AZOP (Croatia) - Decision 23-03-2023: Difference between revisions

AZOP - Decision 23-03-2023
Authority:	AZOP (Croatia)
Jurisdiction:	Croatia
Relevant Law:	Article 11 GDPR Article 12(2) GDPR Article 15 GDPR Article 17 GDPR Article 17(3)(e) GDPR
Type:	Complaint
Outcome:	Rejected
Started:
Decided:	23.03.2023
Published:	24.11.2023
Fine:	n/a
Parties:	n/a
National Case Number/Name:	Decision 23-03-2023
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Croatian
Original Source:	AZOP (in HR)
Initial Contributor:	co

The Croatian DPA held that a controller had lawfully rejected an access request on the basis of Article 12(2) GDPR, as it was unable to identify the data subject.

English Summary

Facts

The office of a municipality of a city in Croatia received an anonymous letter containing intimate photos of a person. A data subject claimed that those photos were concerning her, thus made an access request under Article 15 GDPR to the office and also requested her personal data to be deleted under Article 17 GDPR. The data subject also claimed that such data constituted biometric data.

The office, as a controller, responded stating that it did have knowledge about the events which might possibly be related to the data subject but that it was not possible for it to determine the identity of the person in the pictures. Hence the processor refused to comply with the data subject’s access request.

Following this, the data subject filed a complaint with the Croatian DPA (AZOP) claiming that the controller violated her GDPR rights by not responding to her access request and she also stated that the controller further processed her personal data by making it available to various unauthorized persons as well as to the public through media articles.

In its submissions to the AZOP, the controller clarified that it did not unlawfully transmit or use personal data of the applicant, pointing out that it has learned about events that may have been related to the applicant, but from the information provided it was not possible to determine with certainty the identity of the person and its connection with other contents that were provided to the controller. Further, the controller underlined that it took all necessary measures to prevent the possibility of misuse or any other illegal and unauthorized actions related to the deletion of personal data. In conclusion, the controller stated that, upon request of the State Attorney, it sent the disputed letter to the employees of the Police Department of the city, as authorized officials, which was declared to be a confiscated object. Further, it was submitted that the two news articles mentioned by the data subject do not contain any personal data allowing data subjects to be identified.

Holding

The AZOP, first of all clarified that the photos in question may constitute personal data, but not biometric data as they do not fulfil the requirements of Article 4(14) GDPR.

Secondly, the AZOP ascertained whether the controller had rightfully responded to the data subject’s access request. Making reference to Recital 63 and Article 12(1) GDPR, the AZOP underlined that controllers should provide data subjects with all the information requested in Article 15 GDPR. However, the AZOP underlined that under Article 12(2) GDPR, a controller may refuse to comply with an access request if it proves that it is unable to determine the identity of the data subject. In this case, the controller did prove its inability to identify with certainty the data subject

Thirdly, since the disputed letter and pictures were confiscated by the police, the controller was also justified for not complying with the data subject’s request of deletion of her personal data under Article 17(3)(e) GDPR.

Last, the AZOP also found that the newspaper articles mentioned by the data subject did not contain any personal data relating to her, this none of her data was published unlawfully.

For all of the above reasons, the AZOP dismissed the complaint as unfounded.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

1
REPUBLIC OF CROATIA
PROTECTION AGENCY
PERSONAL DATA
CLASS:
NUMBER:
Zagreb, March 23, 2023.
Personal Data Protection Agency based on Article 57, paragraph 1 and Article 58, paragraph 1.
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals
in connection with the processing of personal data and the free movement of such data and the placement
out of force of Directive 95/46/EC (hereinafter referred to as the General Data Protection Regulation) SL EU 119,
Article 34 of the Act on the Implementation of the General Regulation on Data Protection ("Official Gazette" No. 42/18)
and Articles 41 and 96 of the Law on General Administrative Procedure ("Official Gazette" No. 47/09 and
110/21), and regarding the request to determine the violation of the right to the protection of personal data X
brings the following
SOLUTION
X's request to establish a violation of the right to personal data protection is rejected as
ungrounded.
Form layout
The Agency for the Protection of Personal Data (hereinafter: the Agency) received a request for
determination of violation of the right to personal protection of X, represented by lawyer Y (hereinafter:
the applicant) in which the applicant states that City X, City Office X u
received a letter from an anonymous person in March 2021, which, among other things, contains
intimate photographs of the applicant (which the applicant states in her application as
biometric data) and continued with the further processing of her personal data, in the manner
that they were available to various unauthorized persons, as well as to the public through media captions.
Furthermore, the applicant states that she addressed the City with a submission dated May 3, 2021
X, City Office X and requested access to her personal data in accordance with the provisions of the General
regulations on data protection, as well as deleting your personal data. In this regard, the applicant
points out that City X, City Office X by letter dated May 5, 2021, KLASAX,
UR NO: X refused to deliver what was requested and stated that he had acquired certain knowledge about the events
2
which, possibly, are related to her, without specifying what it is about, therefore she states what she thinks
that there was a violation of her rights to the protection of personal data.
The request for determining the violation of the right to the protection of personal data is attached
power of attorney from June 2, 2021, a copy of an anonymous letter, the applicant's submission from
On May 3, 2021, sent to City X, City Office X requesting the acquisition of data
and secondly, the response of the City X, City Office X, CLASS: X, ID NO: X dated May 5, 2021.
of the year, a copy of the newspaper article published in the weekly "X" from April 25, 2021 under
with the title "X?" and a copy of the newspaper article published in the daily newspaper "X" from April 27
2021 under the title "X", subtitle "X".
The request is not founded.
Acting on the received request, the Agency filed (CLASS: X, CODE:
X) requested a statement from City X, City Office X regarding the circumstances of the specific case.
As requested, City X, City Office X expressed its opinion with a submission, CLASS: X
NUMBER: X stating in detail how it was sent on the received request of the applicant
through a lawyer (received on May 4, 2021) in his official statement
from May 5, 2021 to the applicant (CLASS: X, CODE: X) stated the same
that in accordance with the powers of his action he did not distribute it, nor in any way
transferred or used the personal data of the applicant without authorization. In this regard, City X, City
Office X points out that it gained knowledge about events that were possibly related to
the applicant, but it was not possible to determine with certainty from the submitted notifications
the identity of the person and his connection with other content that was delivered to City X,
City office X. In this connection, it should be noted that City office X is not authorized to determine identity
natural persons, nor does it have the necessary possibilities and instruments for determination
above, and especially not on the basis of knowledge from the content of the specific case
received. Despite this, City Office X has taken all the necessary and possible actions for which it is
authorized to prevent the slightest possibility of misuse or any other
illegal and unauthorized actions related to the disposal of personal data. In conclusion, the City
X, City Office X states that it was given on May 20, 2021 to employees of the Ministry
of internal affairs of the Police Administration X handed over a letter which, possibly, was related to
the applicant, since they are authorized persons ex officio, and upon request
Municipal State Attorney's Office, from the City Office X stated and requested. In this connection
City X, City Office X emphasizes that on the same occasion an official certificate of
confiscation of objects or written documents.
In this regard, and considering that City X, City Office X, with its statement, is not
provided evidence that employees of the Ministry of Internal Affairs, Police Administration X
submitted a letter which, possibly, was related to the applicant, the Agency is
by submission, CLASS: X, CODE: X requested the delivery of a copy of the official certificate of
confiscation of objects or written documents.
3
As requested, City X, City Office X, CLASS: X, CODE: X delivered
To the Agency, a copy of the Certificate of Temporary Confiscation of Items issued by the Ministry
of Internal Affairs, Police Department X, General Crime Service, number: X dated May 20
in 2021.
Also, by looking at the delivered copy of the newspaper article published in the weekly "X"
from April 25, 2021 under the title "X?" and a copy of the newspaper article published in
to the daily press "X" from April 27, 2021 under the title "X", subtitle "X", clearly
is that they do not contain any personal data, that is, it cannot be determined from them
identity of a natural person.
First of all, it should be noted that from May 25, 2018, in the Republic of
In Croatia, Regulation (EU) 2016/679 of the European Parliament and the Council of 27
of April 2016 on the protection of individuals in connection with the processing of personal data and on free movement
such data and on the repeal of Directive 95/46/EC (General Protection Regulation
data) SL EU L119.
The General Data Protection Regulation in Article 4, Paragraph 1, Point 1 stipulates that they are personal
data all data relating to an individual whose identity has been determined or can be determined, a
an individual whose identity can be established is a person who can be identified directly or
indirectly, especially with the help of identifiers such as name, identification number, information about
location, network identifier or with the help of one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that individual.
Therefore, we state that the photo belongs to personal data as defined by the subject
article, however, it does not constitute biometric data.
In this regard, we point out that Article 4, Paragraph 1, Point 14 stipulates that
"biometric data" means personal data obtained through special technical processing in connection with
physical characteristics, physiological characteristics or behavioral characteristics of an individual which
enable or confirm the unique identification of that individual, such as facial photographs or
dactyloscopic data.
Therefore, biometric processing of personal data would be considered as processing in
which, by means of mathematical algorithms, biometric data is connected with an exact one
person, i.e. that processing in which the computer system automatically through, for example,
physiological characteristics determine the identity of a certain person, and what is it about in the specific case at all
it wouldn't work.
Pursuant to Article 5 of the General Data Protection Regulation, personal data must be: (a)
lawfully, fairly and transparently processed with respect to the data subject ("lawfulness, fairness,
transparency"); (b) collected for special, explicit and legal purposes and may not be used further
process in a way that is inconsistent with those purposes ("purpose limitation"); (c) appropriate,
relevant and limited to what is necessary in relation to the purposes for which they are processed ("reduction
4
amount of data"); (d) accurate and as necessary up-to-date; every reasonable measure must be taken
in order to ensure that personal data that are not accurate, taking into account the purposes for which
process, delete or correct without delay ("accuracy"); (e) stored in a form that enables
identification of the respondent only for as long as is necessary for the purposes for which it is personal
data processing ("storage limitation"); (f) processed in the manner in which it is secured
adequate security of personal data, including protection against unauthorized or illegal access
processing and from accidental loss, destruction or damage by applying appropriate technical or
organizational measures ("integrity and confidentiality").
Furthermore, in accordance with Article 6 of the General Data Protection Regulation, processing is only lawful
if and to the extent that at least one of the following is met: (a) the subject has given consent
to process your personal data for one or more specific purposes; (b) processing is necessary for
execution of a contract to which the respondent is a party or to take action upon request
of the respondent before the conclusion of the contract; (c) processing is necessary to comply with the controller's legal obligations
processing; (d) processing is necessary to protect the key interests of the data subject or other natural person;
(e) processing is necessary for the performance of a task of public interest or in the exercise of official authority
processing manager; (f) the processing is necessary for the legitimate interests of the controller or a third party
parties, except when those interests are stronger than the interests or fundamental rights and freedoms of the respondents who
require the protection of personal data.
We emphasize that in relation to a specific case, the introductory statement (63) should be taken into account
General Data Protection Regulation, according to which the data subject should have the right of access
collected personal data relating to him and exercise that right easily and in
at reasonable intervals in order to be aware of the processing and verify its legality.
As it follows from Article 12, paragraph 1 of the General Data Protection Regulation, the data controller
undertakes appropriate measures to provide the respondent with all the information referred to in Articles 13 and 14.
and all communications from Articles 15 to 22 and Article 34 in connection with processing in summary,
transparent, comprehensible and easily accessible form, with the use of clear and simple
language. The information is provided in writing or by other means, inter alia, if it is
conveniently, electronically. If requested by the respondent, information may be provided verbally
through, provided that the identity of the respondent has been established by other means.
The processing manager facilitates the exercise of the data subject's rights from Articles 15 to 22 of the U
in the cases referred to in Article 11, paragraph 1, the processing manager may not refuse to act on the request
of the respondent for the purpose of exercising his rights from articles 15 to 22, unless the manager
processing proves that it is not able to determine the identity of the respondent (Article 12. paragraph 2. General
regulations on data protection).
Article 12, paragraph 3 of the General Data Protection Regulation stipulates that the data controller
upon request, provides the respondent with information on the actions taken from Articles 15 to 22. General
data protection regulations without undue delay and in any case within one month
from the receipt of the request. This deadline can be extended by an additional two months if necessary,
taking into account the complexity and number of requests. The data controller informs the respondent about each
5
such extension within one month from the receipt of the request, together with the reasons
delays.
Article 15, paragraph 1 of the General Regulation on Data Protection stipulates that the respondent has
the right to receive confirmation from the data controller as to whether personal data relating to him are being processed
and if such personal data is processed, access to personal data and the following information:
(a) processing purposes; (b) categories of personal data in question; (c) recipients or
categories of recipients to whom personal data has been disclosed or will be disclosed to them, in particular
recipients in third countries or international organizations; (d) if possible,
the intended period in which the personal data will be stored or, if this is not possible,
the criteria used to determine that period; (e) the existence of the right to be from the manager
request correction or deletion of personal data or restriction of processing of personal data
relating to data subjects or rights to object to such processing; (f) the right to submit
complaints to the supervisory body; (g) if personal data is not collected from the data subject, to each
available information about their source; (h) the existence of automated decision-making, which
includes the creation of profiles from Article 22 paragraphs 1 and 4 and, at least in these cases, meaningful
information about the logic in question, as well as the importance and anticipated consequences of such logic
processing for the respondent.
Furthermore, Article 17 of the General Regulation on Data Protection stipulates the "right to be forgotten"
according to which the respondent has the right to obtain from the controller the deletion of personal data which
are related to him without unnecessary delay and the data controller is obliged to delete personal data
data without undue delay if the personal data is no longer necessary in relation to the purposes for
which have been collected or otherwise processed; the subject withdraws the consent that is being processed
bases in accordance with Article 6, paragraph 1, point (a) or Article 9, paragraph 2, point (a) and
if there is no other legal basis for processing and in other categorically stated cases
in the subject article. However, paragraph 3 of the same article of the General Data Protection Regulation
exceptions to the deletion of personal data are prescribed.
In this administrative matter, it follows from the submitted/collected documentation that the City
X, City Office X received a letter from an anonymous person in March 2021, which,
among other things, it contained intimate photos of the applicant. Furthermore, it was established that
the applicant addressed the City X, City Office with a submission dated May 3, 2021
X and requested access to her personal data in accordance with the provisions of the General Regulation on Protection
data, as well as deleting your personal data. In this regard, it was determined that City X is City
office X, as processing manager, responded to the applicant's request with a letter dated May 5
in 2021, stating how he gained knowledge about events that were possibly related to
the applicant, but it was not possible to determine with certainty from the submitted notifications
the identity of the person and its connection with other content. In conclusion, it was established that the City
X, City Office X on May 20, 2021, at the request of the Municipal State Attorney's Office,
employees of the Ministry of Internal Affairs, Police Administration X handed over the disputed letter and
on that occasion, an official certificate of confiscation of the object, i.e. a written one, was issued.
6
Therefore, in this administrative matter, it was determined that City X, City Office X as
the processing manager responding back to the applicant's request, with a submission dated May 5
2021 acted in accordance with Article 12, paragraph 2 of the General Data Protection Regulation, considering
to the fact that he explained to the applicant that in the specific case he could not determine the identity of the person
whose photos he received through an anonymous submission. So, even though the applicant is in compliance
with Article 15 of the General Regulation on the Protection of Personal Data requested access to their personal data
data, in this particular case the controller acted correctly when taking into account
the provisions of Article 12, paragraph 2 of the General Regulation, refused to comply with the applicant's request for the purpose
exercising her rights, for the reason that he could not determine with certainty the identity of the person whose
received the photos.
Likewise, given that the dispute is in writing with accompanying photographs
of the applicant was taken from the processing manager by the Ministry of Internal Affairs, Police
Administration X at the request of the Municipal State Attorney's Office, deletion of personal data
of the applicant in the specific case is not applicable, taking into account Article 17.
paragraph 3 point e) of the General Data Protection Regulation.
Therefore, the applicant's request is in the part in which she claims that she was not provided
access to her personal data, i.e. how the manager refused to delete her personal data
data, should have been rejected as unfounded.
Also, related to the applicant's allegations about the forwarding of her personal data
to other unauthorized recipients, it should be pointed out that the same applicant is nothing
proved, nor was it established in the proceedings that such an unauthorized act occurred in the specific case
forwarding.
Finally, regarding the applicant's allegations about the availability of her personal data
in the public, more precisely by their publication in the media, we state that it has been established that the newspaper
articles referred to by the applicant ("X?" published in the weekly "X" from April 25, 2021.
and "X", subtitled "X", published in the daily newspaper "X" from April 27, 2021.)
do not contain personal data of the applicant, therefore that part of the request should have been rejected as
ungrounded.
As a result of the above, in the entire procedure it was determined that there was no
violation of the applicant's right to protection of personal data.
Due to the aforementioned circumstances, it was decided as in the Proclamation of the Decision.
7
LEGAL REMEDY
No appeal is allowed against this decision, but an administrative dispute can be initiated before the Administrative Court
by the court in X within 30 days from the date of delivery of the decision.
DEPUTY DIRECTOR
Igor Vulje
Deliver:
1. Y
2. X
3. Stationery, here.