Persónuvernd (Island) - Mál nr. 2022050836: Difference between revisions
No edit summary |
No edit summary |
||
(One intermediate revision by one other user not shown) | |||
Line 70: | Line 70: | ||
The data subject was told when he started his job that tachographs were installed in employee cars for security reasons. Data from the tachograph about his work performance and meal breaks was later used to justify the data subject's dismissal from the company. The data subject complained that the processing of his personal information in the run-up to his dismissal had not been compatible with the original purpose of using the technograph. Moreover, he had not been informed about the changed purpose of the tachograph before the processing took place. | The data subject was told when he started his job that tachographs were installed in employee cars for security reasons. Data from the tachograph about his work performance and meal breaks was later used to justify the data subject's dismissal from the company. The data subject complained that the processing of his personal information in the run-up to his dismissal had not been compatible with the original purpose of using the technograph. Moreover, he had not been informed about the changed purpose of the tachograph before the processing took place. | ||
The controller responded to the complaint and told the DPA that the data subject must have been aware that the tachograph in his car could have been used for the purpose of monitoring his performance and submitted their training materials as evidence to the DPA. | The controller responded to the complaint and told the DPA that the data subject must have been aware that the tachograph in his car could have been used for the purpose of monitoring his performance and submitted their training materials as evidence to the DPA. They also claimed consent as a legal basis for processing the data. | ||
=== Holding === | === Holding === | ||
The Icelandic DPA held the controller to have infringed [[Article 5 GDPR|Article 5(1)(a]]) and [[Article 5 GDPR|5(1)(b) GDPR | The Icelandic DPA held the controller to have infringed [[Article 5 GDPR|Article 5(1)(a]]) and [[Article 5 GDPR|5(1)(b) GDPR]] and reprimanded them. | ||
First, the controller claimed consent as legal basis for processing under [[Article 6 GDPR|Article 6(1) GDPR.]] The DPA noted that the power imbalance between employers and employees makes this consent forced and invalid. The DPA used a decision from the Swedish DPA which said that tachograph's can be used under [[Article 6 GDPR|Article 6(1)(f) GDPR]] if the controller can prove a legitimate interest. The DPA therefore, considered the controller to have a legal basis. | First, the controller claimed consent as legal basis for processing under [[Article 6 GDPR|Article 6(1) GDPR.]] The DPA noted that the power imbalance between employers and employees makes this consent forced and invalid. The DPA used a decision from the Swedish DPA which said that tachograph's can be used under [[Article 6 GDPR|Article 6(1)(f) GDPR]] if the controller can prove a legitimate interest. The DPA therefore, considered the controller to have a legal basis. | ||
Second, unless the relevant parties have been notified in advance of the altered purpose, it is prohibited to use personal data for different purposes than the ones previously stated. The DPA found nothing in the training materials which could have indicated a different use for the tachograph. As a result, the DPA concluded that the personal data collected was used for a purpose other than the one about which the data subject was initially informed, and noted that he was also not informed of the new change. This means the processing by the controller was not fair nor transparent, resulting an infringement of [[Article 5 GDPR|Article 5(1)(a) GDPR.]] Additionally, it indicates that further processing of his personal data was done in a way that was inconsistent with the original purpose, which contradicts [[Article 5 GDPR|Article 5(1)(b) GDPR.]] | Second, unless the relevant parties have been notified in advance of the altered purpose, it is prohibited to use personal data for different purposes than the ones previously stated. The DPA found nothing in the training materials which could have indicated a different use for the tachograph. As a result, the DPA concluded that the personal data collected was used for a purpose other than the one about which the data subject was initially informed, and noted that he was also not informed of the new change. This means the processing by the controller was not fair nor transparent, resulting an infringement of [[Article 5 GDPR|Article 5(1)(a) GDPR.]] Additionally, it indicates that further processing of his personal data was done in a way that was inconsistent with the original purpose, which contradicts [[Article 5 GDPR|Article 5(1)(b) GDPR.]] |
Latest revision as of 11:22, 13 December 2023
Persónuvernd - Mál nr. 2022050836 | |
---|---|
[[File:|center|250px]] | |
Authority: | Persónuvernd (Island) |
Jurisdiction: | Iceland |
Relevant Law: | Article 5(1)(a) GDPR Article 8(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | Mál nr. 2022050836 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Icelandic |
Original Source: | Mál nr. 2022050836 (in IS) |
Initial Contributor: | sh |
The Icelandic DPA reprimanded a controller for collecting data for one purpose and then using it for another.
English Summary
Facts
The Icelandic DPA received a complaint from a data subject. Their employer (the controller) had used a tachograph in a vehicle used by the data subject in his work. A tachograph is a device that records driving times and rest periods as well as periods of other work and availability taken by a driver.
The data subject was told when he started his job that tachographs were installed in employee cars for security reasons. Data from the tachograph about his work performance and meal breaks was later used to justify the data subject's dismissal from the company. The data subject complained that the processing of his personal information in the run-up to his dismissal had not been compatible with the original purpose of using the technograph. Moreover, he had not been informed about the changed purpose of the tachograph before the processing took place.
The controller responded to the complaint and told the DPA that the data subject must have been aware that the tachograph in his car could have been used for the purpose of monitoring his performance and submitted their training materials as evidence to the DPA. They also claimed consent as a legal basis for processing the data.
Holding
The Icelandic DPA held the controller to have infringed Article 5(1)(a) and 5(1)(b) GDPR and reprimanded them.
First, the controller claimed consent as legal basis for processing under Article 6(1) GDPR. The DPA noted that the power imbalance between employers and employees makes this consent forced and invalid. The DPA used a decision from the Swedish DPA which said that tachograph's can be used under Article 6(1)(f) GDPR if the controller can prove a legitimate interest. The DPA therefore, considered the controller to have a legal basis.
Second, unless the relevant parties have been notified in advance of the altered purpose, it is prohibited to use personal data for different purposes than the ones previously stated. The DPA found nothing in the training materials which could have indicated a different use for the tachograph. As a result, the DPA concluded that the personal data collected was used for a purpose other than the one about which the data subject was initially informed, and noted that he was also not informed of the new change. This means the processing by the controller was not fair nor transparent, resulting an infringement of Article 5(1)(a) GDPR. Additionally, it indicates that further processing of his personal data was done in a way that was inconsistent with the original purpose, which contradicts Article 5(1)(b) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.
Solutions Electronic monitoring by Íslandspóst Case no. 2022050836 8.12.2023 When using tachographs in vehicles used by company employees, the use must be in accordance with their clearly stated and declared purpose. If the purpose of using tachographs changes, companies must inform their employees about the changed purpose before the processing of personal data takes place. In this case, it was complained that data obtained from an employee's tachograph was used as a reason for his dismissal from work, as the employee's work performance was evaluated based on the data. ---- Personal Protection has ruled in a case where a complaint was made about the electronic monitoring of Íslandspóst through the use of a tachograph in a car that the complainant used while working at Íslandspóst. Data obtained from the tachograph was later used as a reason for the complainant's dismissal from the company. The conclusion of the Privacy Protection was that Íslandspóst's processing of the complainant's personal information in the run-up to his dismissal had not been compatible with the original purpose of using the tachograph. It was also the conclusion of the Data Protection Authority that the complainant had not been informed about the changed purpose of using the tachograph before the processing took place. Íslandspóst's use of information about the complainant from the tachograph was therefore not considered to have been in accordance with the law. Ruling about a complaint about the use of a tachograph in a car at Íslandspósti in case no. 2022050836: i Procedure On April 28, 2022, Personal Protection received a complaint from [A] lawyer, f.h. Póstmannafélag Íslands (PFÍ) on behalf of [B] (hereafter the complainant), regarding Íslandspóst's use of a tachograph in a vehicle used by the complainant in his work at the company. More specifically, the complaint relates to the fact that Íslandspóstur used material collected during the use of the tachograph for a different and incompatible purpose than was originally intended, without the employee having been informed of the changed purpose beforehand. Personal protection invited Íslandspóst to comment on the complaint in a letter dated February 27, 2023, reiterated by letter, dated 22 March s.á., and the company's answers were received on 12 April s.á. Then there was PFÍ, f.h. complainant, given the opportunity to express comments on Íslandspóst's answers by letter, dated 25. a.m., and they were received by email from PFÍ's lawyer on 27. máí s.á. When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling. ___________________ There is a dispute about Íslandspóst's authorization to use data from the tachograph in an employee's car as justification for his dismissal from the company. PFÍ believes that by using data obtained from the tachograph in a vehicle that the complainant had used at Íslandspóstir to justify his dismissal from work, Íslandspóstir exceeded its authority under Act no. 90/2018, on personal protection and processing of personal information, and the applicable rules no. 837/2006, on electronic monitoring and processing of personal data generated during electronic monitoring. PFÍ refers to the fact that Íslandspóstur reviewed data from the tachograph of a vehicle that the complainant had used long ago in order to verify his work performance and how long his meal breaks had been. In the opinion of PFÍ, Íslandspósti was not permitted to use the data for that purpose, since the complainant had been informed at the beginning of his work that tachographs were placed in the company's employees' cars for security purposes, in order to ensure the quality of service and to monitor the employees' driving ability, to to establish whether the speed limit rules were respected. PFÍ does not believe that it is within the purpose of the processing to use the tachographs to monitor if and when an employee has decided to take a lunch break and use that information as justification for his dismissal from work. With reference to the above, PFÍ is based on the fact that the processing of personal information about the complainant was not transparent and fair, cf. Number 1. Paragraph 1 Article 8 Act no. 90/2018, and that the information was not obtained for a clearly specified, legitimate and objective purpose, cf. Number 2. Paragraph 1 Article 8 of the law. PFÍ also refers to the fact that the processing was not in accordance with the provisions of paragraph 3. Article 7 regulations no. 837/2006, since the processing was not for the purpose that the complainant was initially made aware of when he started working. Furthermore, the processing was not in accordance with Article 8. of the same rules, where it was not specifically needed to achieve a legitimate and objective purpose. Furthermore, the complainant did not receive the education he should have received regarding the processing in accordance with Article 10. the same rules. Íslandspóstur bases the processing of the personal data to which the complaint relates on item 1. Article 9 Act no. 90/2018, which authorizes the processing of personal data, if the data subject has given his consent to the processing of his personal data for one or more specific purposes. In this regard, it is pointed out that all drivers are made aware of Íslandspóst's electronic monitoring with the use of tachographs at the start of their employment, as their use is a prerequisite for the driver in question to be able to work for the company. All drivers must be provided with educational material at the start of their employment, which refers to the use of tachographs. Among other things, it is stated in the company's driver's manual, which is given to all the company's drivers at the start of their employment, that the goal of the tachograph is to improve driving style, reduce operating and damage costs, increase road safety and improve the company's image in traffic. The employee's job description also refers to the use of tachographs. With reference to the above, Íslandspóstur also believes that the company's use of the tachograph was in accordance with the provisions of Article 8. Act no. 90/2018 and rules no. 837/2006. It is based on the fact that the complainant was aware of the use of tachographs in his work for the company, cf. mentioned above, in addition to the fact that he could not have been unaware that the tachograph was located in his car, as there was a marking to that effect on the car's window. Also, the complainant must have been aware that his work performance might be examined with the help of the tachograph, especially in light of the fact that complaints had been received by the company on the eve of his dismissal due to his work performance, since he was aware that the tachograph enabled the shift managers of the driving department to monitor the location and movements of the fleet on a screen in the control center. In the opinion of Íslandspóst, it was both necessary and permissible to search the tachograph of the vehicle in question in order to obtain data that could demonstrate whether the complainant's performance was in accordance with his employment contract with the company. II. Conclusion 1. Lawfulness of processing The use of tachographs for monitoring the history of vehicles is considered electronic monitoring, cf. Number 9. Paragraph 1 Article 3 Act no. 90/2018, on personal protection and processing of personal information. There, the term electronic monitoring is defined as monitoring that is ongoing and includes the monitoring of individuals with remote or automatic equipment and is carried out in public or in an area that is normally visited by a limited group of people. According to paragraph 1 Article 14 Act no. 90/2018, electronic monitoring is always subject to the condition that it is carried out for objective purposes. Electronic monitoring of an area, where a limited group of people usually move around, is also subject to the condition that it is specifically needed due to the nature of the activities that take place there. Finally, the processing of personal data, which takes place in connection with electronic monitoring, must always satisfy one of the conditions of Article 9. Act no. 90/2018, cf. Paragraph 1 Article 6 of regulation (EU) 2016/679. One can mention that personal data can be processed if the data subject has given consent to the processing of his personal data for the benefit of one or more specific goals, cf. Number 1. of the provision and point a of the regulatory provision, or due to legitimate interests that the responsible party or a third person protects, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh, cf. Number 6. of the legal provision and section f of the regulatory provision. In addition to authorization according to the above, the processing of personal data must be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 of regulation (EU) 2016/679. The principles stipulate, among other things, that personal data must be processed in a lawful, fair and transparent manner towards the data subject, cf. Number 1. of the legal provision and point a of the regulatory provision, and that they must be obtained for clearly specified, legitimate and relevant purposes and not further processed for other and incompatible purposes, cf. Number 2. of the legal provision and point b of the regulatory provision. Rules on electronic monitoring and processing of personal data generated during electronic monitoring, no. 837/2006, were in force at the time the events of this case took place, but the rules were established pursuant to authorization in the older Personal Protection Act, no. 77/2000, cf. later paragraph 5 Article 14 Act no. 90/2018. New rules on electronic monitoring, rules no. 50/2023, entered into force on January 10, 2023. Since this case concerns incidents that took place during the period of validity of rules no. 837/2006, the discussion and content of this ruling will take into account the above-mentioned rules when applicable, but there are no substantive changes to the rules that are being tested now, as rules no. 837/2006 based on the law on personal protection and processing of personal information, similar to the current rules. The provisions of law no. 90/2018 and regulation (EU) 2016/679 which apply at any time. Rules no. 837/2006 cover electronic monitoring that takes place in workplaces, schools and other areas where a limited group of people normally move around, cf. Paragraph 2 Article 1 of the rules. They have, among other things, to contain provisions for tachographs and electronic positioning devices. The term tachograph is in number 7. Article 2 of the rules, cf. rules no. 394/2008, defined as electronic equipment in a vehicle that processes or makes it possible to process personal data about drivers, i.e. on m. about their journeys and/or driving style. Then the term is electronic positioning equipment, cf. Number 8. same articles, cf. rules no. 394/2008, defined as electronic equipment that processes or makes it possible to process personal information about the location and travels of individuals. According to Article 6 regulations no. 837/2006, monitoring of employees' work reports depends on the fact that there is a special need for it for a more specifically specified purpose and according to Article 8. of the rules, the use of tachographs or electronic location devices for the purpose of monitoring the journeys of individuals is subject to the condition that it is specifically needed to achieve a legitimate and objective purpose. According to Article 7 of the rules, it is not permitted to retain personal data generated during electronic monitoring unless it is necessary in light of the purpose of the monitoring. In addition, personal data generated during electronic monitoring may only be used for the purpose of their collection and only to the extent that it is necessary for the purpose, cf. Paragraph 3 Article 7 of the rules. In paragraph 1 Article 17 Act no. 90/2018 imposes an obligation on the responsible party to take appropriate measures to ensure the transparency of information and notification to the registered person, cf. Article 12 of regulation (EU) 2016/679. Then the registered person has the right to information about processing, whether personal information is obtained from him or not, according to Paragraph 2 Article 17 Act no. 90/2018. This educational obligation of the responsible party towards the data subject is further guaranteed by Article 13. of regulation (EU) 2016/679. In Article 10 regulations no. 837/2006 further elaborates the training obligation of responsible parties, but the provision stipulates training to be provided to those subject to electronic monitoring. It says that they should be educated about the purpose of monitoring, who has or may gain access to the information that is collected and how long it will be kept. In addition, it says that, as appropriate, they shall, among other things, informed about which equipment will be used, the right to object to the monitoring and what the consequences may be, as well as the person's right to know what information will be created about him and to have the information corrected or deleted. 2. Conclusion This case concerns the processing of personal data obtained through the use of a tachograph in a vehicle that the complainant used as an employee of Íslandspóst. It concerns the processing of personal data that falls under the authority of the Personal Protection Agency. Íslandspóstur is considered to be the responsible party for said processing according to Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679. As before, Íslandspóstur reports that the processing of personal data in question is based on the employee's consent to the processing, cf. Number 1. Article 9 Act no. 90/2018 and point a of paragraph 1. Article 6 of the regulation. Personal data protection has generally considered that employers cannot base the processing of personal information about employees on their consent, since it is rarely an unforced consent due to the difference in status that is generally considered to exist between employers and employees, cf. further Article 10 of the Act and Article 7 of the regulation, which discusses the conditions for approval. Authorization for the processing cannot therefore be based on number 1. Article 9 of the law, cf. point a, paragraph 1 Article 6 of the regulation. With regard to the processing of personal data carried out through the use of tachographs, however, the Swedish Personal Protection Agency has considered that such processing can be considered permissible on the basis of item 6. Article 9 of the Act and point f of the 1st paragraph Article 6 of the regulation, if it is considered necessary due to the legitimate interests of the responsible party or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh. In this way, the processing of personal data, which is carried out through the use of tachographs for the purpose of improving driving style, reducing operating and damage costs, increasing road safety and improving the image of a company in traffic, can be considered permissible on the basis of legitimate interests. However, it is not permitted to use the material collected during the monitoring for other and incompatible purposes unless the registered persons have been informed of the changed purpose beforehand and other conditions of the law are also met. In its response to the Data Protection Agency, Íslandspóstur relies on the fact that the complainant must have been aware of the tachograph in his car and that information from it could be used for the purpose that actually existed. In this regard, Íslandspóstur has referred to the training material that is given to all employees at the start of their employment and to the employee's job description. In the opinion of the Data Protection Authority, however, there is nothing in the training that Íslandspóstur has referred to that could make it clear to the complainant that data from the tachograph could be used to check whether he fulfilled his job duties and subsequently as justification for his dismissal from work. Is it the opinion of the Data Protection Authority that the material collected through the use of the tachograph was used for a purpose other than the one the complainant was originally informed about and that he was not informed about the new purpose before. The conclusion of the Privacy Protection is therefore that the processing of Íslandspóst was not in accordance with paragraph 3. Article 7 regulations no. 837/2006, on electronic monitoring and processing of personal data generated during electronic monitoring, and not in accordance with the conditions of paragraph 1. Article 14 Act no. 90/2018 that electronic monitoring is always carried out for objective purposes. It is also the conclusion of the Personal Protection Authority that the said processing by Íslandspóst was neither transparent nor fair, cf. Number 1. Article 8 Act no. 90/2018 and point a of paragraph 1. Article 5 regulation (EU) 2016/679, nor in accordance with the original purpose of the processing, cf. Number 2. Article 8 of the Act and point b of paragraph 1 Article 5 of the regulation. For that reason, it is the conclusion of the Privacy Protection that Íslandspóst's use of information about the complainant from the driver's license did not comply with Act no. 90/2018, rules no. 837/2006 and Regulation (EU) 2016/679. Ruling: Íslandspóst's use of personal information from the tachograph in a vehicle that [B] had for use in his work did not comply with the provisions of rules no. 837/2006, on electronic monitoring and processing of personal data generated during electronic monitoring, provisions of Act no. 90/2018, on personal protection and the processing of personal data, and Regulation (EU) 2016/679 on the purpose, transparency and fairness of the processing of personal data. Privacy, November 8, 2023 Edda Úríður Hauksdóttir Ingunn Elísabet Markúsdóttir