IP (Slovenia) - 07101-22/2023/7: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Slovenia |DPA-BG-Color= |DPAlogo=LogoSI.png |DPA_Abbrevation=IP |DPA_With_Country=IP (Slovenia) |Case_Number_Name=07101-22/2023/7 |ECLI= |Original_Source_Name_1=Informacijski pooblaščenec (in SL) |Original_Source_Link_1=https://gdprhub.eu/images/5/5e/07101-22-2023-7_34._%25C4%258Dlen_ZVOP-2_kr%25C5%25A1itev_brez_ukrepa_08012024.pdf |Original_Source_Language_1=Slovenian |Original_Source_Language__Code_1=SL |Original_Source_Name_2= |Orig...") |
No edit summary |
||
Line 10: | Line 10: | ||
|ECLI= | |ECLI= | ||
|Original_Source_Name_1=Informacijski pooblaščenec | |Original_Source_Name_1=Informacijski pooblaščenec | ||
|Original_Source_Link_1=https://gdprhub.eu/images/5/5e/07101-22-2023-7_34._%25C4%258Dlen_ZVOP-2_kr%25C5%25A1itev_brez_ukrepa_08012024.pdf | |Original_Source_Link_1=https://gdprhub.eu/images/5/5e/07101-22-2023-7_34._%25C4%258Dlen_ZVOP-2_kr%25C5%25A1itev_brez_ukrepa_08012024.pdf | ||
|Original_Source_Language_1=Slovenian | |Original_Source_Language_1=Slovenian | ||
Line 70: | Line 70: | ||
On 31 August 2023 the data subject received a marketing message. As he was curious to know how the controller obtained his data, he sent him a data access request, to which the controller did not reply. | On 31 August 2023 the data subject received a marketing message. As he was curious to know how the controller obtained his data, he sent him a data access request, to which the controller did not reply. | ||
On 18 October 2023, the controller was requested by the DPA to take a written decision on the applicant's request in accordance with [[Article 12 GDPR|Article 12 GDPR]] and 15 GDPR. | On 18 October 2023, the controller was requested by the DPA to take a written decision on the applicant's request in accordance with [[Article 12 GDPR|Article 12 GDPR]] and [[Article 15 GDPR]]. | ||
On 3 November 2023, the data controller sent an email to the DPA, indicating that they responded to the request for access to personal data and removed the data subject from the customer database. | On 3 November 2023, the data controller sent an email to the DPA, indicating that they responded to the request for access to personal data and removed the data subject from the customer database. | ||
Line 83: | Line 83: | ||
The DPA acknowledged that the controller complied with the data subject’s request after the expiration of a 1-month deadline. However, the controller remedied this breach by a response to the data subject based on the DPA’s request of 18 October 2023. As a result, the DPA did not find a violation of unlawful storage of data lacking a basis according to [[Article 6 GDPR#1|Article 6(1) GDPR]]. | The DPA acknowledged that the controller complied with the data subject’s request after the expiration of a 1-month deadline. However, the controller remedied this breach by a response to the data subject based on the DPA’s request of 18 October 2023. As a result, the DPA did not find a violation of unlawful storage of data lacking a basis according to [[Article 6 GDPR#1|Article 6(1) GDPR]]. | ||
Regarding the allegations concerning the unlawful use of personal data for direct marketing, the DPA stated that it is not competent to take action in the area regulated by the Slovenian Electronic Communications Act which mirrors the ePrivacy Regulation. | Regarding the allegations concerning the unlawful use of personal data for direct marketing, the DPA stated that it is not competent to take action in the area regulated by the [http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO8611 Slovenian Electronic Communications Act] which mirrors the [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010 ePrivacy Regulation]. | ||
Consequently, the DPA found no infringements on the side of the controller and the controller was not ordered to take any specific measures. | Consequently, the DPA found no infringements on the side of the controller and the controller was not ordered to take any specific measures. |
Revision as of 16:19, 12 March 2024
IP - 07101-22/2023/7 | |
---|---|
Authority: | IP (Slovenia) |
Jurisdiction: | Slovenia |
Relevant Law: | Article 6(1) GDPR Article 12 GDPR Article 15 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | 16.10.2023 |
Decided: | 08.01.2024 |
Published: | 31.01.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 07101-22/2023/7 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Slovenian |
Original Source: | Informacijski pooblaščenec (in SL) |
Initial Contributor: | im |
The controller was not ordered to take any specific measures after they missed the deadline to respond to data subject’s access request at they followed the DPA’s order to take a decision.
English Summary
Facts
On 31 August 2023 the data subject received a marketing message. As he was curious to know how the controller obtained his data, he sent him a data access request, to which the controller did not reply.
On 18 October 2023, the controller was requested by the DPA to take a written decision on the applicant's request in accordance with Article 12 GDPR and Article 15 GDPR.
On 3 November 2023, the data controller sent an email to the DPA, indicating that they responded to the request for access to personal data and removed the data subject from the customer database.
On 8 November 2023, the data subject informed that he received a response in which the controller apologized for the delayed response. However, the apology does not change the fact that the controller missed the legally prescribed deadline, thereby violating the law and committing an offense for which a fine is prescribed.
The controller stated the data subject had voluntarily subscribed to receive notifications on 19 June 2015. In connection with this, the applicant pointed out that there were changes in data protection legislation in recent years, and controllers were required to re-obtain consent for further use or delete data. Therefore, the data subject’s claims that retaining the data for 8 years longer and starting using the same data after a period of 8 years is unlawful and unsolicited marketing communication.
The data subject insisted on reporting the violations, believing that the controller stored and used his data without a legal basis.
Holding
The DPA acknowledged that the controller complied with the data subject’s request after the expiration of a 1-month deadline. However, the controller remedied this breach by a response to the data subject based on the DPA’s request of 18 October 2023. As a result, the DPA did not find a violation of unlawful storage of data lacking a basis according to Article 6(1) GDPR.
Regarding the allegations concerning the unlawful use of personal data for direct marketing, the DPA stated that it is not competent to take action in the area regulated by the Slovenian Electronic Communications Act which mirrors the ePrivacy Regulation.
Consequently, the DPA found no infringements on the side of the controller and the controller was not ordered to take any specific measures.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.