Persónuvernd - 2020010373: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo=LogoIS.png |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Iceland) |Case_Number_Name=20200103...") |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 23: | Line 23: | ||
|Currency= | |Currency= | ||
|GDPR_Article_2=Article 5(1)(f) GDPR | |GDPR_Article_2=Article 5(1)(f) GDPR | ||
|GDPR_Article_Link_2=Article 5 GDPR#1f | |GDPR_Article_Link_2=Article 5 GDPR#1f | ||
Line 60: | Line 58: | ||
The Personuvernd (Icelandic DPA) stated in an opinion that exchanges of personal data of foreign prisoners between state agencies (in this case, between the Immigration Office and the Prison and Probation Service) was permissible, provided that the exchange is necessary for the agencies to carry out their legal obligations and that the agencies ensured a sufficient level of security of the data preventing any unauthorised access. | The Personuvernd (Icelandic DPA) stated in an opinion that exchanges of personal data of foreign prisoners between state agencies (in this case, between the Immigration Office and the Prison and Probation Service) was permissible, provided that the exchange is necessary for the agencies to carry out their legal obligations and that the agencies ensured a sufficient level of security of the data preventing any unauthorised access. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
The Prison and Probation Service requested an opinion on the data protection implications of processing foreign prisoners' personal data after it requested that the Immigration Office provide it with the criminal history and prison records of "foreigners" sentenced in Iceland. | The Prison and Probation Service requested an opinion on the data protection implications of processing foreign prisoners' personal data after it requested that the Immigration Office provide it with the criminal history and prison records of "foreigners" sentenced in Iceland. | ||
=== Dispute === | ===Dispute=== | ||
Does the GDPR permit the exchange of the personal data of foreign prisoners between state agencies? | Does the GDPR permit the exchange of the personal data of foreign prisoners between state agencies? | ||
=== Holding === | ===Holding=== | ||
The Icelandic DPA was of the opinion that the exchange was GDPR compliant, so long as: | The Icelandic DPA was of the opinion that the exchange was GDPR compliant, so long as: | ||
- Article 5(1)(c) was upheld, ie the purpose for the processing was limited to allowing the Prison Service to facilitate probation for foreign prisoners and grant penalties for out of prison sentences, or to permit the Immigration Service to expel foreign nationals; | - Article 5(1)(c) was upheld, ie the purpose for the processing was limited to allowing the Prison Service to facilitate probation for foreign prisoners and grant penalties for out of prison sentences, or to permit the Immigration Service to expel foreign nationals; | ||
-the legal basis for the processing was Article 6(1)(c), ie the exchange of data was necessary for the agencies to fulfil their legal obligations; | -the legal basis for the processing was Article 6(1)(c), ie the exchange of data was necessary for the agencies to fulfil their legal obligations; | ||
-when either agency was acting as the controller, they had to fulfil their obligations as controllers under Article 32 GDPR, in particular "preventing unauthorized access in a safe and adequate manner in the dissemination and processing of such data." | -when either agency was acting as the controller, they had to fulfil their obligations as controllers under Article 32 GDPR, in particular "preventing unauthorized access in a safe and adequate manner in the dissemination and processing of such data." | ||
== Comment == | ==Comment== | ||
The Icelandic DPA was of the opinion that the the prison service and the immigration office were the controllers at different stages of the exchange; the immigration office was the controller when they sent information to the prison service, and vice versa. | The Icelandic DPA was of the opinion that the the prison service and the immigration office were the controllers at different stages of the exchange; the immigration office was the controller when they sent information to the prison service, and vice versa. | ||
It is also interesting to note that Article 6(1)(c) was considered to be the appropriate legal basis, rather than Article 6(1)(e), which permits processing necessary for the public interest or the exercise of official authority. | It is also interesting to note that Article 6(1)(c) was considered to be the appropriate legal basis, rather than Article 6(1)(e), which permits processing necessary for the public interest or the exercise of official authority. | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details. | The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details. | ||
Latest revision as of 10:37, 2 July 2020
Persónuvernd - 2020010373 | |
---|---|
Authority: | Persónuvernd (Iceland) |
Jurisdiction: | Iceland |
Relevant Law: | Article 5(1)(f) GDPR Article 6(1)(c) GDPR Article 10 GDPR Article 32 GDPR Article 9.3 Act 90/2018 on Privacy and Processing of Personal Information |
Type: | Advisory Opinion |
Outcome: | n/a |
Started: | |
Decided: | 04.06.2020 |
Published: | 26.06.2020 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 2020010373 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Icelandic |
Original Source: | Personuvernd (in IS) |
Initial Contributor: | n/a |
The Personuvernd (Icelandic DPA) stated in an opinion that exchanges of personal data of foreign prisoners between state agencies (in this case, between the Immigration Office and the Prison and Probation Service) was permissible, provided that the exchange is necessary for the agencies to carry out their legal obligations and that the agencies ensured a sufficient level of security of the data preventing any unauthorised access.
English Summary
Facts
The Prison and Probation Service requested an opinion on the data protection implications of processing foreign prisoners' personal data after it requested that the Immigration Office provide it with the criminal history and prison records of "foreigners" sentenced in Iceland.
Dispute
Does the GDPR permit the exchange of the personal data of foreign prisoners between state agencies?
Holding
The Icelandic DPA was of the opinion that the exchange was GDPR compliant, so long as:
- Article 5(1)(c) was upheld, ie the purpose for the processing was limited to allowing the Prison Service to facilitate probation for foreign prisoners and grant penalties for out of prison sentences, or to permit the Immigration Service to expel foreign nationals;
-the legal basis for the processing was Article 6(1)(c), ie the exchange of data was necessary for the agencies to fulfil their legal obligations;
-when either agency was acting as the controller, they had to fulfil their obligations as controllers under Article 32 GDPR, in particular "preventing unauthorized access in a safe and adequate manner in the dissemination and processing of such data."
Comment
The Icelandic DPA was of the opinion that the the prison service and the immigration office were the controllers at different stages of the exchange; the immigration office was the controller when they sent information to the prison service, and vice versa.
It is also interesting to note that Article 6(1)(c) was considered to be the appropriate legal basis, rather than Article 6(1)(e), which permits processing necessary for the public interest or the exercise of official authority.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Opinion on the Mutual Dissemination of Personal Information by the Prison and Immigration Institutions Case no. 2020010373 06/26/2020 At the request of the Prison and Probation Service, the Data Protection Authority has given its opinion on the mutual dissemination of the Agency's personal information and the Immigration Office. This is, on the one hand, the transfer of personal information of the Immigration Office to the Prison and Probation Administration, with the purpose of providing the latter with foreign prisoners with probation or permission to serve sentences outside prison. On the other hand, it is the dissemination of personal information of the Prison and Probation Administration to the Directorate of Immigration, for the purpose of the Immigration Office being able, subject to certain conditions, to expel foreign nationals on the basis of the provisions of the Act on Foreigners. The Data Protection Authority considers that agencies may disseminate personal information in the aforementioned manner, provided that they are necessary for the agencies to carry out their statutory obligations. The dissemination and processing of personal data requires that the security of personal data is ensured and that the institutions prevent unauthorized access in a safe and sufficient manner. opinion On June 4, 2020, the Data Protection Authority adopted a concluding opinion in case no. 2018050832: I. procedures 1. Case recommendations Privacy refers to the Prison Administration's case, dated. February 28, 2018, requesting an opinion from the Data Protection Authority on the dissemination of personal information about foreign prisoners between the Prison and Probation Service. The paper refers to the letter from the Directorate of Immigration, dated. February 9, 2018, including It is stated that the Prison and Probation Administration has requested support from the Directorate of Immigration for its request that the Prison and Probation Administration provide the Directorate of Immigration with information on the criminal history and imprisonment of foreigners who have been sentenced in Iceland. The Prison Administration's case also states that the Agency also needs information from the Directorate of Immigration in order to provide the prisoners with probation or to allow them to be sent out of prison subject to certain conditions. The Prison and Probation Service's case was accompanied by the Immigration Service's reasoning for a request for the personal information in question. 1.1. Rationale for the Immigration Office for a request for the transfer of personal information from the Prison and Probation Administration The aforementioned letter from the Directorate of Immigration includes: referred to in Article 95. of the Foreigners Act no. 80/2016 (Aliens Act) and in particular, Paragraph 5 of Art. the provision on the decision of the Directorate of Immigration regarding the expulsion of EEA and EFTA citizens. The letter from the Directorate of Immigration is also discussed. 98-100. Article. Foreigners Act, all of which are provisions concerning the authority or obligation of the Immigration Office to expel a foreigner, with or without a residence permit, subject to certain conditions. Furthermore, it is stated that the Directorate of Immigration has also requested information from the Prison and Probation Administration as soon as possible, on judgments concerning archival cases, cf. 155. and 157. of the Criminal Code no. 19/1940, because of the short term of imprisonment of foreigners as a rule and the short time that the Directorate of Immigration gives them for the handling of an expulsion case, m.t. for a 15 day time limit, cf. Article 7 of the Aliens Act, must have passed before an expulsion may be carried out. In light of the above it is clear that it is necessary for the Immigration Office to obtain information on the alien's criminal history, about his judgment and about the imprisonment of imprisonment, among other things. information on the length of detention, when the detention begins and where, but also whether and when the person has previously served a detention in Iceland and anything else that is considered necessary for the Agency to investigate and make decisions on cases of deportation. It also states that the Immigration Act does not contain provisions concerning the processing of foreigners' personal information at the Prison and Probation Administration, the coordination of information between the Prison and Probation Service or information sharing between the two agencies. In the second sentence. Paragraph 1 Article 17 a foreigner law, which deals with the processing of personal data, states that insofar as the foreign law does not otherwise provide for the provisions of the Data Protection and Processing of Personal Data Act. 1.2. Reasons for the Prison and Probation Administration for requesting the transfer of personal information from the Immigration Office By email on June 12, 2018, the Data Protection Authority requested information from the Prison and Probation Administration, among others. on what authority the Agency considered itself to be able to base the processing of personal data that it requested from the Immigration Office and, furthermore, what legal obligations the Agency considered to be in compliance with the processing. In response from the Prison and Probation Administration, which received 13 p.m. comes i.a. stated that in order for the Prison and Probation Administration to fulfill its statutory role as provided for in the third paragraph. Article 80 Act no. 15/2016 on enforcement of penalties, which allows detainees to be granted a probationary sentence when half the sentence is over if the Immigration Service's decision to expel prisoners has been deported after imprisonment, the Agency must obtain information from the Immigration Office on the decision. On the same day, the Data Protection Authority received additional information from the previous letters from the Prison and Probation Service, stating that the agency also needed information from the Immigration Office for foreign prisoners who were granted permission to serve outside the prison walls if they met certain conditions and therefore needed to know conditions, cf. Paragraph 1 Article 31 Act no. 15/2016. II. Assumptions and conclusion 1. Applicable law This case is due to an opinion request received by Privacy on 28 February 2018, ie. in the validity of the previous Act no. 77/2000, on privacy and the handling of personal data, but relates to the sharing of personal information between the Immigration Office and the Prison and Probation Administration which is still being used. Act no. 77/2000 were resolved by Act no. 90/2018, on Privacy and Processing of Personal Data, which entered into force on 15 July 2018. They also enacted Regulation (EU) 2016/679 on Privacy, as amended and incorporated into the EEA Agreement. No material changes were made with Act no. 90/2018 on the rules that apply to the issue at issue here, and therefore the discussion and content of this opinion is based on the provisions of the new Act, no. 90/2018. However, attention is drawn to the fact that in current Act no. 90/2018 more stringent requirements are made for the data security guarantor. 2. Scope - Guarantee Case delimitation Scope of Act no. 90/2018, on privacy and processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of methods other than automatic processing of personal data that is or should become part of a file. Personal information includes information about a person or person who is personally identifiable and can be considered as personally identifiable if he or she can be directly or indirectly identified by reference to his or her identity or one or more of the characteristics characteristic of him, cf. Item 2 Article 3 of the Act and Paragraph 1. Article 4 Regulation. Processing means an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. Item 4 Article 3 of the Act and Paragraph 2. Article 4 Regulation. This case concerns the dissemination of personal information about foreign prisoners between the Prison and Probation Service. Respectfully, and with due regard to the above provisions, this matter concerns the processing of personal information that falls under the sphere of privacy. The person responsible for processing personal data complies with Act no. 90/2018 is named as the guarantor. According to paragraph 6. Article 3 the Act refers to an individual, legal entity, governmental authority or other party who decides alone or in collaboration with other purposes and methods for processing personal information, cf. Item 7 Article 4 Regulation. As is the case here, the Prison and Probation Administration is considered responsible for the processing of personal information in their dissemination to the Directorate of Immigration, while the Directorate of Immigration is considered to be the guarantor for the processing of personal information in their dissemination to the Prison and Probation Administration. 3. Legality of processing 3.1 Authorization for processing and principles of Act no. 90/2018 As stated in the comments with the bill that became Act no. 90/2018, on Privacy and Processing of Personal Information, the new law changed that information on whether a person was suspected, charged, charged or convicted of a criminal offense is no longer considered as sensitive personal information. General processing powers Article 9 Act no. 90/2018 therefore applies as a lasting one, however, certain rules apply to the processing of personal information relating to criminal convictions and criminal offenses, cf. Article 10 Regulation (EU) 2016/679 (the Regulation) and Article 12. Act no. 90/2018. All processing of personal data must, therefore, be subject to any of the provisions of Article 9. Act no. 90/2018, cf. Paragraph 5 Article 12 same law. It may be mentioned that personal data may be processed if it is necessary to fulfill the legal obligation that rests with the responsible party, cf. Point 3 Article 9 Act. In the first paragraph. Article 12 Act no. 90/2018, cf. Article 10 of the Regulation, states that the government may not process information on criminal conduct unless it is necessary for the benefit of their statutory tasks. Then says in paragraph 2 Article 12 the same Act on information according to Art. Paragraph 1 may not disseminate unless the disclosure is necessary in the interests of the statutory tasks of the authority concerned or in order to make an administrative decision. 3.2 Security of personal data processing All processing of personal data must also comply with the principles of para. Article 8 Act no. 90/2018, cf. Article 5 Regulation (EU) 2016/679. Among other things, it provides that personal information must be sufficient, relevant and not in excess of what is necessary for the purpose of the processing (point 3) and that it should be processed in such a way as to ensure the appropriate security of the personal data (point 6). ). Information security means, among other things, that personal information is kept secret from unauthorized persons but that it is also accessible to those who need it. Security provisions are in Articles 23, 24 and 27. Act no. 90/2018, according to which the guarantor shall take appropriate technical and organizational security measures to protect personal information taking into account the nature, scope, context and purpose of the processing and the risks to the rights and freedoms of registered persons. Among those who may need to be considered in this regard is whether the guarantor is bound by a duty of confidentiality or falls under similar rules, but this applies to employees of prison institutions, cf. Article 12 Act no. 15/2016 and paragraph 2. Article 57 Local Government Act no. 138/2011. It can also be considered whether data is of the nature to ensure proof of receipt. When assessing whether an authority to process personal data exists, and whether compliance with, inter alia, the aforementioned basic requirements according to par. Article 8 of the Act, may, as appropriate, have to look into the provisions of other laws. As is the case here, on the one hand, try on 98.-100. gr., cf. Article 95 Act no. 80/2016 on foreigners, and on the other hand tries on par. Article 31 and paragraph 3. Article 80 Act no. 15/2016 on enforcement of penalties. 3.3 Authorization to disseminate personal information from the Prison and Probation Administration to the Directorate of Immigration According to Art. Act no. 80/2016, the Directorate of Immigration may expel EEA or EFTA nationals or their relatives from abroad if this is necessary by invoking public policy, public security or public health. In the second paragraph. the same provision states that the expulsion according to Art. Paragraph 1 may decide whether the conduct of the person constitutes a genuine, imminent and sufficiently serious threat to the fundamental interests of society. The decision to expel should not be based solely on general prevention criteria. If the person has been sentenced to punishment or special measures are determined, the expulsion for this reason is permitted only because there is a conduct which may indicate that the person will again commit a punishable offense. Previous criminal offenses alone are not sufficient to expel them. Paragraph 5 of Art. 95 gr. that the Directorate of Immigration must make a decision on expulsion based on the above provisions. According to 98.-100. Article. the Immigration Act may or may be expelled by the Immigration Office if it has been sentenced in Iceland for punishment or for subjecting security measures to conduct that may involve imprisonment for a certain period or for a number of times, but different rules apply depending on whether the alien is in residence. , an indefinite residence permit or without a residence permit. Decision of the Directorate of Immigration based on Art. or 98.-100. Article. The Aliens Act, on the expulsion of foreign nationals from Iceland, shall be considered an administrative decision according to Art. Paragraph 2 Article 1 Administrative Law no. 37/1993. From the above provisions, it can be assumed that when making decisions by the Immigration Office on whether the expatriate should not be expelled, information about whether and then what kind of residence permit a foreigner has made is important, but also about his criminal history, ie. information on the sentence he receives and on the imprisonment of prison sentences, including the length of the detention, when the detention begins and where, and whether the person concerned has previously served a detention in Iceland and otherwise, the violation process of individuals is complied with so that the rule of administrative law is complied with, cf. Article 10 Administrative Law no. 37/1993. 3.4 Authorization to disseminate personal information from the Immigration Office to the Prison and Probation Administration The Prison and Probation Administration is given the power of decision in matters concerning the rights and obligations of prisoners, such as when a prisoner is given probation when half the sentence is over, including when there is already a decision by the Immigration Office that prisoners be deported after their imprisonment, cf. Paragraph 3 Article 80 Act no. 15/2016 on enforcement of penalties. Such decisions by the Prison and Probation Administration are administrative decisions within the meaning of paragraph 2. Article 1 Administrative Law no. 37/1993. The Prison and Probation Administration also decides whether foreign prisoners should be allowed to serve part of the prison term outside prison, provided that he is engaged in work, study, vocational training or treatment approved by the Prison and Probation Administration, cf. Paragraph 1 Article 31 Act no. 15/2016 on enforcement of penalties. From the foregoing, it may be presumed that the Prison and Probation Administration can perform its statutory role of providing probation to foreign prisoners under the conditions of the Act or, if appropriate, to serve part of the prison sentence, subject to certain conditions, as required by the prison. information from the Directorate of Immigration regarding some of the conditions set out in the provisions of par. Article 80 and paragraph 1. Article 31 Act no. 15/2016. 4. Conclusion With reference to the foregoing, it is the opinion of the Data Protection Authority that the transfer of personal information of the Immigration Office to the Prison and Probation Administration, with the aim of providing the latter with criminal justice probation on the basis of paragraph 3. Article 80 Act no. 15/2016 on the enforcement of penalties or that the agency grants penalties for out-of-prison sentences on the basis of the first paragraph. Article 31 the same Act, may rely on the authority in paragraph 3. Article 9 Act no. 90/2018 on privacy and processing of personal information. It is also the opinion of the Data Protection Authority that the transfer of personal information from the Prison and Probation Administration to the Directorate of Immigration for the purpose of the Immigration Office being able to expel foreign nationals on the basis of Article 95. and 98-100. Article. of the Foreigners Act no. 80/2016, can use the authority in point 3. Article 9 Act no. 90/2018 on privacy and processing of personal information. In accordance with this conclusion, and with reference to Articles 23, 24. and paragraph 1. Article 27 Act no. 90/2018 and Article 32. The Regulation emphasizes the importance of the guarantor ensuring the security of personal information and preventing unauthorized access in a safe and adequate manner in the dissemination and processing of such data. The processing of this case has been delayed because of the great concern of the Data Protection Authority. Á l i t s o rð Disclosure by the Prison and Probation Administration of the personal information of foreign prisoners to the Immigration Office for expulsion cases, based on the provisions of Article 95. or 98.-100. Article. Act no. 80/2016 and the Immigration Office's dissemination of the personal information of foreign prisoners for probation or the detention of foreigners outside prison, based on the third paragraph of Art. Article 80 of the Act or Paragraph 1 of Art. Article 31 no. 15/2016, complies with Act no. 90/2018, on privacy and processing of personal information. In Privacy, June 4, 2020 Helga Þórisdóttir Vigdís Eva Líndal