Persónuvernd (Iceland) - nr. 2020123070: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo=LogoIS.png |DPA_Abbrevation=Persónuvernd (Iceland) |DPA_With_Country=Persónuvernd (Iceland) |Case_Number_Nam...") |
No edit summary |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 48: | Line 48: | ||
}} | }} | ||
The Icelandic DPA | The Icelandic DPA rejected a data subject's claim that their employer failed to comply with an access request they made, because of a lack of evidence of a breach and the fact that labour law should be applied instead of data protection law. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
In 2017, an employee (the Complainant) had been subject to a formal reprimand by his employer (the Company), but had allegedly not been informed about it. Two years later, after being subject to a second reprimand, the Complainant learned about the first formal reprimand against him, and orally requested the Company to | In 2017, an employee (the Complainant) had been subject to a formal reprimand by his employer (the Company), but had allegedly not been informed about it. Two years later, after being subject to a second reprimand, the Complainant learned about the first formal reprimand against him, and orally requested the Company to provide him with a written copy of it. The Company, however, did not provide him with a written copy of the first reprimand. | ||
In that context, the Complainant filed a complaint with the Icelandic DPA against the Company, arguing that the Company had never provided him with a copy of the first formal reprimand against him, despite his (alleged) oral request. The Complainant considered in particular that the Company had acted in violation of the principle of transparency and fairness set in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], and of his right to access set in [[Article 15 GDPR|Article 15 GDPR]]. | |||
In the course of the proceedings, the Company argued that the Complainant had never personally requested a copy of the reprimand, but that his union had done so in January 2021. The Company further explained to the Icelandic DPA that it had complied with that request on the same day, providing as evidence a copy of the e-mail communication between the Company and the union. | |||
=== Holding === | === Holding === | ||
Regarding the potential violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], the Icelandic DPA considered that the question whether the Company should have more diligently informed the Complainant about the first reprimand was a matter of labour law rather than a matter of data protection law. Hence, the Icelandic DPA declared itself incompetent to assess whether the (absence of) communication of the first reprimand to the Complainant was violating the principle of transparency and fairness. | Regarding the potential violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], the Icelandic DPA considered that the question whether the Company should have more diligently informed the Complainant about the first reprimand was a matter of labour law rather than a matter of data protection law. Hence, the Icelandic DPA declared itself incompetent to assess whether the (absence of) communication of the first reprimand to the Complainant was violating the principle of transparency and fairness. | ||
Regarding the potential violation of [[Article 15 GDPR|Article 15 GDPR]], the Icelandic DPA noted that the Company was disputing the fact that the Complainant had ever submitted an oral request for receiving a written copy of the first reprimand. The Complainant, for his part, was unable to demonstrate that such oral request was ever made. In view of the situation (i.e. the Complaint's word against the Company's word), the Icelandic DPA decided that it was not in a | Regarding the potential violation of [[Article 15 GDPR|Article 15 GDPR]], the Icelandic DPA noted that the Company was disputing the fact that the Complainant had ever submitted an oral request for receiving a written copy of the first reprimand. The Complainant, for his part, was unable to demonstrate that such oral request was ever made. In view of the situation (i.e. the Complaint's word against the Company's word), the Icelandic DPA decided that it was not in a position to appreciate whether there had been a violation of [[Article 15 GDPR|Article 15 GDPR]] on the part of the Company. | ||
As a result, the Icelandic DPA did not find any violation of the applicable data protection law and closed the case. | As a result, the Icelandic DPA did not find any violation of the applicable data protection law and closed the case. |
Latest revision as of 13:11, 22 December 2021
Persónuvernd (Iceland) - nr. 2020123070 | |
---|---|
Authority: | Persónuvernd (Iceland) |
Jurisdiction: | Iceland |
Relevant Law: | Article 15 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 26.11.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | nr. 2020123070 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Icelandic |
Original Source: | Icelandic DPA (in IS) |
Initial Contributor: | Florence D'Ath |
The Icelandic DPA rejected a data subject's claim that their employer failed to comply with an access request they made, because of a lack of evidence of a breach and the fact that labour law should be applied instead of data protection law.
English Summary
Facts
In 2017, an employee (the Complainant) had been subject to a formal reprimand by his employer (the Company), but had allegedly not been informed about it. Two years later, after being subject to a second reprimand, the Complainant learned about the first formal reprimand against him, and orally requested the Company to provide him with a written copy of it. The Company, however, did not provide him with a written copy of the first reprimand.
In that context, the Complainant filed a complaint with the Icelandic DPA against the Company, arguing that the Company had never provided him with a copy of the first formal reprimand against him, despite his (alleged) oral request. The Complainant considered in particular that the Company had acted in violation of the principle of transparency and fairness set in Article 5(1)(a) GDPR, and of his right to access set in Article 15 GDPR.
In the course of the proceedings, the Company argued that the Complainant had never personally requested a copy of the reprimand, but that his union had done so in January 2021. The Company further explained to the Icelandic DPA that it had complied with that request on the same day, providing as evidence a copy of the e-mail communication between the Company and the union.
Holding
Regarding the potential violation of Article 5(1)(a) GDPR, the Icelandic DPA considered that the question whether the Company should have more diligently informed the Complainant about the first reprimand was a matter of labour law rather than a matter of data protection law. Hence, the Icelandic DPA declared itself incompetent to assess whether the (absence of) communication of the first reprimand to the Complainant was violating the principle of transparency and fairness.
Regarding the potential violation of Article 15 GDPR, the Icelandic DPA noted that the Company was disputing the fact that the Complainant had ever submitted an oral request for receiving a written copy of the first reprimand. The Complainant, for his part, was unable to demonstrate that such oral request was ever made. In view of the situation (i.e. the Complaint's word against the Company's word), the Icelandic DPA decided that it was not in a position to appreciate whether there had been a violation of Article 15 GDPR on the part of the Company.
As a result, the Icelandic DPA did not find any violation of the applicable data protection law and closed the case.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Individuals FAQ complete FAQ electronic monitoring general privacy right to be forgotten right to information about their genotype What is processing? A new privacy legislation 2018Almennt the new legislation other interesting stuff educational booklet: Privacy children's booklet: Private youth booklet: public companies and administration asked and answered all the questions and answers electronic monitoring general privacy access right controllers, processors and vinnslusamningarÁbyrgðarskyldaVinnsluskrárNý Privacy legislation 2018FræðsluefniLög and reglurLög privacy rules and regulations other sacrificed rules and guidelines operating international and European law Solutions Solutions Reviews Licensing Various letters Privacy function Privacy News Mega political process personal data my campaign? How to process personal data in election campaigns? Staff and management for media requests for promotional events policy and gi ldiAnnual Reports201620152014201320122011201020092008200720062005200420032002200120001999Other ContentPrivacy PolicyLegal DisclaimerAccessibilityService DeskTwitterEnglishDecisions in EnglishContactLearningTo reportTopic Enter keywords SolutionsReviewsLicensingMiscellaneous letters Search for solutions Year from: Year to: Search No take a position on a complaint regarding access to personal information - complaint above lack of reprimand information dismissed Case no. 2020123070 26.11.2021 Privacy received a complaint about processing of a company at the request of an individual who had worked for the company for access to a reprimand that should have been given to him. In addition, it was complained about that the employee had not received information about the reprimand until about two years after it was supposed to have been granted. Privacy dismissed that part of the complaint that the employee had not been notified the reprimand, in view of the fact that there were issues of employment law that were not fell within the scope of the Privacy Act and the authority of the agency.Where the employee and the company did not agree on whether the complainant had made an oral request for access to their personal information or not, the Data Protection Authority did not consider itself to have grounds to take a position on whether the complainant's rights have been violated in this respect. Ruling On November 11, 2021, the Data Protection Authority announced the following ruling in case no. 2020123070: I. Proceedings On December 14, 2020, the Data Protection Authority received complaint [A] (hereinafter referred to as the complainant) which related to it that [X] had not shown him or provided him a copy of a written reprimand that the company had given him in 2017, to in accordance with his request.By letter, dated. June 10, 2021, informed Privacy [X] on the complaint and granted the company opportunity to comment on it. Answered was on behalf of the company's lawyer by letter dated. 22. s.m. In the letter comes among other things, stated that the complainant had never requested a copy of the reprimand but that was what his union did on January 14, 2021 and the company complied with that request on the same day. The letter was accompanied by a copy e-mail communication between the company and the union to confirm this. By letter dated June 26, 2021, var the complainant invited to comment on answers [X]. The complainant replied by letter dated July 15, s.á. The letter states, among other things, that the complainant had on 11 March 2020 presented his request orally, following another reprimand to him had been granted on the same day. The letter also states that the complaint concerns in particular that the complainant had first been informed of the warning from 2017 more than two years after it was supposed to have been granted and to the complainant considers that it is contrary to the principle of privacy law on transparency and fairness in the processing of personal information.II.Conclusion The Data Protection Authority considers that this must be considered This case concerns, first of all, the fact that the complainant did not receive information on a written reprimand that should have been given to him in 2017 by [X]. At that time were in force Act no. 77/2000 on personal protection and handling of personal information that applied to any electronic processing of personal data and manual processing personal information were or were to become part of a register, cf. Paragraph 1 Article 3 of the Act.In the opinion of the Data Protection Authority should be proposed grounds that this subject of the complaint is in fact related to whether the complainant has has been given a reprimand by [X] and is in that respect an issue of labor law, but does not protect sources employer to record personal information about its employees. Privacy points out that the publication of the reminder may have significance in terms of value its resolution, but resolution on that issue does not fall under Privacy. Like the complaint is presented, it will not be seen that it concerns processing personal information that fell within the scope of Act no. 77/2000 as it was delimited in the first paragraph. Article 3 their. As a result, its solution falls outside jurisdiction of the Data Protection Authority according to para. Article 37 of the Act, cf. now the second paragraph. 39. gr. Act no. 90/2018, and should accordingly dismiss this issue. This case concerns, secondly, the statement complainant that [X] had not complied with his request for access to the reprimand in question as he claims to have presented on 11 March 2020. Act no. 90/2018, on personal protection and the processing of personal information, which prescribes rights registered individuals for access to their own personal information from guarantors, cf. Paragraph 2 Article 17 of them, cf. also Article 15. of the Regulation (EU) 206/679 which was implemented by law. The right of access includes to obtain a copy of the personal information held by the responsible party processing, cf. Paragraph 3 of the Regulation. The party shall discuss whether the complainant has on 11 March 2020 submitted a request for access to the reprimand in question, but according to the complainant, the request was made orally. According to it stands a word against word on this point. The Data Protection Authority therefore has no grounds to take a position on whether [X] has violated the complainant's right of access according to Act no. 90/2018 and Regulation (EU) 2016/679. Then it will not be seen that it is possible to investigate it further with the remedies that the Data Protection Authority has by law, or that there is reason to do so that the agency exercise the powers conferred on it by law to investigate it further. In this connection, however, the Data Protection Authority points out that According to the case file, the complainant has now received a copy of the reprimand in question from [X]. for use of his trade union the part of [A]'s complaint that [X] did not notify him of a written reprimand given to him in 2017.Not lying for [X] having violated [A]'s right to access the reprimand in question according to Act no. 90/2018 um privacy and processing of personal data and Regulation (EU) 2016/679. Helga Þórisdóttir Helga Sigríður Þórhallsdóttir Privacy PolicyLegal DisclaimerAccessibilityService DeskTwitter