Persónuvernd (Iceland) - Case no. 2021020294: Difference between revisions
No edit summary |
mNo edit summary |
||
Line 65: | Line 65: | ||
}} | }} | ||
The Icelandic DPA rejected a data subject's complaint. It held that the controller had a legal obligation pursuant to [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] to process her data and that it did not have to inform her about the processing of their personal data pursuant to [[Article 14 GDPR]] as it was not received | The Icelandic DPA rejected a data subject's complaint. It held that the controller had a legal obligation pursuant to [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] to process her data and that it did not have to inform her about the processing of their personal data pursuant to [[Article 14 GDPR]] as it was not received by a third party. | ||
== English Summary == | == English Summary == |
Latest revision as of 08:50, 16 February 2023
Persónuvernd - Case no. 2021020294 | |
---|---|
Authority: | Persónuvernd (Iceland) |
Jurisdiction: | Iceland |
Relevant Law: | Article 5(1) GDPR Article 6(1) GDPR Article 6(1)(c) GDPR Article 14 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 23.11.2022 |
Published: | 23.11.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | Case no. 2021020294 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Icelandic |
Original Source: | Icelandic DPA (in IS) |
Initial Contributor: | n/a |
The Icelandic DPA rejected a data subject's complaint. It held that the controller had a legal obligation pursuant to Article 6(1)(c) GDPR to process her data and that it did not have to inform her about the processing of their personal data pursuant to Article 14 GDPR as it was not received by a third party.
English Summary
Facts
The controller was a secondary school. The data subject had been a teacher at the school.
In November 2018, the data subject requested a meeting with her fellow teachers to discuss the case of another teacher (teacher C) who, according to her, had been bullied for years. The data subject defended teacher C and, among other things, requested that a psychologist was brought in to assess the situation. According to the school administrator, the data subject had been insulting and shown a lack of respect for her colleagues in view of the sensitive topic of discussion during the meeting. Following the incident, the administrator received emails from the data subject's fellow teachers concerning the improper behaviour of the data subject.
In February 2019, the controller was informed by the Ministry of Education about a complaint by the data subject, in which she argued that she had suffered mental abuse in the November 2018 meeting.
The same year, the school was required to rearrange its employment structure in the course of which the data subject and teacher C were dismissed. In November 2019, the school received a letter from the Parliamentary Ombudsman, requesting the school's opinion regarding the joint complaint of the data subject and teacher C, who argued that their dismissals had been illegal.
In 2021, the data subject sent a complaint to the Icelandic DPA. She argued that after she had sent her complaint to the Ministry, the school administer started collecting her personal data through her former colleagues and shared it with the Ministry. Both happened without her consent (see Article 6(1)(a) GDPR) and without informing her of the existence of the data (see Article 14 GDPR). The illegally processed personal data would be used against her in the proceedings in front of the Ministry and the Ombudsman.
The administer of the school denied having actively collected information about the data subject from other teachers. The existing information was sent by other teachers to the administrator as a reaction to the data subject's behaviour in the 2018 meeting. All emails containing personal data, to which the data subject's complain related, were dated between January and February 1, 2019. However, the Ministry did not inform the controller about the complaint procedure until February 11, 2019. The controller also argued that the personal data was created due to the administrator's work activities and was therefore not obtained from a third party. As a result, Articles 13 and 14 GDPR would not apply and the controller would be absolved of its information obligation to the data subject.
Holding
The DPA rejected the data subject's complaint.
First, it assessed based on what legal basis the school administer had processed the personal data. It noted that Article 6(1)(c) GDPR allows the processing of personal data if it is necessary to fulfil a legal obligation. Based on a national law, it was the role of the school administrator to manage the day-to-day operation and work of the school. Moreover, the DPA considered that to receive e-mails and messages from their subordinates, including regarding their well-being at work and communication with other staff, regardless of who initiates such disclosure, falls within the work cycle of a school administrator. Therefore, the DPA held that the controller had processed the personal data on a valid legal basis.
Second, the DPA considered whether the controller upheld the Article 5(1) GDPR principles "fairness and transparency" and whether the data subject was adequately informed pursuant to Article 14 GDPR. The DPA argued that if processing of personal data was based on the nature of the working relationship between the supervisor and subordinates, as outlined above, the personal data would not be considered to be obtained from a third party. However, Article 14 GDPR would only apply if personal data had been collected from a third party. Consequently, the information obligations of controllers pursuant to Article 14 GDPR would not have to be upheld in order to meet Article 5(1) GDPR's requirements for fairness and transparency.
Lastly, the DPA held that the controller was also under a legal obligation to share the concerned personal data with the Minister of Education and Culture, as the school falls under the supervision of the Minister. Consequently, there was a legal obligation to hand over documents after a relevant request. Here as well, the personal data was processed lawfully pursuant to Article 6(1)(c) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Solutions Processing of personal information by an educational institution Case no. 2021020294 23.11.2022 In general, individuals have the right to know when their personal data is processed. When employers process personal data about their employees, their processing is in certain cases necessary to fulfill a legal obligation. It is especially important that employers can educate their employees when working with employees' personal data. In this case, the processing of the data was based on the nature of the working relationship between superiors and subordinates, and it was not obtained from a third party in the sense of the law, so the complainant did not have to be informed about the collection of information. ---- Personal data protection ruled in a case where a complaint was made about the processing of personal data by an educational institution. More specifically, a complaint was made about the collection of personal information about the complainant from fellow teachers and their dissemination to the Ministry of Education and Culture and the Parliamentary Ombudsman without the complainant's consent and without the complainant being informed of the existence of the data. The conclusion of the Personal Protection Agency was that the educational institution's processing of the complainant's personal information was in accordance with the Act on Personal Protection and Processing of Personal Information. Ruling about a complaint about the processing of personal data by [educational institution X] in case no. 2021020294: i Procedure 1. Outline of a case On February 1, 2021, Personal Data Protection received a complaint from [A] (hereinafter the complainant) about the processing of personal data about her by the [educational institution X] (hereinafter X). More specifically, a complaint was made about the collection of personal information about the complainant from her fellow teachers and their dissemination to the Ministry of Education and Culture and the Parliamentary Ombudsman, without the complainant's consent and without her having been informed of the existence of the aforementioned data. Personal protection invited [X] to comment on the complaint by letter, dated May 10, 2022, and the school's answers were received by letter, dated 30 June s.á The complainant was then given the opportunity to provide comments on [X]'s answers by letter, dated July 4, s.á. Answers were received from the complainant's lawyer by letter, dated 22 July s.á. When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling. The processing of the case has been delayed due to the heavy workload at Personal Protection. 2. Complainant's point of view The complainant relies on the fact that [administrator X] started collecting information about her from her identified fellow teachers after the complainant submitted a complaint to the Ministry of Education and Culture, due to communication difficulties with the school's officials, on January 15, 2019. The complainant considers [administrator X] have collected personal information about her with the purpose of using it against her both for their answers to the Ministry of Education and Culture and to justify her dismissal from work in April 2019, but the complainant considered the dismissal illegal and directed a complaint to the Ombudsman for that reason. The complainant stated that she had neither given her consent to such information gathering nor had she been warned about it. In addition, the complainant never enjoyed the right to object to the aforementioned data when it was communicated by [administrator X] to the Ministry of Education and Culture and to the Parliamentary Ombudsman. 3. point of view [X] It is stated in paragraph [X] that the school is a state institution that falls under the administration of the state. The school operates, in addition to the general laws that apply to the institutions of the executive power, on the basis of Act no. no. 115/2011, on the Government Council of Iceland. Furthermore, the school has a legal obligation to ensure a healthy and safe working environment for employees based on Act no. 46/1980, on facilities, hygiene and safety in workplaces, and in order to take action to prevent bullying in the workplace, cf. provisions of regulation no. 1009/2015, on measures against bullying, sexual harassment, gender-based harassment and violence in the workplace. [X]'s report states that the origin of the case can be traced to the fact that the complainant requested a meeting with his fellow teachers and [administrator X], in order to discuss the case of another teacher (C) who believed that he had been bullied and disrespected by by his colleagues. The meeting took place in November 2018, where the complainant stated that his fellow teachers and C had bullied C for years and demanded that a named psychologist be brought in to assess it. In the opinion of [Manager X] and other managers who attended the meeting, the complainant's behavior at the aforementioned meeting was characterized by a lack of tempering, discretion and respect for colleagues in view of the sensitive and complex topic of discussion. There was an uproar at the meeting after the complainant made his statements. Following case C and the insults that the complainant presented at the meeting in November 2018, [administrator X] received the response of the complainant's fellow teachers to the meeting and information about other issues they had noticed, including the complainant's communication and behavior towards his fellow teachers. In February 2019, the school received a letter from the Ministry of Education and Culture informing about the complainant's complaint, to the effect that she believed she had been bullied and mentally abused by other attendees at the aforementioned meeting in November 2018. At the end of the 2018 school year- In 2019, the shortening of studies to the matriculation examination was implemented at [X] and in order to respond to that, the school had to optimize, among other things by reducing the number of permanent staff. On the basis of a coordinated and comprehensive assessment of the staff, in the departments where the number of teachers had to be reduced, a decision was made to dismiss the complainant in April 2019. In November 2019, the school received a letter from the Parliamentary Ombudsman, requesting the school's opinion regarding of the joint complaint of the complainant and C, on the basis that their dismissals had been illegal. [X] denies that [administrator X] collected information about the complainant from her fellow teachers after the complainant submitted a complaint to the Ministry of Education and Culture or to use as a justification for the complainant's dismissal. It is stated that [administrator X] neither took the initiative to obtain this information nor requested it. These are e-mails and reports sent by the complainant's fellow teachers to [administrator X], together with the meeting minutes [administrator X] from a meeting requested by the complainant's fellow teachers, due to concerns about the complainant's behavior. It is pointed out that the documents containing personal information about the complainant and on which the complainant bases his complaint are dated January and February 1, 2019, with the exception of the undated statement of a certain teacher that was received by [administrator X] following the meeting in November 2018. However, [Manager X] first received information about the complainant's complaint to the Ministry of Education and Culture through a letter from the Ministry that was received by the school on 11 February 2019, dated 6 February s.á. A copy of the letter from the Ministry was included with [X]'s message to the Personal Protection Agency. It is also referred to that the complainant's dismissal was due to the necessary streamlining of the school's work and was based on the results of a coordinated and comprehensive evaluation of the staff together with the management's own experience of dealing with the complainant. It is stated that the Parliamentary Ombudsman has completed the examination of the case regarding the complainant's complaint by letter dated 22 September 2020, stating that his examination did not reveal that the dismissal of the complainant or C was contrary to the law or based on unreasonable considerations. Following the complainant's complaint to the Ministry of Education and Culture, the Ministry requested information on whether the complainant's complaint regarding bullying had been processed in accordance with the response plan according to regulation no. 1009/2015, on measures against bullying, sexual harassment, gender-based harassment and violence in the workplace. At the same time, [X]'s comment on the report and other information that had not appeared in the case file was requested. The communication of personal information about the complainant to the Ministry of Education and Culture has been carried out according to the Ministry's request due to the handling of a case that started with the complainant's complaint and is therefore based on a clear and unambiguous legal obligation [X], cf. Number 3. Article 9 Act no. 90/2018, among other things according to Article 14 Act no. 115/2011, on the Government Council of Iceland. Refers [X] to the decision of the Personal Protection Authority from 7 December 2021, in case no. 2020010563, the above in support. Also, [X] considers the school's authority to share personal information about the complainant to the Parliamentary Ombudsman, on the occasion of the complainant's complaint to the ombudsman, falling outside the scope of Act no. 90/2018, cf. Paragraph 5 Article 4 of the Act, and thus outside the scope of the Data Protection Authority with reference to the aforementioned decision of the organization from December 7, 2021. [X] is also based on the fact that the personal information that forms the basis of the complainant's complaint was created in [X]'s activities and was therefore not obtained from a third party. As a result, the provisions of Articles 13 and 14 of Regulation (EU) 2016/679 does not apply and therefore the school should not have informed the complainant specifically about the existence of the data on which the complainant bases his complaint or should have given her the opportunity to comment on them. II. Conclusion 1. Scope – Partial rejection Scope of law no. 90/2018, on personal protection and processing of personal data, and regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of Personal Protection, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of personal data that is or is to become part of a file by methods other than automatic. This case concerns the processing of personal information about the complainant at [X] and its transmission to the Ministry of Education and Culture and to the Parliamentary Ombudsman. Accordingly, and taking into account the above-mentioned provisions, this case concerns the processing of personal data that falls under the authority of the Personal Protection Agency. The person responsible for the processing of personal information is compatible with Act no. 90/2018 is the named responsible party. According to number 6 Article 3 of the Act, it refers to an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data, cf. Number 7. Article 4 of the regulation. [X] is considered to be the party responsible for said processing according to Act no. 90/2018, on personal protection and the processing of personal data, and regulation (EU) 2016/679, since it is generally understood that the responsible party is the organization or company concerned and not individual employees, whether it is managers or ordinary employees. According to paragraph 5 Article 4 Act no. 90/2018, the law and regulation (EU) 2016/679 do not apply to the processing of personal data that takes place in connection with the work of the Alþingi and its institutions and investigative committees. According to paragraph 1 Article 1 Act no. 86/1997, on the Parliamentary Ombudsman, Alþingi elects the Parliamentary Ombudsman for four years. In addition, the role of the ombudsman is to supervise the administration of the state and municipalities in the manner specified in the law. From the aforementioned legal provisions, it is clear that the processing of personal information that takes place in connection with the work of the Parliamentary Ombudsman falls outside the scope of Act no. 90/2018, cf. Paragraph 5 Article 4 them, and thus outside the scope of the Data Protection Authority. In light of the fact that the Data Protection Authority is not competent to rule on the legality of information gathering by the Parliamentary Ombudsman, cf. above, it is the institution's opinion that it is also not competent to rule on the legality of sharing personal information based on the office's legitimate request for data and information. For that reason, the part of the complaint, which concerns the sharing of personal information with the Parliamentary Ombudsman, is dismissed. In other respects, the complaint concerns the processing of personal data which falls under the authority of the Personal Protection Agency according to Act no. 90/2018. 2. Lawfulness of processing All processing of personal data must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. For example, it is possible to work with personal data if it is necessary to fulfill a legal obligation that rests on the responsible party, cf. Number 3. of the legal provision and point c of the regulatory provision. When assessing authorization for processing, provisions in other laws that are applicable in each case must also be taken into account. In particular, law no. 92/2008, on secondary schools, and law no. 115/2011, on the Government Council of Iceland. In Article 6 Act no. 92/2008, on secondary schools, states that the role of the headmaster is to manage the day-to-day operation and work of secondary schools and to ensure that the school work is in accordance with laws, regulations, the main curriculum and other valid instructions at all times. In the opinion of the Data Protection Authority, it must be considered that it falls within the scope of work of school administrators to receive e-mails and messages from their subordinates, i.a. regarding their well-being at work and communication with other staff, regardless of who initiates such disclosure. Is such processing of personal information based on the nature of the working relationship between the supervisor and subordinates. The data that the complainant submits as the basis of his complaint to Personal Protection was not obtained from a third party in the sense of Act no. 90/2018, but as stated in section II.1. above, the party responsible for the processing of personal information is the organization or company in question and not individual employees, and other employees are thus not considered third parties in that sense. Article 14 comes. of the regulation therefore not for examination as here, so that the complainant would have had to be informed about the collection of information so that it would have been compatible with the requirement of fairness and transparency, item 1. Article 8 Act no. 90/2018, cf. point a, paragraph 1 Article 5 of regulation (EU) 2016/679. The only conclusion from the case data is that [administrator X] received the data in question before the school was informed of the complainant's complaint to the Ministry of Education and Culture. According to all of the above, it must be considered that personal information about the complainant has been obtained for a legitimate and objective purpose and not further processed for other and incompatible purposes, in accordance with item 2. Article 8 Act no. 90/2018, cf. b-point 1. paragraph Article 5 of the regulation. It has been stated by [X] that the sharing of personal information about the complainant to the Ministry of Education and Culture was based on the school's clear and unambiguous legal obligation, cf. Number 3. Article 9 Act no. 90/2018, among other things according to Article 14 Act no. 115/2011, about the Government of Iceland, but the complainant had sent a message to the ministry requesting an investigation into the alleged bullying towards her in accordance with regulation no. 1009/2015, on measures against bullying, sexual harassment, gender-based harassment and violence in the workplace. In paragraph 1 Article 14 Act no. 115/2011 states that the minister can demand from the administrative authority, which is subordinate to him, the information and explanations he needs to perform his supervisory role. The provision contains a broad authority for the minister to demand information and explanations. [X] works according to law no. 92/2008, on secondary schools, and falls under the supervision of the Minister of Education and Culture. As it happened here, and with reference to the fact that it was a specific case that was being processed by the ministry, there was therefore a legal obligation on [X] to hand over the documents to the minister in accordance with the relevant request. The request in question was worded in general terms and included an assessment of what data it was necessary to hand over to [X]. As is the case here, the Personal Protection Agency does not see a reason to revise that assessment. Could the processing therefore rely on number 3. Article 9 Act no. 90/2018, cf. c-point 1. paragraph Article 6 of regulation (EU) 2016/679. Since the said data was not obtained from a third party within the meaning of Act no. 90/2018, cf. mentioned above, comes Article 14. of the regulation is not considered regarding the sharing of personal information about the complainant to the Ministry, and the processing of the personal information will therefore also be considered to have been in accordance with item 1. Paragraph 1 Article 8 Act no. 90/2018, cf. point a, paragraph 1 5 of the regulation, since the case in question started with the complainant's own statement to the Ministry. Is the above result of the Personal Protection Authority in accordance with the institution's ruling from December 7, 2021, in case no. 2020010563. In view of the above, it is the conclusion of the Data Protection Authority that the processing that is being resolved here is in accordance with Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679. Ruling: The processing of [X]'s personal information about [A] was in accordance with the provisions of Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679. Privacy, November 23, 2022 Helga Sigríður Þórhallsdóttir Edda Þuríður Hauksdóttir