GDPRhub - Recent changes [en] (feed updated 2024-03-28T22:28:53Z)<br />
<br />
Tietosuojavaltuutetun toimisto (Finland) - TSV/29/2020 (2024-03-28T15:34:42Z)<br />
https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV/29/2020&diff=40638&oldid=0<br />
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=TSV/29/2020<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Finlex<br />
|Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tsv/2024/20242123<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=27.01.2020<br />
|Date_Decided=12.03.2024<br />
|Date_Published=27.03.2024<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 25(2) GDPR<br />
|GDPR_Article_Link_2=Article 25 GDPR#2<br />
|GDPR_Article_3=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2d<br />
|GDPR_Article_4=Article 87 GDPR<br />
|GDPR_Article_Link_4=Article 87 GDPR<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 29(4) Data Protection Act<br />
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=fred<br />
|<br />
}}<br />
<br />
The DPA found a hospital to have breached the principle of data minimisation and data protection by design and by default by including personal identification codes in text messages.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Finnish DPA was notified that a hospital had sent test results to its patients by SMS, including the patient's personal identification code. The DPA then asked the controller to explain the purpose of including personal identification codes in text messages.<br />
<br />
In response to the request, the controller clarified that its mobile service automatically sent test results, treatment instructions and a proposal for the next monitoring date to patients via SMS. The controller stated that the inclusion of the personal identification code in the SMS ensured that the patient information was not inadvertently disclosed to the wrong people.<br />
<br />
The controller considered that the risk related to the processing of the personal identification code was minimal when the personal identification code was sent as an SMS to the patient's mobile phone. The controller claimed that if the SMS was sent to the wrong person, the risks to the life and health of the data subject could be significant.<br />
<br />
=== Holding ===<br />
On the basis of the information provided by the controller, the DPA noted that the purpose of [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29 Section 29 of the Finnish Data Protection Act] is to protect the personal identification code and to prevent its unnecessary processing. In addition, according to [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29 Section 29(4) of the Finnish Data Protection Act], the personal identification code should not be unnecessarily included in documents printed from or created on the basis of a filing system. The DPA was of the opinion that an SMS should be considered such a document.<br />
<br />
The DPA emphasised that, in accordance with [[Article 87 GDPR]], the national identity number shall be used only under appropriate safeguards for the rights and freedoms of the data subject. The DPA noted that the personal identification number is a unique and virtually permanent identifier, the access to which by third parties may cause significant harm to the data subject, such as identity theft. Furthermore, the SMS messaging system does not provide for the encryption of message content or traffic data. <br />
<br />
In light of this, the DPA considered that including the personal identity code in the SMS does not in fact affect whether the SMS is addressed to the right person. The DPA stated that the controller should not process personal identification codes for the sole purpose of facilitating its operations. Therefore, the controller should not have unnecessarily included the personal identity code in the SMS.<br />
<br />
On the basis of the information gathered, the DPA held that the controller had violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], [[Article 25 GDPR#2|Article 25(2) GDPR]] and [https://www.finlex.fi/fi/laki/ajantasa/2018/20181050#L5P29 Section 29(4) of the Finnish Data Protection Act]. As a result, and in accordance with [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA ordered the controller to bring its processing operations into compliance with the aforementioned provisions.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
Matter<br />
<br />
Sending personal ID and laboratory test data to the patient via text message<br />
Registrar<br />
<br />
Welfare district (At the time the matter was initiated, the hospital district was the data controller. From January 1, 2023, responsibility for the register has been transferred from the hospital district to the welfare district.)<br />
Notification made to the office of the Data Protection Commissioner<br />
<br />
The person who contacted the Data Protection Commissioner's office on January 27, 2020 stated in his report that he had received a text message from the central hospital that started with his personal identification number and in which he was told that his PSA sample had failed. The text message asked to contact the laboratory.<br />
<br />
The initiator inquires about the compliance of the operating method with data protection legislation.<br />
Statement received from the registrar<br />
<br />
The Office of the Data Protection Commissioner has requested an explanation from the data controller with an explanation request dated August 2, 2022. On August 23, 2022, the registrar has issued a written statement on the matter.<br />
<br />
The controller has presented in his report that the inclusion of the personal identification number in text messages ensures that, for example, information is not accidentally directed to wrong persons with the same name.<br />
<br />
According to the registrar, the mobile service automatically sends the patient a text message with the value measured in the test, treatment instructions and a proposal for the next control day. The contents of automatic text messages can be, for example, the following:<br />
<br />
“[Patient ID]: [Test X] score is [Y] and everything is fine. Your next checkup is on [date]”<br />
<br />
“[Patient ID]: The value of [Test X] is [Y]. To check the situation, please contact us"<br />
<br />
According to the registrar, in a service where the personal identification number is transmitted as a text message to the patient's own mobile phone, the risk related to the processing of the personal identification number is estimated to be low. On the other hand, in a situation where a message after a laboratory test is targeted to the wrong person, the risks to the registered person's life and health can be considerably high.<br />
On applicable legislation<br />
<br />
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) and the specifying national data protection act (1050/2018) apply in this case.<br />
<br />
Article 5(1)(c) of the General Data Protection Regulation provides for the principle of data minimization. According to the article, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.<br />
<br />
Article 25 of the General Data Protection Regulation provides for built-in and default data protection. According to paragraph 1 of the article, taking into account the latest technology and implementation costs, as well as the nature, scope, context and purposes of the processing, as well as the varying probability and seriousness of the risks to the rights and freedoms of natural persons caused by the processing, the controller must, both when determining the processing methods and during the processing itself, implement appropriate technical and organizational measures, such as pseudonymization of data, that are designed to implement data protection principles such as data minimization effectively and to integrate the necessary protective measures into the processing, so that the processing complies with the requirements of the General Data Protection Regulation and the rights of data subjects are protected. According to paragraph 2 of the article, the controller must implement appropriate technical and organizational measures to ensure that by default only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability. With the help of these measures, it must be ensured in particular that personal data is not, by default, made available to an unlimited number of people without the contribution of a natural person.<br />
<br />
Article 32 of the General Data Protection Regulation provides for the security of processing. According to paragraph 1 of the article, taking into account the latest technology and implementation costs, the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, which vary in their probability and severity, the controller and the personal data processor must implement appropriate technical and organizational measures to ensure a level of security corresponding to the risk. According to paragraph 2 of the article, when assessing the appropriate level of security, special attention must be paid to the risks involved in the processing, in particular from the accidental or unlawful destruction, loss or alteration of, or the unauthorized disclosure of or access to, personal data that is transmitted, stored or otherwise processed.<br />
<br />
Article 87 of the General Data Protection Regulation provides for the handling of the national identity number. According to the article, member states can define in more detail the special conditions for processing a national identity number or other general identifier. In this case, the national identity number or other general identifier must be used only in compliance with appropriate safeguards regarding the rights and freedoms of the data subject in accordance with the General Data Protection Regulation.<br />
<br />
At the time of the event of the matter to be resolved, Section 29 of the Data Protection Act provides for the processing of personal identification numbers as follows: According to Section 29, subsection 1, personal identification numbers may be processed with the consent of the data subject or, if the processing is stipulated by law. In addition, the personal identification number may be processed if unambiguous identification of the registered person is important: 1) in order to perform a task stipulated by law; 2) to implement the rights and obligations of the registered or data controller; or 3) for historical or scientific research or statistics. According to section 29 subsection 2 of the Data Protection Act, the personal identification number may be processed in the granting of credit or debt collection, insurance, credit institution, payment service, rental and lending activities, credit information activities, health care, social care and other social security or official, employment and other service relationships and related to them in matters concerning related interests. According to section 29 subsection 4 of the Data Protection Act, the personal identification number should not be entered unnecessarily in documents printed or drawn up based on the personal register.<br />
<br />
The regulation of Section 29 of the Data Protection Act has been tightened with a legal amendment that entered into force on January 1, 2024. In this decision of the Deputy Data Protection Commissioner, the regulation in force at the time of the event is applied.<br />
A legal issue<br />
<br />
The Deputy Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).<br />
<br />
The Deputy Data Protection Commissioner must resolve:<br />
<br />
Has the controller's procedure, in which it has usually sent automated text messages regarding laboratory visits to registered users, including personal identification numbers, been in accordance with Article 5(1)(c) and Article 25(2) of the General Data Protection Regulation and Section 29.4 of the Data Protection Act?<br />
<br />
The case that is now the subject of the decision also involves matters related to the use of text messages and the security of processing, in accordance with Article 32, paragraphs 1 and 2 of the General Data Protection Regulation. Regarding the protection of personal data sent by text message, the Deputy Data Protection Commissioner gives guidance to the controller.<br />
Decision of the Deputy Data Protection Commissioner<br />
Decision<br />
<br />
The controller's usual procedure, in which it has sent automated text messages regarding laboratory visits to registered users that include personal identification numbers, has not been in accordance with Section 29.4 of the Data Protection Act (processing of the personal identification number), Article 5(1)(c) of the General Data Protection Regulation (data minimization) and Article 25(2) of the General Data Protection Regulation (default data protection).<br />
<br />
The controller is given an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing activities regarding the processing of the personal identification number into compliance with the provisions of the General Data Protection Regulation and the Data Protection Act.<br />
<br />
The deputy data protection commissioner orders the data controller to submit a report on the measures taken to the data protection commissioner's office by May 13, 2024, unless it applies for an amendment to this decision.<br />
<br />
Regarding the procedure for sending laboratory research data by text message, the deputy data protection commissioner gives guidance to the data controller.<br />
Reasoning<br />
The necessity of a personal ID in text messages<br />
<br />
In the case being evaluated now, the person who reported to the data protection commissioner's office has been sent a text message about the failure of the laboratory test. In addition, the personal identification number of the person who made the report was mentioned in the text message and he was urged to contact the laboratory. The text message was about a message sent to the patient automatically, via a mobile service.<br />
<br />
In its report, the registrar has stated that by including the social security number in text messages, it is ensured that, for example, information is not mistakenly directed to persons with the same name but different social security numbers.<br />
<br />
The purpose of Section 29 of the Data Protection Act is to protect the personal identification number and to try to prevent its unnecessary processing. (HE 96/1998, p. 48.) According to Section 29.4 of the Data Protection Act, the personal identification number must not be entered unnecessarily in documents printed or drawn up based on the personal register.<br />
<br />
The concept of a document is broad. In legislation, the concept of a document is defined, for example, in Section 5.1 of the Publicity Act (621/1999). According to the law, in the law in question, a document means, in addition to a written and pictorial representation, a message made up of signs intended to belong together due to its use, about a specific object or matter, which can only be found out with the help of automatic data processing or audio and video reproduction devices or other aids. (It should also be remembered that the protection of natural persons should be technology-neutral, i.e. it should not depend on the technology used, see e.g. introductory paragraph 15 of the General Data Protection Regulation.) What is stipulated in Section 29.4 of the Data Protection Act is not limited to certain types of documents. In the case being evaluated now, the text message must be considered a document referred to in Section 29.4 of the Data Protection Act, in which the personal identification number should not be entered unnecessarily.<br />
<br />
In addition to Section 29 of the Data Protection Act, other relevant provisions of the General Data Protection Regulation, such as Article 5(1)(c) and Article 25(2) of the General Data Protection Regulation, apply to the processing of personal identification numbers. (The national identity number must only be used in compliance with the appropriate safeguards regarding the rights and freedoms of the data subject in accordance with the General Data Protection Regulation, see Article 87 of the General Data Protection Regulation and HE 9/2018 vp, p. 113. See also e.g. the decision of the Court of Justice of the European Union in case C -439/19, point 96 of the decision.) It follows from the aforementioned provisions that the data controller must build its information systems so that the personal identification number is processed only in situations where it is necessary.<br />
<br />
The deputy data protection commissioner states that the reasons presented by the controller for the necessity of processing the personal identification number are essentially related to the identification of the registered person at the stage when the information of the right patient is retrieved from the information system. It is possible for the registrar to process the personal identification number in its background system for the purpose of identifying the patient and to ensure that it is the right person to whom the text message will be forwarded.<br />
<br />
The Deputy Data Protection Commissioner states that although the personal identification number can be processed to identify the person to whom the text message is intended to be forwarded, the personal identification number should not be unnecessarily included in the content of the text message.<br />
<br />
The deputy data protection commissioner considers that entering a personal identification number in a text message does not actually affect the fact that the message is directed to the right person. The registrar has not brought forward any other grounds for processing the personal identification number, and the Deputy Data Protection Commissioner is not aware of any other grounds on the basis of which it would be necessary to include the personal identification number in the text message. The procedure of the data controller has therefore not been in accordance with Articles 5(1)(c) and 25(2) of the General Data Protection Regulation or Section 29.4 of the Data Protection Act, based on the reasons presented above.<br />
<br />
In this connection, the Deputy Data Protection Commissioner reminds that the personal identification number should not be used, for example, solely for the purpose of making the operations of the data controller smoother, and the data controller should not process the personal identification number only because data processing is easier with the personal identification number. (See also HE 9/2018 vp, pp. 113–114.) Information systems must be built in such a way that text messages sent automatically do not include personal identification numbers unnecessarily. The personal identification number must also be processed in such a way that it does not become improperly available to outsiders.<br />
<br />
With regard to this procedure, the Deputy Data Protection Commissioner issues an order to the data controller to bring the processing operations into compliance with data protection regulations.<br />
Protection of personal data sent by text message<br />
<br />
With regard to the protection of personal data sent by text message, the deputy data protection commissioner provides general guidance to the data controller.<br />
<br />
The person initiating the case has been sent a text message with their personal identification number and information about the failure of a specific, separately named laboratory test. It has been about text messages sent to registrants in the usual way.<br />
<br />
The following can be stated about the data security of text messages: SMS messages travel unprotected in the mobile phone network between telecom companies. The content of SMS messages is not protected during transmission, for example with encryption, except for the radio traffic between the mobile device and the base station of the mobile phone network. The SMS message system (SS7) does not provide conditions for encrypting message content or message transmission information.<br />
<br />
In the case of text messages, it can also be noted that vulnerabilities have been identified in the SS7 protocol suite that implements the transmission mechanisms of SMS messages, which pose a threat to the confidentiality of communications and which cannot be repaired or properly managed. Because of these vulnerabilities, it is possible, for example, to direct SMS messages sent to a certain subscriber interface to a telecommunications company that is not involved in the transmission of communications in the mobile phone network and read them there in plain text. It is also possible to extract data through malware that is injected into mobile devices. In addition, misuse of the roaming feature of the SS7 protocol suite may enable, for example, the eavesdropping of traffic between a mobile device and a cellular network. SMS messages can also be intercepted locally using fake access points or malicious applications.<br />
<br />
The personal identification number is a strongly identifying identifier that was originally intended to be permanent, and its disclosure to outsiders can cause significant harm to the registered person, such as becoming a victim of identity theft. The personal identification number must only be used in compliance with appropriate protective measures regarding the rights and freedoms of the data subject in accordance with the General Data Protection Regulation.<br />
<br />
Information about a medical procedure performed on a specific person is, on the other hand, health-related information belonging to special personal data groups (Article 9 of the General Data Protection Regulation). The controller must protect data belonging to special personal data groups particularly well. (See, e.g., introductory paragraph 51 of the General Data Protection Regulation. The legislation also provides for special confidentiality obligations when the health care unit processes the patient's health data.)<br />
<br />
The Deputy Data Protection Commissioner directs the data controller to note the data security risks associated with the data controller's procedure as described above, which it must take into account in order to meet the requirements of Article 32, paragraphs 1 and 2 of the General Data Protection Regulation, such as the appropriate management of risks related to access to personal data. Because of the way text message protection is generally implemented, it is not practically possible for the data controller to improve this protection with technical measures; instead, it must ensure that the appropriate protection of personal data is implemented by limiting the personal data that can be included in text messages sent unilaterally to registered users.<br />
<br />
The data content of text messages sent to registrants must therefore be formed in accordance with the processing security requirement and the requirements of built-in and default data protection (Article 25 of the General Data Protection Regulation), following a risk-based approach. Likewise, when defining the content of text messages, the controller must properly take into account the shortcomings related to the protection of text messages and the nature of the information delivered by text message.<br />
<br />
Based on the above, the Deputy Data Protection Commissioner directs the data controller to limit the data content of text messages appropriately as a default method of operation. For example, in the case of the person who reported to the Data Protection Commissioner's office, it would have been possible to limit the content of the text message so that the text message would have told about the failure of the laboratory test at a general level and asked the person to contact the laboratory.<br />
<br />
When determining its procedures, the controller should also evaluate the possibilities for alternative methods of operation in the usual way of bringing personal data to the knowledge of the data subjects.<br />
</pre></div>
Author: Fred<br />
<br />
CJEU - C‑37/20 and C‑601/20, - WM and Sovim SA v Luxembourg Business Registers (2024-03-27T15:16:59Z)<br />
https://gdprhub.eu/index.php?title=CJEU_-_C%E2%80%9137/20_and_C%E2%80%91601/20,_-_WM_and_Sovim_SA_v_Luxembourg_Business_Registers&diff=40614&oldid=0<br />
<p><b>New page</b></p><div>{{CJEUdecisionBOX<br />
<br />
|Case_Number_Name=C‑37/20 and C‑601/20, WM and Sovim SA v Luxembourg Business Registers<br />
|ECLI=ECLI:EU:C:2022:912<br />
<br />
|Opinion_Link=<br />
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=7822E0491037A3F35E2A8E87BF4C8A78?text=&docid=268059&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=5227097<br />
<br />
|Date_Decided=22.11.2022<br />
|Year=2022<br />
<br />
|GDPR_Article_1=Article 5(1) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=Article 30 Directive 2015/849<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%253A32015L0849<br />
|EU_Law_Name_2=Article 7 and 9 Charter of Fundamental Rights<br />
|EU_Law_Link_2=https://www.europarl.europa.eu/charter/pdf/text_en.pdf<br />
|EU_Law_Name_3=Directive 2018/843<br />
|EU_Law_Link_3=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%253A32018L0843<br />
|EU_Law_Name_4=<br />
|EU_Law_Link_4=<br />
|EU_Law_Name_5=<br />
|EU_Law_Link_5=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=SOVIM SA <br />
|Party_Link_1=<br />
|Party_Name_2=WM<br />
|Party_Link_2=<br />
|Party_Name_3=Luxembourg Business Registers<br />
|Party_Link_3=https://www.lbr.lu/mjrcs-lbr/jsp/IndexActionNotSecured.action?time=1710010265362&loop=3#ANCHOR_TO_MESSAGES<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Reference_Body=<br />
|Reference_Case_Number_Name=<br />
<br />
|Initial_Contributor=Mgrd<br />
|<br />
}}<br />
<br />
The CJEU ruled that Directive 2018/843, determining public access to EU beneficial ownership data of companies on Member State registers, violates privacy rights under the EU Charter of Fundamental Rights.<br />
<br />
==English Summary==<br />
<br />
=== Facts ===<br />
In Case C-37/20, YO, a real estate company, lodged a request with Luxembourg Business Registers (LBR) pursuant to Article 15 Law of 13 January 2019 (Law of 13 January 2019 of Luxembourg establishing the Beneficial Owner Register - transposing the provisions of Article 30 Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing). It requested that access to the information concerning WM, its beneficial owner, contained in the register, be restricted solely to the entities mentioned in that provision, on the ground that the general public’s access to that information would seriously, actually and immediately expose WM and his family to a disproportionate risk and risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation.<br />
<br />
On November 20, 2019, LBR rejected the request, arguing that WM’s situation does not meet the requirements of Article 15 Law of 13 January 2019, since WM cannot rely either on ‘exceptional circumstances’ or on any of the risks referred to in that article.<br />
<br />
On 5 December 2019, WM brought an action before the tribunal d’arrondissement de Luxembourg (Luxembourg District Court, Luxembourg), maintaining that his position as executive officer and beneficial owner of YO and of a number of commercial companies requires him frequently to travel to countries whose political regime is unstable and where there is a high level of crime, which creates a significant risk of his being kidnapped, abducted, subjected to violence or even killed.<br />
<br />
In that regard, the referring court raised the question of the interpretation to be given to the concepts of ‘exceptional circumstances’, ‘risk’ and ‘disproportionate’ risk within the meaning of Article 30(9) Directive 2015/849, as amended.<br />
<br />
In Case C‑601/20, Sovim lodged a request to LBR, pursuant to Article 15 Law of 13 January 2019, requesting that access to the information concerning its beneficial owner, contained in the register, be restricted solely to the entities mentioned in that provision. On February 6, 2020, the request was rejected by LBR.<br />
<br />
On 24 February 2020, Sovim brought an action before the referring court seeking a declaration that Article 12 Law of 13 January 2019, pursuant to which access to certain information contained in the register is open to ‘any person’, and/or Article 15 Law of 13 January 2019 are inapplicable and an order for the information provided by Sovim pursuant to Article 3 Law of 13 January 2019 not to be made publicly accessible.<br />
<br />
Sovim argued that granting public access to the identity and personal data of its beneficial owner would infringe the right to respect for private and family life and the right to the protection of personal data, enshrined respectively in Articles 7 and 8 EU Charter of Fundamental Rights.<br />
<br />
Sovim also stated that the aims of Directive 2015/849, on the basis of which the Law of 13 January 2019 was introduced into Luxembourg law, are to identify the beneficial owners of companies used for the purposes of money laundering or terrorist financing, as well as to ensure certainty in commercial relationships and market confidence. However, it has not been shown how granting the public entirely unrestricted access to the data held in the register enables those aims to be attained.<br />
<br />
Sovim highlighted that public access to personal data contained in the register constitutes an infringement of several provisions of the GDPR, in particular a number of fundamental principles set out in Article 5(1) thereof.<br />
<br />
In the alternative, Sovim claims that the referring court should hold that there is a disproportionate risk in the present case, within the meaning of Article 15(1) Law of 13 January 2019, and accordingly make an order requiring LBR to restrict access to the information referred to in Article 3 Law of 13 January 2019.<br />
<br />
=== Holding ===<br />
The CJEU examined whether Directive 2018/843's amendment, mandating public access to beneficial ownership data, was valid under Articles 7 and 8 EU Charter of Fundamental Rights.<br />
<br />
This amendment requires Member States to ensure that information on beneficial ownership is accessible to the general public. The Court identified that making beneficial ownership information publicly accessible does indeed constitute an interference with these fundamental rights.<br />
<br />
The CJEU emphasized the potential for creating detailed profiles on individuals based on their economic activities and the unlimited access by potentially any person, which could lead to misuse of this information. Despite recognizing that such transparency aims to deter money laundering and terrorist financing, the Court questioned whether this broad access is strictly necessary and proportionate to the objectives pursued.<br />
<br />
The CJEU questioned the justification for this interference, considering whether the measures respect the essence of the fundamental rights under the Charter, whether they genuinely meet objectives of general interest recognized by the EU, and whether they are necessary and proportionate.<br />
<br />
Despite acknowledging the importance of combating financial crimes, the CJEU found that the directive's approach to providing unrestricted public access to beneficial ownership information did not guarantee a proper balance between the objective of general interest and the protection of fundamental rights, such as privacy. The Court highlighted the lack of clear and precise rules on the scope and application of this measure, raising concerns over the adequacy of safeguards against the risk of abuse and the difficulty for individuals to control or challenge the use of their data.<br />
<br />
Ultimately, the CJEU declared Article 1(15)(c) Directive 2018/843 invalid, concluding that making beneficial ownership information universally accessible to the public constitutes a serious interference with the rights under Articles 7 and 8 EU Charter of Fundamental Rights that is not justified by the objectives of general interest it seeks to achieve.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''</div>Imhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9996609&diff=40608&oldid=40606Garante per la protezione dei dati personali (Italy) - 99966092024-03-27T15:08:01Z<p></p>
<a href="https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9996609&diff=40608&oldid=40606">Show changes</a>Lmhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9996609&diff=40606&oldid=0Garante per la protezione dei dati personali (Italy) - 99966092024-03-27T15:01:24Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=9996609 |ECLI= |Original_Source_Name_1=Garante Per La Protezione Dei Dati Personali |Original_Source_Link_1=https://gdprhub.eu/images/1/1c/IT_DPA_9996009_08.02.2024.pdf |Original_Source_Language_1=Italian |Original_Source_La..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Italy<br />
|DPA-BG-Color=background-color:#095d7e;<br />
|DPAlogo=LogoIT.png<br />
|DPA_Abbrevation=Garante per la protezione dei dati personali<br />
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)<br />
<br />
|Case_Number_Name=9996609<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Garante Per La Protezione Dei Dati Personali<br />
|Original_Source_Link_1=https://gdprhub.eu/images/1/1c/IT_DPA_9996009_08.02.2024.pdf<br />
|Original_Source_Language_1=Italian<br />
|Original_Source_Language__Code_1=IT<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 7 GDPR<br />
|GDPR_Article_Link_3=Article 7 GDPR<br />
|GDPR_Article_4=Article 12 GDPR<br />
|GDPR_Article_Link_4=Article 12 GDPR<br />
|GDPR_Article_5=Article 13 GDPR<br />
|GDPR_Article_Link_5=Article 13 GDPR<br />
|GDPR_Article_6=Article 24 GDPR<br />
|GDPR_Article_Link_6=Article 24 GDPR<br />
|GDPR_Article_7=Article 25 GDPR<br />
|GDPR_Article_Link_7=Article 25 GDPR<br />
|GDPR_Article_8=Article 28 GDPR<br />
|GDPR_Article_Link_8=Article 28 GDPR<br />
|GDPR_Article_9=<br />
|GDPR_Article_Link_9=<br />
|GDPR_Article_10=<br />
|GDPR_Article_Link_10=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Maggioli S.p.A.<br />
|Party_Link_1=https://www.maggioli.com/it-it<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=<br />
|<br />
}}<br />
<br />
The DPA found that a controller violated transparency and processing oversight obligations in using cookies on several websites, and determined that using an ‘X’ rather than a ‘reject’ button is permissible when its meaning is explained in the cookie banner.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In August 2021, several data subjects represented by noyb (European Centre for Digital Rights) filed complaints against Maggioli S.p.A. (controller) concerning its use of cookies and other tracking tools. The complaint alleged several violations across a number of the controller’s webpages, including: <br />
<br />
• the absence of a ‘reject’ button at the first level of the cookie banner; <br />
• the use of pre-ticked boxes at the second level of the cookie banner; <br />
• the use of a cookie rejection mode that consisted of a link instead of a button (unlike the ‘accept all’ button); <br />
• the use of misleading button colors and contrasts; <br />
• the improper reliance on legitimate interest as a legal basis for cookie processing; <br />
• a procedure for revoking consent that was not easily accessible. <br />
<br />
The Italian DPA (Garante) carried out an investigation. During its investigation, it noted that the controller contracted with OneTrust (processor), a service that classified cookies and reported them in the controller’s cookie banner and cookie policy. Notably, only the processor could directly modify the cookie banner and cookie policy. The Garante also observed that the controller used only technical, non-tracking cookies. The processor, however, had erroneously attributed third parties’ tracking cookies that were on the controller’s webpage to the controller. <br />
On 30 May 2023, the DPA notified the controller of the alleged violations and that it was initiating the procedure pursuant to Article 166(5) of the Code on Protection of Personal Data. <br />
<br />
On 29 June 2023, the controller replied with a defensive brief. It noted that, upon discovering the processor’s erroneous cookie categorizations, the controller requested that the error be corrected. When the processor failed to do so in breach of their contract, the controller withdrew from the contract and entered into an agreement with a new supplier to alter the cookie banner. The controller also argued that the failure to inform users about the meaning of the X had not resulted in any violation because the controller only used technical non-tracking cookies.<br />
<br />
=== Holding ===<br />
The Garante found that the controller’s conduct breached Articles 4(11), 5, 7, 12, 13, 24, 25, and 28 GDPR as well as Article 122 of the Code. The DPA focused on three core issues with the controller’s processing.<br />
<br />
First, the controller failed to indicate the meaning of the command marked by the ‘X’ graphic in the cookie banner. The Garante considered this a violation of Articles 5(1)(a), 12 and 13 GDPR because it failed to provide data subjects with the fullest possible awareness regarding the processing of their personal data and the choices they are entitled to make under the law. <br />
<br />
Second, the Garante found that the controller violated Articles 4(11) and 7 GDPR by erroneously citing legitimate interest as its legal basis for processing via cookies when such processing requires consent as a legal basis. The Garante noted, however, that the controller only actually relied on legitimate interest as a legal basis for its own use of cookies, which were technical and non-tracking. As technical cookies do not require user consent, the Garante found that, although the cookie banner stated the incorrect legal basis, the controller’s own processing in fact complied with the rules and did not harm data subjects. Nonetheless, the erroneous naming of legitimate interest as the legal basis in the cookie banner was unlawful under Articles 5(1)(a), 12 and 13 GDPR because it misled consumers.<br />
<br />
Finally, the Garante noted that the relationship between the controller and processor, and namely the controller’s inability to modify the cookie banner and cookie policy, resulted in violations of Articles 24, 25, and 28 GDPR. It emphasized that Articles 24 and 25 GDPR impose a responsibility on the controller to oversee processing and guarantee that processor activities comply with the GDPR. <br />
<br />
In light of these violations, the Garante issued a warning, deciding not to impose a fine. It took into account the controller’s changes to banners following receipt of noyb’s complaints, the lack of harm to users’ data since the controller itself only used technical cookies, the lack of fraudulent intent, the controller’s withdrawal from the contract with its supplier after it failed to comply with the controller’s requests, its cooperation with the DPA, and the lack of further complaints.<br />
<br />
== Comment ==<br />
‘X’ button: The Garante concluded that the ‘X’ function was sufficient where the cookie banner defined the effect of clicking ‘X.’ The issue thus was not the use of the ‘X’ (as opposed to something like a ‘reject’ button), but rather the lack of explanation within the cookie banner. In coming to this conclusion, the Garante rejected the data subjects’ arguments that a mere ‘X’ somewhere on the cookie banner was insufficient and a ‘reject’ button was required.<br />
<br />
Cookie usage: The Garante noted that the controller did not itself use profiling cookies. As a result, it found that the controller itself only resorted to the legal basis of legitimate interests in relation to this use of technical cookies, which is a proper legal basis for such cookies, and thus did not harm consumers. Notably, third parties do use tracking cookies to carry out profiling on the controller’s webpage. By concluding that the controller itself processed data in compliance with the Garante’s Guidelines, the DPA implicitly determined that the controller is not responsible for third party cookies that are used on its webpage.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Lmhttps://gdprhub.eu/index.php?title=Upravni_sud_u_Zagrebu_-_Usl-4017/23-6&diff=40579&oldid=0Upravni sud u Zagrebu - Usl-4017/23-62024-03-27T12:47:11Z<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Croatia |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Upravni sud u Zagrebu |Court_Original_Name=Republika Hrvatska Upravni sud u Zagrebu |Court_English_Name=Administrative Court of Zaghreb |Court_With_Country=Upravni sud u Zagrebu (Croatia) |Case_Number_Name=Usl-4017/23-6 |ECLI= |Original_Source_Name_1=Republika Hrvatska Upravni sud u Zagrebu |Original_Source_Link_1=https://sudskapraksa.vsrh.hr/decisionPdf?id=090216b..."</p>
<p><b>New page</b></p><div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Croatia<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Upravni sud u Zagrebu<br />
|Court_Original_Name=Republika Hrvatska Upravni sud u Zagrebu<br />
|Court_English_Name=Administrative Court of Zaghreb<br />
|Court_With_Country=Upravni sud u Zagrebu (Croatia)<br />
<br />
|Case_Number_Name=Usl-4017/23-6<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Republika Hrvatska Upravni sud u Zagrebu<br />
|Original_Source_Link_1=https://sudskapraksa.vsrh.hr/decisionPdf?id=090216ba80eeeb22%09<br />
|Original_Source_Language_1=Croatian<br />
|Original_Source_Language__Code_1=HR<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=05.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 57(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 57 GDPR#1a<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Zakon o općem upravnom postupku (Croatian Act on General Administrative Procedure)<br />
|National_Law_Link_1=https://www.zakon.hr/z/65/Zakon-o-op%25C4%2587em-upravnom-postupku<br />
|National_Law_Name_2=Zakon o provedbi Opće uredbe o zaštiti podataka (National Law Implementing the GDPR)<br />
|National_Law_Link_2=https://www.zakon.hr/z/1023/Zakon-o-provedbi-Op%25C4%2587e-uredbe-o-za%25C5%25A1titi-podataka<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nz, lm<br />
|<br />
}}<br />
<br />
The Administrative Court found that, although the DPA failed to enforce its decision contrary to the GDPR, the statute of limitations for enforcing an order under national law had expired and the DPA could not be ordered to enforce its decision.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subjects’ yard was filmed by a third party. The data subjects lodged a complaint with the Croatian DPA (“AZOP”). The AZOP considered that this processing operation had no valid legal basis. On 3 October 2018, it ordered the deletion of every recording of the yard or public road and prohibited the third party from recording the yard in question. The decision indicated that “No appeal is allowed against this decision”. In accordance with Article 133(2) of the Croatian Act on General Administrative Procedure, the decision became enforceable by delivery of the decision to the party. <br />
<br />
The controller did not act on the decision. The data subjects thus submitted a request to the AZOP to adopt an enforcement decision. Meanwhile, a third party initiated an administrative dispute against the initial decision taken by the AZOP. The AZOP responded to the data subjects that the conditions for execution of the decision were not met because that decision faced an ongoing procedure before an Administrative Court. <br />
<br />
Following the conclusion of the administrative dispute, the data subjects asked the AZOP to adopt a decision on the enforcement of the decision. The AZOP did not take any action. <br />
<br />
The data subjects submitted a complaint with the Administrative Court of Zagreb against the AZOP. The AZOP stated that it did not take any action because the controller indicated that the recordings were deleted and the data subjects did not prove the contrary. It made two arguments pursuant to the Croatian Act on General Administrative Procedure. First, it noted that Article 139(1) of this Act establishes an obligation to issue a decision when the executed party does not act according to the enforcement decision. Second, the AZOP argued that the decision cannot be enforced because the statute of limitations period granting 5 years to bring an enforcement action under Article 135(3) of the Croatian Act on General Administrative Procedure had expired. According to this provision, after five years from the date that an order became enforceable, its enforcement may no longer be requested.<br />
<br />
=== Holding ===<br />
The Upravni Sud u Zagrebu (Administrative Court of Zagreb) noted that pursuant to [[Article 52 GDPR|Article 52 GDPR]], a supervisory authority’s task is not simply to establish a violation of legal provisions, but also to ensure the removal of such violation. Thus, the AZOP is obliged to issue an enforcement decision under Articles 138 and 139 of the Croatian Act on General Administrative Procedure. <br />
<br />
Nonetheless, the Administrative Court agreed with the AZOP that the statute of limitations period under Article 135(3) of the Croatian Act on General Administrative Procedure applied and had expired in this case. As a result, the administrative court could not order the AZOP to issue an enforcement decision. <br />
<br />
The Administrative Court ordered the defendant to compensate the data subject EUR 684.10 within 15 days for the costs of the administrative dispute.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.<br />
<br />
<pre><br />
REPUBLIC OF CROATIA<br />
ADMINISTRATIVE COURT IN ZAGREB<br />
Avenija Dubrovnik 6 and 8<br />
<br />
Business number: UsI-4017/23-6<br />
<br />
IN THE NAME OF THE REPUBLIC OF CROATIA<br />
<br />
JUDGMENT<br />
<br />
The Administrative Court in Zagreb, according to the judge of that court, Anti Drezga and Slobodanka<br />
<br />
Gorsensky, recorder, in the administrative dispute plaintiff 1. M. N. from Z., OIB:... and 2. T. I.-<br />
P. from Z., OIB: ..., represented by attorney N. O., attorney at O., H. and partners,<br />
law firm d.o.o. from Z., against the defendant Agency for the Protection of Personal Data,<br />
Z., OIB: ..., due to the management's silence, February 5, 2024,<br />
<br />
he decided<br />
<br />
<br />
The claim that reads:<br />
"I The claim of plaintiff I-M is approved. N. and II-T. I. P. and is ordered to the defendant<br />
to the Personal Data Protection Agency within 30 days from the date of delivery<br />
judgment to issue a decision on the execution of the decision of the Agency for the Protection of Personal Data<br />
CLASS: UP/I-041-02/17-08/20, URBROJ: 567-02/03-18-01 from 03.10.2018.<br />
II The defendant is ordered to compensate the plaintiffs for the costs of this administrative dispute in<br />
<br />
in the amount of EUR 684.10, all within 15 days."<br />
<br />
Explanation<br />
<br />
1.1. The plaintiffs in the lawsuit essentially state that it is about the request for protection<br />
the right plaintiff, proceedings were conducted before the defendant, CLASS: UP/I-041-02/17-<br />
08/20, URBROJ: 567-02/03-18-01, in which on October 3, 2018, it was adopted<br />
<br />
a decision establishing that the processing of personal data by a third party<br />
filmed yard co-owned by the plaintiffs, without a legal and appropriate purpose<br />
legal basis. The decision in question prohibits a third person from recording<br />
of the yard in question and ordered to delete all records created by recording the yard<br />
that is, public roads, which were collected without a legal basis. As an instruction on legal<br />
the remedy of the decision in question reads "No appeal is allowed against this decision", so,<br />
in accordance with Article 133, Paragraph 2 of the Act on General Administrative Procedure, the decision became<br />
<br />
executory but by delivery of the solution to the party, and the third party is not voluntary according to the same<br />
acted, the plaintiffs submitted a request to the defendant on July 12, 2021<br />
of making a decision on enforcement. However, as a third party initiated an administrative dispute<br />
against the aforementioned decision, the defendant responded to the plaintiff's request<br />
by letter CLASS: UP/I-041-02/17-08/20, UR NO: 567-02/03-21-14 dated October 10<br />
2021 as "in relation to the specific case, we state that at this moment they are not<br />
the conditions for the execution of the aforementioned decision of this Agency have been met. In this sense, we state how<br />
<br />
<br />
this Agency will carry out the execution of the decision after the completion of the procedure conducted before<br />
by the said competent court", although citing the article of the Law on General<br />
<br />
administrative procedure indicating that the conditions for execution have been met, given that<br />
decision against which no appeal is allowed, delivered to the party. Continuing on<br />
termination of the administrative dispute, the plaintiffs filed again on October 18, 2022<br />
to the defendant, a proposal for the adoption of a decision on execution, at a time when it is undoubtedly,<br />
even according to the defendant's illegal interpretation of the legal provision, the solution became<br />
executive. However, the defendant has not taken any action on the occasion to date<br />
of the defendant's proposal, nor did he issue a decision on enforcement.<br />
<br />
1.2. The plaintiffs are submitting this administrative complaint to the title court based on the article<br />
Paragraph 3, paragraph 1, point 3 of the Administrative Disputes Act for the purpose of assessing illegality<br />
failure of the defendant to act according to the regulation, in the specific case according to<br />
provisions of the Law on General Administrative Procedure. In the specific case, how is it<br />
on the occasion of the request for the protection of the plaintiff's rights, a procedure was conducted before the Agency for<br />
protection of personal data, CLASS: UP/I-041-02/17-08/20, UR NO: 567-02/03-18-<br />
<br />
01, in which the aforementioned decision was adopted, which established that the processing<br />
personal data by L. K. through the video surveillance system recorded yard in<br />
co-owned by the applicant at the address R. 5, without a lawful and appropriate purpose<br />
legal basis, the plaintiffs point out that it is undoubtedly the case in this particular case<br />
on administrative procedure, so the provisions of the Act on<br />
general administrative procedure on the manner and time of issuing enforceability for the first instance<br />
administrative act. According to the decision of L. K., filming of the yard in question is prohibited<br />
<br />
and the ordered deletion of all records created by recording the yard or public road, a<br />
which were collected without a legal basis. Since she did not act according to the decision, and the instruction of Fr<br />
the legal remedy of the decision in question reads "No appeal is allowed against this decision",<br />
in accordance with Article 133 paragraph 2 of the Act on General Administrative Procedure, the decision is<br />
became enforceable already by delivery of the decision to the party, the plaintiffs were therefore established on 12<br />
July 2021 submitted a request to the defendant for the adoption of a decision on enforcement.<br />
1.3. Pursuant to Article 52 of the Act on the Implementation of the General Regulation on Data Protection,<br />
<br />
The Personal Data Protection Agency is defined as a state body, and as such,<br />
has the right and duty to monitor the implementation of the General Data Protection Regulation. After<br />
established gross violation of the plaintiff's legal rights, by his passive behavior<br />
the defendant himself participates in the repeated violation of the very provisions that he is obliged to protect.<br />
Agency - which should play a key role in protecting privacy and personal data<br />
citizens, which is the fundamental right of individuals in the territory of the European Union. Her<br />
the task is not and should not be a simple determination of a violation of the legal provisions on processing<br />
<br />
of personal data, must also ensure the elimination of such violation, as determined violation<br />
the rights of individuals whose personal information is threatened would not just remain "dead<br />
letter on paper". However, to this day, almost a year after<br />
of the submitted request for the adoption of a decision on enforceability, the plaintiffs still have not<br />
received the decision on execution, which the defendant in accordance with Articles 138 and 139 of the Act on<br />
general administrative procedure is obliged to pass, thus denying them protection from abuse<br />
<br />
personal data, guaranteed by international and national regulations. Such as<br />
stated in the basic treaties of the EU, public authorities and courts of the member states in<br />
to the greatest extent, they are responsible for the application of Union law. Therefore, without entering into<br />
autonomy and independence of the defendant's scope, national authorities are obliged to enable<br />
to the individual the full protection of his rights guaranteed at the EU level, and they are on the same<br />
obliged by the General Data Protection Regulation, which is directly applicable in the Republic<br />
To Croatia and all member states of the European Union from May 25, 2018. The largest<br />
<br />
the threat to the protection of personal data and the plaintiff's rights is reflected in the preclusion of protection<br />
<br />
<br />
of their rights, which is defined by Article 135, Paragraph 3 of the General Administrative Law<br />
procedure: Therefore, the situation regarding the defendant's guilt is completely absurd<br />
<br />
interpretation of the Law on General Administrative Procedure, that is, provisions on enforceability<br />
decision, as a result of which, due to such an interpretation, the plaintiffs in this October, 2023.<br />
year, the 5-year limitation period for execution from Article 135, paragraph 3 of the Act has passed,<br />
because of which L. K. will have a well-founded right to file an appeal against the execution decision<br />
(if the same is ever passed, even if it is out of date). So, it is undoubtedly<br />
the defendant, as a public law body within the meaning of the Law on General Administrative Procedure, despite<br />
fulfillment of the assumptions provided by law, failed to act in accordance with his own<br />
<br />
legal obligations and to decide on the plaintiff's request for a ruling on<br />
execution.<br />
1.4. They propose to adopt the claim and order the defendant within 30 days from<br />
on the date of delivery of this verdict, to issue a decision on the execution of the decision of the Protection Agency<br />
personal data CLASS: UP/I-041-02/17-08/20, UR NO: 567-02/03-18-01 of 3.<br />
October 2018 and order the defendant to compensate the plaintiffs for the costs of the administrative dispute in<br />
<br />
in the amount of 684.10 euros, all within 15 days.<br />
2. In the response to the complaint, the defendant essentially states that the resolution in question<br />
cannot perform since it is based on Article 135, paragraph 3 of the General Law<br />
administrative procedure, the period of five years has expired from the day when the decision became<br />
executory since L. K. received the decision on October 19, 2018. It points out that the plaintiffs in both<br />
of the proposal for execution that they submitted to the defendant, they did not submit the evidence by which<br />
confirm or prove that L. K. did not act according to the relevant decision or<br />
<br />
to act contrary to the obligation. He believes that the allegations that the defendant did not spend any time are incorrect<br />
one action regarding the proposal of the plaintiff, the future defendant, on August 2, 2023.<br />
carried out control supervision, about which the Minutes of conducted supervision were drawn up<br />
CLASS: 042-02/23-01/25, ID number: 567-12/13-23-05 from August 2, 2023.<br />
was notified by email on August 24, 2023 to the plaintiffs' law office<br />
and at the same time they were provided with the Minutes of the conducted supervision. Subject supervision<br />
according to the statement of N. K., mother of L. K., the two cameras placed under the window are not working<br />
<br />
because the recording storage device was destroyed, by direct inspection the authorized officer<br />
it was determined that the cameras were not connected to any storage device or to the Internet and<br />
N. K. stated that the recordings were deleted/removed. Therefore, the defendant does not see grounds for<br />
issuing a decision on enforcement since the supervisory activities did not establish that L.<br />
K. did not comply with the obligation imposed by the decision, and neither did the plaintiffs to the contrary<br />
proved. He points out that the obligation to pass a decision on execution by which the proposal for<br />
execution refused is not prescribed by the Law on General Administrative Procedure since<br />
according to what was presented, it was not established that the obligation from the decision in question was not fulfilled.<br />
He states that the Law on General Administrative Procedure prescribes in Article 139 paragraph 1.<br />
only the obligation to issue a decision when the executor fails to comply with the enforcement decision<br />
that is, in Article 140, paragraph 4, the obligation to issue a decision is prescribed when<br />
postpones its execution, therefore the adoption of a decision on rejection is not prescribed<br />
proposals. He proposes to reject the claim as unfounded.<br />
<br />
3. Assessing the legality of the contested decision, the Court reviewed the court file and<br />
file of the defendant. The court decided on the plaintiff's claim without holding a hearing<br />
(Article 36, Paragraph 4 of the Administrative Disputes Act, Official Gazette, No. 20/10,<br />
143/12., 152/14., 94/16., 29/17. and 110/21.; hereinafter ZUS).<br />
4. The claim is unfounded.<br />
5. According to the provisions of Article 135 of the Law on General Administrative Procedure (National<br />
newspaper, number 47/09. and 110/21, hereinafter ZUP) execution is carried out ex officio<br />
when the public interest dictates it. Enforcement that is in the interest of the party is carried out on<br />
proposal of the party (proposer of execution). Execution can also be carried out on the basis of<br />
settlements of the parties. After the expiry of the period of five years from the day when the decision became<br />
executory, the decision cannot be enforced, unless otherwise prescribed by law.<br />
6. If it is an administrative matter passed ex officio, it shall be executed<br />
as a rule, it is carried out ex officio. However, the decision was made according to the request<br />
as a rule, it is carried out on the proposal of the party in whose interest it was adopted<br />
decision that is the subject of execution (proposer of execution). It cannot be denied<br />
identification for the initiation of the enforcement procedure for the person whose request is being processed<br />
the procedure in which the executive title was passed. If it is not adopted according to the party's proposal<br />
decision on execution, it is about the silence of the administration in the execution procedure.<br />
7. An administrative dispute due to the silence of the administration can be initiated only by the party to whom<br />
the competent authority did not make a decision on the request or appeal. If the competent authority does not<br />
a decision on execution has been made, the party in whose interest the execution is carried out may,<br />
under the assumptions of Article 23, paragraph 5 of the ZUS and Article 24, paragraph 2.<br />
ZUS, file a lawsuit for failure to issue a decision.<br />
<br />
8. In the specific case, the defendant, in the administrative matter regarding the request<br />
plaintiff, issued a decision CLASS: UP/I-041-02/17-08/20, UR NO: 567-02/03-18-<br />
01 of October 3, 2018, by which a third person is prohibited from filming the yard in<br />
co-ownership of the plaintiffs and ordered to delete all records created by recording the yard,<br />
and which were collected without a legal basis. The solution in question was submitted to the third party<br />
to a person on October 19, 2018, when it became enforceable.<br />
9. The plaintiffs proposed the adoption of a decision in a motion dated July 12, 2021<br />
on execution with the claim that the said decision was not followed, after which<br />
the defendant in the form of a letter, CLASS: UP/I-041-02/17-08/20, ID number: 567-02/03-21-14 from<br />
October 10, 2021, stated that the conditions for execution were not met, referring to<br />
the circumstance that the proceedings before the competent court (High Administrative Court of the Republic<br />
Croatian).<br />
10. The plaintiffs proposed again with the proposal of October 18, 2022<br />
issuing a decision on execution stating that it is a judgment of the High Administrative Court<br />
of the Republic of Croatia, business number Usž-2892/20 of September 15, 2022, rejected appeal by L.<br />
K. and confirmed judgment of the Administrative Court in Zagreb, business number UsI-3777/18-14 dated<br />
January 21, 2020<br />
11. From the Minutes of the conducted supervision, CLASS: 042-02/23-01/25, CODE:<br />
567-12/13-23-05 of August 2, 2023, it follows that the defendant carried out the control supervision<br />
proceeding according to the aforementioned decision of October 3, 2018. The defendant on August 24<br />
2023 informed the plaintiff's proxies about the results via electronic mail<br />
control supervision, and the Minutes in question were delivered to them.<br />
12. Without going into the question of whether on the occasion of the mentioned proposal of October 18<br />
In 2022, the defendant should have made a decision on the rejection of the proposal for execution, after he<br />
established that the executor acted according to the executive decision, it is obvious that it is in the sense of the article<br />
135, paragraph 3 of the ZUP expired five years from the day the decision became<br />
enforceable and that the defendant cannot issue a decision on execution, and therefore neither can the administrative court<br />
cannot order the adoption of a decision on enforcement.<br />
13. Considering all the above, it was decided as in the sentence of this judgment<br />
applying the provisions of Article 57, paragraph 1 of the ZUS.<br />
<br />
In Zagreb, February 5, 2024.<br />
<br />
Referee:<br />
<br />
Ante Drezga, Acting Director<br />
<br />
Legal remedy:<br />
An appeal to the High Administrative Court of the Republic of Croatia is allowed against this verdict.<br />
The appeal is filed through this court in a sufficient number of copies for the court and all parties<br />
in the dispute, within 15 days from the date of delivery of the judgment.<br />
</pre></div>Lmhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9991064&diff=40573&oldid=0Garante per la protezione dei dati personali (Italy) - 99910642024-03-27T10:49:27Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=9991064 |ECLI= |Original_Source_Name_1=Garante per la protezione dei dati personali |Original_Source_Link_1=https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9991064 |Original_Source_Language_1=Italian |Origi..."</p>
<a href="https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9991064&diff=40573">Show changes</a>Imhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202301323&diff=40557&oldid=0AEPD (Spain) - EXP2023013232024-03-27T08:57:41Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202301323 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/reposicion-ai-00057-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Lan..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=EXP202301323<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/reposicion-ai-00057-2023.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=10.08.2021<br />
|Date_Decided=15.03.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=<br />
|GDPR_Article_Link_1=<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1= Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico (LSSI) (Spanish ePrivacy Law)<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Turner Broadcasting System España<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=AEPD - Internal Appeal<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Appealed - Confirmed<br />
|Appeal_To_Link=https://www.aepd.es/documento/reposicion-ai-00057-2023.pdf<br />
<br />
|Initial_Contributor=lm<br />
|<br />
}}<br />
<br />
The Spanish DPA dismissed an internal appeal challenging its decision that it was not necessary for a controller to provide a reject button on its webpage, finding that the question arose under Spain’s ePrivacy Law rather than the GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject lodged a complaint with the Austrian DPA after it tried to access one of Turner Broadcasting System España’s (controller’s) websites but was redirected to a new webpage that did not offer an option to reject cookies. Additionally, once the cookies were accepted, it was not possible to access the cookie control panel to revoke consent. Instead, consent could only be revoked by taking a number of additional steps, including entering an English-language portal and sending the controller an email requesting to withdraw consent. <br />
<br />
On 26 January 2023, the Austrian DPA communicated the case to the Spanish DPA (AEPD) via the Internal Market Information System.<br />
<br />
The AEPD initiated an investigation. Through its own investigation of the webpage, the AEPD confirmed that on the redirected page, only technical or necessary cookies were used. Additionally, it noted that the information provided in the Cookie Policy was accurate. The AEPD concluded that it was not necessary to provide a ‘Reject’ button under these circumstances.<br />
<br />
The data subject filed an internal appeal focusing on three claims. First, the data subject argued that the Austrian DPA should have been the authority concerned and at the least failed to notify the data subject of the AEPD’s decision in violation of [[Article 60 GDPR#8|Article 60(8) GDPR]]. Second, the data subject argued that the AEPD failed to consider the data subject’s complaint and instead decided the case based on its own interaction with the webpage. Third, the data subject claimed that upon selecting ‘accept’ on the cookie banner, Google Analytics cookies which are not strictly necessary are installed. Such cookies can only be installed where valid consent has been obtained – the cookie banner, however, offered no permanently visible option to withdraw consent and required multiple steps (as discussed above) in violation of [[Article 7 GDPR#3|Article 7(3) GDPR]].<br />
<br />
=== Holding ===<br />
The AEPD dismissed the appeal, concluding that only the Spanish ePrivacy Law is relevant to the case, not the GDPR. <br />
<br />
First, the AEPD rejected the data subject’s argument that the complaint should have been heard by the Austrian DPA. The AEPD noted that the Spanish ePrivacy Law regulates information society services established in Spain. Since the controller’s headquarters and website domain were in Spanish territory, the ePrivacy Law applied and the AEPD was competent to hear the case. Further, the AEPD concluded that only the ePrivacy Law, not the GDPR, applied in this case because it was more specific to the facts at issue. <br />
<br />
The AEPD also rejected the data subject’s second argument. It noted that the presumption of innocence protects entities from sanctions not based on prior evidentiary activity ‘on which the competent body can base a reasonable judgment of guilt.’ This presumption, the DPA reasoned, obliged it to prove the controller’s offence and guilt. The AEPD’s visit to the page was an attempt to verify the veracity of the data subject’s claims, and it was insufficient to do so. <br />
<br />
Finally, the DPA dismissed the third argument because it was not raised in the initial claim.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
Procedure No.: EXP202301323 (AI/00057/2023)<br />
<br />
Replacement Appeal No. RR/00111/2024<br />
<br />
<br />
Having examined the appeal for reconsideration filed by A.A.A. through the EUROPEAN COMMISSION<br />
INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria),<br />
against the resolution issued by the Director of the Spanish Data Protection Agency<br />
in the procedure AI/00057/2023, for violation of the provisions of Law<br />
34/2002, of July 11, on Information Society Services and Electronic<br />
Commerce (LSSI), and based on the following:<br />
<br />
<br />
FACTS<br />
<br />
FIRST: On 01/25/24, the Director of the Spanish Data Protection Agency<br />
issued a Resolution to File Actions in procedure AI/00057/2023,<br />
opened against the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.:<br />
B82320227, owner of the website https://www.canaltnt.es, for the alleged<br />
violation of article 22 of the LSSI.<br />
<br />
The resolution was notified to the EUROPEAN COMMISSION SYSTEMS OF<br />
INTERNAL MARKET EXCHANGE (IMI-Austria) on 01/29/24, as recorded<br />
on the record.<br />
<br />
<br />
SECOND: As proven facts of the aforementioned procedure, there was evidence of<br />
the following:<br />
<br />
- When trying to enter the website that is the subject of the claim, https://www.canaltnt.es,<br />
it was found that this no longer existed, redirecting the user to a new<br />
website, https://www.warnertv.es, whose owner is the entity Discovery Networks SL,<br />
with CIF B-86815560, different from the entity initially claimed against (Turner<br />
Broadcasting System España, with CIF.: B82320227).<br />
<br />
THIRD: On 02/14/24, this Agency received a written appeal for<br />
reconsideration presented by the appellant, in which it stated the following:<br />
<br />
FIRST – Lack of notification by the DSB<br />
<br />
1. On January 24, 2024, the AEPD adopted its resolution, which was notified<br />
to this party on January 29, 2024. However, according to<br />
article 60(8) GDPR, it is the supervisory authority with which the<br />
claim was lodged, i.e. the DSB, that should have adopted the resolution and notified it<br />
to the interested party in this case.<br />
<br />
2. Therefore, the resolution adopted by the AEPD must be considered null<br />
and void, as provided in article 47(1)(b) LPACAP.<br />
<br />
<br />
SECOND – The AEPD did not consider the facts or the petition of the claim<br />
<br />
3. The AEPD did not consider the specific circumstances of the visit of the<br />
website of this party, set forth in the claim in detail. In fact,<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es<br />
<br />
it seems that the AEPD decided based on the banner that appeared on the<br />
website of the controller during its own visit.<br />
<br />
4. However, the supervisory authority must provide an effective response to the<br />
individual situation of the interested party, taking into account the individual<br />
circumstances and the facts that the claim presented by the<br />
interested party concerns. This follows from Recital 141 GDPR, from Article 77<br />
GDPR and Article 65(3)(b) of the LOPDGDD.<br />
<br />
5. In addition, this party requested in its complaint various measures to be adopted<br />
by the AEPD (see First Fact). The formulated petitum determines what is<br />
specifically requested and underlines the need for an evaluation of the<br />
individual situation of this party. In particular, the controller continues to process<br />
the personal data of this party unlawfully.<br />
<br />
6. In light of the configuration of the claim ex article 77(1) GDPR, which<br />
“is conceived as a mechanism capable of effectively protecting the<br />
rights and interests of the interested parties”, it is beyond any doubt that the<br />
AEPD should have responded to what was requested by this party. This<br />
is directly consistent with the provisions of article 88(2) LPACAP.<br />
However, the AEPD resolution does not provide a concrete response to the petition of this<br />
party.<br />
<br />
<br />
7. Therefore, the resolution must be annulled in accordance with art 48(1)<br />
LPACAP.<br />
<br />
B. MATERIAL ASPECTS<br />
<br />
<br />
THIRD – The AEPD applies an erroneous criterion<br />
<br />
8. As stated above, this party visited the website of the controller and,<br />
in addition to not having an equivalent option to reject the use of<br />
cookies in the first layer of the banner (violation type A, C, D, E), found<br />
that there was no easy possibility to withdraw the consent<br />
given (type K violation).<br />
<br />
9. On the other hand, in the appealed resolution the AEPD states that during its own<br />
visit the controller only installed strictly necessary cookies, so<br />
it was not necessary to offer an option to reject cookies, nor an option<br />
to withdraw consent.<br />
<br />
<br />
10. However, when this party checked the website<br />
https://www.warnertv.es/ again, it observed that after selecting “Accept” in the<br />
banner the cookies “_ga” and “_ga_1PMD2PL02L” from Google Analytics are installed.<br />
These are cookies that can only be installed where valid consent<br />
has been obtained (Annex 1).<br />
<br />
11. Although the controller has implemented two equivalent options in<br />
its cookie banner, it does not offer a permanently visible option that allows<br />
withdrawal of consent. At the bottom of the main page there is only one link<br />
to the privacy policy, in which there is a link to the “Portal of<br />
request for individual rights” (in English). On this portal you can then<br />
send an email to withdraw consent. This does not represent<br />
a possibility to “revoke consent easily” and “at any<br />
time” as required by article 7(3) GDPR and as provided by the<br />
AEPD in relation to the withdrawal of consent.<br />
<br />
12. From the above it follows that the AEPD relies on a verification<br />
which turns out to be wrong. The controller uses Google Analytics cookies that are not<br />
strictly necessary. However, the controller still does not offer<br />
a simple possibility to withdraw consent once given.<br />
<br />
13. From what is stated in this FJ it follows that the criterion adopted in the appealed<br />
resolution is contrary to the legal system and must be annulled.<br />
<br />
<br />
By virtue of what is stated in this writing, and in accordance with the<br />
mentioned provisions, this part<br />
<br />
REQUESTS: I. That an APPEAL OF<br />
REPLACEMENT against the resolution of the Director of the Spanish Agency of<br />
Data Protection of January 24, 2024 within the framework of the procedure<br />
with file number EXP202301323, and, after admitting it, the<br />
investigative actions that are necessary, in accordance with the<br />
applicable procedural and material standards. II. That the nullity be declared<br />
of the resolution appealed for the reason stated in the<br />
legal basis first and that the continuation of the<br />
procedure. III. That, if full nullity is not declared,<br />
the appealed resolution is annulled for the reasons set out in the grounds.<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
<br />
I<br />
Competence.<br />
<br />
The Director of the Spanish Data Protection Agency is competent to resolve this appeal,<br />
in accordance with the provisions of article 123 of Law<br />
39/2015, of October 1, on the Common Administrative Procedure of<br />
Public Administrations (LPACAP) and art. 43.1, second paragraph, of the LSSI.<br />
<br />
II<br />
Response to the allegations<br />
<br />
<br />
In relation to the statements made by the appellant, it is worth noting the<br />
following:<br />
<br />
First: The appellant alleges in the section “First, points 1-2”, of the FJ of<br />
the appeal brief that the resolution should have been made by the Austrian supervisory authority,<br />
in accordance with article 60(8) GDPR and that, therefore, the resolution adopted by the AEPD<br />
must be considered null and void, according to article 47(1)(b) LPACAP.<br />
<br />
With respect to this allegation, it must be clarified that Spanish law is governed by<br />
the “Principle of Regulatory Specialty”, which, in essence, means that, where<br />
there is a special standard (LSSI) and a general standard (GDPR) that regulate a<br />
concrete fact, the first prevails over the second.<br />
<br />
This principle does not mean that, where both standards apply (one<br />
general rule and another special one), the first is repealed; rather, both<br />
rules remain simultaneously valid, although the special rule will be applied in<br />
preference to the general rule in those cases contemplated in it.<br />
<br />
<br />
Regarding the case at hand, there is such a coincidence; that is, in the Spanish<br />
legal system two regulations coexist, one of a general nature, the GDPR, and<br />
another of a special nature, the LSSI, which regulate the same facts.<br />
<br />
<br />
If we look at what Article 1 of the GDPR establishes, its purpose is the following:<br />
<br />
1. This Regulation establishes the rules relating to the protection of<br />
natural persons with regard to the processing of personal data and<br />
rules relating to the free circulation of such data.<br />
<br />
2. This Regulation protects the fundamental rights and freedoms of<br />
natural persons and, in particular, their right to the protection of personal<br />
data.<br />
<br />
3. The free circulation of personal data in the Union may not be<br />
restricted or prohibited for reasons related to the protection of<br />
natural persons with regard to the processing of personal data.<br />
<br />
While the object of the LSSI, established in its article 1, indicates that:<br />
<br />
<br />
1. The object of this Law is the regulation of the legal regime of<br />
information society services and of contracting by electronic means,<br />
regarding the obligations of service providers,<br />
including those who act as intermediaries in the transmission of content<br />
through telecommunications networks, commercial communications by electronic<br />
means, information before and after the conclusion of electronic<br />
contracts, the conditions relating to their validity and effectiveness and the sanctioning<br />
regime applicable to information society service<br />
providers.<br />
<br />
2. The provisions contained in this Law will be understood without prejudice to the<br />
provisions of other state or regional regulations outside the coordinated regulatory<br />
scope, or that have as their purpose the protection of public health and<br />
safety, including the safeguarding of national defense, the interests of the<br />
consumer, the tax regime applicable to information society<br />
services, the protection of personal data and the regulations governing<br />
competition defense.<br />
<br />
For its part, article 2 of the aforementioned standard (LSSI) establishes that:<br />
<br />
1. This Law will apply to information society service providers<br />
established in Spain and the services provided by them.<br />
<br />
It will be understood that a service provider is established in Spain<br />
when its residence or registered office is in Spanish territory,<br />
as long as these coincide with the place where the administrative management<br />
and direction of its businesses is actually centralized. Otherwise,<br />
the place where said management or direction is carried out will be taken into account.<br />
<br />
<br />
Therefore, in application of the “Principle of Regulatory Specialty”, the<br />
specific standard, that is, the LSSI, applies in preference to the general standard, the GDPR,<br />
since the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.:<br />
B82320227, has its headquarters in Spanish territory, as well as the domain of its website (.es).<br />
<br />
<br />
Regarding the jurisdiction to hear the case, article 43.1 of the LSSI<br />
establishes the following: (…) Likewise, it will be up to the Data Protection Agency<br />
to impose sanctions for the commission of the infractions classified in<br />
articles 38.3 c), d) and i) and 38.4 d), g) and h) of this Law (…), and what is established in<br />
articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD,<br />
<br />
<br />
While article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions<br />
issued in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
<br />
And the fourth additional provision of said standard establishes, with respect to the<br />
powers attributed to the AEPD by other laws, that: "The provisions of Title VIII<br />
and of its development regulations will be applicable to the procedures that the<br />
Spanish Data Protection Agency has to process in the exercise of the powers<br />
attributed to it by other laws."<br />
<br />
Therefore, since the claimed entity has its registered office in Spanish territory, the<br />
Spanish Data Protection Agency is competent to hear the claim,<br />
based on the provisions of article 43.1 of the LSSI, article 63.2 of the LOPDGDD and the<br />
fourth additional provision of said rule, to the detriment of the Austrian supervisory<br />
authority.<br />
<br />
Second: The appellant states in the section “Second, points 3-7” of the<br />
FJ of his appeal brief, in essence, that, “the AEPD did not consider the circumstances<br />
specific to the visit to the appellant's website, relying solely,<br />
for the resolution of the file, on the verification that the AEPD itself made of the<br />
information banner that appears on the website, without responding to what was requested<br />
in the claim, forgetting the requests made by the appellant…”<br />
<br />
To respond to this allegation, we must start from the principle that governs all<br />
judicial or administrative procedures, the “Principle of Presumption of<br />
Innocence”, which guarantees, in Spanish law, the right not to suffer a sanction that is not<br />
based on a previous evidentiary activity on which the competent body<br />
can base a reasonable judgment of guilt, and entails, among<br />
other demands, that the Administration prove and, therefore, give reasons for, not only the<br />
facts constituting the infringement, participation in such facts and the<br />
circumstances that constitute a graduation criterion, but also the guilt<br />
that justifies the imposition of a sanction (among others, SSTC 76/1990, of April 26;<br />
14/1997, of January 28; 209/1999, of November 29 and 33/2000, of February 14).<br />
<br />
Likewise, the STS of July 10, 2007 (rec.306/2002) specifies that it must be the<br />
administration that proves guilt because "it is not the interested party who has to<br />
prove lack of guilt."<br />
<br />
The presumption of innocence, a fundamental right of citizens according to art. 24.2<br />
of the Spanish Constitution and art. 6.2 of the European Convention on Human Rights,<br />
is expressly included in our regulations for administrative sanctioning<br />
procedures, where among the rights of the interested party in the<br />
sanctioning administrative procedure is the right "To the presumption of non-existence<br />
of administrative responsibility until the contrary is proven."<br />
<br />
And as the STS 04/28/2016 (RC 677/2014) said: "it should be noted that the<br />
right to the presumption of innocence, which applies without exception in the field of<br />
administrative sanctioning procedure, according to the Constitutional Court in<br />
ruling 66/2007, of March 27, means that "no sanction can be imposed<br />
that is not based on a previous lawful evidentiary activity", and implies<br />
also the recognition of the right to a due administrative sanctioning procedure,<br />
or one with all the guarantees, that respects the principle of contradiction and in which the<br />
alleged perpetrator has the opportunity to defend his own positions,<br />
prohibiting the initiation of disciplinary proceedings when the absence<br />
of rational indications that an infringing conduct has been<br />
committed is unequivocal or manifest, or when unlawfulness or<br />
culpability is absent"<br />
<br />
<br />
What the Public Administration cannot do is base administrative responsibility on<br />
the facts presented by the complaining party without first verifying their<br />
veracity. In the case at hand, this verification was based on the review of the<br />
website that was the object of the claim (https://www.canaltnt.es), where it was verified<br />
that it no longer existed, redirecting the user to a new web page<br />
belonging to a different owner.<br />
<br />
Third: The appellant states in the section “Third.- points 8 to 13” that, on<br />
checking the new website https://www.warnertv.es/, it is observed that after<br />
selecting “Accept” in the banner the cookies “_ga” and “_ga_1PMD2PL02L”<br />
of Google Analytics are installed, which are not strictly necessary, and that there is no<br />
possibility of withdrawing consent once given.<br />
<br />
First of all, we must mention that the website https://www.warnertv.es, which<br />
the appellant mentions in her appeal for reconsideration, was not the object of the<br />
initial claim, so its analysis is not appropriate within the scope of this appeal for<br />
reconsideration.<br />
<br />
However, having said the above, it is worth remembering that this new website<br />
(https://www.warnertv.es) comes up because, when trying to access the<br />
web page that was the subject of the initial claim, https://www.canaltnt.es, the<br />
user was redirected to the new page.<br />
<br />
<br />
Now, the appellant states that, on this new web page<br />
https://www.warnertv.es, it is observed that, when the user gives consent, the<br />
website begins to use two new cookies that are not of a technical nature (“_ga” and<br />
“_ga_1PMD2PL02L”) whose domain belongs to Google Analytics, and that there is no<br />
possibility of withdrawing consent once given, and requests that this Agency<br />
carry out the investigative actions necessary to<br />
clarify the facts claimed.<br />
<br />
Therefore, this is a new fact not mentioned in the initial claim. The<br />
appellant cannot seek to have considered at the appeal stage<br />
facts that were not put forward in a previous procedural phase.<br />
<br />
<br />
The LPACAP provides in its article 118 the following procedural rule: “No<br />
account shall be taken, in the resolution of appeals, of facts, documents or allegations of the<br />
appellant when, having been able to provide them in the allegations stage, the appellant has not<br />
done so. Nor may the taking of evidence be requested when the failure to<br />
carry it out in the procedure in which the appealed resolution was issued was<br />
attributable to the interested party.” This provision contains a rule that is nothing more than the<br />
positive expression, for the common administrative sphere, of the general principle that the<br />
law does not protect the abuse of rights (article 7.2 of the Civil Code). The purpose of this<br />
principle, among others, is to prevent the allegations and evidence stage<br />
of the application procedures from becoming useless, as would result if the interested parties<br />
could choose, at their discretion, the moment at which to present evidence and allegations,<br />
since this would be contrary to an elementary procedural order.<br />
<br />
All of this is without prejudice to the possibility of submitting a new claim if the appellant considers<br />
that such facts violate rules that confer powers on the Spanish Data Protection<br />
Agency.<br />
III<br />
<br />
Conclusion<br />
<br />
Consequently, in the present appeal for reconsideration, the appellant has not<br />
provided new facts or legal arguments that allow reconsideration of the validity<br />
of the contested resolution.<br />
<br />
<br />
Considering the aforementioned precepts and others of general application, the Director of the<br />
Spanish Data Protection Agency<br />
RESOLVES:<br />
<br />
FIRST: DISMISS the appeal for reconsideration filed by A.A.A., through<br />
THE EUROPEAN COMMISSION INTERNAL MARKET EXCHANGE SYSTEMS<br />
(IMI-Austria), against the archiving resolution issued by the Director of the<br />
Spanish Data Protection Agency on 01/25/24, in procedure AI/00057/2023,<br />
<br />
SECOND: NOTIFY this resolution to A.A.A. and to the EUROPEAN COMMISSION<br />
INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria), in accordance with<br />
art. 77.2 of the GDPR.<br />
<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
Against this resolution, which puts an end to the administrative route, a<br />
contentious-administrative appeal may be filed before the<br />
Contentious-administrative Chamber of the National Court within a<br />
period of two months counting from the day following the notification of this act,<br />
as provided in article 46.1 of Law 29/1998, of July 13, regulating the<br />
Contentious-administrative jurisdiction, in accordance with the<br />
provisions of article 25 and section 5 of the fourth additional provision of the<br />
referred legal text.<br />
<br />
<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency.<br />
</pre></div>Lmhttps://gdprhub.eu/index.php?title=IP_(Slovenia)_-_07106-8-2023&diff=40546&oldid=0IP (Slovenia) - 07106-8-20232024-03-26T18:38:33Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Slovenia |DPA-BG-Color= |DPAlogo=LogoSI.png |DPA_Abbrevation=IP |DPA_With_Country=IP (Slovenia) |Case_Number_Name=07106-8-2023 |ECLI= |Original_Source_Name_1=IP website |Original_Source_Link_1=https://gdprhub.eu/images/0/0a/07106-8-2023-9_odlo%25C4%258Dba_po_42_%25C4%258Dlenu_ZPacP_vrnjeno_v_novo_odlo%25C4%258Danje_24012024.pdf |Original_Source_Language_1=Slovenian |Original_Source_Language__Code_1=SL |Original_Source_Name_2= |Original_S..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Slovenia<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoSI.png<br />
|DPA_Abbrevation=IP<br />
|DPA_With_Country=IP (Slovenia)<br />
<br />
|Case_Number_Name=07106-8-2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=IP website<br />
|Original_Source_Link_1=https://gdprhub.eu/images/0/0a/07106-8-2023-9_odlo%25C4%258Dba_po_42_%25C4%258Dlenu_ZPacP_vrnjeno_v_novo_odlo%25C4%258Danje_24012024.pdf<br />
|Original_Source_Language_1=Slovenian<br />
|Original_Source_Language__Code_1=SL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=24.10.2023<br />
|Date_Decided=24.01.2024<br />
|Date_Published=15.03.2024<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=<br />
|GDPR_Article_Link_1=<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=42. člen ZPacP<br />
|National_Law_Link_1=https://pisrs.si/pregledPredpisa?id=ZAKO4281<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=im<br />
|<br />
}}<br />
<br />
The DPA found that the data subject should have access to medical records of her deceased father as the information might have a significant impact on her health.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject filed a complaint with the DPA against a healthcare provider regarding the denial of access to the medical records of her deceased father. The data subject requested access to her father's medical records after his death on 24 October 2023. <br />
<br />
The healthcare provider denied the request based on a document purportedly signed by the deceased father, which prohibited the disclosure of his medical information to his daughter. <br />
<br />
However, according to the data subject the document did not explicitly prohibit access to medical records after the father's death. <br />
<br />
She also argued it could be assumed that her father lacked the capacity to understand the implications of the document due to his dementia. On this account, she provided evidence of her father’s medical condition and claimed that the document was produced during a period when he was not of sound mind.<br />
<br />
The healthcare provider argued that it possessed a document which clearly prohibited the disclosure of the data to the data subject and that it therefore respected the deceased person’s clearly expressed wishes even after his death, since he had clearly expressed an interest, while he was still alive, in enjoying certain fundamental rights protections as a person after his death.<br />
<br />
=== Holding ===<br />
The DPA found that the evidence presented by the healthcare provider, the document signed by the deceased person, did not clearly and unambiguously prohibit the daughter’s access to her father’s medical records after his death. <br />
<br />
The DPA referred to the right to be informed of the patient's medical records after the patient's death which is regulated in Article 42 of the Act on Patient Rights (‘ZPacP’). After the patient's death, the right to be informed of the patient's medical records includes, among others, the patient's spouse, common-law partner, same-sex partner, children and adopted children, and, in the absence of these persons, the patient's parents. These persons shall only be granted access to the information necessary to achieve the legitimate purpose of the consultation. <br />
<br />
The DPA further clarified that pursuant to Article 42(4) ZPacP, the data subject is indeed entitled to be informed of her deceased father's medical records in so far as they related to reasons which might have a significant impact on her health.<br />
<br />
As a result, the DPA referred the case back to the healthcare provider, which was instructed to reconsider the data subject’s request for access to her deceased father’s medical records.<br />
<br />
== Comment ==<br />
This ruling relates to the wording of Recital 27 GDPR which states that “This Regulation [GDPR] does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.”<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.<br />
<br />
<pre><br />
The Information Commissioner, acting through Information Commissioner Mojca Prelesnik (hereinafter IP), on the basis of the fifth paragraph of Article 42 in relation to the tenth paragraph of Article 41 of the Act on Patient Rights (Official Gazette of the Republic of Slovenia, No. 15/08, 55/17, 177/20 and 100/22 – ZNUZSZS; hereinafter ZPacP) and on the basis of the third paragraph of Article 251 of the General Administrative Procedure Act (Official Gazette of the Republic of Slovenia, No. 24/06 – official consolidated text, 105/06 – ZUS-1, 126/07, 65/08, 8/10, 82/13, 175/20 – ZIUOPDVE and 3/22 – ZDeb; hereinafter ZUP), on the appeal of the applicant .... of 12 November 2023 against the decision of the healthcare provider ...., no. …. of 3 November 2023, in the matter of familiarization with medical documentation after the patient's death, issues the following<br />
<br />
<br />
D E C I S I O N<br />
<br />
1. The appeal of the applicant ... of 12/11/2023 against the decision of the health care provider .... no. …. dated November 3, 2023, is upheld, the challenged decision is annulled and the case is returned to the healthcare provider as a first-level authority for a new procedure.<br />
<br />
The healthcare provider must make a decision on the applicant's request for familiarization with the medical documentation after the patient's death on October 24, 2023 at the latest within 30 days of receiving this decision.<br />
<br />
2. No special costs were incurred in this procedure. The applicant covers her own costs of the procedure.<br />
<br />
<br />
Reasoning:<br />
<br />
On October 24, 2023, the applicant submitted a request to the provider of health care to get acquainted with the medical documentation of her deceased father.... .<br />
<br />
By decision no. …. of 3 November 2023, the healthcare provider rejected this request. It based its decision on the existence of a certified power of attorney of the deceased ..., by which he prohibits giving his personal data, sending him to various specialist examinations, ordering, etc. to his daughter, the applicant in this procedure. It explained that this authorization was given to the personal physician of the deceased, and that it had itself received it from the lawyer of the deceased.<br />
<br />
The applicant filed an appeal against this decision on 12 November 2023. In essence, she stated that the healthcare provider did not attach to the decision a copy of the written authorization to which it referred and which allegedly contained a prohibition on the transmission of personal data. She pointed out that the power of attorney was given to her father's doctor, not to the provider of medical activities in this procedure, and that it does not contain any indication that the father forbids her, after his death, to see the psychiatric medical record that the provider keeps. She added that the same authorization was given from 27/07/2022 to 13/08/2022 to the patient.... . She further emphasized that already in 2016, her father was receiving strong medication for the treatment of dementia, that he did not have a guardian appointed, and that the lifetime maintenance contract is void, which will be resolved in the probate process. At the same time, the applicant also pointed out that Parkinson's dementia, vascular dementia, cortical and subcortical dementia are hereditary. If the father had a chromosomal mutation for Parkinson's dementia and she, as his heir, has inherited it, this is important for her health. Therefore, she wants to get acquainted with all the results, records and findings regarding the treatment of her father, what health problems he had, etc.<br />
<br />
On 11/13/2023, the IP called on the provider of medical activities, based on Articles 34.a and 139 and the second paragraph of Article 245 of the ZUP, to forward a copy of the express prohibition regarding familiarization with the medical documentation given by the deceased, to state its position on the appeal statements and to provide other relevant explanations and evidence.<br />
<br />
In its answer no. …. dated 20 November 2023, the health care provider explained again that the reason for rejecting the applicant's request for access to the medical records of the deceased father was a copy of the power of attorney provided to the hospital by the lawyer, which clearly states that the deceased prohibits providing his personal information to the applicant. It pointed out that this authorization was given to his personal physician and was authenticated. It explained that until receiving the letter from the deceased's lawyer, it did not have the information about the prohibition on passing the deceased's data to the applicant, as the deceased was treated by a psychiatrist who also performs home visits as part of community psychiatric treatment. The visit was carried out on 6 October 2021, both daughters were informed about the visit, but the deceased did not in any way announce that he forbade the sharing of information. The health care provider concluded that it has a document that unequivocally prohibits the transmission of data .... to the applicant, and that it therefore respected his clearly expressed wish even after his death, since even while he was alive, he clearly expressed his interest in enjoying certain protection of fundamental rights as a person even after his death. Furthermore, the healthcare provider pointed out that the applicant did not provide any information regarding possible harmful diseases of her late father in the request for information, so it could not assess or consider them. On this basis, it decided as set out in decision no. …. dated 3 November 2023, in which it took into account the purpose of the law governing the protection of personal data and the will of the deceased, which he expressed clearly and unambiguously. It also attached all relevant documentation to the answer.<br />
<br />
The applicant responded to the IP's request for clarification dated 12/12/2023 on 17/12/2023. As the response is quite extensive, the IP summarizes only the essential statements that are relevant to the decision in this appeal procedure. These are:<br />
- the power of attorney was written in her own hand, for her own purposes, by …. (the applicant's sister), who gave it to her sick, demented father to sign because she feared for the lifetime maintenance contract they had concluded during the father's illness;<br />
- after the death of her father, she received from …. a copy of the "mandate" with all other medical documents;<br />
- only the father's signature is certified on the power of attorney;<br />
- the power of attorney does not say that the father "expressly" forbids access to medical documentation;<br />
- the authorization is addressed to dr. med. …. and nurse ..., who are employed in the health center .... ;<br />
- the legal purpose of familiarization with the medical record and all specialist findings is demonstrated by the attached invitation to the probate hearing on 11/19/2023;<br />
- the ban can also be recorded in the central record of medical documentation, which was not implemented in this case, but the provider of medical activity had to physically inspect the medical record;<br />
- the applicant asks the IP to immediately allow her to photocopy and familiarize herself with all the contents of the medical record for the purpose of the inheritance procedure, otherwise she will not be able to deliver the documents to the court in time.<br />
<br />
In the telephone interview with the IP on 19/01/2024 and in the applications from that day and from 20/01/2024, the applicant described in more detail the circumstances of signing the disputed document (power of attorney), especially that the father signed it during dementia, when he was sick and unsound, and therefore cannot constitute a valid prohibition of acquaintance. She pointed out that, despite the existence of this document, she received the medical documentation of her deceased father from other managers (e.g.... and...). As proof that the father was really ill, she attached a psychiatric report and a professional opinion.... dated 16 January 2023, which summarized the content of the available medical documents. She pointed out that the father had been on medication since 2016 and had been diagnosed with dementia, which made him unable to understand his will statements and the legal consequences. She also attached the minutes on the inheritance case and the decision on the suspension of the inheritance proceedings dated 12/19/2023, as well as the decision of the Ministry.... from 2 June 2022.<br />
<br />
The appeal is justified.<br />
<br />
Procedural explanations<br />
<br />
At the outset, the IP explains that, as a second-level authority, in accordance with Article 247 of the ZUP, which, based on the tenth paragraph of Article 41 in connection with the fifth paragraph of Article 42 of the ZPacP, is applicable mutatis mutandis in this appeal procedure, it is obliged to examine the decision in the part that the applicant disputes. It examines the decision within the limits of the appeal's statements, and examines ex officio whether there were significant violations of the procedure in the first-instance procedure and whether the substantive law was violated.<br />
<br />
The IP satisfied itself as to the actual situation on the basis of the available material, taking into account Article 10 of the ZUP. On the basis of Article 139 of the ZUP, it assessed that additional procedural actions to determine the actual situation are not necessary.<br />
<br />
General information on the right to access medical documentation after the patient's death<br />
<br />
The right to access medical documentation after the patient's death is regulated in Article 42 of the ZPacP. After the patient's death, the patient's spouse, common-law partner, partner from the same-sex community, children and adopted children, and when these persons are not available, the patient's parents have the right to get acquainted with the patient's medical documentation. These persons are only given access to the data that is necessary to achieve the legitimate purpose of the information. However, if these persons want to get acquainted with the medical documentation that was created at a time when the deceased patient was not capable of making decisions about himself and this situation continued without interruption until his death, they must demonstrate a legal interest in getting acquainted (paragraph two). The request for familiarization of persons is partially or fully rejected if the law stipulates so or if the patient has expressly forbidden the familiarization in writing or orally in the presence of two witnesses before death (third paragraph). Regarding the prohibition, the law also provided for an exception: despite the patient's prohibition, the patient's parents, descendants, spouse, common-law partner, partner from the same-sex community, brothers and sisters or other persons close to the patient may, through the doctor, become familiar with those personal data that are or could be important for their health (fourth paragraph). The healthcare provider decides on the request for information within 15 days of receiving the reasoned request. If the request is partially or fully rejected, the entitled persons have the right to file a complaint with the IP (fifth paragraph).<br />
<br />
The applicant can therefore become familiar with the medical documentation of the deceased patient under the following conditions:<br />
- the request for familiarization is explained in such a way that it is clear what the purpose of the familiarization is,<br />
- the claimed purpose of familiarization is not illegal,<br />
- the kinship relationship with the deceased patient is demonstrated in an appropriate manner and<br />
- the deceased patient did not prohibit access to his medical documentation during his lifetime.<br />
<br />
At the same time, it must be taken into account that the right to access the medical documentation after the patient's death is the right of the persons named in Article 42 of the ZPacP, which is opposed by the patient's right to prohibit such access, and both rights can be granted under the conditions set by law and limited to a certain extent.<br />
<br />
On the ability to judge<br />
<br />
A free and serious declaration of will cannot conceptually be given by a person who is not able to understand the meaning of the will he declares. The ability to judge is not specifically regulated in our legislation. It is the actual ability to understand the meaning of one's actions, or the ability to understand the meaning of a declaration of will and the legal consequences it causes. A necessary condition for the ability to judge is the actual psychophysical properties of the subject. For example, the ability to judge is a prerequisite for the validity of the declaration of business will. As a general rule, the capacity to judge is assumed in persons who have business capacity. However, this assumption is not irrefutable. There may be a discrepancy between business capacity and the ability to judge, especially when a person with full business capacity loses the actual capacity to judge (for example, due to dementia), and business capacity has not yet been formally taken away.<br />
<br />
ZPacP defines the capacity to make decisions about oneself in point 19 of Article 2, which is the ability of the patient to independently exercise the rights from this law. The patient is capable of making decisions about himself if, based on his age, maturity, state of health or other personal circumstances, he is able to understand the meaning and consequences of exercising the rights from this law, especially the consent, refusal or revocation of the refusal of medical intervention or medical treatment. The patient's right to prohibit access to his medical documentation during his lifetime to a person who, based on Article 42 of the ZPacP, is otherwise entitled to familiarize himself with this documentation after the patient's death, could also be understood as exercising the right from this law.<br />
<br />
The ZPacP does not specify more precisely what the prohibition of familiarization from the third paragraph of Article 42 of the ZPacP must be (except that it must be given explicitly and in writing or orally in the presence of two witnesses). Both from the general requirement for the ability to make judgments and from the definition of the ability to make decisions about oneself, it undoubtedly follows that at the time of giving such a prohibition, the patient must be able to understand the meaning of this statement and the consequences it causes, and that what is relevant is not only the legal capacity, but the actual ability to form a valid will, taking into account age, maturity, state of health and other personal circumstances.<br />
<br />
Assessment of the merits of the appeal<br />
<br />
The healthcare provider justified the rejection of the applicant's request for access to her deceased father's medical documentation by the existence of a prohibition under the third paragraph of Article 42 of the ZPacP. This stipulates that the request for the familiarization of the persons from the previous paragraph shall be partially or completely rejected, if the law stipulates so or if the patient expressly prohibited the familiarization in writing or orally in the presence of two witnesses before death. Since the other conditions for familiarization were not disputed, the IP did not elaborate on them in this decision.<br />
<br />
In this specific case, it is essential whether the ban on familiarization according to the third paragraph of Article 42 of the ZPacP, to which the healthcare provider refers, meets all the conditions for validity. It is a document entitled "Authorization" and dated 3 June 2022. The addressees are identified as .... (according to the explanations of the medical provider, this was the deceased's personal physician) and a nurse.... . The document states that …. "I forbid giving my health information, sending it to various specialist examinations, ordering it for my daughter..." and that the information "can only be obtained by my daughter.... (...), because we have concluded a lifetime maintenance contract." On the other side of the document, there is a confirmation from the Administrative Unit... that... signed this document with his own hand.<br />
<br />
Based on the content of the document, the IP does not agree with the assessment given by the medical provider in the contested decision, that the deceased father clearly and unequivocally forbade the applicant to get acquainted with all the medical documentation relating to him. The will of the patient expressed during his lifetime must be interpreted taking into account all the circumstances that may be relevant in assessing the validity and scope of the ban on familiarization with his medical documentation relating to the period after death. The IP believes that the provider of health care in this specific case did not assess these circumstances, which are highlighted below, to a sufficient extent.<br />
<br />
First of all, the applicant's complaint that the late father did not "expressly" prohibit access to his medical documentation is important. For the prohibition to be valid according to the third paragraph of Article 42 of the ZPacP, it is not necessary that this term be directly stated in the document (or that the patient use it literally in the case of a verbal prohibition). According to the SSKJ, this word means that something is expressed clearly and definitely. The express prohibition must therefore be expressed unequivocally, whereby it must be clear that it is a prohibition of familiarization that takes effect after death, as well as to which medical documentation or to which provider of medical activity it refers and against whom it is effective.<br />
<br />
Therefore, in order to assess to whom a specific ban on familiarization applies, or how widely it has an effect, it is important who the addressee of the ban is. Given that the document containing the prohibition of "disclosing health information" is named "power of attorney" and is specifically addressed to the deceased's personal physician and nurse, it cannot automatically be considered that the prohibition applies to all health care providers who hold the deceased's documentation. The term power of attorney is usually understood to mean the right to represent, which is given by the authorizer through a legal transaction to the agent (first paragraph of Article 74 of the Code of Obligations; Official Gazette of the Republic of Slovenia, No. 97/07 – official consolidated text, 64/16 – Sec. US and 20/18 – OROZ631). From the title of the document, it could therefore be concluded that the deceased limited the prohibition of familiarization only to the medical documentation held by his personal doctor. The applicant's claims that the prohibition is not recorded in the central register of patient data (which is otherwise only a possibility, but not a condition for the validity of the prohibition), that the document was forwarded to the healthcare provider by a lawyer who also represents the applicant's sister (otherwise the provider would not have known about it at all), that the document was written by the applicant's sister, who is in dispute with the applicant, and that, despite the existence of this document, the applicant obtained the medical documentation of her deceased father from other healthcare providers.<br />
<br />
The prerequisite for issuing a valid ban is, as already explained, the ability to judge. The medical condition of the deceased, which should have been known to the health care provider at least for the period of his treatment, casts doubt on whether this ability can really be assumed at the time the disputed prohibition was issued (i.e. 3 June 2022). This essential question was not clarified in the proceedings at first instance. With her assertions in the request and even more explicitly in this appeal procedure, among other things with an expert opinion..., the applicant sufficiently demonstrated a well-founded suspicion that, at the time the prohibition was issued, the late father was unable, due to dementia, to understand the meaning of the content of the "power of attorney" he signed and its consequences.<br />
<br />
The listed questions, which are important in assessing the validity of the rejection of the applicant's request, were not discussed in the first-level procedure, as a result of which the remaining factual situation was incompletely established. Based on the dementia of the deceased patient, the healthcare provider should determine his ability to issue a valid prohibition and, in the event of its existence, in addition to the narrow legal provisions, more critically assess the content of the document, which is said to contain the prohibition according to the third paragraph of Article 42 of the ZPacP.<br />
<br />
According to the applicant's statements, the IP also explains the following. On the basis of the fourth paragraph of Article 42 of the ZPacP, she could indeed be entitled to get acquainted with the health documentation of her deceased father in the part that relates to reasons that may significantly affect her health, but she did not claim this in her request of 24 October 2023 and instead requested this documentation for the purposes of probate proceedings. The IP points out that the applicant can submit a new request and justify this exception more concretely in order to obtain the required documentation. In relation to the alleged errors in the appointment of the guardian and violations of Article 275 of the Family Code, the IP adds that its powers are defined in Article 2 of the ZInfP and only cover the areas of personal data protection and access to public information. Therefore, it cannot decide whether there has been a violation of the legislation for which it is not competent to supervise, and whether liability for damages may be given. The subject of this appeal procedure is limited to the assessment of whether the health care provider justifiably refused the applicant's request for access to her deceased father's medical records pursuant to Article 42 of the ZPacP. The IP also points out that it does not have the role of the proposer of the law in relation to the complaint statements regarding the need to amend the legislation, but must, in accordance with the principle of legality from Article 6 of the ZUP, make decisions according to the law, by-laws, regulations of local communities and general acts issued for the exercise of public powers. Regarding the claims that the applicant must bring the deceased father's medical documentation as evidence to the probate hearing, the IP merely remarks that the court can generally only obtain the information necessary for the decision and the documents, if the client cannot get them handed over to her.<br />
<br />
Return to re-procedure and instructions to the healthcare provider<br />
<br />
The first paragraph of Article 251 of the ZUP stipulates that when the authority of the second instance determines that the facts were incompletely or erroneously established in the procedure at the first instance, that there were significant violations of the procedural rules in the procedure, or that the wording of the challenged decision is unclear or contrary to the reasoning, it shall complete the procedure and eliminate the mentioned deficiencies either by itself or through the authority of the first instance or through the requested authority. The third paragraph of the same article also stipulates that if the second-instance authority realizes that the shortcomings of the first-instance procedure will be eliminated faster and more economically by the first-instance authority, it cancels the first-instance decision with its own decision and returns the matter to the first-instance authority for a new procedure. In such a case, the authority of the second instance is obliged with its decision to warn the authority of the first instance regarding what the procedure needs to be supplemented, and the authority of the first instance must always act in accordance with this decision and issue a new decision without delay, but no later than within 30 days of receiving the case. The party has the right to appeal against the new decision.<br />
<br />
The IP is obliged to respect the fundamental principles of the administrative procedure, therefore it must also take into account the principle of economy of the procedure from Article 14 of the ZUP and conduct the procedure quickly, which means with as little delay as possible for the clients and other participants in the procedure, but in such a way that everything is done that is necessary to determine the actual situation, protect the client's rights and legal interests, and issue a legal and correct decision. This will be most easily achieved by the healthcare provider at the first level, because the request for familiarization refers to the documentation that he has at his disposal and knows best. The set deadline for re-decision is in accordance with ZUP.<br />
<br />
It follows from the above findings that, in a repeated procedure based on the third paragraph of Article 42 of the ZPacP, the health care provider will have to assess whether there is a valid ban on familiarization with the medical documentation after the patient's death, explain this and make a new decision on the applicant's request. In doing so, he will have to primarily determine the patient's ability to judge at the time of the injunction and, on the condition that this assumption will not be challenged, also assess other relevant circumstances that the IP described in the previous section.<br />
<br />
Conclusion<br />
<br />
On the basis of the third paragraph of Article 251 of the ZUP, the IP upheld the appeal, eliminated the contested response of the healthcare provider and sent the matter back to him for retrial, because it was established that the facts were incompletely established in the first instance procedure, and the shortcomings will be more easily eliminated by the provider. He must make a decision on the applicant's request for information under Article 42 of the ZPacP no later than 30 days after receiving this decision (point 1 of the sentence of this decision).<br />
<br />
In accordance with the provisions of the Act on Administrative Fees (Official Gazette of the RS, No. 106/10 - official consolidated text, 14/15 - ZUUJFO, 84/15 - ZZelP-J, 32/16, 30/18 - ZKZaš and 189/20 – ZFRO), this decision is exempt from payment of the administrative fee. No special costs were incurred in this appeal procedure (point 2 of the sentence of this decision).<br />
<br />
<br />
Instruction on legal remedy:<br />
Neither an appeal nor an administrative dispute is allowed against this decision.<br />
<br />
<br />
Manager's procedure:<br />
………………………….. Mojca Prelesnik, Univ. B.Sc. right.,<br />
Information Commissioner<br />
</pre></div>Imhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9993548&diff=40544&oldid=0Garante per la protezione dei dati personali (Italy) - 99935482024-03-26T17:40:42Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=9993548 |ECLI= |Original_Source_Name_1=Garante per la protezione dei dati personali |Original_Source_Link_1=https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9993548 |Original_Source_Language_1=Italian |Orig..."</p>
<a href="https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9993548&diff=40544">Show changes</a>Imhttps://gdprhub.eu/index.php?title=Pers%C3%B3nuvernd_(Island)_-_2021051091&diff=40542&oldid=0Persónuvernd (Island) - 20210510912024-03-26T15:46:11Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo= |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Island) |Case_Number_Name=2021051091 |ECLI= |Original_Source_Name_1=Persónuvernd |Original_Source_Link_1=https://www.personuvernd.is/urlausnir/voktun-med-vinnuskilum-starfsmanns-a-veitingastadnum-subway%20 |Original_Source_Language_1=Icelandic |Original_Source_Language__Code_1=IS |Original_Source_Name_2= |Original_Source_Link_2= |Original_So..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Iceland<br />
|DPA-BG-Color=<br />
|DPAlogo=<br />
|DPA_Abbrevation=Persónuvernd<br />
|DPA_With_Country=Persónuvernd (Island)<br />
<br />
|Case_Number_Name=2021051091<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Persónuvernd<br />
|Original_Source_Link_1=https://www.personuvernd.is/urlausnir/voktun-med-vinnuskilum-starfsmanns-a-veitingastadnum-subway%20<br />
|Original_Source_Language_1=Icelandic<br />
|Original_Source_Language__Code_1=IS<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=04.05.2021<br />
|Date_Decided=12.03.2024<br />
|Date_Published=20.03.2024<br />
|Year=2024<br />
|Fine=1,500,00<br />
|Currency=ISK<br />
<br />
|GDPR_Article_1=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1b<br />
|GDPR_Article_2=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1a<br />
|GDPR_Article_3=Article 6(1) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1<br />
|GDPR_Article_4=Article 12 GDPR<br />
|GDPR_Article_Link_4=Article 12 GDPR<br />
|GDPR_Article_5=Article 13 GDPR<br />
|GDPR_Article_Link_5=Article 13 GDPR<br />
|GDPR_Article_6=Article 30 GDPR<br />
|GDPR_Article_Link_6=Article 30 GDPR<br />
|GDPR_Article_7=Article 58(2) GDPR<br />
|GDPR_Article_Link_7=Article 58 GDPR#2<br />
|GDPR_Article_8=Article 83 GDPR<br />
|GDPR_Article_Link_8=Article 83 GDPR<br />
|GDPR_Article_9=<br />
|GDPR_Article_Link_9=<br />
|GDPR_Article_10=<br />
|GDPR_Article_Link_10=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Stjörnuna ehf, the operator of Subway in Iceland<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=ec<br />
|<br />
}}<br />
<br />
The Icelandic DPA imposed a fine of €10,059.92 (ISK 1,500,00) on Stjörnuna ehf, the operator of Subway in Iceland, for unlawfully monitoring its employees.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject is an employee at Subway in Iceland. <br />
<br />
The controller is Stjörnuna ehf, the operator of Subway in Iceland.<br />
<br />
The data subject filed a complaint to the Icelandic DPA (Persónuvernd) on 4 May 2021.<br />
<br />
The data subject claimed that the store manager monitored him in real time at home, and thus outside the workplace, and called the workplace to give comments on the data subject’s work style based on the footage. This was done without the data subject’s knowledge. <br />
<br />
The controller argued in a letter to the DPA that it had installed the surveillance cameras for the sake of security and property protection. The purpose of the monitoring is factual, the surveillance camera system has been used in a reasonable manner and it has not been used for the control of workers or for monitoring work results. The controller claimed that the store manager went beyond the stated purpose of the monitoring and used the footage to monitor the work performance of the employees without the consent or knowledge of the company representatives. Immediate action was taken to prevent this from happening again.<br />
<br />
However, in a subsequent letter, the controller denied that the store manager regularly monitored staff in real time through the restaurant's surveillance camera system and commented on their work style and behaviour. The controller argued that the store manager was looking at the surveillance camera system on the day in question out of fear that bread was running out. However, the store manager noticed that there was a big queue which did not change after 5 minutes, and therefore called the data subject, who was in the rest area, to request that the data subject serve the customers. <br />
<br />
Lastly, the controller argued that since there was no systematic collection of information, they had no obligation beyond the installation of signs about the surveillance cameras in the workplace to inform employees more about the monitoring.<br />
<br />
=== Holding ===<br />
Firstly, the DPA found the arguments of the controller conflicting, as the purpose for processing was either in the interests of security and property protection or quality control. Regardless of which argument should be taken into account, the DPA held that it is clear that the store manager’s use of the footage from the surveillance cameras does not fall under the stated purpose of the company’s monitoring for security and property protection. Moreover, the DPA held that monitoring for controlling the work of the employees is only possible if there are no other means available and it is necessary due to an agreement. The controller did not demonstrate this. Moreover, under Article 5(1)(b), monitoring must be carried out for a specified, explicit and legitimate purpose. The DPA found that the controller did not demonstrate that quality control was the purpose of monitoring or that the objectives of quality control cannot be achieved with other and less intrusive measures. Therefore, the DPA found that there was no authorisation for processing under [[Article 6 GDPR#1|Article 6(1) GDPR]]. <br />
<br />
Secondly, the DPA explained that personal data must be processed in a fair and transparent manner in relation to the data subject under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. This means that data subjects should be aware when their personal data is collected, used, viewed or processed in another way. Moreover, in light of [[Article 13 GDPR|Article 13 GDPR]], information must be provided to the data subject, who must be given a clear picture of the monitoring, including its purpose, how it is carried out, how access to monitoring material is arranged and how long the data is stored. The DPA found that the data subject was not adequately informed about the monitoring or what his rights were concerning the monitoring. Moreover, the DPA rejected the controller’s claim that the installation of signs about the monitoring was satisfactory as these signs do not state who is responsible for the monitoring. <br />
<br />
Thirdly, the DPA found that the controller did not keep a record of the processing activities required under [[Article 30 GDPR|Article 30 GDPR]].<br />
<br />
Thus, the DPA ordered the controller under [[Article 58 GDPR#2|Article 58(2) GDPR]] to erase all screenshots of the data subject at work and to inform its data subject about the monitoring, including the purpose of the monitoring and their rights related to it, and to keep a record of its processing activities. Moreover, the DPA imposed an administrative fine of €10,059.92 (ISK 1,500,00) on the controller under [[Article 83 GDPR|Article 83 GDPR]] due to the controller’s violations of [[Article 5 GDPR#1|Article 5(1) GDPR]], [[Article 6 GDPR|Article 6 GDPR]], [[Article 12 GDPR|Article 12 GDPR]] and [[Article 13 GDPR|Article 13 GDPR]].<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>Echttps://gdprhub.eu/index.php?title=Rb._Overijssel_-_ZWO_22/775&diff=40533&oldid=0Rb. Overijssel - ZWO 22/7752024-03-26T11:40:30Z<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Rb. Overijssel |Court_Original_Name=Rechtbank Overijssel |Court_English_Name=District Court Overijssel |Court_With_Country=Rb. Overijssel (Netherlands) |Case_Number_Name=ZWO 22/775 |ECLI=ECLI:NL:RBOVE:2024:594 |Original_Source_Name_1=Rechtspraak |Original_Source_Link_1=https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:RBOVE:2024:594 |Original_Source_Language..."</p>
<p><b>New page</b></p><div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Netherlands<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Rb. Overijssel<br />
|Court_Original_Name=Rechtbank Overijssel<br />
|Court_English_Name=District Court Overijssel<br />
|Court_With_Country=Rb. Overijssel (Netherlands)<br />
<br />
|Case_Number_Name=ZWO 22/775<br />
|ECLI=ECLI:NL:RBOVE:2024:594<br />
<br />
|Original_Source_Name_1=Rechtspraak<br />
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:RBOVE:2024:594<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=02.02.2024<br />
|Date_Published=02.02.2024<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 4(1) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#1<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Enschede municipality<br />
|Party_Link_1=<br />
|Party_Name_2=Autoriteit Persoonsgegevens (Dutch DPA)<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_From_Body=Autoriteit Persoonsgegevens<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://autoriteitpersoonsgegevens.nl/actueel/boete-gemeente-enschede-om-wifitracking<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Droogstoppel<br />
|<br />
}}<br />
<br />
A court ruled that the Dutch DPA did not prove that the MAC addresses constituted personal data (cf [[Article 4 GDPR#1|Article 4(1) GDPR]]), because it did not sufficiently prove that the controller would be able to identify persons connected to the MAC addresses.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 6 September 2017 the municipality of Enschede decided to start 24/7 WiFi tracking in the centre of the city. Its purpose was to measure the effectiveness of municipal investments, in view of the responsible use of public funds. The contract to execute this task was given to City Traffic B.V., now Bureau RMC. Bureau RMC then contracted an unnamed party to do the installation and maintenance of the sensors and to collect and validate the data gathered by the sensors. Information collected included hashed MAC-addresses, date and timestamp of exposure, signal strength and sensor ID. It was stored for a period between 6 and 7 months. Starting from 1 January 2019 the hashed MAC-addresses were also truncated. On 30 April 2020 the municipality gave an assignment to Bureau RMC to switch the tracking sensors off.<br />
<br />
The Dutch DPA concluded that the chosen anonymization method of truncating a small part of the hashed MAC address does not sufficiently exclude the risks of singling out, linking or deducing a person’s identity based on a pseudonymous identifier + timestamp + location information (available via the sensor ID). According to the Dutch DPA, employees of the controller could identify people in three ways:<br />
(a) When someone walks past a sensor, their MAC address is registered, and an employee in the vicinity of the sensor could see who is walking by and link the MAC address to the person walking by at that moment. <br />
(b) The moment that a device enters the range of the sensor and the moment when the device leaves the range of the sensor were stored. If someone enters the range of a sensor and does not leave it for a longer time, an employee could find out who is in the range of the sensor in the corresponding time span and connect the MAC address to that person. <br />
(c) An employee could determine a movement pattern based on the readings of multiple sensors, and use this information to link the MAC address to a specific person.<br />
<br />
Because of these reasons the Dutch DPA held that the data processed by the controller constituted personal data. The Dutch DPA considered that the controller did not have an adequate legal basis for processing the personal data, and imposed a fine of €600,000.<br />
<br />
=== Holding ===<br />
The main question the court answered in the case was whether the Dutch DPA had proven that MAC addresses constitute personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]]. <br />
<br />
The court held that the Dutch DPA had insufficiently substantiated its claim that employees of the company would be able to identify the natural person connected to a MAC address. The court noted that the Dutch DPA was using too many assumptions in its argumentation. (For example, the controller held that the range of the wifi-sensors was large, and the DPA assumed (without proof) that this claim by the controller was wrong). Because of the use of unproven assumptions the court concluded that the Dutch DPA has not proven that the MAC addresses constitute personal data. Therefore the Dutch DPA has not proven that the controller had infringed the GDPR. Therefore it overturned the DPA's previous decision and annulled the fine that the Dutch DPA had imposed on the municipality.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
Some of all judicial decisions are published on Rechtspraak.nl. This is done anonymously.<br />
This statement has been anonymized according to the anonymization guidelines.<br />
ECLI:NL:RBOVE:2024:594<br />
Authority: Overijssel District Court<br />
Judgment date: 02-02-2024<br />
Date of publication: 02-02-2024<br />
Case number: ZWO 22/775<br />
Jurisdictions: Administrative law<br />
Special characteristics: First instance - multiple<br />
Content indication: The court declares the appeal of the municipality of Enschede well-founded. The municipality appealed against an administrative fine of 600,000 euros imposed by the Dutch Data Protection Authority.<br />
Locations: Rechtspraak.nl; Sdu News Privacy Law 2024/105; Sdu News Privacy Law 2024/20<br />
<br />
OVERIJSSEL COURT<br />
<br />
Location Zwolle<br />
<br />
Administrative law<br />
<br />
case number: ZWO 22/775<br />
<br />
ruling of the multiple chamber in the case between<br />
<br />
the mayor and aldermen of Enschede, plaintiff,<br />
<br />
authorized representative: Mr. M.H. Elferink,<br />
<br />
and<br />
Dutch Data Protection Authority, hereinafter: AP,<br />
<br />
authorized representative: Mr. J.M.A. Koster.<br />
Introduction<br />
<br />
In this ruling, the court assesses the plaintiff's appeal against the administrative fine of €600,000 imposed on him by the AP.<br />
<br />
With the contested decision of April 6, 2022 on the plaintiff's objection to the fine decision of March 11, 2021, the AP has stood by that decision.<br />
<br />
The court heard the appeal on November 29, 2023. The plaintiff appeared before K.B.H. Ligthart-Kaalverink, assisted by the authorized representative and M.M. Shorter. The AP was represented by its representative, assisted by W. van Steenbergen and V. Klos.<br />
<br />
Furthermore, [name], hereinafter [name], was heard.<br />
Establishment of the decision<br />
1.1<br />
<br />
On September 5, 2017, the plaintiff decided to start 24/7 footfall counts via sensors in the city center of Enschede from September 6, 2017 to gain insight into visitor numbers. The contract for this has been awarded to [company 1] B.V., now [company 1]. This agency has engaged [company 2] B.V. for the technology.<br />
1.2<br />
<br />
On July 16, 2018, the AP received a complaint from [name] requesting enforcement action against the municipality of Enschede due to WiFi tracking that infringes the privacy of Enschede residents and visitors.<br />
1.3<br />
<br />
The AP received two more complaints about the plaintiff's WiFi tracking on December 2, 2018 and January 4, 2019.<br />
1.4<br />
<br />
The AP subsequently launched an investigation. In this context, information has been requested from the plaintiff, [company 1] and [company 2] B.V. On May 29, 2019, AP supervisors conducted a local investigation at a number of retailers in the city center of Enschede where a sensor was located.<br />
1.5<br />
<br />
On April 21, 2020, the AP released an investigation report, which concluded in summary that the processing of personal data of owners/users of mobile devices with Wi-Fi enabled in the city center of Enschede is unlawful. The defendant concludes that the plaintiff, as controller, has acted in violation of the General Data Protection Regulation (GDPR) from May 25, 2018 until the date of the report.<br />
1.6<br />
<br />
Following this report, the AP announced its intention on May 8, 2020 to impose a sanction on the claimant, namely an administrative fine and/or a penalty payment.<br />
1.7<br />
<br />
The plaintiff has submitted an opinion against this intention.<br />
1.8<br />
<br />
By decision of March 11, 2021, the AP imposed an administrative fine on the plaintiff of €600,000 because the plaintiff (from May 25, 2018 to April 30, 2020) processed, without any basis, personal data of owners/users of mobile devices with Wi-Fi enabled in the city center of Enschede. The plaintiff has thus violated Article 5, first paragraph under a, jo. Article 6(1) of the GDPR.<br />
1.9<br />
<br />
The plaintiff has appealed against this decision. A hearing took place on September 16, 2021.<br />
1.10<br />
<br />
In the decision of April 6, 2022, which was contested on appeal, the AP declared the objection unfounded.<br />
Assessment by the court<br />
<br />
Can [name] be regarded as a third party?<br />
2.1<br />
<br />
The court has designated [name] as a third party at the request of the AP. The plaintiff has taken the position that [name] cannot be regarded as such.<br />
2.2<br />
<br />
[name] has submitted a request for enforcement. Such a request is only an application within the meaning of Article 1:3, third paragraph, of the General Administrative Law Act (GALA), if this request has been made by an interested party. The response to such a request submitted by an interested party is then a decision as referred to in Article 1:3, first paragraph, of the General Administrative Law Act, against which legal remedies can be used. In accordance with Article 1:2, first paragraph, of the General Administrative Law Act, an interested party is defined as: the person whose interest is directly involved in a decision. Only those who have a sufficiently objective and current personal interest that is directly involved in the enforcement decision are in principle an interested party in that decision. The question is whether [name] has such an interest.<br />
2.3<br />
<br />
At the hearing, [name] stated uncontested that he – a resident of Enschede – passed the sensors in the city center with WiFi enabled on his mobile phone and must have been spotted. He believes this is the processing of personal data and considers this a violation of his privacy.<br />
2.4<br />
<br />
In the opinion of the court, this passing of the sensors does not distinguish [name] from other people visiting the city center of Enschede, but he can be regarded as an interested party, provided it is established that the plaintiff has processed personal data in violation of the GDPR. The reason for this is that the protection of privacy under European law requires this. The answer to the question of whether [name] can be regarded as a third party in this case depends on the court's opinion in this ruling as to whether the plaintiff has processed personal data. The court finds support for this method of assessment in the ruling of the Administrative Jurisdiction Division of the Council of State dated 18 February 2018 (ECLI:NL:RVS:2018:590).<br />
<br />
Assessment framework<br />
3.1<br />
<br />
Pursuant to Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.<br />
3.2<br />
<br />
Recital 26 of the GDPR states that the principles of data protection should apply to any information relating to an identified or identifiable natural person. Pseudonymized personal data that can be linked to a natural person through the use of additional data should be regarded as data relating to an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all means that could reasonably be expected to be used by the controller or by another person to directly or indirectly identify the natural person, for example selection techniques. In order to determine whether means can reasonably be expected to be used to identify the natural person, all objective factors, such as the cost and time required for identification, should be taken into account, taking into account the technology available at the time of processing and technological developments. The data protection principles should therefore not apply to anonymous data, namely data that does not relate to an identified or identifiable natural person or to personal data that has been anonymized in such a way that the data subject is not or no longer identifiable. This Regulation therefore does not concern the processing of such anonymous data, including for statistical or research purposes.<br />
3.3<br />
<br />
Article 5(1)(a) of the GDPR stipulates that personal data must be processed in a manner that is lawful, fair and transparent in relation to the data subject (“lawfulness, fairness and transparency”).<br />
3.4<br />
<br />
Pursuant to Article 6(1) of the GDPR, processing is only lawful if and to the extent that at least one of the following conditions is met:<br />
<br />
a) the data subject has given permission for the processing of his personal data for one or more specific purposes;<br />
<br />
b) the processing is necessary for the execution of an agreement to which the data subject is a party, or to take measures at the request of the data subject before the conclusion of an agreement;<br />
<br />
c) the processing is necessary for compliance with a legal obligation that rests on the controller;<br />
<br />
d) the processing is necessary to protect the vital interests of the data subject or of another natural person;<br />
<br />
e) the processing is necessary for the performance of a task carried out in the public interest or of a task in the context of the exercise of public authority vested in the controller;<br />
<br />
f) the processing is necessary for the pursuit of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject which require protection of personal data outweigh those interests, especially when the data subject is a child.<br />
<br />
Point (f) of the first paragraph shall not apply to processing by public authorities in the exercise of their duties.<br />
3.5<br />
<br />
Pursuant to Article 18, paragraph 1, of the GDPR Implementation Act, the AP may impose an administrative fine of up to the amounts mentioned in these paragraphs.<br />
3.6<br />
<br />
Article 83(5)(a) of the GDPR provides that breaches of the basic principles of processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9 are subject to administrative fines of up to €20,000,000.<br />
<br />
Is there a violation? Is there (processing of) personal data involved?<br />
<br />
4. The court points out that according to settled case law, if the imposition of an administrative fine by an administrative body concerns a discretionary power, the burden of proof of the violation lies with the administrative body, whereby high requirements are imposed on the evidence. The court will assess whether the AP has provided sufficient evidence for the claim that the plaintiff has processed personal data in violation of Article 5(1)(a) in conjunction with Article 6(1) of the GDPR.<br />
<br />
5. The documents submitted by the plaintiff and the AP show that in the context of the intended passer-by count in the city center of Enschede in the period from May 25, 2018 to April 30, 2020, the MAC addresses of owners/users of mobile devices with Wi-Fi enabled were collected with ten sensors. The MAC addresses were temporarily stored in the sensor's working memory and then hashed (pseudonymized), after which the hashed MAC address was immediately forwarded to the PFM server. On the server, the last three characters of the hashed MAC address (since January 1, 2019) were cut off.<br />
<br />
6. The AP takes the position that the identity of the natural person does not follow directly from the MAC address or the pseudonymised MAC address and the location data of the sensors, but that the natural person is identifiable on the basis of these identifiers.<br />
<br />
7. The AP has mentioned three different ways to do this, namely:<br />
<br />
a. identification of persons based on the data stored on the sensor:<br />
<br />
PFM knows the exact location of the sensors and has access to the working memory and the software running on each sensor. At the same time as a new detection of a mobile device by a sensor, it is possible for someone from PFM to observe on site which person is walking within the range of the sensor. Especially at quiet times in the city center, this immediately leads to the identification of natural persons. For verification purposes, the person may be asked for his/her MAC address.<br />
<br />
b. identification of persons using the data in the short-term table (until January 1, 2019):<br />
<br />
PFM is responsible for collecting and validating the data. The short-term table on the server is owned by PFM. From mobile devices that enter the range of a sensor, data with an associated 'status 1' is included in the short-term table and if the same mobile device leaves the range of the sensor a little later, data with 'status 2' is sent to the short-term table. However, if a mobile device remains within range of a certain sensor, for example because that person lives or works within it, then the short-term table will only contain a status 1 record containing the pseudonymised MAC address, date and time. If a status 2 record is missing for a longer period of time, PFM is aware that the person in question (possibly a resident or store employee) is still within range of the sensor. Someone from PFM can then determine on the spot which person is involved and identify the person.<br />
<br />
c. identification of persons based on the data in the long-term table:<br />
<br />
For PFM it is also possible to identify natural persons based on the historical data included in the long-term table on the server. Defendant has established that living and movement patterns can be recognized in the long-term table from after January 1, 2019, i.e. after the introduction of cutting off three characters from the hashed MAC address. This will also be the case in the long-term table from before January 1, 2019, when it still contained unique pseudonymised MAC addresses, because six months of data were always stored at that time. Using a pattern, it is possible for PFM to predict when the natural person in question is located somewhere, for example the person who moves between sensors in the city center of Enschede every night between 4:00 AM and 5:00 AM. At night there are hardly any other people on the street and it is possible for PFM to identify this person on the spot.<br />
<br />
8. According to the AP, these three ways of identifying natural persons do not require excessive effort from PFM, given the required time, costs and manpower. The fact that PFM employees do not use these resources in practice to identify people in the city center of Enschede does not alter the fact that they could reasonably do so. The identification can also be done by employees of [company 1] because they have access to all data that PFM collects based on the service level agreement with PFM. The claimant can also make the identification because he also has access to all data based on the processor agreement with [company 1].<br />
<br />
9. The AP concludes that the combination of MAC address and location data and the combination of pseudonymised MAC address and location data on the sensor from May 25, 2018 to April 30, 2020 and in the short- and long-term tables until January 1, 2019 qualify as personal data within the meaning of the GDPR.<br />
<br />
10. The court notes that when refuting the plaintiff's objections, the AP repeatedly bases itself on the implausibility of circumstances and equivalent wording instead of basing itself on research into facts. Reference is made to the following marginal numbers in the contested decision of April 6, 2022. No. 22: “The AP considers it implausible that the sensors actually receive signals 70 meters around the sensor.” No. 30: “The AP does not consider it plausible that this questioning would never, under any circumstances, lead to someone giving out their MAC address. In any case, it cannot be ruled out…” No. 37: “Although the AP has not established that remote login is possible (…) Although the AP has not investigated and established (…)” No. 39: “(…) which makes it unlikely that it would be impossible for PFM to access the information stored in the cache memory.” No. 42: “The AP finds it plausible that PFM has the knowledge and programming skills to be able to distill living patterns from the long-term table.”<br />
<br />
11. Furthermore, the court understands that the AP dropped the observation of natural persons with a camera mentioned in the fine decision of March 11, 2021 as a possibly illegal means in the contested decision of April 6, 2022.<br />
<br />
12. The court notes that the AP has essentially based its decisions on the ability of the plaintiff to identify natural persons on site on the basis of hashed, pseudonymised and clipped MAC addresses. In the aforementioned ways, the AP assumes the possibility that an employee of the agencies engaged by the claimant or an employee of the claimant itself could be on site at some time in the early morning, when there are few people on the street, to determine that a specific, unique mobile device user is within range of a sensor, and could potentially identify that person.<br />
<br />
13. The court is of the opinion that the AP has not sufficiently investigated whether the methods it mentions indeed make it possible, in the given situation, to determine the identity of a user of a mobile device with the naked eye. The AP's mere assertion that the employees in question could reasonably do this does not convince the court. In view of recital 26 of the GDPR, the AP should have investigated whether it could reasonably be expected that the said means would be used to directly or indirectly identify the natural person, taking into account the costs and time required for identification, as well as the technology available at the time of processing and technological developments.<br />
<br />
14. On this basis, the court is of the opinion that the AP, especially in view of the heavy burden of proof resting on the defendant in the event of the imposition of an administrative fine, has not proven that the plaintiff, with the method he used, processed personal data of owners/users of mobile devices with Wi-Fi enabled in the city center of Enschede. It follows that the AP has not proven that the plaintiff committed the offense of which he is accused.<br />
<br />
15. It then follows that [name] cannot be regarded as a third party.<br />
Conclusion<br />
<br />
16. The AP has imposed an administrative fine on the plaintiff on incorrect grounds, so that this decision cannot be upheld. The claimant's appeal is well-founded. The court will annul the contested decision of April 6, 2022 and revoke the fine decision of March 11, 2021.<br />
<br />
17. The court sees reason to order the AP to pay the plaintiff's legal costs. These costs have been calculated on the basis of the Administrative Law Costs Decree (Bpb) at € 2,998 (1 point for the notice of objection + 1 point for the hearing at € 624 per point + 1 point for the notice of appeal + 1 point for appearing at the hearing x weighting factor 1 x € 875 per point).<br />
18.1<br />
<br />
The claimant has requested reimbursement of the travel costs and lost-time costs of the representative K.B.H. Ligthart-Kaalverink, who appeared on her behalf. An amount of € 148.90 has been declared for travel costs and an amount of € 356 for lost-time costs for two hours for attending the hearing.<br />
18.2<br />
<br />
The court is of the opinion that the travel costs are eligible for reimbursement. Travel costs will be reimbursed on the basis of public transport, second class. The court therefore sets the travel costs eligible for reimbursement at € 29.78.<br />
18.3<br />
<br />
There is no reason for reimbursement of the lost-time costs in accordance with Article 2, first paragraph, opening words and under e, of the Bpb since, in the opinion of the court, Mrs Ligthart-Kaalverink is employed by the claimant and it has not emerged that she had to take unpaid leave to attend the hearing. In addition, these costs have not been substantiated in any way.<br />
<br />
19. There is also reason to order the AP to reimburse the court fee of € 365 paid by the plaintiff.<br />
Decision<br />
<br />
The court<br />
<br />
- declares the appeal well-founded;<br />
- annuls the contested decision;<br />
- revokes the decision of March 11, 2021;<br />
- orders the AP to pay the legal costs, estimated to date at € 3,027.78;<br />
- orders that the AP reimburse the plaintiff for the court fee of € 365 paid by her.<br />
<br />
This statement was made by Mr. J.W.M. Bunt, chairman, and Mr. A. Oosterveld and Mr. W.J.B. Cornelissen, members, in the presence of Y. van Arnhem, clerk. The verdict was pronounced in public on<br />
<br />
clerk<br />
<br />
<br />
chair<br />
<br />
A copy of this ruling has been sent to the parties on:<br />
Information about appeal<br />
<br />
A party that does not agree with this ruling can send an appeal to the Administrative Jurisdiction Division of the Council of State explaining why this party does not agree with this ruling. The appeal must be submitted within six weeks of the day on which this decision was sent. If the petitioner cannot await the hearing of the appeal because the case is urgent, the petitioner can ask the preliminary relief judge of the Administrative Jurisdiction Division of the Council of State to take a provisional measure (a temporary measure).<br />
</pre></div>Droogstoppelhttps://gdprhub.eu/index.php?title=DSB_(Austria)_-_2023-0.420.407&diff=40529&oldid=0DSB (Austria) - 2023-0.420.4072024-03-25T10:28:28Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=2023-0.420.407 |ECLI=ECLI:AT:DSB:2023:2023.0.420.407 |Original_Source_Name_1=RIS |Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=07ee55d2-a0a6-4e00-8111-c779c3c97ceb&Position=1&SkipToDocumentPage=True&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachTe..."</p>
<a href="https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2023-0.420.407&diff=40529">Show changes</a>Magdalena04https://gdprhub.eu/index.php?title=Korkein_hallinto-oikeus_(Finland)_-_KHO:2024:34&diff=40520&oldid=0Korkein hallinto-oikeus (Finland) - KHO:2024:342024-03-24T21:33:57Z<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Finland |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Korkein hallinto-oikeus (Finland) |Court_Original_Name=Korkein hallinto-oikeus (Finland) |Court_English_Name=Supreme Administrative Court of Finland |Court_With_Country=Korkein hallinto-oikeus (Finland) (Finland) |Case_Number_Name=KHO:2024:34 |ECLI=ECLI:FI:KHO:2024:34 |Original_Source_Name_1=Korkein hallinto-oikeus |Original_Source_Link_1=https://www.kho.fi/fi/inde..."</p>
<a href="https://gdprhub.eu/index.php?title=Korkein_hallinto-oikeus_(Finland)_-_KHO:2024:34&diff=40520">Show changes</a>Fredhttps://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_(Finland)_-_H6072/2021&diff=40519&oldid=0Helsingin hallinto-oikeus (Finland) - H6072/20212024-03-24T21:28:58Z<p>Created page with "{{COURTdecisionBOX |Jurisdiction=Finland |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Helsingin hallinto-oikeus (Finland) |Court_Original_Name=Helsingin hallinto-oikeus (Finland) |Court_English_Name=Administrative Court of Helsinki |Court_With_Country=Helsingin hallinto-oikeus (Finland) (Finland) |Case_Number_Name=H6072/2021 |ECLI= |Original_Source_Name_1=Helsingin hallinto-oikeus |Original_Source_Link_1=https://gdprhub.eu/index.php?title=File:Helsi..."</p>
<a href="https://gdprhub.eu/index.php?title=Helsingin_hallinto-oikeus_(Finland)_-_H6072/2021&diff=40519">Show changes</a>Fredhttps://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_918/154/2019&diff=40518&oldid=0Tietosuojavaltuutetun toimisto (Finland) - 918/154/20192024-03-24T21:22:05Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=918/154/2019 |ECLI= |Original_Source_Name_1=Tietosuojavaltuutetun toimisto |Original_Source_Link_1=https://tietosuoja.fi/documents/6927448/204092115/P%25C3%25A4%25C3%25A4t%25C3%25B6s_918.154.2019_verkkoon.pdf/8f7ae20b-bfd8-1060-6da8-1a930ee32171/P%25C3%25A4%25C3%25A4t%25C3..."</p>
<p><b>New page</b></p><div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Finland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoFI.png<br />
|DPA_Abbrevation=Tietosuojavaltuutetun toimisto<br />
|DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland)<br />
<br />
|Case_Number_Name=918/154/2019<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Tietosuojavaltuutetun toimisto<br />
|Original_Source_Link_1=https://tietosuoja.fi/documents/6927448/204092115/P%25C3%25A4%25C3%25A4t%25C3%25B6s_918.154.2019_verkkoon.pdf/8f7ae20b-bfd8-1060-6da8-1a930ee32171/P%25C3%25A4%25C3%25A4t%25C3%25B6s_918.154.2019_verkkoon.pdf?t=1710926261537<br />
|Original_Source_Language_1=Finnish<br />
|Original_Source_Language__Code_1=FI<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=31.01.2019<br />
|Date_Decided=03.06.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 17(1) GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR#1<br />
|GDPR_Article_2=Article 58(2)(c) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#2c<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 34(2)(4) Act on the Processing of Personal Data by the Police<br />
|National_Law_Link_1=https://www.finlex.fi/fi/laki/ajantasa/2019/20190616#L5P34<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Google LLC<br />
|Party_Link_1=https://www.google.com/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=Helsingin hallinto-oikeus<br />
|Appeal_To_Case_Number_Name=H6072/2021<br />
|Appeal_To_Status=Appealed - Overturned<br />
|Appeal_To_Link=https://gdprhub.eu/index.php?title=File:Helsingin_hallinto-oikeus_H6072-2021.pdf<br />
<br />
|Initial_Contributor=fred<br />
|<br />
}}<br />
<br />
The DPA ordered Google to remove several search result links from Google Search, as they had led to outdated information about the data subject.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Pursuant to [[Article 17 GDPR#1|Article 17(1) GDPR]], the data subject had requested Google LLC (the controller) to remove several search result links from Google Search because they led to outdated information about the data subject. The controller had only removed some of the links, rather than implementing the request in its entirety.<br />
<br />
The controller stated that the search result links led to online content, the main subject of which was the arrest warrant issued against the data subject. The controller argued that it had a substantial legitimate interest in keeping the information available to ensure the safety of those dealing with the data subject.<br />
<br />
The data subject claimed that they had already served their prison sentence in full and that the arrest warrant had ceased to be valid since April 2011. Consequently, the information was no longer necessary for the purposes for which it was originally processed. The data subject emphasised that the information about the warrant caused them harm, as it was both inaccurate and outdated.<br />
<br />
=== Holding ===<br />
The DPA considered that since the arrest warrant was no longer valid, the public no longer had a reason to inform the police of their sightings of the data subject. Therefore, due to the passage of time, the availability of the information could no longer be considered justified.<br />
<br />
The DPA also emphasised the importance of the statutory retention period for the arrest warrant. According to [https://www.finlex.fi/fi/laki/ajantasa/2019/20190616#L5P34 Section 34(2)(4) of the Finnish Act on the Processing of Personal Data by the Police], other data concerning an arrest warrant processed for the purpose of finding, monitoring, surveillance or protection of individuals are erased three years after the cancellation or expiry of the warrant or prohibition.<br />
<br />
On the basis of the information gathered, the DPA concluded that the information on the arrest warrant against the data subject was no longer of importance to society.<br />
<br />
As a result, and in accordance with [[Article 58 GDPR#2c|Article 58(2)(c) GDPR]], the DPA ordered the controller to comply with the data subject's request to remove the search result links in question.<br />
<br />
== Comment ==<br />
The Finnish DPA has issued five other decisions regarding the removal of search result links from Google Search, one in favour of Google in case 4543/154/2018 and four against it in cases 5756/154/2018, 6722/154/2018, 8004/154/2018 and 903/154/2019.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.<br />
<br />
<pre><br />
DECISION OF THE DEPUTY DATA PROTECTION OFFICER IN THE MATTER OF DELETING DATA<br />
<br />
Subject: Removing search result links from the search results of the Google Search search service<br />
<br />
Applicant x<br />
<br />
The controller is Google LLC<br />
<br />
The applicant's requirements with justification<br />
<br />
On January 31, 2019, the applicant initiated a case at the data protection commissioner's office regarding the removal of url search result links from the Google Search search service. The case concerns the following url search result links:<br />
<br />
1) x;<br />
2) x;<br />
3) x;<br />
4) x;<br />
5) x;<br />
6) x;<br />
7) x;<br />
8) x;<br />
9) x;<br />
10) x;<br />
11) x; and<br />
12) x.<br />
<br />
In clarifying the matter, Google LLC has announced that it has accepted the applicant's request regarding url search result links 2) and 12). When preparing this decision, these url search result links were not available in connection with a Google search performed under the applicant's name, which is why this decision is limited to url search result links 1) and 3)–11).<br />
<br />
The url search result links that are the subject of the decision lead to online content, the main subject of which is the published wanted advertisement for the applicant. However, information is also available that in February 2010 the Helsinki Court of Appeal had sentenced the applicant to a prison sentence of nine years and four months for a serious drug crime. The online content describes the applicant's appearance. The observations concerning the applicant are requested to be reported to the command center of the Helsinki Police.<br />
<br />
The applicant has justified his removal request by, among other things, that information can be found behind the url search result links requested to be removed, which is already out of date. The applicant has said that the wanted notice in question has not been valid since April 2011. The applicant has emphasized that the online content in question specifically concerns the wanted notice, not the facts behind the wanted notice.<br />
<br />
Statement received from the controller<br />
<br />
The applicant has himself submitted a request to the controller to delete the search result links and received a negative response to his request. The data protection commissioner's office has also requested an explanation from the controller. The controller issued its report on 9 April 2020.<br />
<br />
The controller has announced that it has reconsidered the matter. However, with the exception of url search result links 2) and 12), the controller has stuck to its original decision. In the report given, it has been established that the online content in question deals with the fact that the applicant had been the subject of a police search. It has been said that the applicant avoided the prison sentence he received.<br />
<br />
The controller has also invoked the guidelines of the Article 29 Data Protection Working Party, according to which, in connection with crimes, data protection authorities are more likely to consider deleting search results related to relatively minor and long-ago crimes and less likely to delete results related to serious and recent crimes.<br />
<br />
It has also been stated in the report that this case is about information regarding the applicant's prison sentence for a drug offence. The controller has considered that there is a strong legitimate interest in keeping the information available to ensure the safety of those dealing with the applicant.<br />
<br />
The applicant's response<br />
<br />
The applicant was given the opportunity to give his response in the case. The applicant gave his response on 20 April 2020.<br />
<br />
In the response given, it has been stated that the applicant had not avoided the nine years and four months prison sentence he received for serious drug crimes. The online content is from a time before the judgment in question came into force. The applicant has said that he served his prison sentence after the sentence became final.<br />
<br />
Contrary to what was stated in the report, the online content specifically concerns the wanted notice published for the applicant - not the underlying crime. The wanted notice has not been valid since April 2011. The information on the wanted notice is therefore both incorrect and out of date. The applicant has said that he has completed his prison sentence in full. Since the wanted notice is no longer valid, the applicant has considered that the information is no longer needed for the purposes for which it was originally processed. Having the information available is a disadvantage for the applicant.<br />
<br />
Legal question<br />
<br />
The Deputy Data Protection Commissioner assesses and decides the applicant's case based on the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). When deciding the matter, the Deputy Data Protection Commissioner also takes into account the European Data Protection Board's interpretation guidelines issued on 2 December 2019, Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (later the European Data Protection Board's interpretation guidelines), the European Court of Justice judgments C-131/12 and C-136/17 and, where applicable, the guidelines issued on 26 November 2014 by the Article 29 Data Protection Working Party on the implementation of the Court of Justice of the European Union judgment on "Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González" C-131/12 (later the interpretation guidelines of the Article 29 Data Protection Working Party).<br />
<br />
The Deputy Data Protection Commissioner must decide whether the data controller should be given an order according to Article 58, paragraph 2, subsection c of the General Data Protection Regulation to comply with the data subject's request to delete the url search result link in question.<br />
<br />
In this decision, the Deputy Data Protection Commissioner assesses the applicant's case in terms of the processing of personal data by the controller and the online service it offers. The decision does not take a position on whether the other operator involved in the matter, i.e. the original publisher of the data, has the right to keep the data available on its own website.<br />
<br />
Decision and reasons of the Deputy Data Protection Commissioner<br />
<br />
I accept the applicant's requirements on the grounds stated below and give Google LLC an order according to Article 58, paragraph 2, subparagraph c of the General Data Protection Regulation to comply with the applicant's request to remove the url search result links in question.<br />
<br />
According to Article 17 of the General Data Protection Regulation, if the conditions listed in the article are met, the data subject has the right to have the data controller delete personal data concerning the data subject without undue delay. The registered person can request the deletion of data on more than one basis mentioned in the article. The European Data Protection Board has, with the above-mentioned interpretation guideline (Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR), taken a position on the application of the requirements laid down in Article 17, Section 1 of the General Data Protection Regulation in matters concerning internet search engines.<br />
<br />
On the judgments of the European Court of Justice C-131/12 and C-136/17<br />
<br />
In the judgments of the EU Court C-131/12 and C-136/17, it has been stated that the processing of personal data carried out in connection with internet search engines, when the search is made under the name of the data subject, can significantly affect the data subject's privacy rights.<br />
<br />
In the aforementioned judgments, it has also been stated that two independent, separate actors are always associated with the information published on a certain individual website and its availability in the search results of internet search engines: 1) the website administrator, i.e. the so-called original publisher and 2) the internet search service administrator. In judgment C-131/12, it has been established that the internet search engine is an independent data controller with regard to the processing of personal data that the search engine performs in order to provide url search results (see paragraphs 35−41, 82−83 and 88 of the judgment). The two separate operators mentioned above do not, in principle, process personal data on the same basis. In the decision of the European Court of Human Rights, M.L. and W.W. vs Germany (issued on June 28, 2018), it has been stated that in the weighing of interests, different outcomes can be reached depending on the matter at hand: (i) the activity of the original publisher can be seen as being at the core of the rights to freedom of speech and expression, while (ii) the primary purpose of the operator of the internet search service, on the other hand, has not been to publish the information in question per se, but to collect any information about the registered person in one place and thus enable the creation of a personal image of the registered person.<br />
<br />
In judgment C-131/12, it was further stated that a person's public or public-like status is a factor that may lead to the so-called general public having the right to obtain personal information about him from an internet search engine. Among other things, the judgment states the following: [w]hen the data subject can, in relation to his fundamental rights under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, demand that the information in question is no longer made available to the general public by including it in such a list of search results, it must be considered - as appears, for example, from paragraph 81 of the judgment - that the rights in question supersede not only the economic interest of the operator of the search engine, but also the interest of the general public in finding the mentioned information when searching under the name of the registered person. However, this would not be the case if it turns out that interference with the data subject's fundamental rights for special reasons such as the data subject's position in the public domain can be justified by the primary interest that the general public has in obtaining that information as a result of the inclusion in question (see paragraph 97 of the judgment).<br />
<br />
In the judgment of the EU Court C-136/17, it has been stated that […] the right to the protection of personal data is not an absolute right, but it must […] be considered in relation to its function in society and, in accordance with the principle of proportionality, it must be proportionate to other fundamental rights. Furthermore, it has been stated that especially in Article 17(3)(a) of the Data Protection Regulation, the requirement for weighing the fundamental rights to respect for private life and the protection of personal data established in Articles 7 and 8 of the Charter of Fundamental Rights, and the fundamental right to freedom of communication guaranteed in Article 11 of the Charter of Fundamental Rights, on the other hand, has been explicitly established.<br />
<br />
In the judgments mentioned above, it has been established that the rights of the data subject in principle supersede not only the economic interest of the search engine operator, but also the interest of the general public in obtaining the information in question by searching under the name of the data subject. However, the EU court has identified several factors that must be taken into account in the assessment. These include, for example, the nature of the information in question or its sensitivity, and in particular the interests of internet users in accessing information, which, in turn, must be taken into account when evaluating, for example, the registered person's possible public or public-like status.<br />
<br />
The concept of public position has been defined in the interpretation guidelines of the data protection working group in accordance with Article 29 mentioned above. According to this interpretation guide, a public position or a public person means that the person is at least to some extent in so-called media exposure due to his activities or commitments. If a person has a public position, then there is a reason that the general public should be able to search the internet search engine for information that is relevant to the person's public or similar role (see pages 13−14 of the interpretation instructions of the data protection working group in accordance with Article 29).<br />
<br />
Evaluation of the applicant's case<br />
<br />
Committing a criminal act and being convicted of it basically gives a person a public status in society and exposes them to so-called media exposure for the act in question. The starting point is that a person who has committed a criminal act cannot have the same justified assumption about the extent of the protection of their privacy after their act as a person who has not committed a crime.<br />
<br />
The aforementioned principle emerges, for example, from the judgment of the European Court of Human Rights, Sidabras and Džiautas v. Lithuania (2004, paragraph 49), where it is considered that Article 8 of the European Convention on Human Rights, which protects, among other things, respect for private life, does not protect against the loss of reputation that is a foreseeable consequence of a person's own actions, such as committing a crime. The decision of the European Court of Human Rights Axel Springer AG v. Germany (2012, paragraph 83) also confirms the same line.<br />
<br />
However, the above does not mean that a person who has committed a crime has no privacy protection at all. Despite the criminal act and the punishment received for it, part of the personal data of the person in question remains within the scope of his private life and the protection of privacy, which is his fundamental right.<br />
<br />
In the applicant's case, it is undisputed that in 2010 he was sentenced to a prison sentence of nine years and four months for a serious drug crime. I consider that, as a result, the applicant has a public or public-like status as referred to in judgment C-131/12. I will use the term "public position" below for this position. This public position basically gives the general public a legitimate interest in obtaining personal information about the applicant from the Google Search search service in the manner outlined in judgment C-131/12 (see paragraph 97 of the judgment). It should also be noted that according to the Journalists' instructions, the name, picture or other identifying information of a person convicted of a crime may be published, unless it is clearly unreasonable in relation to the position or act of the person convicted.<br />
<br />
To the extent that the provision of the applicant's personal data in the internet search engine is possible due to the position stated above, the issue of the temporal dimension of the permitted processing of personal data is also integrally related to the matter. In other words, how long will the public status exist so that the processing of personal data related to a criminal act is not restricted in connection with name searches on internet search engines.<br />
<br />
The interpretation guidelines of the European Data Protection Board state that the data subject can ask the operator of the internet search engine to remove from the search results those url search result links whose availability, for example due to the passage of time, cannot be considered justified at the time of review. Consequently, it must be assessed whether the information in question should be considered outdated or not updated at the time of review. For example, the question may be about information that, due to the passage of time, is considered imprecise, incorrect or outdated. The evaluation must take into account the original purposes of the processing. The evaluation should also take into account the original storage periods applicable to the information in question (see page 6 of the European Data Protection Board's interpretation instructions).<br />
<br />
In the judgments of the EU Court C-131/12, the removal of personal data (url search results) from the name-own internet search engine has been outlined. When assessing the need to delete personal data related to a public position, a weighing of interests must be carried out, which also takes into account the rights of other persons to receive information about the registrant via url search results from the Google Search search service. In the weighing of interests, an effort must be made to find a fair balance between the general public's interest in obtaining information and the registered person's fundamental rights pursuant to Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Although the rights of the data subject protected by the articles in question generally supersede the mentioned interest of internet users, according to the judgment, the balance may still depend in special cases on the nature of the data in question and their sensitivity in terms of the data subject's private life, and on the public's interest in having access to the data in question, and the latter interest may be different, among other things, on the basis of the public status of the person in question (cf. EU Court judgment C-131/12 paragraphs 73−74, 81, 97, 99 and Section 6 and Section 8 subsection 1 section 8 of the Personal Data Act).<br />
<br />
Furthermore, in the interpretation instructions of the data protection working group in accordance with Article 29, the personal data processed in connection with search engine operation is divided into both factual information (facts) and opinions/views that individuals have about something or a person. When assessing the inaccuracy/accuracy of personal data, it must be taken into account whether the issue is a fact whose correctness cannot be disputed or whether the issue is a subjective opinion or view. In the mentioned interpretation instruction, it is outlined that the data protection authorities are more likely to consider deletion of search result information that is accompanied by an objectively perceptible factual error and which therefore gives an incorrect, incomplete or misleading picture of the person (see pages 15 and 17 of the interpretation instruction of the data protection working group in accordance with Article 29).<br />
<br />
In the interpretation guide, it has also been stated that member states may have special national legislation that defines the temporal dimension of access to information about the commission of a crime. Data protection authorities may, when considering a criminal matter, take into account the relevant national principles and approaches that are generally related to the processing of such data (see page 20 of the interpretation instructions of the data protection working group in accordance with Article 29).<br />
<br />
The applicant has not denied that he was sentenced for a serious drug crime to a prison sentence of nine years and four months. The applicant has not denied that he was the subject of a wanted notice. So it is not really a question of the fact that behind the url search result links in question, there is information available about a matter concerning the applicant that is not true. However, it is significant that the target of the online content in question is the published wanted notice about the applicant - not the factors influencing the background of the wanted notice per se. The online content does not describe the applicant's crime in more detail. The applicant's act and the resulting punishment are only mentioned in passing. The main topic of the online content is the published wanted notice about the applicant.<br />
<br />
When the url search result links requested to be deleted have dealt with the applicant's crime and possibly the related punishment, the applicant's case is basically mirrored in the national special legislation that generally defines the temporal dimension of the availability of information about the commission of crimes (cf. page 20 of the interpretation instructions of the data protection working group in accordance with Article 29).<br />
<br />
As stated in the interpretation guidelines of the European Data Protection Board, the evaluation must, however, take into account the original purposes of the processing and the original storage periods applicable to the information in question (see page 6 of the interpretation guidelines of the European Data Protection Board).<br />
<br />
In the online content in question, the main subject is the wanted notice published about the applicant. It should be noted that the search warrant is no longer valid. The public no longer has a reason to inform the police of their findings concerning the applicant. It can be stated that the availability of data can no longer be considered justified due to the passage of time.<br />
<br />
As stated above, the original storage periods applicable to the information in question are also important. Section 34 of the Act on the Processing of Personal Data in Police Operations (616/2019) provides for the deletion of personal data other than those referred to in Section 33 of the Act. According to Section 34, Subsection 1, Clause 4 of the Act, other information regarding the search warrant processed for the purpose of reaching, monitoring, monitoring and protecting persons is deleted three years after the cancellation or termination of the warrant. The validity of the wanted notice published for the applicant has expired in April 2011. If the applicant's case is reflected in this retention period provision, it can be stated that the information from the wanted notice concerning the applicant is no longer socially relevant.<br />
<br />
Based on the above, I give Google LLC an order in accordance with Article 58, paragraph 2, subparagraph c of the General Data Protection Regulation to comply with the applicant's request to remove the url search result link in question.<br />
<br />
Applicable legal provisions<br />
<br />
Those mentioned in the justifications.<br />
</pre></div>Fredhttps://gdprhub.eu/index.php?title=VG_Berlin_-_1_K_187/21&diff=40516&oldid=0VG Berlin - 1 K 187/212024-03-22T13:30:19Z
<p><b>New page</b></p><div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VG Berlin<br />
|Court_Original_Name=Verwaltungsgericht Berlin<br />
|Court_English_Name=Administrative Court Berlin<br />
|Court_With_Country=VG Berlin (Germany)<br />
<br />
|Case_Number_Name=1 K 187/21<br />
|ECLI=ECLI:DE:VGBE:2024:0206.1K187.21.00<br />
<br />
|Original_Source_Name_1=Juris<br />
|Original_Source_Link_1=https://gesetze.berlin.de/bsbe/document/JURE240003073/part/L<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=06.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 15 GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR<br />
|GDPR_Article_2=Article 15(1) GDPR<br />
|GDPR_Article_Link_2=Article 15 GDPR#1<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Julia<br />
|<br />
}}<br />
<br />
The Administrative Court of Berlin held that a refusal by the controller to comply with a request for information (Art. 15 GDPR) due to the disproportionately high effort required for its fulfillment is only permissible in narrowly defined exceptional cases.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In October 2020, the data subject (plaintiff) requested information regarding his personal data stored by the data controller (defendant) and requested copies of all records containing this data. In a letter from November 2020, the controller provided the data subject with information regarding the personal data stored in their IT systems, the categories of this data, and the recipients of this data to whom the controller had disclosed it.<br />
<br />
After receiving the controller's letter, the data subject argued that the information provided was incomplete as it only listed his so-called master data ('Stammdaten'), whereas he asserted a right to receive copies of all documents held by the data controller in which his personal data is listed. He additionally demanded that the controller delete all of his personal data. The data controller was of the opinion that the information provided in response to the data subject's request was complete.<br />
<br />
Subsequently, the data subject claimed that under the GDPR he is entitled to receive copies of all documents held by the defendant containing his personal data. On March 15, 2021, the data subject filed a lawsuit against the controller.<br />
<br />
=== Holding ===<br />
In the judgment, the court highlighted that the purpose of the right to information under Article 15(1) of the GDPR, as indicated, among other places, in Recital 63 of the GDPR, is to enable data subjects to be aware of the processing of their personal data, thereby allowing them to subsequently verify not only the accuracy of this data but also the legality of its processing. Therefore, the court agreed with the data subject that a mere abstract overview of the processed data is not sufficient for a legality check, as was the case here, where the data subject only received information covering the master data stored in the data controller's IT systems. Rather, in order to be able to verify the legality of data processing in each individual case, the court held that it is necessary to provide specific information on the context in which the data was processed.<br />
<br />
The court acknowledged that responding to Art. 15(1) GDPR requests involves substantial effort for controllers. However, due to the importance of the - generally unconditional - right to information under [[Article 15 GDPR#1|Article 15(1) GDPR]], a refusal by the controller to comply with a request for information due to the disproportionately high effort required for its fulfillment is only permissible in narrowly defined exceptional cases. The court held that this might occur in cases of an obviously significant disparity between the efforts required to fulfill the right to information and the information interest of the data subject.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
</pre></div>Julia kraemer