IP - 7121-1/2020/369: Difference between revisions

From GDPRhub
(Created page with "Category:Article 58(3) GDPR {| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" ! colspan="2" |IP - 07121-1/2020/387 |- | colspan="2" style="padding:...")
 
No edit summary
Line 1: Line 1:
[[Category:Article 58(3) GDPR]]
[[Category:Article 58(3) GDPR]]
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
! colspan="2" |IP - 07121-1/2020/387
! colspan="2" |IP - 7121-1 / 2020/369
|-
|-
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:logoSI.png|center|250px]]
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:logoSI.png|center|250px]]
Line 11: Line 11:
[[Category: Slovenia]]
[[Category: Slovenia]]
|-
|-
|Relevant Law:||[[Article 9 GDPR]]
|Relevant Law:||[[Article 6 GDPR]]
[[Article 7 GDPR]]
 
[[Article 8 GDPR]]
 
[[Article 13 GDPR]]
|-
|-
|Type:||Opinion
|Type:||Opinion
|-
|-
|Outcome:||n/a
|Outcome:||Non-binding
|-
|-
|Decided:||20. 3. 2020
|Decided:||20. 3. 2020
Line 27: Line 32:
|Parties:||anonymous
|Parties:||anonymous
|-
|-
|National Case Number:||07121-1 / 2020/387
|National Case Number:||7121-1 / 2020/369
|-
|-
|European Case Law Identifier:||n/a
|European Case Law Identifier:||n/a
Line 36: Line 41:
Slovenian
Slovenian
|-
|-
|Original Source:||[https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1374 Informacijski Pooblaščenec (SI)]
|Original Source:||[https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1375 Informacijski Pooblaščenec (SI)]
|}
|}


The Slovenian Supervisory Authority (IP) issued an opinion as foreseen under [[Article 58 GDPR#3|Article 58(3) GDPR]] on the issue of the health data sharing under [[Article 9 GDPR]] in the employer - employee context. It held that there is no reason to collect such data by all organisations and companies, since in principle such information is provided through the National Institute of Public Health (NIJZ) epidemiological service. For all the other cases, the respective exceptions under Article 9(2) GDPR may apply.
The Slovenian Supervisory Authority (IP) issued an opinion as foreseen under [[Article 58 GDPR#3|Article 58(3) GDPR]] on the issue of the validity of consent to access digital content and online classrooms during the state of emergency in the Slovenia. The IP found that the consent may be given in writing, electronically or in another appropriate manner, and in any case should fulfill the requirements under [[Article 7 GDPR|Article 7]] and [[Article 8 GDPR]].


==English Summary==
==English Summary==


===Facts and questions arising===
===Facts and questions arising===
The IP received a request whether at the time of the pandemic, an employee may be required to notify an employer about the infection with the corona virus. The purpose of such notification would be to ensure safe working conditions in the unit where the employee performs their work.     
Various providers have opened up their digital content to provide free access to this content for students and students, and some are looking to gain access to creating classrooms by groups of students' online addresses.   
 
The IP received a request from the principals whether the consent would be valid if the students gave it electronically via e-mail, and not in the written form, since a handwritten consent cannot be obtained during the pandemic period.     


===Holding===
===Holding===
The IP was of the view that the employer may request that employees inform the employer about the infection, if the NIJZ deems it necessary. Such information falls under the special category personal data under Article 9 GDPR. The processing of such data is prohibited unless one of the exceptions referred to in Article 9(2) GDPR applies.   
The IP clarified that under the GDPR consent does not have to be handwritten. According to [[Article 4(11) GDPR]], ''"consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"''. Consent may therefore be given in writing, electronically or in another appropriate manner.   


In the event of the COVID-19 pandemic, which threatens both the individual and public health, these exceptional circumstances may require measures that interfere with the processing of special category personal data. The IP held that the measures that otherwise interfere with the processing of special category personal data may be in the interests of protecting the vital interests of employees, the legitimate interests of the company, and in the public interest.
The IP further provided that the validity of consent must be subject to the conditions laid down in [[Article 7 GDPR]].  


If such a member of the medical staff decided that an obligation to process the health data exists, the explicit consent cannot be a suitable basis for processing since the legal basis derives from the above mentioned rules and labor law. The principle of proportionality should always be respected and only the data that is necessary to achieve the purpose should be processed. However, this information must be adequately protected by the employer. In principle, statistics (eg, only information on the occurrence of an infection in a particular company, class, floor, etc.) are sufficient to provide further information, without other information that enables the individual to be identifiable.  
Additionally, in this case, the IP also reiterated the provisions of [[Article 8 GDPR]] on conditions applicable to child's consent in relation to information society services.


Therefore, there is no reason to collect such data in all organizations and companies, since in principle such information is provided through the NIJZ epidemiological service. Should the NIJZ epidemiological service in a particular institution confirm a case of infection with the new coronavirus either among employees or among users, the NIJZ epidemiologist will immediately contact the organisation and give them clear instructions on the follow-up procedures and measures to be taken.
Against this background, consent may also be given by electronic means subject to the conditions set out in Articles 7 and 8 GDPR.


The IP invited to get familiar with detailed information on the processing of personal data at the time of pandemic, which it made available on its website:
It is also recalled that individuals need to be properly informed before giving their consent - they should be clearly informed of what personal data will be processed, for what purposes, about their rights, etc., as required by [[Article 13 GDPR]].  
 
<nowiki>https://www.ip-rs.si/news/responsible-learning-</nowiki> all- is- crucial-in-the-virus-crisis-1170/


==Comment==
==Comment==
Line 63: Line 68:


==Further Resources==
==Further Resources==
''Share blogs or news articles here!''
The IP invited to get familiar with more information on their website concerning the provision of information to the individuals ahead of the collection of their consent:
 
https://www.ip-rs.si/fileadmin/user_upload/doc/vzorci/VZOREC_OBVESTILA_POSAMEZNIKOM_GLEDE_OBDELAVE_OSEBNIH_PODATKOV.docx
 
More information about the consent:
 
Infographics: https://www.ip-rs.si/fileadmin/user_upload/png/infografike/pravne_podlage_zasebni_sektor_s_pogoji_privolitve.pdf
 
Specific Consent Subpages: https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/privolitev/


==English Machine Translation of the Decision==
==English Machine Translation of the Decision==
Line 71: Line 84:
<pre>
<pre>
Date: 03/20/2020
Date: 03/20/2020
Title: Obligation to inform the employer of individual occurrences of the COVID-19 virus
Title: Opinion on consent to access digital classrooms
Number: 07121-1 / 2020/387
Number: 7121-1 / 2020/369
Subject matter: Employment relations, Specific types, Legal bases
Subject matter: Information for the individual, Legal bases, Consent, Education
Legal act: Opinion
Legal act: Opinion
The Information Commissioner (hereinafter referred to as IP) has received your question whether it is permissible, at the time of the epidemic, to require the worker to notify the employer in the event of coronavirus infection. Namely, we need the information to ensure safe working conditions in the unit where the worker performs his work.
The Information Commissioner (hereinafter: IP) has received your letter asking us for an opinion on the validity of consent to access digital content and online classrooms during the state of emergency in the Republic of Slovenia. Various providers have opened up their digital content to provide free access to this content for students and students, and some are looking to gain access to creating classrooms by groups of students' online addresses. The principals have contacted you with a question as to whether the consent would be valid if the students submitted it electronically via e-mail, even if they were not signed in their own hands, since the consent cannot be obtained during this time, since it is inadvisable to advise leaving home.
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46 / EC (hereinafter referred to as the General Data Protection Regulation or Decree), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter ZVOP- 1) and Article 2 of the Information Commissioner Act (Official Gazette RS, No. 113/05, hereinafter ZInfP) provide IP explanations.
On the basis of the information you have provided, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 95/46 / EC (hereinafter: the General Decree), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07, officially consolidated text, hereinafter ZVOP-1), and 2 Article 43 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question.
It is not possible to speak automatically and in all cases of such an obligation on the employee. However, such an obligation of the employee may be ordered by an individual company or organization at the discretion of the competent institutions and the authorized person for occupational health (depending on the specific nature and organization of work) and taking into account the ZDR-1 in connection with sectoral regulations and measures for ensuring health and safety at work. This is a question that needs to be answered primarily by the health care profession, especially by an authorized occupational health officer. So if this is the nature of work, where, despite quarantine, workers come to work or were at work at a time when they could infect others and infection information may be relevant to the employer because of the urgent need to take the necessary measures to protect the vital interests of employees or third parties, such a requirement could be justified in the given emergency.  
The IP makes it clear that an individual's consent under the General Regulation is not necessarily a mere handwritten consent. According to Article 4 (11) of the General Regulation, 'consent of the data subject' means any voluntary, explicit, informed and unambiguous statement of the will of the data subject by which he expresses himself with a statement or clear affirmative action consent to the processing of personal data relating to him. Consent may therefore be given in writing, electronically or in another appropriate manner.
According to the NIJZ, employers should alert or urge sick workers to stay home and follow the instructions. The NIJZ also provided accurate instructions on how to deal with a respiratory illness in the workplace. Epidemiological service the competent health care institutions are the only persons who can give the sick persons the only concrete instructions on the measures in case of confirmed infection, as well as the companies and / or companies. provide guidance to organizations where such employees were present.
The validity of consent must be subject to the conditions laid down in Article 7 of the General Regulation:
The eligibility of such an obligation therefore depends on the type of work involved, how the employer has arranged it and the nature of the work (eg the risks of infection and consequently the measures are different in the case of work with people, health professionals, teachers, work involving close work). contacts).
1. Where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his personal data.
Employers are not entitled to the processing of employees' health data, including information about the diagnosis, body temperature of employees, etc., in accordance with the provisions of labor law. Generally, with regard to employer notification obligations, the provisions of the ZDR-1 apply, which are the same for the public and private sectors. In accordance with Article 35 of the ZDR-1, the worker is obliged to observe and implement the rules and measures on safety and health at work and to carry out his work carefully in order to protect his life and health and the life and health of others. In accordance with Article 36 of the ZDR-1, an employee must also inform the employer of material circumstances that affect or could affect the fulfillment of his contractual obligations, and of any changes to the data that affect the fulfillment of his employment rights. The worker must inform the employer of any threatening danger to life, health or material damage he or she perceives at work. Therefore, the employer may request that employees be informed of the infection, if the occupational health care professional or the competent authority (NIJZ) deems it necessary. Such information is a specific type of personal data and the General Regulation in Article 9 stipulates that its processing is prohibited unless one of the exceptions referred to in Article 9 (2) is given. In the event of an epidemic emergency when we are dealing with the spread of COVID infections -19, and which threatens both the health of the individual and public health, these special circumstances may require measures that also interfere with the processing of specific types of personal data. It should be borne in mind that measures that otherwise interfere with the processing of specific types of personal data may also be in the interests of protecting the vital interests of employees, the legitimate interests of the company and also in the public interest. However, this is a question that needs to be answered primarily by the medical profession, in the case described above, in particular by an authorized occupational health officer. If such an obligation exists, specific consent is not foreseen, since the legal basis derives from the abovementioned rules and labor law, always the principle of proportionality should be respected and only the data necessary to achieve the purpose should be processed. However, this information must be adequately protected by the employer, and without the appropriate legal basis, it is not entitled to forward it. In principle, statistics (eg, only information on the occurrence of an infection in a particular company, class, floor, etc.) are sufficient to provide further information, without other information that enables the individual to be identifiable.
2. Where the consent of the data subject is given in a written statement relating to other matters, the request for consent shall be submitted in a manner clearly distinguishable from other matters, in an understandable and easily accessible form; and in clear and simple language. Parts of such declaration that constitute a violation of this Regulation shall not be binding.
Therefore, there is no reason to collect such data in all organizations and companies, since in principle such information is provided through the NIJZ epidemiological service. Should the NIJZ epidemiological service in a particular institution confirm a case of infection with the new coronavirus either among employees or among users, the NIJZ epidemiologist will immediately contact the institution and give him clear and clear instructions on the follow-up procedures and measures to be taken. In the course of the epidemiological examination, the epidemiologist, in an interview with the patient, identifies all the persons with whom the patient has been in contact. According to the definition of the case, he then orders further action - whether individuals will be tested, quarantined, or will receive instructions for self-observation, etc.
3. The data subject shall have the right to withdraw his / her consent at any time. Revocation of consent shall not affect the lawfulness of the processing on the basis of consent prior to its revocation. The data subject shall be informed before consent. Consent is as easy to revoke as to give.
IP has posted information on the processing of personal data in this regard on its website:
4. In determining whether consent has been given on a voluntary basis, it shall in particular take into account whether the performance of the contract, including the provision of the service, is conditional on consent to the processing of personal data which is not required for the performance of the contract in question.
https://www.ip-rs.si/news/responsible-learning- all- is- crucial-in-the-virus-crisis-1170/
As in this case, students are also reminded of the provisions of Article 8 of the General Regulation on the conditions applicable to the consent of the child in relation to information society services:
For specific guidance on how to act in the event of a case of infection between persons (employees, students or students, clients) in a particular institution, building, etc. however, we suggest that you contact the NIPH, which can provide you with clear and clear guidance on what to do next and what steps you can take.
1. Where point (a) of Article 6 (1) applies, in respect of information society services offered directly to the child, the processing of the child's personal data is lawful when the child is at least 16 years old. When a child is under the age of 16, such processing is lawful only if and to the extent that such consent is given or approved by the holder of parental responsibility for the child.
To this end, NIJZ provides up-to-date information for the general and professional public on the NIJZ website www.nijz.si and on social media channels. For general questions, toll-free telephone numbers 080 14 04 are available to residents every day between 8am and 8pm, and NIJZ's General Public Telephone Numbers 031 646 617 and 031 619 118 are open daily between 9am and 5pm. where an expert is available to talk to concerned residents and try to answer their specific questions.
Member States may stipulate a lower age for this purpose, provided that this age is not less than 13 years.
An IP outside the inspection process and in advance may not and cannot judge what specific information may, or even must, be processed in relation to the current situation, but only by the competent institutions.
2. In such cases, the operator shall make reasonable efforts to verify that parental responsibility for the child has given or given consent, taking into account available technology.
Best regards,
3. Paragraph 1 shall not affect the general contract law of the Member States, such as the rules on the validity, formation or effect of a contract relating to a child.
Prepared by:
Against this background, consent may also be given by electronic means subject to the conditions set out in Articles 7 and 8 above.
Alenka Jerše, univ. dipl. right.
It is also recalled that individuals need to be properly informed before giving their consent - they should be clearly informed of what personal data will be processed, for what purposes, what their rights, etc., as required by Article 13. with the provisions of Article 13 you have on the IP website a form that may be helpful to you - it is appropriate to provide the form properly to the individuals concerned before giving their consent or when they do invites them to give their consent so that they are properly informed of what they are consenting to:
Deputy Information Commissioner
https://www.ip-rs.si/fileadmin/user_upload/doc/samples/ SAMPLE_ NOTIFICATIONS_POSITION_GLEDE_OBDELAVE_PERSONAL_DATA.docx
You can also find more information about consent in our:
Infographics: https://www.ip-rs.si/fileadmin/user_upload/png/infographics/legal_subscriptions_private_sector_s_requirements_approval.pdf
    Specific Consent Subpages:
https://www.ip-rs.si/legislation/reforma-european-legislative-framework-for-security-private-data/key-area-regulations/acceptance/
With respect,
Mojca Prelesnik, univ. dipl. right.,
Mojca Prelesnik, univ. dipl. right.,
Information Commissioner
Information Commissioner
Prepared:
Mag. Andrej Tomsic,
Deputy Information Commissioner


</pre>
</pre>

Revision as of 12:08, 7 April 2020

IP - 7121-1 / 2020/369
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6 GDPR

Article 7 GDPR

Article 8 GDPR

Article 13 GDPR

Type: Opinion
Outcome: Non-binding
Decided: 20. 3. 2020
Published: n/a
Fine: none
Parties: anonymous
National Case Number: 7121-1 / 2020/369
European Case Law Identifier: n/a
Appeal: n/a
Original Language:

Slovenian

Original Source: Informacijski Pooblaščenec (SI)

The Slovenian Supervisory Authority (IP) issued an opinion as foreseen under Article 58(3) GDPR on the issue of the validity of consent to access digital content and online classrooms during the state of emergency in the Slovenia. The IP found that the consent may be given in writing, electronically or in another appropriate manner, and in any case should fulfill the requirements under Article 7 and Article 8 GDPR.

English Summary

Facts and questions arising

Various providers have opened up their digital content to provide free access to this content for students and students, and some are looking to gain access to creating classrooms by groups of students' online addresses.

The IP received a request from the principals whether the consent would be valid if the students gave it electronically via e-mail, and not in the written form, since a handwritten consent cannot be obtained during the pandemic period.

Holding

The IP clarified that under the GDPR consent does not have to be handwritten. According to Article 4(11) GDPR, "consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". Consent may therefore be given in writing, electronically or in another appropriate manner.

The IP further provided that the validity of consent must be subject to the conditions laid down in Article 7 GDPR.

Additionally, in this case, the IP also reiterated the provisions of Article 8 GDPR on conditions applicable to child's consent in relation to information society services.

Against this background, consent may also be given by electronic means subject to the conditions set out in Articles 7 and 8 GDPR.

It is also recalled that individuals need to be properly informed before giving their consent - they should be clearly informed of what personal data will be processed, for what purposes, about their rights, etc., as required by Article 13 GDPR.

Comment

Share your comments here!

Further Resources

The IP invited to get familiar with more information on their website concerning the provision of information to the individuals ahead of the collection of their consent:

https://www.ip-rs.si/fileadmin/user_upload/doc/vzorci/VZOREC_OBVESTILA_POSAMEZNIKOM_GLEDE_OBDELAVE_OSEBNIH_PODATKOV.docx

More information about the consent:

Infographics: https://www.ip-rs.si/fileadmin/user_upload/png/infografike/pravne_podlage_zasebni_sektor_s_pogoji_privolitve.pdf

Specific Consent Subpages: https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/privolitev/

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.

Date: 03/20/2020
Title: Opinion on consent to access digital classrooms
Number: 7121-1 / 2020/369
Subject matter: Information for the individual, Legal bases, Consent, Education
Legal act: Opinion
The Information Commissioner (hereinafter: IP) has received your letter asking us for an opinion on the validity of consent to access digital content and online classrooms during the state of emergency in the Republic of Slovenia. Various providers have opened up their digital content to provide free access to this content for students and students, and some are looking to gain access to creating classrooms by groups of students' online addresses. The principals have contacted you with a question as to whether the consent would be valid if the students submitted it electronically via e-mail, even if they were not signed in their own hands, since the consent cannot be obtained during this time, since it is inadvisable to advise leaving home.
On the basis of the information you have provided, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 95/46 / EC (hereinafter: the General Decree), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07, officially consolidated text, hereinafter ZVOP-1), and 2 Article 43 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question.
The IP makes it clear that an individual's consent under the General Regulation is not necessarily a mere handwritten consent. According to Article 4 (11) of the General Regulation, 'consent of the data subject' means any voluntary, explicit, informed and unambiguous statement of the will of the data subject by which he expresses himself with a statement or clear affirmative action consent to the processing of personal data relating to him. Consent may therefore be given in writing, electronically or in another appropriate manner.
The validity of consent must be subject to the conditions laid down in Article 7 of the General Regulation:
1. Where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his personal data.
2. Where the consent of the data subject is given in a written statement relating to other matters, the request for consent shall be submitted in a manner clearly distinguishable from other matters, in an understandable and easily accessible form; and in clear and simple language. Parts of such declaration that constitute a violation of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his / her consent at any time. Revocation of consent shall not affect the lawfulness of the processing on the basis of consent prior to its revocation. The data subject shall be informed before consent. Consent is as easy to revoke as to give.
4. In determining whether consent has been given on a voluntary basis, it shall in particular take into account whether the performance of the contract, including the provision of the service, is conditional on consent to the processing of personal data which is not required for the performance of the contract in question.
As in this case, students are also reminded of the provisions of Article 8 of the General Regulation on the conditions applicable to the consent of the child in relation to information society services:
1. Where point (a) of Article 6 (1) applies, in respect of information society services offered directly to the child, the processing of the child's personal data is lawful when the child is at least 16 years old. When a child is under the age of 16, such processing is lawful only if and to the extent that such consent is given or approved by the holder of parental responsibility for the child.
Member States may stipulate a lower age for this purpose, provided that this age is not less than 13 years.
2. In such cases, the operator shall make reasonable efforts to verify that parental responsibility for the child has given or given consent, taking into account available technology.
3. Paragraph 1 shall not affect the general contract law of the Member States, such as the rules on the validity, formation or effect of a contract relating to a child.
Against this background, consent may also be given by electronic means subject to the conditions set out in Articles 7 and 8 above.
It is also recalled that individuals need to be properly informed before giving their consent - they should be clearly informed of what personal data will be processed, for what purposes, what their rights, etc., as required by Article 13. with the provisions of Article 13 you have on the IP website a form that may be helpful to you - it is appropriate to provide the form properly to the individuals concerned before giving their consent or when they do invites them to give their consent so that they are properly informed of what they are consenting to:
https://www.ip-rs.si/fileadmin/user_upload/doc/samples/ SAMPLE_ NOTIFICATIONS_POSITION_GLEDE_OBDELAVE_PERSONAL_DATA.docx
You can also find more information about consent in our:
Infographics: https://www.ip-rs.si/fileadmin/user_upload/png/infographics/legal_subscriptions_private_sector_s_requirements_approval.pdf
     Specific Consent Subpages:
https://www.ip-rs.si/legislation/reforma-european-legislative-framework-for-security-private-data/key-area-regulations/acceptance/
With respect,
Mojca Prelesnik, univ. dipl. right.,
Information Commissioner
Prepared:
Mag. Andrej Tomsic,
Deputy Information Commissioner