AZOP (Croatia) - Decision 28-08-2019: Difference between revisions

From GDPRhub
(→‎Facts: Restructured summary, and added some details and the comment)
Line 87: Line 87:


<pre>
<pre>
REPUBLIC OF CROATIA
REPUBLIC OF CROATIA PROTECTION AGENCY PERSONAL DATA CLASS:  
PROTECTION AGENCY
REGISTRATION NUMBER:  
PERSONAL DATA
Zagreb, 28 August 2019  
CLASS:
The Personal Data Protection Agency pursuant to Articles 57 (1) and 58 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data repealing Directive 95/46 / EC (General Data Protection Regulation) SLEU L119 (hereinafter: the General Regulation) and Art. Of the Act Implementing the General Regulation on Data Protection, Official Gazette, no 42/18) and Article 42, paragraphs 1 and 2 and Article 96, paragraph 1 of the General Administrative Procedure Act (Official Gazette 47/09), upon request for protection of rights xy
REGISTRATION NUMBER:
RESOLUTION  
Zagreb, 28 August 2019
1. The request for a violation of the right to protection of personal data xy is founded.  
Personal Data Protection Agency pursuant to Article 57 (1) and (58) of the Regulation
2. It is established that the publication of the name and surname xy in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018" and which was published on the website of the Health Center was the processing of personal data contrary to Articles 5 and 6. General data protection regulations.  
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to
3. The Health Center is ordered to delete the personal data of person xy, and all other physical data persons listed in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018" and which is published on the website of the Health Center, all in accordance with Article 17, paragraph 1 (d) of the General Data Protection Regulation .  
with the processing of personal data and on the free movement of such data and on revocation
O b r a z l o ž e n j e  
Directive 95/46 / EC (General Data Protection Regulation) SLEU L119 (hereinafter: General
The Agency for Personal Data Protection (hereinafter: the Agency) received a request xy (hereinafter: the applicant) stating that the publication of her personal data in the document "Notes to the financial statements for the period from 1.1.2018-31.12.2018. "And which was published on the website of the Health Center, her personal data was violated.  
regulation) and Article 34. Of the Act Implementing the General Regulation on Data Protection, Official Gazette, no
The request is founded.  
42/18) and Article 42, paragraphs 1 and 2 and Article 96, paragraph 1 of the General Administrative Procedure Act
Acting upon the received request, the Agency requested a statement from the Health Center on the availability of the applicant's personal data, more precisely on the legal basis and purpose of publishing the applicant's personal data.  
(Official Gazette No. 47/09), upon request for protection of rights xy
The health center has stated that it is obligated as a budget obligor in accordance with Article 12, paragraph 5. of the Budget Act and Article 27 of the Ordinance on Financial Accounting publish the annual financial statements on its website no later than 8 days from the date surrenders. They further state that in accordance with Article 7, paragraph 2 of the said Ordinance, the financial report of the budget users of the state budget for the financial year consists of Balance sheets, Statements of income and expenditure, receipts and expenditures, Statements of expenditures by functional classification, statements of changes in the value and volume of assets and liabilities and Notes. They also state that in accordance with Article 13 of the same Ordinance, the Notes supplement the data with the financial report, and in accordance with Article 14, the obligatory notes to the Balance Sheet are a list of contractual relationships and the like that meet certain conditions and a list of ongoing litigation. As the Health Center had indicted the applicant, they were obliged to state the same in the Notes. The General Data Protection Regulation stipulates in Article 4 (1) (1) that personal data are all data relating to an identified or identifiable individual, and the identifiable individual is a directly identifiable person. or indirectly, in particular with the help of identifiers such as name, identification number, location data, network identifier or by means of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.  
RESOLUTION
Pursuant to Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC below: General Data Protection Regulation personal data must be processed lawfully, fairly and transparently with regard to the respondent (principle of legality, fairness and transparency); collected for special, explicit and legitimate purposes and may not be further processed in a way that is not in accordance with those purposes (purpose limitation principle); appropriate, relevant and limited to what is necessary in relation to the purposes in which they are processed (the principle of reducing the amount of data); accurate and, where appropriate, up-to-date (principle of accuracy); kept in a form that allows identification of respondents only for as long as it is necessary for the purposes for which personal data are processed (storage restriction principle); processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage through the application of appropriate technical or organizational measures (principle of integrity and confidentiality).  
1. The request for a violation of the right to protection of personal data xy is founded.
Article 6 of the General Data Protection Regulation stipulates that processing is lawful only if and to the extent that at least one of the following conditions has been met: the respondent has given his or her consent to the processing of his or her personal data for one or more specific purposes; processing is necessary for the performance of the contract to which the respondent is a party or in order to take action at the request of the respondent prior to the conclusion of the contract; processing is necessary to comply with the legal obligations of the processing manager; processing is necessary to protect the key interests of the respondent or other natural person; processing is necessary for the performance of a task of public interest or in the performance of the official authority of the controller; processing is necessary for the legitimate interests of the controller or a third party, except when those interests are stronger than the interests or fundamental rights and freedoms of respondents who require the protection of personal data.  
2. It is established that by publishing the name and surname xy in the document “Notes to the financial
Article 17 of the General Data Protection Regulation stipulates that the respondent has the right to obtain from the controller the deletion of personal data relating to him without undue delay and the controller has the obligation to delete personal data without undue delay if one of the conditions is met, inter alia, personal data are no longer necessary for the purposes for which they were collected or otherwise processed.  
reports for the period from 1.1.2018 to 31.12.2018. ”which was published online
Article 25 of the General Data Protection Regulation stipulates that taking into account the latest developments, cost of implementation and the nature, scope, context and purposes of processing, as well as risks of different levels of probability and seriousness for the rights and freedoms of individuals , and at the time of determining the means of processing and at the time of processing, implement appropriate technical and organizational measures, such as pseudonymisation, to enable effective application of data protection principles, such as data reduction, and the inclusion of safeguards in order to meet and protect the rights of respondents. The controller shall implement appropriate technical and organizational measures to ensure that only personal data necessary for each specific processing purpose are processed in an integrated manner. This obligation applies to the amount of personal data collected, the scope of their processing, the storage period and their availability. Specifically, such measures ensure that personal data are not automatically, without the intervention of an individual, available to an unlimited number of individuals.  
personal data was processed on the website of the Health Center contrary to Articles 5 and 6.
The Budget Act (Official Gazette, Nos. 87/08 and 136/12, 15/15), more precisely Article 12, paragraph 5, stipulates that local and regional self-government units, budgetary and extra-budgetary users publish annual financial reports on their website no later than eight days from the date of their submission.  
General data protection regulations.
The Ordinance on Financial Reporting in Budget Accounting (Official Gazette, Nos. 03/15, 93/15, 135/15, 2/17, 28/17 112/18) adopted pursuant to Article 100 of the Budget Act stipulates that are notes supplementing the data with the financial statements. Notes can be descriptive, numerical or combined. They are marked with ordinal numbers with reference to the AOP the label of the report to which they refer. Mandatory Notes to the Balance Sheet are: 1. List of contractual relations and the like which, subject to the fulfillment of certain conditions, may become liabilities or assets (letters of credit, mortgages, etc.) and 2. List of ongoing litigation. The list of ongoing litigation referred to in paragraph 1 of this Article must contain a summary description of the nature of the dispute, an assessment of the financial impact that may arise from the litigation as a liability or asset and the estimated time outflow or inflow of funds. Units of local and regional self-government, budgetary and extra-budgetary users publish annual financial reports on their websites no later than eight days from the day of their submission (Articles 13 and 14).
3. The Health Center is ordered to delete the personal data of person xy, and all other physical data
Following the above in this administrative matter, it was determined that the personal data of the applicant, namely her name and surname, are publicly available on the official website of the Health Center in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018." that the said document was published in accordance with Article 12 of the Budget Act and Article 27 of the Ordinance on Financial Reporting in Budget Accounting. Pursuant to Articles 13 and 14 of the aforementioned Ordinance, the notes are a supplement to the financial report and part of the mandatory notes is a list of ongoing litigation. However, the mentioned special Act and the Ordinance adopted on the basis thereof do not state that the list of disputes must contain the name and surname of the person / persons against whom the budget user is conducting a dispute, but stipulate that the list should contain a concise description of the nature of the dispute. as a liability or asset and the estimated time of outflow or inflow of assets.
persons listed in the document “Notes to the financial statements for the period from
Therefore, the Health Center had a legal basis for publishing this document on the website, but there is no legal basis and legal purpose for publishing personal data of the applicant as well as all other natural persons with whom the Health Center is litigating. personal data without a legal basis contrary to Articles 5, 6 and 25 of the General Data Protection Regulation. Therefore, the Health Center, as the controller, is ordered to act in accordance with the provisions of the General Data Protection Regulation when processing personal data processed and published in documents, to delete personal data of the applicant and all other persons listed in the document in accordance with Article 17. paragraph 1 (d) and to take appropriate measures to protect personal data so that the document is not searchable via Google search.  
1.1.2018-31.12.2018. ”Which was published on the website of the Health Center, a
Following the above, it was decided as in the operative part of the Decision.  
all in accordance with Article 17 (1) (d) of the General Data Protection Regulation.
INSTRUCTIONS ON LEGAL REMEDY  
O b r a z l o ž e n j e
No appeal is allowed against this decision, but an administrative dispute may be initiated before the Administrative by the court within 30 days from the day of delivery of the decision.  
The Agency for Personal Data Protection (hereinafter: the Agency) received a request xy (hereinafter)
DIRECTOR
in the text: the applicant) stating that by publishing her personal data in
Anto Rajkovača
document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018" and which is
 
published on the website of the Health Center there was a violation of her personal data.
 
The request is founded.
Acting upon the received request, the Agency requested a statement from the Health Center Fr.
the availability of the applicant's personal data, in particular on the legal basis and purpose of the publication
personal data of the applicant.
The health center has stated that it is obligated as a budget obligor in accordance with Article 12, paragraph
5 of the Budget Act and Article 27 of the Ordinance on Financial Accounting shall be published annually
financial statements on its website no later than 8 days from the date
surrenders. They further state that in accordance with Article 7, paragraph 2 of the said Ordinance, financially
the report of budget users of the state budget for the budget year consists of
Balance sheets, Statements of income and expenditure, receipts and expenditures, Statements of expenditure
according to functional classification, reports on changes in value and volume of assets and
commitment and Notes. They also state that, in accordance with Article 13 of the same Ordinance, the Notes are supplements
data with the financial report, and in accordance with Article 14, the mandatory notes to the Balance Sheet are a list
contractual relationships and the like that are the fulfillment of certain conditions may become a liability or an asset
and a list of ongoing litigation. Since the Health Center has filed an indictment against him
the applicants were obliged to state the same in the Notes.
The General Data Protection Regulation stipulates in Article 4 (1) (1) that personal data are all
data relating to an individual whose identity has been or can be established, and an individual whose
identity can be established is a person who can be identified directly or indirectly, especially with
help of identifiers such as name, identification number, location data, network identifier
or by one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that individual.
In accordance with Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of individuals with regard to the processing of personal data and on the free movement of such data
and repealing Directive 95/46 / EC hereinafter referred to as the General Data Protection Regulation
personal data must be processed lawfully, fairly and transparently with respect to the respondent
(principle of legality, fairness and transparency); collected in special, explicit and lawful
purposes and may not be further processed in a way that is not in line with those purposes (principle
purpose limitation); appropriate, relevant and limited to what is necessary in relation to the purposes
in which they are processed (the principle of reducing the amount of data); accurate and up - to - date if necessary (principle
accuracy); kept in a form that allows identification of respondents only for as long as
it is necessary for the purposes for which personal data are processed (storage restriction principle);
processed in a way that ensures adequate security of personal data, including
protection against protection against unauthorized or unlawful processing and against accidental loss, destruction or
damage by applying appropriate technical or organizational measures (principle of integrity and
confidentiality).
Article 6 of the General Data Protection Regulation stipulates that processing is lawful only if and in
to the extent that at least one of the following is met: the respondent has given consent to processing
their personal data for one or more special purposes; processing is necessary for execution
a contract to which the respondent is a party or to take action at the request of the respondent before
concluding contracts; processing is necessary to comply with the legal obligations of the processing manager; processing is
necessary to protect the key interests of respondents or other natural persons; processing is necessary for the performance of a task of public interest or in the performance of the official authority of the controller;
processing is necessary for the legitimate interests of the processing manager or a third party, except when they are from
these interests are stronger interests or fundamental rights and freedoms of respondents that require the protection of personal
data.
Article 17 of the General Data Protection Regulation stipulates that the respondent is entitled to a leader
processing to obtain the deletion of personal data relating to him without undue delay
and the controller has an obligation to delete personal data without undue delay if any
fulfilled one of the conditions, among other things, personal data are no longer necessary in relation to the purposes in
which have been collected or otherwise processed.
Article 25 of the General Data Protection Regulation stipulates that taking into account the latest
achievements, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of different
level of probability and seriousness for the rights and freedoms of individuals arising from processing
data, the controller, both at the time of determining the means of processing and at the time of processing,
implements appropriate technical and organizational measures, such as pseudonymization, for
enabling the effective application of data protection principles, such as volume reduction
data, and the inclusion of safeguards in the processing in order to meet the requirements of this Regulation, and
protect the rights of respondents. The processing manager implements the appropriate technical and organizational
measures to ensure that only personal data that are
necessary for each specific processing purpose. This obligation applies to the amount collected
personal data, the scope of their processing, the storage period and their availability. More precisely,
such measures ensure that personal data are not automatic, without the intervention of an individual,
available to an unlimited number of individuals.
The Budget Act (Official Gazette, Nos. 87/08 and 136/12, 15/15), more precisely Article 12.
paragraph 5 stipulates that local and regional self-government units, budgetary
and extrabudgetary users publish annual financial reports on their websites
pages no later than eight days from the date of their submission.
Ordinance on financial reporting in budget accounting (Official Gazette)
No. 03/15, 93/15, 135/15, 2/17, 28/17 112/18) adopted pursuant to Article 100 of the Law on
the budget stipulates that the notes supplement the data with the financial statements. Notes can
be descriptive, numerical or combined. They are marked with ordinal numbers with reference to the AOP
the label of the report to which they refer. Mandatory Notes to the Balance Sheet are: 1. List of contractors
relationships and the like which, subject to the fulfillment of certain conditions, may become an obligation or an asset (given
letters of credit, mortgages, etc.) and 2. List of pending litigation. List of litigation in
the course referred to in paragraph 1 of this Article must contain a concise description of the nature of the dispute, an assessment of the financial
the effect that may result from litigation as a liability or asset and the estimated time
outflow or inflow of funds. Units of local and regional self-government, budgetary
and extrabudgetary users publish annual financial reports on their websites
pages no later than eight days from the date of their submission (Articles 13 and 14)
Following the above in this administrative matter, it was determined that the personal data of the applicant
requests more precisely her name and surname publicly available on the official website of the Health Center
in the document “Notes to the financial statements for the period from 1.1.2018 to 31.12.2018.” It was further established that the said document was published in accordance with Article 12 of the Law on Budget and
Article 27 of the Ordinance on Financial Reporting in Budget Accounting. Accordingly
Articles 13 and 14 of the said Ordinance supplement the notes to the financial report and are part of the mandatory ones
notes is a list of ongoing litigation. However the above special Act and on the basis
it is not stated in the adopted Ordinance that the list of disputes must contain the name and surname
persons / persons against whom the budget user is litigating it is already prescribed that the list should
contain a concise description of the nature of the dispute, an assessment of the financial impact that may result from
litigation as a liability or asset and the estimated time of outflow or inflow of funds.
Therefore, the Health Center had a legal basis for publishing this document on the website,
however, there is no legal basis and legitimate purpose for publishing the applicant's personal data
requirements as well as all other natural persons with whom the Health Center in question is litigating
thereby publishing personal data without a legal basis contrary to Articles 5, 6 and 25.
General data protection regulations. Therefore, the Health Center is instructed as the treatment manager to
when processing personal data that it processes and publishes in documents, it acts in accordance with it
with the provisions of the General Data Protection Regulation, to delete the applicant's personal data
and all other persons listed in the document in question in accordance with Article 17.
paragraph 1 (d) and to take appropriate measures to protect personal data as the document does not
would be searchable via Google search engine.
Following the above, it was decided as in the operative part of the Decision.
INSTRUCTIONS ON LEGAL REMEDY
No appeal is allowed against this decision, but an administrative dispute may be initiated before the Administrative
by the court within 30 days from the day of delivery of the decision.
</pre>
</pre>
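Review bot: in the opening paragraph of the new translation, the citation of the implementing act has lost its article number. The old line cites Article 34 of the Act Implementing the General Regulation on Data Protection, while the new one reads "and Art. Of the Act Implementing the General Regulation on Data Protection", so the reference no longer identifies a provision; carry the number over from the old text. Two further sentences lost words when the lines were re-flowed and no longer parse. The Article 25 paragraph drops its subject (the controller) and now reads "individuals , and at the time of determining the means of processing". The closing reasoning drops "thereby publishing" and is left with the fragment "litigating. personal data without a legal basis". The last condition of the Article 6 paragraph also changes meaning: in the old wording the respondents' interests or fundamental rights are the stronger ones, while the new wording makes the controller's interests the stronger ones. Finally, the edit summary describes changes to the Facts section, but the visible hunk at Line 87 rewrites the machine translation; the summary should mention that as well.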

Revision as of 10:26, 15 March 2022

AZOP (Croatia) - Decision of 28 August 2019
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 4(1) GDPR
Article 5(1) GDPR
Article 6(1) GDPR
Article 17(1) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Article 100 Budget Act By-law
Article 12 (5) Budget Act
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 28.08.2019
Fine: None
Parties: Health Center
National Case Number/Name: Decision of 28 August 2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: tom_vranovic

The Croatian DPA (AZOP) ordered the controller to comply with the data subject's erasure request, because the controller unlawfully published the data subject's personal data on its website, in violation of Article 5 and Article 6 GDPR.

English Summary

Facts

The controller is the Health Center (a health clinic) and had indicted the data subject (for unknown reasons). The data subject requested the Health Center to erase her personal data because her name and surname were published in a document called "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018". This document was publicly available on the controller's website. The controller refused to comply with the data subject's request, so the data subject filed a complaint with the DPA.

The DPA asked the controller to state the legal basis and purpose of the processing, and why it refused to comply with the data subject's request. The controller stated that it had a legal obligation to publish the personal data. It explained that, according to national law, it was obligated to publish annual financial statements on its website. Moreover, as part of this obligation, it must also publish details that provide further explanation of the financial data. These details were published in the above-mentioned document. Since the controller and the data subject were in a legal dispute, and information on disputes must be published in these financial notes, the controller claimed that it had to publish the data subject's personal data.

Holding

The DPA upheld the data subject's complaint.

The DPA considered that it follows from national law that the controller is obligated to publish an annual financial statement, with supplementary notes that provide further explanation on, inter alia, the controller's ongoing legal disputes. However, the national legislation does not prescribe that these notes must contain the name and surname of the parties in the dispute, since a description of the dispute suffices. Hence, the DPA concluded that the controller had no legal basis to publish the data subject's personal data, in violation of Article 5, Article 6, and Article 25 GDPR. It ordered the controller to comply with the data subject's erasure request pursuant to Article 17(1)(d) GDPR, and to take appropriate measures to protect personal data to ensure that the document is not searchable via Google search.

Comment

The DPA stated that the controller (also) violated Article 25 GDPR because they published the data subject's personal data on their website, without a legal basis. Unfortunately, the legal reasoning is unclear. One can assume that the controller neglected to implement appropriate technical and organisational measures that ensure adherence to data protection principles, such as the principle of data minimisation. However, a violation of (one of) these principles does not necessarily lead to a violation of Article 25 GDPR, and it is thus unclear what measures the controller had neglected to implement.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

REPUBLIC OF CROATIA
PERSONAL DATA PROTECTION AGENCY
CLASS:
REGISTRATION NUMBER: 
Zagreb, 28 August 2019 
The Personal Data Protection Agency pursuant to Articles 57 (1) and 58 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data repealing Directive 95/46 / EC (General Data Protection Regulation) SLEU L119 (hereinafter: the General Regulation) and Art. Of the Act Implementing the General Regulation on Data Protection, Official Gazette, no 42/18) and Article 42, paragraphs 1 and 2 and Article 96, paragraph 1 of the General Administrative Procedure Act (Official Gazette 47/09), upon request for protection of rights xy  
RESOLUTION 
1. The request for a violation of the right to protection of personal data xy is founded. 
2. It is established that the publication of the name and surname xy in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018", which was published on the website of the Health Center, was processing of personal data contrary to Articles 5 and 6 of the General Data Protection Regulation.
3. The Health Center is ordered to delete the personal data of person xy, and of all other natural persons listed in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018", which is published on the website of the Health Center, all in accordance with Article 17, paragraph 1 (d) of the General Data Protection Regulation.
Statement of reasons
The Agency for Personal Data Protection (hereinafter: the Agency) received a request from xy (hereinafter: the applicant) stating that her personal data was violated by the publication of her personal data in the document "Notes to the financial statements for the period from 1.1.2018-31.12.2018.", which was published on the website of the Health Center.
The request is founded. 
Acting upon the received request, the Agency requested a statement from the Health Center on the availability of the applicant's personal data, more precisely on the legal basis and purpose of publishing the applicant's personal data. 
The Health Center has stated that, as a budget obligor, it is obliged in accordance with Article 12, paragraph 5 of the Budget Act and Article 27 of the Ordinance on Financial Accounting to publish the annual financial statements on its website no later than 8 days from the date of submission. They further state that in accordance with Article 7, paragraph 2 of the said Ordinance, the financial report of the budget users of the state budget for the financial year consists of Balance sheets, Statements of income and expenditure, receipts and expenditures, Statements of expenditures by functional classification, statements of changes in the value and volume of assets and liabilities and Notes. They also state that in accordance with Article 13 of the same Ordinance, the Notes supplement the data with the financial report, and in accordance with Article 14, the obligatory notes to the Balance Sheet are a list of contractual relationships and the like that meet certain conditions and a list of ongoing litigation. As the Health Center had indicted the applicant, they were obliged to state the same in the Notes.
The General Data Protection Regulation stipulates in Article 4 (1) (1) that personal data are all data relating to an identified or identifiable individual, and an identifiable individual is a person who can be identified directly or indirectly, in particular with the help of identifiers such as name, identification number, location data, network identifier or by means of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Pursuant to Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation), personal data must be processed lawfully, fairly and transparently with regard to the respondent (principle of legality, fairness and transparency); collected for special, explicit and legitimate purposes and may not be further processed in a way that is not in accordance with those purposes (purpose limitation principle); appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the principle of reducing the amount of data); accurate and, where appropriate, up-to-date (principle of accuracy); kept in a form that allows identification of respondents only for as long as it is necessary for the purposes for which personal data are processed (storage restriction principle); processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage through the application of appropriate technical or organizational measures (principle of integrity and confidentiality).
Article 6 of the General Data Protection Regulation stipulates that processing is lawful only if and to the extent that at least one of the following conditions has been met: the respondent has given his or her consent to the processing of his or her personal data for one or more specific purposes; processing is necessary for the performance of the contract to which the respondent is a party or in order to take action at the request of the respondent prior to the conclusion of the contract; processing is necessary to comply with the legal obligations of the controller; processing is necessary to protect the key interests of the respondent or other natural person; processing is necessary for the performance of a task of public interest or in the performance of the official authority of the controller; processing is necessary for the legitimate interests of the controller or a third party, except when those interests are overridden by the interests or fundamental rights and freedoms of respondents which require the protection of personal data.
Article 17 of the General Data Protection Regulation stipulates that the respondent has the right to obtain from the controller the deletion of personal data relating to him without undue delay and the controller has the obligation to delete personal data without undue delay if one of the conditions is met, inter alia, personal data are no longer necessary for the purposes for which they were collected or otherwise processed. 
Article 25 of the General Data Protection Regulation stipulates that, taking into account the latest developments, cost of implementation and the nature, scope, context and purposes of processing, as well as risks of different levels of probability and seriousness for the rights and freedoms of individuals, the controller shall, both at the time of determining the means of processing and at the time of processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, to enable effective application of data protection principles, such as data reduction, and the inclusion of safeguards in order to meet and protect the rights of respondents. The controller shall implement appropriate technical and organizational measures to ensure that only personal data necessary for each specific processing purpose are processed in an integrated manner. This obligation applies to the amount of personal data collected, the scope of their processing, the storage period and their availability. Specifically, such measures ensure that personal data are not automatically, without the intervention of an individual, available to an unlimited number of individuals.
The Budget Act (Official Gazette, Nos. 87/08, 136/12 and 15/15), more precisely Article 12, paragraph 5, stipulates that local and regional self-government units, budgetary and extra-budgetary users publish annual financial reports on their website no later than eight days from the date of their submission.
The Ordinance on Financial Reporting in Budget Accounting (Official Gazette, Nos. 03/15, 93/15, 135/15, 2/17, 28/17, 112/18), adopted pursuant to Article 100 of the Budget Act, stipulates that the Notes are a supplement to the data accompanying the financial statements. Notes can be descriptive, numerical or combined. They are marked with ordinal numbers with reference to the AOP label of the report to which they refer. Mandatory Notes to the Balance Sheet are: 1. List of contractual relations and the like which, subject to the fulfillment of certain conditions, may become liabilities or assets (letters of credit, mortgages, etc.) and 2. List of ongoing litigation. The list of ongoing litigation referred to in paragraph 1 of this Article must contain a summary description of the nature of the dispute, an assessment of the financial impact that may arise from the litigation as a liability or asset and the estimated time of outflow or inflow of funds. Units of local and regional self-government, budgetary and extra-budgetary users publish annual financial reports on their websites no later than eight days from the day of their submission (Articles 13 and 14).
Following the above, it was determined in this administrative matter that the personal data of the applicant, namely her name and surname, are publicly available on the official website of the Health Center in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018" and that the said document was published in accordance with Article 12 of the Budget Act and Article 27 of the Ordinance on Financial Reporting in Budget Accounting. Pursuant to Articles 13 and 14 of the aforementioned Ordinance, the notes are a supplement to the financial report and part of the mandatory notes is a list of ongoing litigation. However, the mentioned special Act and the Ordinance adopted on the basis thereof do not state that the list of disputes must contain the name and surname of the person or persons against whom the budget user is conducting a dispute, but stipulate that the list should contain a concise description of the nature of the dispute, an assessment of the financial impact that may arise from the dispute as a liability or asset and the estimated time of outflow or inflow of assets.
Therefore, the Health Center had a legal basis for publishing this document on the website, but there is no legal basis and legal purpose for publishing personal data of the applicant as well as all other natural persons with whom the Health Center is litigating. personal data without a legal basis contrary to Articles 5, 6 and 25 of the General Data Protection Regulation. Therefore, the Health Center, as the controller, is ordered to act in accordance with the provisions of the General Data Protection Regulation when processing personal data processed and published in documents, to delete personal data of the applicant and all other persons listed in the document in accordance with Article 17, paragraph 1 (d), and to take appropriate measures to protect personal data so that the document is not searchable via Google search.
Following the above, it was decided as in the operative part of the Decision. 
INSTRUCTIONS ON LEGAL REMEDY 
No appeal is allowed against this decision, but an administrative dispute may be initiated before the Administrative Court within 30 days from the day of delivery of the decision.
DIRECTOR 
Anto Rajkovača