IP (Slovenia) - 0603-47/2022/7: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 63: Line 63:
}}
}}


A police officer accessed data from the police system without legal basis, in violation of Articles [[Article 5 GDPR|5(1)(a), (b)]] and [[Article 6 GDPR|6]], resulting in a fine of €500.
The Slovenian DPA fined a police officer €500 for accessing data from the police system without any legal basis, in violation of Articles [[Article 5 GDPR|5(1)(a), (b)]] and [[Article 6 GDPR|6]].  


== English Summary ==
== English Summary ==
Line 78: Line 78:


== Comment ==
== Comment ==
Slovenia implemented GDPR very recently. Altough there was a national privacy law, this decision is one of the first ones based on GDPR.  
Slovenia implemented GDPR very recently. Altough there was a national privacy law, this decision is one of the first ones based on GDPR. The activity apparently did not fall under Directive (EU) 2016/680 but the GDPR. The decision does not give explanation on this but it is probably because the police officer acted for his own personal agenda.  


== Further Resources ==
== Further Resources ==

Latest revision as of 15:18, 26 April 2023

IP - 0603-47/2022/7
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 500 EUR
Parties: n/a
National Case Number/Name: 0603-47/2022/7
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Solvenian DPA (in SL)
Initial Contributor: ls

The Slovenian DPA fined a police officer €500 for accessing data from the police system without any legal basis, in violation of Articles 5(1)(a), (b) and 6.

English Summary

Facts

A police officer (controller) used his work computer and credentials to access personal data of five people in the police system. The data he accessed included names, surnames, addresses, car registration numbers and mentions in reports. He however did not need to access these data in the performance of his official duties.

Holding

The DPA held that these data were originally collected to carry out tasks by the police for lawful purposes. However, the police officer processed the data in a manner incompatible with these purposes, in violation of Article 5(1)(b).

As he did not have to deal with these data in the performance of his job, the controller could not rely on a legal basis under Articles 5(1)(a) and 6(1).

The DPA consequently fined the controller €500

Comment

Slovenia implemented GDPR very recently. Altough there was a national privacy law, this decision is one of the first ones based on GDPR. The activity apparently did not fall under Directive (EU) 2016/680 but the GDPR. The decision does not give explanation on this but it is probably because the police officer acted for his own personal agenda.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Number: 0603-47/2022/7
Date: 9 February 2023

The information officer (hereinafter: the misdemeanor authority) issues an authorized official ex officio on the basis of the second paragraph of Article 51 and Article 46 of the Act on Misdemeanors (Official Gazette of the Republic of Slovenia, No. 29/11-UPB8, 21/13, 111/ 13, 74/14 – Sec. US, 92/14 – Sec. US, 32/16, 15/17 – Sec. US, 73/19 – Sec. US, 175/20 – ZIUOPDVE and 5/21 – Sec. US; hereinafter: ZP-1), Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the RS, no. 113/05 and 51/07 – ZUstS-A, hereinafter: ZInfP) and when applying the second paragraph 2 of Article ZP-1 and the first paragraph of Article 119 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 163/22; hereinafter ZVOP-2), in the offense proceedings against the offender _________________ (hereinafter the offender), due to offenses under the second paragraph of Article 97 of ZVOP-2 in connection with point 1 of the first paragraph of Article 97 of ZVOP-2, the following


DECISION ON OFFENSES


Violator: ___________________, employed as a police officer at _________________ at the time of committing the offences

liable for five (5) misdemeanors
according to the second paragraph of Article 97 of ZVOP-2, in connection with point 1 of the first paragraph of Article 97 of ZVOP-2,


which he did by being a police officer, on 1/3/2022, in the premises of ________________, using an individual personal password, in the Information Telecommunication System of the Police (ITSP) in the Event Log of the Operational Communication Center ___________ (DDOKC) through the records listed below of events conducted an inspection of the personal data of the following individuals (the individual whose personal data he processed and the document in which his personal data were located is indicated in brackets):

• ___________ (name and surname, date of birth, address of residence, information about the registration number of the vehicle she was driving and the information that she was in the process of violating the CPP), which were in the record of the event DDOKC no. _______________,

• ______________ (name and surname, address of residence and information about the fact that the person announced that a group of younger boys was going from house to house), which were in the record of the event DDOKC no. ______________,

• _____________ (name and surname, date of birth, address of residence and information about the fact that the person was mentioned in an anonymous notification regarding the matter in the area of __________), which were located in the record of the event DDOKC no. _____________,

• ____________ (name and surname, residential address and information about the fact that the person reported a dispute with a partner), which were in the record of the event DDOKC no. _______________,

• _______________ (name and surname and information about the fact that the person announced the detention of two foreigners at the railway station in Vuzenica), which were located in the record of the event DDOKC no. ______________,

however, he further processed (retrieved and viewed) the personal data of the specified individuals, which were collected for the purposes of carrying out the lawful tasks of the Police and for other lawful purposes, in a manner incompatible with these specified and lawful purposes, as he did not treat the specified individuals in any police or other procedure that he would lead or participate in as part of the performance of his duties and tasks as a police officer and therefore processed their personal data without a justified and legal reason related to the performance of his official duties as a police officer, from these and the reasons for the mentioned subpoenas and inspections or the processing of personal data also had no legal basis, since none of the conditions for such processing from the first paragraph of Article 6 of the General Data Protection Regulation were met, which means that five times (that is, by processing personal data of each of the listed individuals separately) violated the fundamental principles for processing personal data, as specified in (a) and (b) points of the first paragraph of Article 5 and the first paragraph of Article 6 of the General Data Protection Regulation.

The violator made illegal calls and searches using the central and local computer of the Police, in which, as a police officer, he was authorized to process personal data for the purposes of performing official duties, i.e. with the resources of the Police and in the exercise of the powers of the state body - the Police, which he was a police officer, according to the provisions of the Act on Police Tasks and Powers and other laws, authorized to perform and within the framework of which he was also authorized to access the central computer of the Police with his individual personal password, as a result of which for offenses based on the 1st par. Article 15 of ZP-1 and Paragraph 1 15a. Article ZP-1 is responsible as a responsible person of a state body.

Therefore, the violator, when applying the second paragraph of Article 2 of ZP-1 and the first paragraph of Article 119 of ZVOP-2, based on the second paragraph of Article 97 of ZVOP-2 in connection with point 1 of the first paragraph of Article 97 of ZVOP-2 and when using of the third paragraph of Article 52 of ZP-1 in conjunction with Articles 114 and 115 of ZVOP-2 and the first, second and third paragraphs of Article 26 of ZP-1, and when applying the first paragraph of Article 27 of ZP-1,

clauses:

• for the offense under point 1: FINE 200 euros;
• for the offense under point 2: FINE 200 euros;
• for an offense according to point 3: FINE 200 euros;
• for a misdemeanor under point 4: 200 euro FINE;
• for an offense according to point 5: A fine of 200 euros.

Then, in accordance with the 2nd par. Article 27 of ZP-1 in conjunction with paragraphs 2 and 3. Article 26 and taking into account the 4th indent of the 2nd par. of Article 17 of ZP-1 to the violator for all the listed offenses of the same type in a row, instead of a single sanction (fine), which in total amounts to 1,000 euros,

and with words
single sanction:

A fine of 500 euros.


The violator must pay the fine to transaction account no. 01100-8450051825 (according to the attached UPN - universal payment order).

Based on the first paragraph of Article 143, in connection with the first paragraph of Article 144 and the second paragraph of Article 58 of the ZP-1, the violator must pay a court fee. The court fee, which is assessed to the violator for the imposed fine according to tariff number 8111 of the Court Fees Act (Official Gazette of the RS, No. 37/08, with amendments, hereinafter referred to as ZST-1), must be paid to the transaction account no. 01100-8450162502 (according to the attached UPN - universal payment order), in the amount of 50 euros.

The violator must pay the entire amount of the imposed fine and the court fee within 15 days after the finality of the decision on misdemeanors. After the deadline for payment has passed, the violator can request payment of the fine and the costs of the procedure in installments from the authority responsible for forced recovery (FURS). If the violator does not pay the fine and the costs of the procedure within the specified period, the unpaid fine and the costs of the procedure will be collected compulsorily. If it is not possible to recover the fine even under compulsion, the fine imposed on the violator may, in accordance with the law, be enforced by alternative imprisonment. If the violator, due to his financial situation or ability to pay, who would be entitled to regular free legal aid according to the material criteria from the law regulating free legal aid, cannot pay the fine and the costs of the procedure in the amount of at least 300 euros, he may, at the latest until the deadline expires for payment, he submits a proposal to the authority that issued the decision, that the payment of the fine and costs of the procedure be replaced by work for the general benefit.


LEGAL LESSON: A request for judicial protection is allowed against a decision on misdemeanors. The request must be announced in writing within eight days of receiving the decision at the Information Commissioner, Dunajska 22, 1000, Ljubljana, otherwise it is considered that the beneficiary of the request (infringer, legal representative or defender) has waived the right to request judicial protection. The notice of request is sent by post or delivered directly in two copies and is considered timely if submitted on the last day of the deadline for submitting the notice of request by registered mail or directly to the authority that issued the decision. The announced filing of a request for judicial protection may be withdrawn until the deadline for filing the announcement of this request expires.

If the beneficiary of the request for judicial protection does not announce or withdraws the announcement within the legal deadline for filing this request, it is considered that he has waived the right to request for judicial protection.

If none of the beneficiaries of the request for judicial protection announces this request, the misdemeanor authority does not make a decision on misdemeanors with reasons, but it is considered that a final decision has been served on the date of service of the decision without reasons, which with the expiration of the deadline for announcing the request for judicial protection becomes final.

When at least one of the beneficiaries of the request for judicial protection announces the filing of this request, a written decision on misdemeanors with reasons is drawn up and sent no later than 30 days after the announcement of the filing of the request for judicial protection is received. In this case, the decision with reasons is served on all beneficiaries of the request for judicial protection.

A violator who does not announce a request for judicial protection against a decision on misdemeanors shall pay half the amount of the fine (250 euros) within eight days after the deadline for announcing a request for judicial protection has expired, otherwise he must pay the full amount of the fine within the deadline specified in the sentence this decision. Within the same deadline, which is specified in the pronouncement of the decision, the violator who announces a request for judicial protection against the decision, but then does not file a request against the decision with reasons, must also pay the entire amount of the imposed fine.

If the violator pays half of the fine before the expiration of the deadline for announcing the request for judicial protection, the request for judicial protection against the decision is not allowed, except in the case where the violator had to pay the fine before the expiration of the deadline for announcing the request in accordance with the provisions of ZP-1.

Under the conditions and in accordance with the regulations governing the financial operations of the offense authority, the violator can pay the fine and the costs of the procedure also with a non-cash means of payment.