AZOP (Croatia) - Decision 14-09-2023: Difference between revisions
No edit summary Tags: Manual revert Reverted Visual edit |
m (Lwr moved page AZOP (Croatia) - Decision 14-9-2023 to AZOP (Croatia) - Decision 24-01-2022) |
Revision as of 13:37, 23 October 2023
AZOP - / | |
---|---|
Authority: | AZOP (Croatia) |
Jurisdiction: | Croatia |
Relevant Law: | Article 4 GDPR Article 5 GDPR Article 6 GDPR Postal Service Act |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 24.01.2022 |
Published: | 24.01.2022 |
Fine: | n/a |
Parties: | Center for Social Welfare |
National Case Number/Name: | / |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Croatian |
Original Source: | AZOP (in HR) |
Initial Contributor: | Karlo Paljug |
The DPA rejected complaint of the data subject who had stated that his rights were violated because data controller sent compensation via postal service.
English Summary
Facts
The DPA received a request for determination of violation of the right in which data subject states that the Center for Social Welfare brought Decision by which the data subject is recognized with a guaranteed minimum of compensation. In this regard, the data subject points out how his compensation for the September was not paid through a current account, but the employee of the Croatian Post has brought him compensation. On that occasion employee asked him for his ID card. Therefore, the data subject considers that data controller disclosed his personal data about him as a user of the social benefit without his authorization.
Holding
The DPA rejected the complaint.
It emphasized that the right to protection of personal data is not absolute right, and it should be considered in relation to its function in society and harmonized with other fundamental rights in accordance with the principle of proportionality. Also, DPA noted that Postal Service Act prescribe the conditions for performance of its services. In connection, GTC of Croatian Post prescribe in article 47 that the sender, receiver or other authorized person proves his identity, between among other things, with an identity card, and the type and number of the identification document that established the identity it is entered in the corresponding place of the postal document.
Namely, in the specific case there was a legitimate purpose and legal basis from Articles 5 and 6 of the GDPR for forwarding certain personal data to Croatian Post.
DPA pointed out that the method of delivery/payment of the user's minimum fee is not in jurisdiction of this Agency, but it is the decision of the data controller himself in accordance with the special regulation.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
1 REPUBLIC OF CROATIA PROTECTION AGENCY PERSONAL DATA CLASS: NUMBER: Zagreb, January 24, 2022. Personal Data Protection Agency, OIB: 28454963989 based on Article 57 paragraph 1 and Article 58 paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data data and repealing Directive 95/46/EC (hereinafter referred to as the General Protection Regulation data) SL EU 119, Article 34 of the Law on the Implementation of the General Regulation on Data Protection ("People's novine" no. 42/18) and Article 96 of the Act on General Administrative Procedure ("Narodne novine" no. 47/09 and 110/21), and regarding the request to determine the violation of the right to the protection of personal data x yields the following SOLUTION Request x to establish a violation of the right to personal data protection is rejected as ungrounded. Form layout The Agency for the Protection of Personal Data (hereinafter: the Agency) received a request for determination of violation of the right to protection of personal data x (hereinafter: the applicant) in which he states that the Center for Social Welfare y (hereinafter referred to as the processing manager) brought Decision, CLASS..., NUMBER: ... by which the applicant is recognized with a guaranteed minimum compensation and in which it is determined that the same will be paid to the applicant as a beneficiary on a monthly basis, through the competent center for social welfare to a current account. In this regard, the applicant points out how his compensation for the month of September was not paid through a current account, but through the company of Croatia pošte d.d. and points out that an employee of the said company visited him when he arrived at his home address, asked for an identity card and the signing of the receipt. Therefore, the applicant considers it as it is the processing manager disclosed personal data about him as a user of the Social Center without authorization care and society Hrvatska pošta d.d. 2 Along with his request, the applicant submitted the Decision of the Center for Social Welfare y, CLASS: .., NUMBER: ... from ... year; Decision of the Center for Social Welfare y, CLASS: .., NUMBER: .. of ... years; Complaint sent to the Center for Social Welfare y and the response from the Center for Social Welfare y, CLASS: .., NUMBER: .... years. The request is not founded. First of all, it should be noted that from May 25, 2018, in the Republic of In Croatia, Regulation (EU) 2016/679 of the European Parliament is directly and bindingly applied of the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and on free movement of such data and repealing Directive 95/46/EC (General data protection regulation) SL EU L119. The General Data Protection Regulation in Article 4, Paragraph 1, Point 1 stipulates that they are personal data all data relating to an individual whose identity has been determined or can be determined, a an individual whose identity can be established is a person who can be identified directly or indirectly, especially with the help of identifiers such as name, identification number, information about location, network identifier or with the help of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Pursuant to Article 5 of the General Data Protection Regulation, personal data must be: (a) lawfully, fairly and transparently processed with respect to the data subject ("lawfulness, fairness, transparency"); (b) collected for specific, express and lawful purposes and may not be further process in a way that is inconsistent with those purposes ("purpose limitation"); (c) appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("reduction amount of data"); (d) accurate and as necessary up-to-date; every reasonable measure must be taken in order to ensure that personal data that are not accurate, taking into account the purposes for which process, delete or correct without delay ("accuracy"); (e) stored in a form that enables identification of the respondent only for as long as is necessary for the purposes for which it is personal data processing ("storage limitation"); (f) processed in the manner in which it is secured adequate security of personal data, including protection against unauthorized or illegal access processing and from accidental loss, destruction or damage by applying appropriate technical or organizational measures ("integrity and confidentiality"). Furthermore, in accordance with Article 6 of the General Data Protection Regulation, processing is only lawful if and to the extent that at least one of the following is met: (a) the subject has given consent to process your personal data for one or more specific purposes; (b) processing is necessary for execution of a contract to which the respondent is a party or to take action upon request of the respondent before the conclusion of the contract; (c) processing is necessary to comply with the controller's legal obligations processing; (d) processing is necessary to protect the key interests of the data subject or other natural person; (e) processing is necessary for the performance of a task of public interest or in the exercise of official authority processing manager; (f) the processing is necessary for the legitimate interests of the controller or a third party parties, except when those interests are stronger than the interests or fundamental rights and freedoms of the respondents who require the protection of personal data. 3 Also, it should be emphasized that the right to protection of personal data is not absolute the law itself must be considered in relation to its function in society and should be harmonized with other fundamental rights in accordance with the principle of proportionality. As a separate law, we cite the Postal Services Act ("Narodne novine", number: 144/12, 153/13, 78/15 and 110/19) regulating postal services, prescribe the conditions for performance of these services and for the provision and financing of universal service, govern the rights, obligations and responsibilities of providers and users of postal services, conditions of access to the postal network, issuance of postage stamps of the Republic of Croatia and surcharge stamps is determined by jobs Croatian regulatory agencies for network activities in the part related to regulatory tasks in the field of postal services, performing inspection supervision in the field of postal services services, and regulate other issues related to the performance of postal services. Also, Article 44 of the aforementioned Act stipulates that the provider of postal services obliged to adopt general conditions for the performance of postal services in domestic and/or international traffic. Based on the quoted article, Hrvatska pošta d.d. is on July 1, 2021. passed the General Terms and Conditions for the provision of universal services, which regulate the manner and conditions performance of the universal service provided by HP-Hrvatska pošta d.d., delivery deadlines, method and conditions of payment for postal services, method of marking payment for postal services on to the postal shipment, the responsibility of HP d.d. and compensation for damage and the submission and settlement procedure complaints of users of postal services. In this connection, it is necessary to point out article 47 of the aforementioned General Terms and Conditions, in which stipulated that the sender, receiver or other authorized person proves his identity, between among other things, with an identity card, and the type and number of the identification document that established the identity it is entered in the corresponding place of the postal document. Furthermore, by looking at the Answer, CLASS: .., CODE: .. from ... which is the Center for social care y as a processing manager delivered to the applicant, it is clear that the manager processing, informed the applicant that he had sent the amounts through the mail. As a result of the above, on the basis of the submitted evidence in this administrative matter it was established that the Center for Social Welfare, as the processing manager, did not provide personal data for use of the applicant for this to an unauthorized recipient/third party and in this sense the request rejects the applicant as unfounded. Namely, in the specific case there was a legitimate purpose and legal basis from Article 5 i 6. General regulations on data protection for forwarding certain personal data to a third party (company Hrvatska pošta d.d.), and all so that the applicant could realize the right that belongs to him in accordance with the adopted Decision, CLASS: .., NUMBER: .. from the year ... or the right to guaranteed minimum compensation. 4 In this regard, it should be emphasized that in the conducted procedure it was not determined that personal data of the applicant were forwarded by the processing manager to the company Hrvatska pošta d.d. to a greater extent than is necessary for the specific purpose of guaranteed delivery minimum fees and that the applicant has not proven in any way that the information about him is as to the user of the Center for Social Care, disclosed to a third party without authorization. Likewise, in the specific case it was established that the company Hrvatska pošta d.d. during the delivery/payment of the guaranteed minimum compensation, it complied with the prescribed procedures and in accordance with Article 47 of the General Terms and Conditions for the provision of universal services, identity verification of the applicant as the payee. Additionally, and further to the applicant's statement that he is guaranteed a minimum compensation should have been paid to the current account as determined by the Decision, CLASS: .., NUMBER: ... from ... year, we point out that the method of delivery/payment of the user's minimum fee is not in jurisdiction of this Agency, but it is the decision of the processing manager himself in accordance with the special regulation. In conclusion, and taking into account all the circumstances of the specific case, there is no evidence that indicate that the applicant's personal data were processed contrary to the General provisions regulations on data protection. Due to the aforementioned circumstances, it was decided as in the Proclamation of the Decision. LEGAL REMEDY No appeal is allowed against this decision, but an administrative dispute can be initiated before the Administrative Court by the court in Zagreb within 30 days from the date of delivery of the decision. DEPUTY DIRECTOR Igor Vulje Deliver: 1. 2. 3. Stationery, here.