IP (Slovenia) - 0602-11/2024/9: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Slovenia |DPA-BG-Color= |DPAlogo=LogoSI.png |DPA_Abbrevation=IP |DPA_With_Country=IP (Slovenia) |Case_Number_Name=0602-11/2024/9 |ECLI= |Original_Source_Name_1=IP (Slovenia) |Original_Source_Link_1=https://www.ip-rs.si/fileadmin/user_upload/zip/Ponovna_uporaba/2024/julij/Julij_2024-Odlocbe-ZIN.zip |Original_Source_Language_1=Slovenian |Original_Source_Language__Code_1=SL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_...") |
m (wording changed - short summary, facts and holding) |
||
Line 61: | Line 61: | ||
}} | }} | ||
The DPA declared the controller violated [[Article 12 GDPR|Article 12 GDPR]] and [[Article 17 GDPR|Article 17 GDPR]] by failing to request erasure request in timely manner. | The DPA declared the controller violated [[Article 12 GDPR|Article 12 GDPR]] and [[Article 17 GDPR|Article 17 GDPR]] by failing to request erasure request in timely manner. No corrective measures were imposed as the controller remedied the breach, deleting the data during the investigation. | ||
== English Summary == | == English Summary == | ||
Line 71: | Line 71: | ||
The data subject lodged a complaint with the Slovenian DPA (IP). | The data subject lodged a complaint with the Slovenian DPA (IP). | ||
Within the examination proceedings, the controller explained they deleted data subject’s data according to his request. However, the controller had no data confirming the kinship between the data subject and his daughter. Because of that, the daughter’s data was not initially deleted, | Within the examination proceedings, the controller explained they deleted data subject’s data according to his request. However, the controller had no data confirming the kinship between the data subject and his daughter. Because of that, the daughter’s data was not initially deleted. However, during the examination proceedings the controller deleted the daughter’s data. | ||
=== Holding === | === Holding === |
Revision as of 11:53, 3 September 2024
IP - 0602-11/2024/9 | |
---|---|
Authority: | IP (Slovenia) |
Jurisdiction: | Slovenia |
Relevant Law: | Article 12(3) GDPR Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 17.06.2024 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 0602-11/2024/9 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Slovenian |
Original Source: | IP (Slovenia) (in SL) |
Initial Contributor: | wp |
The DPA declared the controller violated Article 12 GDPR and Article 17 GDPR by failing to request erasure request in timely manner. No corrective measures were imposed as the controller remedied the breach, deleting the data during the investigation.
English Summary
Facts
A data subject and her daughter were users (members) of service provided by a data controller.
The data subject requested a data controller to erase the personal data concerning her as well as personal data of her daughter. In an e-mail response, the controller confirmed they deleted the data. Nonetheless, it turned out daughter’s data was still processed. The data subject lodged a complaint with the Slovenian DPA (IP).
Within the examination proceedings, the controller explained they deleted data subject’s data according to his request. However, the controller had no data confirming the kinship between the data subject and his daughter. Because of that, the daughter’s data was not initially deleted. However, during the examination proceedings the controller deleted the daughter’s data.
Holding
The DPA found the controller violated Article 12 GDPR and Article 17 GDPR. The controller did not answer the data subject’s request within the time framework of Article 12(3) GDPR. Nevertheless, during the proceedings before the DPA, the controller deleted the data. Therefore, the violation was remedied and the DPA decided not make use of other corrective powers.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
Number: 0602-11/2024/9 Date: 17 June 2024 The Information Commissioner (hereafter IP) issues, on the basis of Article 77 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in the processing of personal data and on the free flow of such data and on the repeal of the Directive 95/46/EC (hereafter General Regulation) and Article 34 in relation to point 2 of the first paragraph of Article 55 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 163/22; hereafter ZVOP-2) and in in relation to the Act on General Administrative Procedure (Official Gazette of the Republic of Slovenia, No. 24/06 – UPB, with amendments and additions; hereinafter ZUP), in the application procedure of the applicant with a special status: ..., dated 27/02/2024 against the controller: ..., in the matter of the right to delete personal data O D L O C B O 1. It is established that the controller... at the time of filing the applicant's application... on 27/02/2024, violated Article 17 of the General Regulation in relation to Article 12 of the General Regulation and Article 14 of ZVOP-2 by failing to make an appropriate decision in time on the request to delete personal data. 2. The manager... shall not be ordered to take measures regarding the processing of personal data. 3. The applicant... is allowed to review the case file in its entirety, which is kept under no. 0602-11/2024. 4. In this procedure, the authority did not incur any special costs, and each party bears its own costs of the procedure. P r a s i o n s 1. Current course of the procedure and relevant information On February 8, 2024 and February 18, 2024, the applicant submitted a request to the administrator for deletion from ... and deletion of her daughter's personal data. The administrator replied to the applicant by e-mail on 19 February 2024, namely that he had deleted the data. Against this answer, on 27/02/2024, the applicant filed a report with the IP, in which she stated that she is still a member... and that the administrator is illegally continuing to process her daughter's personal data. On March 5, 2024, the IP asked the operator to make a full written decision on the applicant's request in accordance with Articles 12 and 17 of the General Regulation in relation to Article 14 of the ZVOP-2. The administrator's response was received by the IP on 25/03/2024. He stated that, following IP's request, he decided to comply with the applicant's request for deletion from ... and to delete the requested personal data, and also informed her in writing on 21/03/2024 by e-mail. At the same time, he explained why the procedures related to her request for deletion were not carried out correctly. Therefore, on 04/05/2024 the IP sent the applicant a record of essential findings and a request for clarification, to which he received a reply on 04/11/2024, from which it follows that she did not receive all the desired explanations from the controller and that her request was not decided in entirely. On April 17, 2024, the IP sent the applicant's response to the administrator and asked him to clarify her statements and provide any missing explanations and proofs. The IP received a reply from the operator on 29/04/2024. He stated that he deleted the personal data of the applicant and her daughter, which he processed as part of his membership in ..., on 7/3/2024, which he informed the applicant about on 21/3/2024. human error, and as proof that it no longer processes the applicant's personal data, he attached screenshots. With regard to the applicant's request that the administrator also provide her with information on whether the membership of ... based on her request for the deletion of her daughter's personal data also ended for someone else, the administrator explained that it does not keep records of the kinship relationships of individual members ..., because based on of received member data... cannot use its systems to connect kinship or other possible relationships between club members or entered data of children. The controller therefore explained that it does not keep records of whether other individuals have also used the personal data of the applicant's child to enroll in... The controller also sent the applicant an explanation and proof. On 17 May 2024, the IP issued a new record of findings essential for the decision in this procedure and a call for a statement before the decision, to which no party responded within the set 10-day deadline from service. Since the IP considered that the factual situation for the decision in this case was fully established, it did not perform other procedural actions. 2. Control procedure The first paragraph of Article 30 ZVOP-2 provides that an individual who believes that the processing of his personal data by the controller or processor violates the provisions of the General Regulation, this Act or other laws governing the processing or protection of personal data, or violates the provisions of related by-laws or general acts for the exercise of public powers, submits a request to the supervisory authority in accordance with the law governing the general administrative procedure, with which he requests control of the legality of the processing of his personal data, and may also propose the necessary action in accordance with to the previous article in case of established violations, so that the establishment of a legal situation is achieved. The second paragraph of the same article ZVOP-2 stipulates that each party shall bear its own costs of the procedure. Therefore, the IP considered the application in a procedure conducted at the request of the applicant with a special position, which guarantees the right to appeal under Article 77 of the General Regulation. In this supervisory procedure, he acted according to the provisions of Articles 30 to 35 of ZVOP-2 (procedure based on the application of an applicant with a special status). Among other things, this procedure is characterized by the fact that the IP acts in accordance with the investigative and regulatory powers from Article 58 of the General Regulation and Articles 28 and 29 of ZVOP-2 and in accordance with the general rules of the ZUP. IP, as a supervisory authority, after the supervision procedure has been carried out, in accordance with the first paragraph of Article 34, issues a decision which, in addition to the components specified by the law governing the general administrative procedure, contains: 1) determination of the existence or non-existence of the alleged violation of the processing of personal data of the applicant with a special position at the time of filing the application; 2) measures ordered to the manager or processor regarding the processing of personal data relating to the applicant with a special status, and the deadline for their implementation; 3) permitted scope of review of the case file for an applicant with a special status. 3. General information on the right to delete personal data On the basis of the first paragraph of Article 17 of the General Regulation, the individual to whom the personal data relates has the right in certain cases to have the controller delete the personal data relating to him without undue delay, and the controller has the obligation to delete the personal data without undue delay. An individual is entitled to deletion when one of the following reasons is given: (a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (b) the data subject revokes the consent on the basis of which the processing takes place in accordance with point (a) of Article 6(1) or point (a) of Article 9(2), and where there is no basis for the processing other legal basis; (c) the data subject objects to the processing in accordance with Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing in accordance with Article 21(2); (d) personal data has been processed illegally; (e) personal data must be deleted to comply with a legal obligation under Union law or the law of a Member State applicable to the controller; (f) personal data were collected in connection with the offer of information society services referred to in Article 8(1). Procedural rules are regulated in Articles 11 and 12 of the General Regulation, and procedural provisions are also contained in ZVOP-2 in Articles 12 to 21. The prescribed deadline for the controller's response is one month after receiving the request. If necessary, this deadline may be extended by a maximum of two additional months, taking into account the complexity and number of requests, and the controller is obliged to inform the data subject of any such extension within one month of receiving the request together with the reasons for the delay (third paragraph 12 of the General Regulation). The form of the decision on the request for deletion and its components for the controller in a specific case is determined by Article 14 of ZVOP-2. Pursuant to this provision, the controller, which is not a state body or a self-governing local community, handles claims by individuals from Articles 15 to 22 of the General Regulation and other claims by individuals in the field of personal data protection, access to personal data, their acquisition and processing according to this or that to the law, informs the individual of the decision and, if this is the subject of the request, of the personal data relating to him, within the time limit set by the General Regulation. If the individual so requests, he can also be informed of personal data verbally. The decision must contain reasons and information about the right to appeal to the supervisory authority within 15 days of being informed of the decision in accordance with the provisions of point f) of the first paragraph of Article 15 of the General Regulation. The decision can take the form of an official note, which is sent to the individual in a way that enables them to become familiar with the decision and prove its receipt. 4. Assessment of the applicant's statements The IP notes that at the time of submitting the application on 27/02/2024, the controller had not yet adequately decided on the applicant's request for deletion of personal data, which she submitted on 8/02/2024 and supplemented it on 18/02/2024. manager. Since at that time the one-month deadline for a decision on the request had already expired, the IP judged that the controller had violated Article 17 in relation to Article 12 of the General Regulation and Article 14 of ZVOP-2. This violation was remedied by the manager after the application and summons of the IP with a reply dated 21/03/2024, which he served to both the IP and the applicant, thereby fulfilling the obligations under the aforementioned provisions. In his reply, he informed the applicant that he had granted her request for deletion of personal data. It follows from the above that the controller of personal data subsequently fulfilled the obligations under Articles 12 and 17 of the General Regulation and Article 14 of ZVOP-2 by deleting the requested personal data and notifying the applicant in writing. Therefore, in point 1 of the pronouncement of this decision, the IP found that the controller violated Article 17 of the General Regulation in relation to Article 12 of the General Regulation and Article 14 of the ZVOP-2 at the time of filing the application on 27/02/2024 by did not make an adequate decision on the request for deletion of personal data in time. Since the controller completely eliminated the identified violation of the right to erasure of personal data after filing the application, the IP did not order him to take special measures regarding the processing of the personal data of the applicant (point 2 of the pronouncement of the decision), as this would be pointless in the described circumstances. The use of the set of corrective measures from the second paragraph of Article 58 of the General Regulation is also conditioned by the fact that the measure in question is necessary to ensure compliance with this regulation (cf. point 48 of the reasoning of the final proposals of the Advocate General Priit Pikamäe dated 11/04/2024 in Case C 768/21, TR v. Land Hessen). 5. Permissible scope of file review In point 3 of the first paragraph of Article 34 of ZVOP-2, it is stipulated that the decision in the control procedure according to the provisions of this section, in addition to the components determined by the law governing the general administrative procedure, also contains the permissible scope of the review of the case file for the applicant with a special situation . The IP did not restrict the applicant's right to review the file of the case, which is kept under no. 0602-11/2024, as no reasons are given for this (point 3 of the pronouncement of the decision). 6. Costs of the procedure Pursuant to the first paragraph of Article 118 of the ZUP, the authority decides in its decision on the costs of the procedure, who bears the costs of the procedure, how much they are, and to whom and within what period they must be paid. No special costs were incurred in this control procedure (point 4 of the pronouncement of the decision). The applicant and the controller shall each cover their own costs that may have been incurred by them as a result of the procedure (second paragraph of Article 30 of ZVOP-2). In accordance with the provisions of the Administrative Fees Act (Official Gazette of the Republic of Slovenia, No. 106/10 - official consolidated text, with amendments and additions), this decision is exempt from the payment of the administrative fee. Lessons on the legal remedy: An appeal against this decision is not allowed, but it is permissible to initiate an administrative dispute. An administrative dispute is initiated by filing a lawsuit at the Administrative Court, Fajfarjeva 33, 1000 Ljubljana. The lawsuit must be filed within thirty days of the service of this decision, in writing directly to the said court or by registered mail or orally on the record. If the claim is sent by registered mail, it is considered to have arrived on time if it was sent to the post on the last day of the deadline for filing the claim. In addition to the original, transcript or copy of this decision, the lawsuit must also be accompanied by one transcript or copy of the lawsuit and attachments for the defendant, if someone is affected by the decision, as well as for him. ...., the State Inspectorate for the Protection of Personal Data