IP (Slovenia) - 07141-9/2023/10: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 89: Line 89:
Thus, by making the information on the complainant's address of permanent and temporary residence accessible to the public without a legal basis, the controller infringed [[Article 6 GDPR|Article 6 GDPR]]. Given the absence of a legal basis, the controller also unlawfully refused the complainant's deletion request of the data in question, breaching [[Article 17 GDPR#1|Article 17(1) GDPR]].  
Thus, by making the information on the complainant's address of permanent and temporary residence accessible to the public without a legal basis, the controller infringed [[Article 6 GDPR|Article 6 GDPR]]. Given the absence of a legal basis, the controller also unlawfully refused the complainant's deletion request of the data in question, breaching [[Article 17 GDPR#1|Article 17(1) GDPR]].  


Pursuant to [[Article 58 GDPR#2|Article 58(2) GDPR]], the DPA ordered the controller to remedy the irregularities by making the complainant's data in the PRS inaccessible to the public within 40 days from the date of notification of the decision.
Pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA ordered the controller to remedy the irregularities by making the complainant's data in the PRS inaccessible to the public within 40 days from the date of notification of the decision.


== Comment ==
== Comment ==

Latest revision as of 14:57, 6 December 2023

IP - 07141-9/2023/10
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 17(1) GDPR
Article 17(3)(b) GDPR
Article 58(2) GDPR
Article 43 of the National Prevention of Money Laundering and Terrorist Financing Act
Article 51 of the National Prevention of Money Laundering and Terrorist Financing Act
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.09.2023
Published:
Fine: n/a
Parties: AJPES (Agency of the Republic of Slovenia for Public Legal Records and Related Services)
National Case Number/Name: 07141-9/2023/10
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: ar

The Slovenian DPA ordered the Agency of the Republic of Slovenia for Public Legal Records and Related Services to comply with the complainant’s deletion request under Article 17 GDPR. Contrary to national law, the Agency had published the complainant’s full address, instead of only the country of residence.

English Summary

Facts

The data subject noted that AJPES, the Agency of the Republic of Slovenia for Public Legal Records and Related Services (the controller), had made information on the address of her permanent and temporary residence available to the public online in the Slovenian Business Register (PRS) without any legal basis.

The data subject further stated that she had sent a deletion request concerning the personal data by e-mail on 22 February 2023 and again on 24 February 2023, and that the controller had rejected these requests. On 27 March 2023, the data subject therefore lodged a complaint with the Slovenian DPA.

The DPA then initiated its supervision procedure against the controller, on the basis of the complainant's request, regarding the lawfulness of the processing of personal data.

Following the initiation of the proceedings, the controller stated that Article 51 of the National Prevention of Money Laundering and Terrorist Financing Act (Act), in conjunction with Article 43 of the Act, has, since 2016, required the public disclosure of the data of entities registered in the PRS, including information on their permanent and temporary residence.

Holding

The Slovenian DPA observed that the controller was obliged to make public the complainant's personal data, including the address of her permanent and temporary residence, on the basis of Article 51 of the Act, in conjunction with Article 43 of the Act. Such an obligation would then give rise to the exclusion ground for the right to erasure pursuant to Article 17(3)(b) GDPR.

However, the DPA noted that the controller not only published the country of residence of the complainant but also the address, which was not required under the national legislation in question. Meanwhile, Article 51(1) of the Act provides for the disclosure of the country of permanent and temporary residence and not for the specific address.

Thus, by making the information on the complainant's address of permanent and temporary residence accessible to the public without a legal basis, the controller infringed Article 6 GDPR. Given the absence of a legal basis, the controller also unlawfully refused the complainant's deletion request of the data in question, breaching Article 17(1) GDPR.

Pursuant to Article 58(2)(d) GDPR, the DPA ordered the controller to remedy the irregularities by making the complainant's data in the PRS inaccessible to the public within 40 days from the date of notification of the decision.

Comment

Due to the automated translation of the decision, we apologise for any mistakes in the translation of entities or for misunderstandings. Should you note any discrepancy, please do not hesitate to modify this page directly or let us know.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
