IP (Slovenia) - 07100-10/2023/14: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Slovenia |DPA-BG-Color= |DPAlogo=LogoSI.png |DPA_Abbrevation=IP |DPA_With_Country=IP (Slovenia) |Case_Number_Name=07100-10/2023/14 |ECLI= |Original_Source_Name_1=IP (Slovenia) |Original_Source_Link_1=https://www.ip-rs.si/fileadmin/user_upload/zip/Ponovna_uporaba/2024/julij/Julij_2024-Odlocbe-ZIN.zip |Original_Source_Language_1=Slovenian |Original_Source_Language__Code_1=SL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Sourc...")
 
No edit summary
 
(One intermediate revision by one other user not shown)
Line 61: Line 61:
}}
}}


The DPA found the controller was in breach of [[Article 12 GDPR|Article 12 GDPR]] and [[Article 15 GDPR|Article 15 GDPR]], because they didn’t answer access request within one-month period.
The DPA found the controller was in breach of [[Article 12 GDPR|Article 12 GDPR]] and [[Article 15 GDPR|Article 15 GDPR]] because it didn’t answer access request within one-month period.


== English Summary ==
== English Summary ==
Line 78: Line 78:


=== Holding ===
=== Holding ===
The DPA found the controller violated [[Article 12 GDPR|Article 12 GDPR]] in conjunction with [[Article 15 GDPR|Article 15 GDPR]]. The access request answer was done after one-month period under Article 12(2) GDRP expired.  
The DPA found the controller violated [[Article 12 GDPR|Article 12 GDPR]] in conjunction with [[Article 15 GDPR|Article 15 GDPR]]. The access request answer was done after one-month period under [[Article 12 GDPR|Article 12(2) GDPR]] expired.  


The controller remedied the violations committed during the proceedings before the DPA. Thereafter, the DPA decided not to use other corrective powers and only declared the controller violated [[Article 12 GDPR|Article 12 GDPR]] in conjunction with [[Article 15 GDPR|Article 15 GDPR]].
The controller remedied the violations committed during the proceedings before the DPA. Thereafter, the DPA decided not to use other corrective powers and only declared the controller violated [[Article 12 GDPR|Article 12 GDPR]] in conjunction with [[Article 15 GDPR|Article 15 GDPR]].

Latest revision as of 09:04, 11 September 2024

IP - 07100-10/2023/14
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 12(2) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 19.06.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 07100-10/2023/14
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: IP (Slovenia) (in SL)
Initial Contributor: wp

The DPA found the controller was in breach of Article 12 GDPR and Article 15 GDPR because it didn’t answer access request within one-month period.

English Summary

Facts

A minor took part in a competition organised by the data controller. After the competition the controller did not published information about the results as expected. A parent of the minor filed an access request with the controller regarding the data of their child, namely results or points obtained, the place and award won.

The controller said they already disclosed the information asked. However, the minor’s parent filed two additional access requests. According to the minor’s parent, they didn’t receive the information asked.

The minor’s parent filed a complaint with the Slovenian DPA (IP).

Within the examination proceedings the controller explained it was technically difficult to update their website in the part containing the competition results, so as the minor received the recognition of the achievement at the school or national level. This was because under the competition rules, the controller was prohibited from changing the official results after their publication. In response, the minor’s parent pointed out the controller did not facilitate the exercise of her rights, giving the example of disclosure of personal data at hand to the minor’s school.

During the communication with the DPA, the controller admitted they still were processing the access request and the delay was caused by organisational issues (sickness absences). Eventually, the controller answered the access request.

Holding

The DPA found the controller violated Article 12 GDPR in conjunction with Article 15 GDPR. The access request answer was done after one-month period under Article 12(2) GDPR expired.

The controller remedied the violations committed during the proceedings before the DPA. Thereafter, the DPA decided not to use other corrective powers and only declared the controller violated Article 12 GDPR in conjunction with Article 15 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Number: 07100-10/2023/14
Date: 19 June 2024


The Information Commissioner (hereafter IP) issues, on the basis of Article 77 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in the processing of personal data and on the free flow of such data and on the repeal of the Directive 95/46/EC (hereinafter the General Regulation) and Article 34 in relation to point 2 of the first paragraph of Article 55 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 163/22; hereafter ZVOP-2) and in in relation to the General Administrative Procedure Act (Official Gazette of the Republic of Slovenia, No. 24/06 – UPB, as amended; hereinafter ZUP), in the application procedure of the applicant with a special position: ..., dated 2 May 2023, against the controller : ..., in the matter of the right to access personal data


O D L O C B O


1. It is established that the operator... at the time of filing the applicant's application... on 2 May 2023, violated Article 15 of the General Regulation in relation to Article 12 of the General Regulation and Article 14 of ZVOP-2 by failing to make a timely decision on requests for access to personal data. 

2. The controller ... shall not be ordered to take measures regarding the processing of personal data.

3. The applicant... is allowed to review the case file in its entirety, which is kept under no. 07100-10/2023.

4. In this procedure, the authority did not incur any special costs, and each party covers its own costs of the procedure.


 P r a s i o n s

1. Current course of the procedure and relevant information

On 05/02/2023, the IP received a report ... for violation of the right to access personal data relating to her daughter .... She stated that on 26/11/2022 her minor daughter attended ... organized by the operator. As her daughter's results were not entered on the administrator's website three weeks after the competition, she informed him about this via e-mail on 19 December 2022 and asked him to provide access to her daughter's personal data (i.e. the result or the points achieved and the place and recognition in the competition). She asked the administrator again on 28/02/2023 to view this information, but he replied that he had already informed the mentor about her daughter's results some time ago and that she should contact her for information, and that the registration process is after the prescribed deadline, i.e. the publication of the official results completely different. Then, on April 6, 2023, the applicant asked the manager for the third time to inform her within eight days of her daughter's ranking and recognition, not just points, but he did not do so again. The applicant pointed out that more than five months have passed since the competition, but the administrator, as a parent, has still not given her access to her daughter's personal data, where the place of ranking and the recognition achieved in the said competition definitely belong. 

On May 4, 2023, the IP asked the operator to make a written decision on the applicant's request in accordance with Articles 12 and 15 of the General Regulation in relation to Article 14 ZVOP-2 within 15 days of receiving this request. The administrator's response was received by the IP on 21/05/2023. The administrator essentially stated that he was informed about the missing entry of the applicant's daughter's achievement, and explained that entering the achievement on the administrator's information website after the publication of the official results is technically not easy. at the same time, he ensured the receipt of recognition for achievement at the school and national level of the competition at the end of the school year. He pointed out that the subsequent entry of the achievement on the server (entry after the publication of the official results of the competition) changes the achieved place of the share of competitors, which is contrary to the rules of the competition, since the published achievements cannot be changed from the date of publication of the official results.

Despite this answer, the applicant IP announced on 6/6/2023 that she insists on applying and obtaining information about the place of ranking and the recognition achieved in the competition..., which relate to her daughter. She pointed out that the manager undoubtedly has the required data and attached evidence of this, namely an extract of official results and electronic correspondence between the manager and the primary school that the daughter attends. From the content of this e-mail, it can be concluded that the requested personal data exists. At the same time, the applicant emphasized that she had already explained to the manager several times that he should inform her of the place achieved and/or recognition in the competition, which is not linked to registration on the server, and pointed out that the manager published the official results of the competition on 8 December 2022 and i.e. already had the criteria for winning individual awards in electronic and physical form, and the mentor had already been informed of her daughter's results. 

In view of this, on 08/06/2023, 03/08/2023 and again on 28/09/2023, the IP requested the operator to clarify the applicant's statements, mainly for an explanation as to whether he has information on the place of classification and the recognition achieved (gold recognition /silver recognition/acknowledgment) and in such a case to provide a copy of this data or additional justification as to why he does not have or does not provide the requested personal data. 

Since the operator did not respond to these calls, the IP called him on 9 November 2023, who, upon inquiry regarding the status of the matter, informed that the matter had not yet been resolved due to the amount of work commitments and sick leave, but that he intended to send an answer shortly and that the manager still decides in what way. Since the IP did not receive any notification from the controller even after this, on 25 April 2024 he again asked the IP to explain as soon as possible, and no later than within 15 days, how he acted in relation to the submitted application, whether he replied to the applicant in accordance with the provisions of the General regulation and ZVOP-2, or whether he resolved the matter in some other way. At the same time, he warned him that in the case of non-cooperation with the IP as a supervisory authority or due to a violation of the right to the protection of personal data, he may be criminally liable.  

The administrator then replied to the IP on 7/5/2024. He stated that he was providing information about the ranking in the competition ... in the school year 22-23, namely the competitor ..., a student of .... class in the school year 22-23, on at the national level of the competition ... placed in ... place. At the same time, he explained that if the competitor would like any printed certificates, she should contact the school or a mentor. The latter can issue a certificate of success to the competitor with the reasoning that the achievement was not entered on the ... server and that the deadline for objections, when the deficiency could still be eliminated, was missed. 

On May 8, 2024, the IP issued a record of findings essential for the decision in this procedure and a call for a statement before the decision, to which no party responded within the set 10-day deadline from service. In this record, he noted that the controller subsequently fulfilled the obligations under Article 15 of the General Regulation by communicating the requested personal data relating to the applicant's daughter.

Since the IP considered that the factual situation for the decision in this case was fully established, it did not perform other procedural actions.

2. Control procedure 

The first paragraph of Article 30 ZVOP-2 provides that an individual who believes that the processing of his personal data by the controller or processor violates the provisions of the General Regulation, this Act or other laws governing the processing or protection of personal data, or violates the provisions of related bylaws or general acts for the exercise of public powers, submits a request to the supervisory authority in accordance with the law governing the general administrative procedure, with which he requests control of the legality of the processing of his personal data, and may also propose the necessary action in accordance with to the previous article in case of established violations, so that the establishment of a legal situation is achieved. The second paragraph of the same article ZVOP-2 stipulates that each party shall bear its own costs of the procedure.

Therefore, the IP considered the application in a procedure conducted at the request of the applicant with a special position, which guarantees the right to appeal under Article 77 of the General Regulation. In this supervisory procedure, he acted according to the provisions of Articles 30 to 35 of ZVOP-2 (procedure based on the application of an applicant with a special status). Among other things, this procedure is characterized by the fact that the IP acts in accordance with the investigative and regulatory powers from Article 58 of the General Regulation and Articles 28 and 29 of ZVOP-2 and in accordance with the general rules of the ZUP.

The IP, as a supervisory authority, issues a decision in accordance with the first paragraph of Article 34, which, in addition to the components specified by the law governing the general administrative procedure, contains:
1) determination of the existence or non-existence of an alleged violation of the processing of personal data of the applicant with a special position at the time of filing the application;
2) measures ordered to the manager or processor regarding the processing of personal data relating to the applicant with a special status, and the deadline for their implementation;
3) permitted scope of review of the case file for an applicant with a special status.

3. General information on the right to access personal data

The right of an individual to be informed of their own personal data is a fundamental human right, defined in the third paragraph of Article 38 of the Constitution of the Republic of Slovenia, which stipulates that everyone has the right to be informed of the collected personal data relating to him. This right, named as the right of access of the data subject, is specified in Article 15 of the General Regulation, which stipulates that the data subject has the right to obtain from the controller 1) confirmation as to whether personal data are processed in connection with it, and when this is the case, 2) access to personal data and to a copy thereof and 3) certain information related to processing and rights, which are then listed in the General Regulation. Procedural rules are regulated in Articles 11 and 12 of this regulation, and procedural provisions are also contained in ZVOP-2 in Articles 12 to 21. 

The prescribed deadline for the controller's response is one month after receiving the request. If necessary, this deadline can be extended by a maximum of two additional months, taking into account the complexity and number of requests, and the controller is obliged to inform the data subject of any such extension within one month of receiving the request together with the reasons for the delay (third paragraph 12 of the General Regulation).

The form of the decision on the request for deletion and its components for the controller in a specific case is determined by Article 14 of ZVOP-2. Pursuant to this provision, the controller, which is not a state body or a self-governing local community, handles claims by individuals from Articles 15 to 22 of the General Regulation and other claims by individuals in the field of personal data protection, access to personal data, their acquisition and processing according to this or that to the law, informs the individual of the decision and, if this is the subject of the request, of the personal data relating to him, within the time limit set by the General Regulation. If the individual so requests, he can also be informed of personal data orally. The decision must contain reasons and information about the right to appeal to the supervisory authority within 15 days of being informed of the decision in accordance with the provisions of point f) of the first paragraph of Article 15 of the General Regulation. The decision can take the form of an official note, which is sent to the individual in a way that enables them to become familiar with the decision and prove its receipt.

4. Assessment of the applicant's statements

IP notes that at the time of filing the application on 2/5/2023, the controller did not adequately decide on the applicant's request for access to personal data, which she first submitted on 19/12/2022 and then again on 28/02/2023 and 6/4/2023 Since the one-month deadline for a decision on the request had already expired, the IP judged that the controller had violated Article 15 in relation to Article 12 of the General Regulation and Article 14 of ZVOP-2. This violation was remedied by the operator after the application and several calls to the IP with a reply dated 05/07/2024, in which he communicated the requested personal data relating to the applicant's daughter. Therefore, in point 1 of the pronouncement of this decision, the IP concluded that the controller violated Article 15 of the General Regulation in relation to Article 12 of the General Regulation and Article 14 of ZVOP-2 at the time of filing the application on 2 May 2023 by did not make a timely decision on the request for access to personal data. At the same time, the IP emphasizes that it is not competent to go into the question of the appropriateness of the conducted competition or the completeness of the existing personal data related to the competition.

Since the administrator eliminated the identified violation of the right to access personal data after filing the application, the IP did not order him to take special measures in relation to the processing of the applicant's personal data (point 2 of the pronouncement of the decision), as this would be pointless in the described circumstances. The use of the set of corrective measures from the second paragraph of Article 58 of the General Regulation is also conditioned by the fact that the measure in question is necessary to ensure compliance with this regulation (cf. point 48 of the reasoning of the final proposals of the Advocate General Priit Pikamäe dated 11/04/2024 in Case C 768/21, TR v. Land Hessen).

5. Permissible scope of file review

In point 3 of the first paragraph of Article 34 of ZVOP-2, it is stipulated that the decision in the control procedure according to the provisions of this section, in addition to the components specified by the law governing the general administrative procedure, also contains the permissible scope of the review of the case file for the applicant with a special situation . 

The IP did not restrict the applicant's right to review the file of the case, which is kept under no. 07100-10/2023, as no reasons are given for this (paragraph 3 of the pronouncement of the decision).

6. Costs of the procedure

Pursuant to the first paragraph of Article 118 of the ZUP, the authority decides in its decision on the costs of the procedure, who bears the costs of the procedure, how much they are, and to whom and within what period they must be paid. No special costs were incurred in this control procedure (point 4 of the pronouncement of the decision). The applicant and the controller shall each cover their own costs that may have been incurred by them as a result of the procedure (second paragraph of Article 30 of ZVOP-2).  

In accordance with the provisions of the Administrative Fees Act (Official Gazette of the RS, No. 106/10 - official consolidated text, with amendments and additions), this decision is exempt from the payment of the administrative fee. 


Lessons on the legal remedy:
An appeal against this decision is not allowed, but it is permissible to initiate an administrative dispute. An administrative dispute is initiated by filing a lawsuit at the Administrative Court, Fajfarjeva 33, 1000 Ljubljana. The lawsuit must be filed within thirty days of the service of this decision, in writing directly to the said court or by registered mail or orally on the record. If the claim is sent by registered mail, it is considered to have arrived on time if it was sent to the post office on the last day of the deadline for filing the claim. In addition to the original, transcript or copy of this decision, the lawsuit must also be accompanied by one transcript or copy of the lawsuit and attachments for the defendant, if someone is affected by the decision, as well as for him.


						....,
  the State Inspectorate for the Protection of Personal Data