necessary to combine the right to privacy with freedom of expression and information. In Article 86, the possibility of exceptions to the publicity of documents is given in order to balance this right with the right to protection of personal data.<br />
<br />
In a ruling on 22 June 2021 (Latvijas Republikas Saeima, C-439/19, EU:C:2021:504), the European Court of Justice found that the provisions of the Data Protection Regulation may constitute an obstacle to certain national legislation which means that an authority transfers information about offences, covered by Article 10, to economic operators for further exploitation. The Court recalled that the purpose of Article 10 is to ensure enhanced protection against such processing which, by reason of the particular sensitivity of the data, may constitute a particularly serious interference with the fundamental right to respect for private life and protection of personal data in accordance with Articles 7 and 8 of the EU Charter of Rights. The Court also stated that Union law takes precedence over national provisions, including the Constitution (paragraphs 74, 126 and 135).<br />
<br />
The Swedish constitutional protection and the relationship to the data protection regulation<br />
<br />
When introducing the Data Protection Act, the legislator considered that the EU data protection regulations continued to provide scope for the provisions on freedom of press and expression in the Swedish constitutions. A disclosure provision was therefore introduced through ch. 1. Section 7 first paragraph of the Data Protection Act, which makes it clear that the Freedom of the Press Act, TF, and the Fundamental Law on Freedom of Expression, YGL, take precedence over the provisions of the Data Protection Ordinance and the Act. From the provision's second paragraph, which has its basis in Article 85(2) of the data protection regulation, it appears that i.a. Article 10 of the Data Protection Regulation shall not be applied to the processing of personal data for journalistic purposes or for academic, artistic or literary creation.<br />
<br />
The so-called database rule in ch. 1 § 4 YGL regulates the conditions under which provision of information from a database over the internet is covered by YGL. An actor can, upon application, be granted a certificate of issuance and thereby be covered by constitutional protection. This means, according to ch. 1 § 7 first paragraph of the Data Protection Act, that the Data Protection Ordinance with supplementary Swedish regulations shall not be applied to the constitutionally protected part of the operator's activities, to the extent that it would conflict with TF or YGL.<br />
<br />
In the preparatory work for the regulations on certificates of issue, it was established that free access to information as rich as possible and to varying opinions is a prerequisite for the citizens themselves to be able to take a stand on various issues that concern them. Among the civil liberties and rights, freedom of expression therefore occupies a central position which, together with freedom of information, has received specific protection in Swedish law through TF and YGL. When introducing the so-called voluntary issuance certificates, the legislator noted that a risk with having to apply for and be granted such a certificate is that the person who wants constitutional protection must turn to an authority. It was stated that it could not be ruled out that there is a risk that the authority in a tense social situation applies the application rules in such a way that constitutional protection is denied with regard to the expected content of the database. The risk was eliminated by stating the conditions for constitutional protection directly in the constitution, current chapter 1. § 5 YGL (government bill prop. 2001/02:74 pp. 36 and 49).<br />
<br />
On January 1, 2019, the possibility was introduced to limit constitutional protection by law regarding certain search services that contain data of a particularly privacy-sensitive nature, e.g. information about sexual orientation and health, with the support of ch. 1 Section 20 YGL. Proposals for corresponding provisions regarding legal violations have been presented on two occasions but not adopted by the Riksdag (Committee terms of reference Dir. 2023:145, pp. 6–7). The Swedish legislation thus lacks the possibility to limit the constitutional protection according to YGL with regard to information about violations of the law through domestic law.<br />
<br />
The Court of Appeal's assessment<br />
<br />
Prolegia has requested access to certain documents in two criminal cases and stated that they are to be used in journalistic activities and that it is not a question of maintaining a legal database with search services that contain personal data about individuals. Since the processing of the requested documents involves the processing of personal data, including information about violations of the law that include crimes, the processing falls under Article 10 of the Data Protection Regulation.<br />
<br />
Such a strict approach as follows from ch. 1 Section 7 first paragraph of the Swedish Data Protection Act, i.e. that the Swedish constitutional protection must always take precedence over the data protection regulation for the holder of a voluntary issuance certificate, is not compatible with the principle of the primacy of Union law. This is especially true in light of the fact that the constitutionally protected part of the business is, according to Swedish law, completely exempt from the provisions of the data protection regulation and that no proportionality assessment is made between, on the one hand, the right to protection of personal data and, on the other hand, the right to protection of freedom of expression and information (Latvijas Republikas Saeima, p. 105). Taking into account the principle of the primacy of Union law and the practice of the European Court of Justice, the Court of Appeal considers that a balance must be struck in each individual case between the privacy protection interest that is expressed by the data protection regulation and the constitutionally protected rights that apply to holders of voluntary issuance certificates and that are found in TF and YGL.<br />
<br />
In this context, it can be stated that the examination carried out when issuing voluntary certificates of issue is of a formal nature. There is also no requirement that any actual journalistic activity, regardless of content, must have begun. In addition, it can be noted that Prolegia already operates an established business in recruitment and that information has previously been requested from the Public Prosecutor's Office in order to carry out background checks in recruitment procedures. It was only after Prolegia had been denied access to certain documents that the company came in with a release certificate and stated that it wished to access the information for journalistic purposes. It has not emerged that Prolegia has started any journalistic activities.<br />
<br />
Denying an actor who has been granted a release certificate access to documents on the grounds that constitutional protection must give way in favor of the Data Protection Regulation must be done with great care. At the same time, the data protection regulation places clear requirements on the member states to establish appropriate safeguards for the rights and freedoms of the data subjects when it comes to personal data relating to convictions in criminal cases and offenses involving crimes, when the processing of such data is carried out by someone other than an authority. When it comes to the proportionality balance between different interests that must be made, the European Court of Justice has stated that data falling under Article 10 of the Data Protection Regulation relates to behavior that society disapproves of, and that granting access to such data may therefore stigmatize the person concerned and constitute a serious interference in his or her private or professional life (Latvijas Republikas Saeima p. 75).<br />
<br />
Against this background, automatically completely exempting Prolegia from the provisions of the data protection regulation is not compatible with the proportionality assessment that must be made between freedom of expression, public actions and the protection of personal data. The Data Protection Ordinance must therefore be applied when assessing whether Prolegia has the right to access requested documents, despite what is prescribed in the Data Protection Act regarding the primacy of constitutional protection.<br />
<br />
The Data Protection Regulation allows certain exceptions to the protection of personal data for activities that have journalistic purposes. The concept of journalistic purposes must be given a broad interpretation, including activities aimed at disseminating information, opinions or ideas to the public, and is applied to all persons engaged in journalistic activities (Satakunnan Markkinapörssi and Satamedia, C-73/07, EU:C:2008:727 pp. 56, 58 and 61).<br />
<br />
In a balance between the data subjects' interest in the protection of their personal data and Prolegia's interest in accessing the current data with the intention of being able to carry out journalistic activities in the future, the data subjects' rights weigh more heavily. In making this assessment, the Court of Appeal has taken into account in particular that the information relates to violations of the law and that disclosure could constitute a serious interference in the individual's private or professional life. Prolegia also has, with regard to its already established recruitment activities, an interest in obtaining the data, which currently appears to be the actual purpose of the processing of the requested personal data.<br />
<br />
Against this background, it can be assumed that the information in the requested documents will, after disclosure, be processed in violation of the data protection regulation. The information is therefore covered by confidentiality according to ch. 21 Section 7 OSL. The appeal must therefore be dismissed.
</pre></div>Johan90https://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_7286-1/2023&diff=40360&oldid=0NAIH (Hungary) - 7286-1/20232024-03-15T13:37:36Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH |DPA_With_Country=NAIH (Hungary) |Case_Number_Name=7286-1/2023 |ECLI= |Original_Source_Name_1=NAIH homepage |Original_Source_Link_1=https://gdprhub.eu/images/5/56/NAIH-7286-2023-hatarozat.pdf |Original_Source_Language_1=Hungarian |Original_Source_Language__Code_1=HU |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Orig..."</p>
<a href="https://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_7286-1/2023&diff=40360">Show changes</a>Im