Persónuvernd (Iceland) - 2020010394: Difference between revisions

From GDPRhub
 
(5 intermediate revisions by 2 users not shown)
Line 48: Line 48:
}}
}}


The Icelandic DPA stated that a municipality and a trade union had breached Article 6(1) GDPR when sharing a complainant’s data without her knowledge.  
The Icelandic DPA stated that a municipality and a trade union did not comply with Article 6(1) GDPR when sharing complainant’s data without a legal basis.  


== English Summary ==
== English Summary ==
Line 71: Line 71:


<pre>
<pre>
    Dissemination of personal information between a municipality and a trade union
  Ruling
      Case no. 2020010394
   
     
        5.5.2021
       
 
      The Data Protection Authority has ruled in a case where a complaint was made about disclosure
personal information between the municipality and the complainant's trade union in connection with
reimbursement of the costs of studies which the complainant pursued in parallel with his work. Í
The complaint states that the municipality sent personal information about the complainant
her union with a question about whether her studies were eligible for a grant
the union, but with the inquiry were copies of the complainant's accounts due
of the courses. In the union's response, he said that the study was eligible and that
the complainant had already received his studies paid for in full from the study fund
the union, as well as the dates and amount of the payments. According to answers
responsible party and the information available in the case was considered by the Data Protection Authority
was not authorized to share the information and that it did not
complies with Act no. 90/2018, on personal protection and processing of personal information.


   


   
On 16 April 2021, the Data Protection Authority issued a ruling in case no. 2020010394 (formerly 2019101965):
    Ruling
On April 16, 2021, the Data Protection Authority announced the following
ruling in case no. 2020010394 (formerly 2019101965): I. Proceedings 1. Abstract
caseOn October 16, 2019 received
Privacy complaint from [A] (hereinafter the complainant) over disclosure
personal information between [municipality X] and [trade union Y]. By letters dated January 7, 2020,
[X] and [Y] were invited to provide explanations regarding the complaint. Answer [Y]
received by email on 14 p.m. and reply [X] was received by letter dated. 23. s.m.
By letter dated On 9 June this year, the complainant was invited to appear
comments on the responses of the responsible party. The complainant's reply was received
e-mail 2 July s.á. There were no comments on the answers
guarantor but on behalf of the complainant it was stated that she requested a ruling on them
processing of personal data in question.In the resolution of the case has been
cover all of the above data, although not specifically stated
all of them in the following ruling.The handling of this case has been delayed
due to a lot of work at the Data Protection Authority. 2. Perspectives
The complainant's complaint states that the complainant has
requested that her workplace, [Z], would contribute to the cost of training as
she worked concurrently. It is stated that the complainant handed over his boss
receipts for costs and that the payroll department [X] should have paid those costs.
On Monday 14 October 2019, however, the complainant was forwarded
an e-mail from his boss at [Z] accompanying the union's response
her, [Y]. The e-mail stated that she had already received the cost
paid by the union. Finally says that has not been contacted
her or her boss. Instead, the municipality had direct contact
with her union to get information about the study and the courses that
she had been paid from the union's funds and to the union
has provided that information. The complaint was also accompanied by a copy of an email from
the union stating that the complainant had been paid for the courses
fully from the union's study fund, as well as the dates and amount of the payments. The complainant considers that it has
has been violated because she or her boss have not been contacted
and asked for receipts but the municipality had obtained information from
her union, without her knowledge, of the studies and courses she took
has been paid for from the union's funds.3
guarantor - [union Y] In reply [Y] states that the union has replied to an e-mail that
received from the Human Resources Manager [X] on October 14, 2019. The e-mail was
asked whether the union paid for a course taken by the complainant and
an attachment from the complainant was accompanied by receipts from the complainant regarding the person in question
courses. In the union's reply, it was reported that she had
received these courses paid for by the union, as well as dates and amount
payments to the complainant. Other views were not put forward by him
of the union. 4. Perspectives
responsible party - [municipality X] In reply [X] states that on 14 October 2019 there was an e-mail
sent to [Y] with an inquiry about whether the union's vocational training fund
paid for courses specified on the complainant's receipts that followed
by e-mail [X] to the union. The answer says that the query has
was sent where the rules of procedure [X] provided that the conditions for
the municipality allocated grants for studies of this kind was to employees
first exercised their right to allocation from vocational training and career development funds. It also says that when the inquiry was sent, it had sources
for the processing of personal data have not been kept in mind where the purpose
has only been gathering information on whether the Vocational Training Fund
the union paid for the course in question. There was therefore no complainant
reported that the inquiry would be sent to the union. Furthermore
says that procedures have been reviewed and that cases such as this will not be ensured
repeat itself.II.Conditions and conclusion 1. Scope - Responsible Scope of Act no. 90/2018, on personal data protection and processing
personal information, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the law,
and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers
processing of personal information that is partially or fully automated and processing with
methods other than automating personal information that is or should be
part of a file.This case concerns the sending of e-mails containing
personal information about the complainant between [municipality X] and [the trade union
Y]. In that respect and with
In view of the above provisions, this case concerns the processing of personal data
which falls within the competence of the Data Protection Authority. The person responsible for the processing of personal information complies with Act no.
90/2018 is named the responsible party. As such, [X] and [Y] are each considered
be responsible for the processing of the personal information they share
emails.2.Legitiveness of processingAll
the processing of personal data must be subject to one of the authorization provisions
Article 9 Act no. 90/2018. In addition, the processing of sensitive personal information will be involved
comply with any of the additional conditions of paragraph 1. Article 11 of the Act. According to point 5. Article 9 Act no. 90/2018 and item e of the first paragraph. Article 6
Regulation (EU) 2016/679, the processing of personal data is permitted if it is
necessary for a project carried out in the public interest or in its application
public authority exercised by the responsible party. Then there is the processing of personal information
if it is necessary in the interests of legitimate interests as a guarantor or a third party
a party may exercise the interests or fundamental rights and freedoms of the data subject who
demand that the protection of personal information be more important, cf. 6. tölul. Article 9 Act no.
90/2018 and item f of the first paragraph. Article 6 Regulation (EU) 2016/679. In addition to the authorization according to the above, there will be processing
personal data to meet all the basic requirements of the first paragraph. Article 8 Act no. 90/2018,
sbr. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that
personal information shall be processed in a lawful, fair and transparent manner
towards the data subject (point 1); that they should be obtained in clearly specified,
legitimate and objective purposes and not further processed in other and
incompatible purpose (paragraph 2); and that they should be adequate, appropriate
and not in excess of what is necessary in view of the purpose of the processing (point 3). January 23, 2020, says no
authorizations for the processing of personal information have been taken into account in the dissemination
information about the complainant to the union. If the purpose was only
to obtain information on whether the study in question was eligible for a grant from a vocational training fund
of the trade union.In the answer of [trade union Y], dated January 14, 2020, states that
the union only answered a query received by the union from [X]
by e-mail on October 14, 2019. The municipality's inquiry was asked
whether the Vocational Training Fund paid for certain courses and in response
the union was informed that the complainant had already received the courses
paid in full from the Vocational Training Fund, in addition to the amount of the grants and
the dates of the payments. According to the answers of the responsible party and the information available in
In this case, the disclosure of the above personal information was not authorized
according to Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. When
for that reason, it is the opinion of the Data Protection Authority that the processing of [municipality X] and [the trade union
Y] of the personal information of the complainant did not comply with Act no. 90/2018, um
privacy and processing of personal information. C o r d a r d a r o r d: Processing of [municipality X] and [trade union Y]
personal information about [A] did not comply with Act no. 90/2018, on privacy
and processing of personal information.Privacy, 16 April 2021Helga Þórisdóttir Helga
Sigríður Þórhallsdóttir


I.
Procedure
1.
Outline of case
On October 16, 2019, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) about the sharing of personal information between [municipality X] and [trade union Y].
By letters dated On January 7, 2020, [X] and [Y] were invited to provide explanations regarding the complaint. Answer [Y] was received by e-mail on the 14th cm and answer [X] was received by letter dated. 23. cm By letter dated On 9 June this year, the complainant was invited to submit comments on the responses of the guarantors. The complainant's reply was received by e-mail on 2 July. It did not comment on the responses of the responsible party, but the complainant stated that she requested a ruling on the processing of personal information in question.
In resolving the case, all of the above documents have been taken into account, although not all of them are specifically described in the following ruling.
The handling of this case has been delayed due to heavy work at the Data Protection Authority.
2.
The complainant's views
The complaint states that the complainant requested that her workplace, [Z], contribute to the cost of studies she pursued in parallel with her work. It also states that the complainant handed over receipts to his superior for costs and that the payroll department [X] should have paid those costs. On Monday, October 14, 2019, the complainant, on the other hand, received an e-mail from her boss at [Z] accompanying her union's response, [Y]. The e-mail stated that she had already received the costs from the union. Finally, she or her boss was not contacted. Instead, the municipality had contacted her union directly to obtain information about the studies and courses she had been paid for from the union's funds and that the union had provided that information.The complaint was also accompanied by a copy of an e-mail from the union stating that the complainant had received the courses paid in full from the union's study fund, as well as the dates and amount of the payments.
The complainant considers that she was violated because she or her boss were not contacted and asked for receipts, but the municipality obtained information from her union, without her knowledge, about the studies and the courses she was paid for. from union funds.
3.
Perspectives of the guarantor - [union Y]
In its reply [Y] states that the trade union replied to an e-mail received from the Human Resources Manager [X] on 14 October 2019. The e-mail asked if the trade union paid for a course taken by the complainant and in the attachment to the e-mail were receipts from the complainant. of the courses in question. In the union's reply, it was stated that she had received these courses paid for by the union, as well as the dates and amount of payments to the complainant. No other views were expressed by the union.
4.
Perspectives of the responsible party - [municipality X]
In reply [X] states that on 14 October 2019, an e-mail was sent to [Y] asking if the union's vocational training fund paid for courses specified on the complainant's receipts that accompanied [X]'s e-mail to the union. The answer states that the inquiry was sent as work rule [X] stipulated that the condition for the municipality to allocate grants for this type of study was that employees first exercised their right to allocation from vocational education and training funds.
It is also stated that when the inquiry was sent, the authorizations for the processing of personal information were not taken into account, as the purpose was only to obtain information on whether the Trade Union's Vocational Training Fund paid for the courses in question. The complainant had therefore not been informed that the inquiry would be sent to the trade union. It also says that procedures have been reviewed and it has been ensured that cases like this will not be repeated.
II.
Assumptions and conclusion
1.
Scope - Responsible party
Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.
This case concerns the sending of e-mails containing personal information about the complainant between [municipality X] and [trade union Y]. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.
The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. As such, [X] and [Y] are each considered to be responsible for the processing of the personal information they shared in e-mails.
2.
Legality of processing
All processing of personal data must be covered by one of the authorization provisions of Article 9. Act no. 90/2018. In addition, the processing of sensitive personal data must comply with one of the additional conditions of the first paragraph. Article 11 of the Act.
According to point 5. Article 9 Act no. 90/2018 and item e of the first paragraph. Article 6 of Regulation (EU) 2016/679, the processing of personal data is permitted if it is necessary for a project carried out in the public interest or in the exercise of public authority by the responsible party. The processing of personal data is also permitted if it is necessary in the interests of legitimate interests that the responsible party or a third party safeguards, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh, cf. 6. tölul. Article 9 Act no. 90/2018 and item f of the first paragraph. Article 6 Regulation (EU) 2016/679.
In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (point 3).
In the answer of [municipality X], dated 23 January 2020, states that no authorization was taken into account for the processing of personal information when disseminating information about the complainant to the trade union. If the purpose was only to obtain information on whether the study in question was eligible for a grant from the union's vocational training fund.
In the reply of [trade union Y], dated 14 January 2020, states that the union only answered a question received by the union from [X] by e-mail on 14 October 2019. The municipality's inquiry asked whether the vocational training fund paid for certain courses and the union's answer stated that the complainant had already received the courses are paid for in full from the vocational training fund, as well as the amount of the grants and the date of the payments.
According to the answers of the responsible party and the information available in this case, the disclosure of the above-mentioned personal information according to Article 9 was not authorized. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. For that reason alone, it is the opinion of the Data Protection Authority that the processing of [municipality X] and [trade union Y] of personal information about the complainant was not in accordance with Act no. 90/2018, on personal protection and processing of personal information.
Ruling:
The processing of [municipality X] and [trade union Y] of personal information about [A] was not in accordance with Act no. 90/2018, on personal protection and processing of personal information.
</pre>
</pre>

Latest revision as of 10:03, 18 May 2021

Persónuvernd (Iceland) - 2020010394
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 05.05.2021
Published: 07.05.2021
Fine: None
Parties: n/a
National Case Number/Name: 2020010394
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA stated that a municipality and a trade union did not comply with Article 6(1) GDPR when sharing complainant’s data without a legal basis.

English Summary

Facts

The DPA received a complaint about the sharing of personal data between a municipality and a trade union.

The complainant requested that her workplace contribute to the cost of studies she pursued in parallel with her work. However, she was informed by an e-mail that she had already received the reimbursement from the union. The municipality obtained information about the studies and courses she had been paid for from the union's funds directly from the union. The complainant argued that her rights were violated because nor she nor her boss were not contacted and asked for receipts.

According to the municipality, when the inquiry was sent, the authorizations for the processing of personal information were not taken into account. The complainant had not been informed about the inquiry. The municipality also stated that procedures have been reviewed and it has been ensured that cases such as this will not be repeated.

Holding

The DPA stated that the disclosure of the complainant's personal data was not authorized. For that reason alone, it is the opinion of the DPA that the processing of a municipality and of a trade union of personal information about the complainant was not in accordance with Article 6 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

 Ruling


On 16 April 2021, the Data Protection Authority issued a ruling in case no. 2020010394 (formerly 2019101965):

I.
Procedure

1.
Outline of case

On October 16, 2019, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) about the sharing of personal information between [municipality X] and [trade union Y].

By letters dated On January 7, 2020, [X] and [Y] were invited to provide explanations regarding the complaint. Answer [Y] was received by e-mail on the 14th cm and answer [X] was received by letter dated. 23. cm By letter dated On 9 June this year, the complainant was invited to submit comments on the responses of the guarantors. The complainant's reply was received by e-mail on 2 July. It did not comment on the responses of the responsible party, but the complainant stated that she requested a ruling on the processing of personal information in question.

In resolving the case, all of the above documents have been taken into account, although not all of them are specifically described in the following ruling.

The handling of this case has been delayed due to heavy work at the Data Protection Authority. 

2.
The complainant's views

The complaint states that the complainant requested that her workplace, [Z], contribute to the cost of studies she pursued in parallel with her work. It also states that the complainant handed over receipts to his superior for costs and that the payroll department [X] should have paid those costs. On Monday, October 14, 2019, the complainant, on the other hand, received an e-mail from her boss at [Z] accompanying her union's response, [Y]. The e-mail stated that she had already received the costs from the union. Finally, she or her boss was not contacted. Instead, the municipality had contacted her union directly to obtain information about the studies and courses she had been paid for from the union's funds and that the union had provided that information.The complaint was also accompanied by a copy of an e-mail from the union stating that the complainant had received the courses paid in full from the union's study fund, as well as the dates and amount of the payments.

The complainant considers that she was violated because she or her boss were not contacted and asked for receipts, but the municipality obtained information from her union, without her knowledge, about the studies and the courses she was paid for. from union funds.
3.
Perspectives of the guarantor - [union Y]

In its reply [Y] states that the trade union replied to an e-mail received from the Human Resources Manager [X] on 14 October 2019. The e-mail asked if the trade union paid for a course taken by the complainant and in the attachment to the e-mail were receipts from the complainant. of the courses in question. In the union's reply, it was stated that she had received these courses paid for by the union, as well as the dates and amount of payments to the complainant. No other views were expressed by the union.

4.
Perspectives of the responsible party - [municipality X]

In reply [X] states that on 14 October 2019, an e-mail was sent to [Y] asking if the union's vocational training fund paid for courses specified on the complainant's receipts that accompanied [X]'s e-mail to the union. The answer states that the inquiry was sent as work rule [X] stipulated that the condition for the municipality to allocate grants for this type of study was that employees first exercised their right to allocation from vocational education and training funds.

It is also stated that when the inquiry was sent, the authorizations for the processing of personal information were not taken into account, as the purpose was only to obtain information on whether the Trade Union's Vocational Training Fund paid for the courses in question. The complainant had therefore not been informed that the inquiry would be sent to the trade union. It also says that procedures have been reviewed and it has been ensured that cases like this will not be repeated.

II.
Assumptions and conclusion

1.
Scope - Responsible party

Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

This case concerns the sending of e-mails containing personal information about the complainant between [municipality X] and [trade union Y]. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. As such, [X] and [Y] are each considered to be responsible for the processing of the personal information they shared in e-mails.

2.
Legality of processing

All processing of personal data must be covered by one of the authorization provisions of Article 9. Act no. 90/2018. In addition, the processing of sensitive personal data must comply with one of the additional conditions of the first paragraph. Article 11 of the Act.

According to point 5. Article 9 Act no. 90/2018 and item e of the first paragraph. Article 6 of Regulation (EU) 2016/679, the processing of personal data is permitted if it is necessary for a project carried out in the public interest or in the exercise of public authority by the responsible party. The processing of personal data is also permitted if it is necessary in the interests of legitimate interests that the responsible party or a third party safeguards, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh, cf. 6. tölul. Article 9 Act no. 90/2018 and item f of the first paragraph. Article 6 Regulation (EU) 2016/679.

In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (point 3).

In the answer of [municipality X], dated 23 January 2020, states that no authorization was taken into account for the processing of personal information when disseminating information about the complainant to the trade union. If the purpose was only to obtain information on whether the study in question was eligible for a grant from the union's vocational training fund.

In the reply of [trade union Y], dated 14 January 2020, states that the union only answered a question received by the union from [X] by e-mail on 14 October 2019. The municipality's inquiry asked whether the vocational training fund paid for certain courses and the union's answer stated that the complainant had already received the courses are paid for in full from the vocational training fund, as well as the amount of the grants and the date of the payments.

According to the answers of the responsible party and the information available in this case, the disclosure of the above-mentioned personal information according to Article 9 was not authorized. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. For that reason alone, it is the opinion of the Data Protection Authority that the processing of [municipality X] and [trade union Y] of personal information about the complainant was not in accordance with Act no. 90/2018, on personal protection and processing of personal information.
Ruling:

The processing of [municipality X] and [trade union Y] of personal information about [A] was not in accordance with Act no. 90/2018, on personal protection and processing of personal information.