AZOP (Croatia) - Decision 31-05-2022: Difference between revisions

AZOP - Decision 31-05-2022
Authority:	AZOP (Croatia)
Jurisdiction:	Croatia
Relevant Law:	Article 25 GDPR Article 32 GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	31.05.2022
Published:	16.09.2022
Fine:	n/a
Parties:	n/a
National Case Number/Name:	Decision 31-05-2022
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Croatian
Original Source:	AZOP (in HR)
Initial Contributor:	n/a

The Croatian DPA determined that a school violated Articles 25 and 32 GDPR by losing the master diploma and exam certificate of a former student.

English Summary

Facts

The data subject requested their former school (the controller) to provide them with a certified copy of their master diploma and passed master exam. Whilst obliged to maintain records of former students in its database, the controller informed that the data subject's specific file was missing and the request could not be fulfilled. Consequently, the data subject filed a complaint before the Croatian DPA claiming a breach of their right to personal data protection. While determining the factual situation of the case, the DPA found out that the controller had lost the documentation in 2019, when due to weather problems, the school had to evacuate to another building.

Holding

First, the DPA recalled that data controllers are obliged, under Articles 25 and 32 GDPR, to provide appropriate technical and organisational measures in order to ensure the security of personal data processing as well as prevent accidental loss or destruction of the data.

In the present case, it was determined that the controller lost the requested documents when renovating and relocating the equipment and furniture to another building. Therefore, the controller did not respect the principles of completeness and integrity of personal data processing.

The DPA held that appropriate measures should have been adopted, such as separating files containing personal data from other documents. It added that, especially in the education sector, it is important to continuously maintain and update the security of personal data processing as well as ensure the safe disposal of any personal data which is no longer relevant.

In conclusion, the DPA determined that the controller violated Articles 25 and 32 GDPR by not adopting appropriate measures to prevent the loss of documentation containing personal data of the data subject.

Comment

In this case, the Croatian DPA did not explain which specific corrective powers under Article 58(2) GDPR it used.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

REPUBLIC OF CROATIA
PROTECTION AGENCY
PERSONAL DATA
CLASS:
NUMBER:
Zagreb, May 31, 2022.
Personal Data Protection Agency, OIB: 28454963989 based on Article 57 paragraph
1 and Article 58 paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27
2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data
data and repealing Directive 95/46/EC (hereinafter referred to as the General Protection Regulation
data) SL EU 119, Article 34 of the Law on the Implementation of the General Regulation on Data Protection ("People's
newspaper" No. 42/18) of Article 41 and Article 96 of the Law on General Administrative Procedure ("National
newspaper" No. 47/09 and 110/21), and regarding the request to determine the violation of the right to protection
personal data xy provides the following
SOLUTION
1. Request xy to establish a violation of the right to personal data protection is founded.
2. It is established that the loss/disappearance of documentation, more specifically the Diploma of passing
master's exam No.: ... of ... year and Certificate of master's title
butler NUMBER: ... No. registry books:.. from ... 2005 from the Srednje file
of vocational school xx, which contains personal data xy, there was a violation of Article 25 i
Article 32 of the General Regulation on data protection by Secondary Vocational School xx, as
manager of personal data processing.
3. It is assigned to the Secondary Vocational School xx, as the manager of personal data processing
taking appropriate technical and organizational measures to protect personal data
in daily business, with the aim of protecting the respondents' personal data from loss
in accordance with Article 25 and Article 32 of the General Data Protection Regulation.
Form layout
The Agency for the Protection of Personal Data (hereinafter: the Agency) received a request for
determination of violation of the right to protection of personal data xy (hereinafter: the applicant)
2
in which the applicant essentially states how he came to know that in his
the file of the xx school (hereinafter referred to as: the School) is missing his certified copy of the Passed Diploma
the master's exam, as well as the certificate of master butler title, which the applicant is
submitted the request to the School in 2005.
The request is founded.
Acting on the above-mentioned request, the Agency is for the purpose of accurate and complete
determination of the factual situation in this administrative matter requested from the School a statement as to whether the file
of the applicant contains a copy of the certified Diploma on passing the master's exam as well as
The certificate that the applicant claims to have submitted to the School in 2005. Also from
The schools were asked to state in their statement what personal data protection measures they take
in accordance with articles 25 and 32 of the General Regulation on data protection, related to the protection of personal data
their employees.
The Agency received a statement from the School, in which they state how the director is, as a person
authorized to represent the school, familiar with the applicant's petitions. Also, School
in the statement, he states that as a result of the supervision of the educational inspectorate, at the beginning of the year, they came to
finding out that the worker's file lacks a certified copy of the Master's Diploma
exam No.: ... of ... 2005, as well as the Certificate of master butler qualification
NUMBER:... No. registry books:... from... 2005. In this regard, the statement states
how the applicant was contacted, who then submitted the original Diploma to the School
and the Certificate, which were copied and inserted into the file in the presence of the employee with the note "09.02.2022.
year - the copy is identical to the original" and the seal of the School with the signature of the secretary, which is in replacement until
of the secretary's return from maternity/parental leave.
Furthermore, in the statement, the School states that it stores personal data of employees in folders -
personal files in an iron cabinet with a key that only the director and secretary have. The rest
documentation of former employees, as well as tender documentation and School documentation from
in previous years, they are in wooden cabinets with a key. Also, School in Manifestation
states that this is the first case of missing documentation in the personnel file. Also,
The school states in its statement that in 2019, due to weather problems, there was
leaks and floods in the School in all rooms of the building and that they were distributed in several
of neighboring schools, so that it is also possible that during renovation and relocation of equipment and furniture
lost documentation.
Following on from the above, we point out that from May 25, 2018, in all states
members of the European Union, as well as in the Republic of Croatia in the area of personal data protection,
directly applies Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016.
on the protection of individuals in connection with the processing of personal data and on the free movement of such data
and on repealing Directive 95/46/EC (General Data Protection Regulation) SL EU 119, and
the Agency for the Protection of Personal Data is responsible for its application and implementation.
In article 4.1. The General Data Protection Regulation stipulates that personal data is all
data relating to an individual whose identity has been determined or can be determined ("the respondent");
3
an individual whose identity can be established is a person who can be identified directly or
indirectly, especially with the help of identifiers such as name, identification number, information about
location, network identifier or with the help of one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that individual.
Pursuant to Article 4.2. General data protection regulations, processing means any procedure or
a set of procedures performed on personal data or on sets of personal data,
either by automated or non-automated means such as collecting, recording,
organization, structuring, storage, adaptation or modification, finding, performing insights,
use, disclosure by transmission, dissemination or otherwise making available,
matching or combining, limiting, deleting or destroying.
Article 5 of the General Data Protection Regulation stipulates how personal data must be
lawfully, fairly and transparently processed with respect to the respondent, collected in special,
express and lawful purposes, appropriate, relevant and limited to what is necessary in relation to
the purposes for which they are processed (principle of reducing the amount of data), accurate and, if necessary, up-to-date,
processed in a way that ensures adequate security of personal data, including
protection against unauthorized or illegal processing and against accidental loss, destruction or damage
by applying appropriate technical or organizational measures (principle of integrity and
confidentiality).
It is also necessary to refer to Article 6, paragraph 1 of the General Data Protection Regulation, which
stipulates that the processing of personal data is legal only if and to the extent that it is
at least one of the following is fulfilled: the respondent has given his consent for the processing of his personal data
data for one or more special purposes; processing is necessary for the execution of the contract in which it is
the respondent party or in order to take actions at the request of the respondent before concluding the contract;
processing is necessary to comply with the legal obligations of the controller; processing is necessary in order to
protect the key interests of the legal obligations of the controller; processing is necessary to perform the task
in the public interest or when exercising the official authority of the data controller; processing is necessary for
the needs of the legitimate interests of the data controller or a third party.
Article 25 paragraph 2 of the General Regulation on Data Protection prescribes how the data controller
implements appropriate technical and organizational measures to ensure that the integrated
method, only personal data that is necessary for each specific processing purpose will be processed. This
the obligation applies to the amount of personal data collected, the scope of their processing,
storage period and their availability. More specifically, such measures ensure that personal
data are not automatically, without individual intervention, available to an unlimited number of individuals.
Article 32, paragraph 2 of the General Regulation on Data Protection stipulates that by
managers and processors when assessing the appropriate level of security into account in particular
take the risks posed by the processing, especially the risks of accidental or illegal destruction,
loss, alteration, unauthorized disclosure of personal data or unauthorized access to personal data
data that has been transferred, stored or otherwise processed.
4
In this administrative matter, it was established that the applicant's file is missing
certain documentation containing the personal data of the applicant, more precisely certified
a copy of the Diploma on passing the master's exam Number: ... of ... 2005, as well as the Certificate of
to the acquired title of master butler URNUMBER:... No. registry books:... from .. 2005.
The aforementioned results from the submitted statement of the School, as the processing manager, in which it states
as the relevant documentation is missing in the applicant's file.
From the established factual situation, it is clear how the documents were lost
which contain personal data of the applicant. In this regard, the School as a manager of personal data processing
of data, in the submitted statement states that it is possible that the documentation has disappeared
lost during renovation and relocation of equipment and furniture due to weather conditions.
Also, based on the documentation collected in the procedure, it was established that the School as
the processing manager did not respect the principle of completeness and confidentiality of personal data processing
on the basis of which it was obliged to ensure adequate security of personal data, including
protection against unauthorized or illegal processing and against accidental loss, destruction or damage
by applying appropriate technical or organizational measures. Also, the School as a leader
processing in accordance with the rules of security of personal data processing, is mandatory
appropriate technical and organizational measures to prevent unauthorized interference
data processing procedures, and what can be concluded from the specific case that it did not act
in accordance with the above.
As a result of the determination, we point out the need for undertaking and continuous implementation
appropriate organizational and technical measures for the protection of personal data from Article 25 and Article
32. General regulations on data protection. In the specific case, above all, we indicate the need
continuous education of persons employed in the processing of personal data, primarily in terms of
the obligation to safely dispose and process personal data in such a way that every possibility
reduce the loss/disappearance of documentation containing personal data of employees to a minimum
possible measure.
Also, the School, as a data controller, is obliged to introduce organizational measures to protect personal data
data, for example in such a way that the documentation containing the personal data of the respondent, such as
of natural persons is separated from documentation that does not contain such data. It would also be advisable
keeping records when issuing certain documents at the request of respondents, such as
natural persons. In addition, the School, as the manager of personal data processing, is obliged in the course of some
work activities when certain documents containing personal data are transferred
respondents to act with increased attention, all for the reason that there is no risk of accidental
or illegal destruction, loss, alteration, unauthorized disclosure of personal data or
unauthorized access to personal data that has been transferred, stored or otherwise
processed.
Precisely for the above-mentioned reasons, in the conducted administrative procedure it was determined how
The school, as a data controller, did not take appropriate measures to protect personal data
5
of the applicant, which resulted in the loss/disappearance of the applicant's documentation
request, which violated the provisions of Articles 25 and 32 of the General Data Protection Regulation.
Due to the aforementioned circumstances, it was decided as in the Proclamation of the Decision.
LEGAL REMEDY:
An appeal against this decision is not allowed, but an administrative dispute can be initiated through a lawsuit
before the Administrative Court in Osijek within 30 days from the date of delivery of this decision.
DEPUTY DIRECTOR
Igor Vulje