IP - 0613-438/2019/16

From GDPRhub
Revision as of 08:25, 20 April 2021 by Msm (talk | contribs)
IP - 0613-438/2019/16
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 25.03.2021
Published: 15.04.2021
Fine: None
Parties: n/a
National Case Number/Name: 0613-438/2019/16
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: GDPR+ (via IP’s zip) (in SL)
Initial Contributor: GDPR+

The Slovenian DPA assessed that a controller breached Article 32 GDPR by not adequately protecting the personal data of individuals, including names, addresses and ID numbers, in a criminal complaint published online.

English Summary

Facts

A controller published online an article linking to a file - a criminal complaint that contained personal data of several individuals. In doing so, the controller did not ensure adequate security of personal data.

Holding

The DPA held that the controller must, in accordance with Article 32 GDPR:

(a) cover, delete or otherwise ensure an adequate level of security of the birth data of the persons to whom it relates;

(b) secure the ID data and the data on the residence of the persons to whom it relates in such a way that it cannot be accessed; and

(c) secure the remaining personal data in such a way as to prevent unauthorized disclosure of or access to such personal data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Publication of a criminal complaint - decision according to ZIN
Number: 0613-438 / 2019 / 16
Date: March 25, 2021

Information Commissioner (hereinafter IP) issue according to the State Supervisor for Personal Data Protection… on the basis of Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05 et seq .; hereinafter ZInfP), Article 54 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia) , No 94/07 (hereinafter ZVOP-1), Article 58 (2) (d) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation; hereinafter the General Decree) and Articles 29 and 32 of the Inspection Supervision Act (Official Gazette of the Republic of Slovenia, No. 43/07 et seq .; hereinafter the ZIN), in the procedure of inspection supervision over the implementation of the provisions of ZVOP-1 and the General Decree on the liable party… (hereinafter referred to as the taxpayer) represented by…, ex officio the following 

DECISION 

The taxpayer… must, due to irregularities found in the implementation of the provisions of the General Regulation, file "…", which is a criminal complaint javno, which is publicly available on the website… which the controller is liable, in accordance with Article 32 of the General Regulation, to cover, delete or otherwise ensure an adequate level of security of a) the birth data of the individuals to whom it relates; b) EMŠO data and data on the residence of the individuals to whom the… relates, in such a way that this data will not be accessible; and c) personal data remaining in… the said individuals, in a way that prevents unauthorized disclosure or access to the said personal data. The measure referred to in point 1 of the operative part of this Decision must be executed within 5 (five) days of receipt of this decision. on the execution of the measure referred to in point 1 of the operative part of this decision within 3 (three) days after execution inform the IP in writing and submit evidence of execution. The request of the controller for reimbursement of the notified costs is rejected. The body in this procedure did not incur special costs. IP findings and statements of the liable party The subject procedure was initiated because the liable party allegedly published an article entitled »(hereinafter the relevant article) on… or on the website… (hereinafter the relevant website), which contains a hyperlink to the file - criminal complaint …, Which is supposed to contain the personal data of several individuals. On 19 January 2021, the IP inspected the relevant website and a report was drawn up on the inspection of the website. page number 0613-438 / 2019/7 of 19 January 2021. During the inspection, screenshots of the website and the article in question were taken and a .pdf file "…" (hereinafter referred to as the official computer of the State Data Protection Supervisor) was saved. file in question) - the article contained a hyperlink to the web address… where the first file in question was published. The minutes of the visit to the website number 0613-438 / 2019/7 of 19 January 2021 were served on the taxpayer, and the taxpayer was invited to comment on them. After reviewing the article in question and the file in question, the IP found that both articles (the article contained, among other things, a larger number of images of the file in question) than the file in question contained a larger number of names, surnames and functions of individuals. The file in question, which represents… ('the criminal complaint in question'), which is…, also contained the birth data of the… of the individuals to whom the criminal complaint in question relates. For each of the individuals to whom the criminal complaint in question concerned, there were two black boxes covering some of the data of those individuals. As noted during the review of the file in question, the black box data was overlaid in such a way that the text below the black box could be highlighted and copied as text. If the first file in question was opened with a .pdf file program, the black boxes that covered certain personal data of the individuals to whom the criminal complaint in question could also be removed. In this way, in addition to the names, surnames and dates of birth of the individuals to whom the criminal complaint in question relates, their EMŠO and address could also be deduced from the website itself as well as from the entry in the media register at the Ministry of Culture. that the operator of the said website or the publisher of the medium… is liable. The taxpayer is listed as the issuer… in the media record under the serial number… IP at this point explains that it is not clear who is the author of the article, because the article states only "…". Based on the established facts, IP assessed that the taxpayer , when it has published on the website… the file "…" representing the criminal complaint in question, without first covering, deleting or otherwise anonymising a) the birth data of the individuals to whom the criminal complaint relates; and b) EMŠO data and data on the residence of the individuals to whom the criminal complaint in question relates in such a way that such data cannot be accessed; and (c) the personal data of the remaining individuals mentioned in the criminal complaint and by not covering the personal data of several different individuals in the images of the relevant criminal complaint contained in the article entitled "…" of… published on the website…, did not ensure the security of personal data, as provided for in Article 32 of the General Regulation, or did not provide protection of personal data, as provided for in Articles 24 and 25 of ZVOP-1. By letter number 0613-438 / 2019/8 of 25 January 2021 called on the taxpayer's IP to identify itself, pending the findings of the IP in that letter. Insofar as irregularities or Violations of the provisions of the General Regulation or ZVOP-1 have been eliminated, which means that the data subject has ensured the security of personal data by taking measures to prevent unauthorized disclosure or access to personal data contained in: 1) the file "…", which represents the criminal complaint in question and is available on the website…, and 2) an article entitled "…" dated…, published on the website…, the taxpayer was asked to inform the IP of the manner and date of rectification of the irregularity and submit evidence from which the truth of his statements will derive. In the application of z, which, inter alia, represents the statement of the taxpayer on the facts and circumstances of the minutes number 0613-438 / 2019/7 of 19 January 2021, the taxpayer states that until disclosure personal data of individuals against whom a criminal complaint has been filed can be obtained only with a special computer program, which is not available to the average reader or web user. The average reader cannot become acquainted with such hidden personal data…. Only the use of special computer programs and advanced computer knowledge enables the disclosure of EMŠO numbers and addresses of individuals suspected of a crime. In the application of…, which represents the statement regarding the letter IP number 0613-438 / 2019/8 of 25.1.12021, ie. by acquainting itself with the findings of the IP, the liable party agrees with the position of the IP that in the case of processing (publication) of names and surnames of individuals to whom the criminal complaint relates, the liable party's right to freedom of expression prevails. The liable party states that after receiving the IP letter dated 25 January 2021, he additionally ensured the security of the suspects' personal data by covering the data on the day, month and year of birth, EMŠO and address of residence in the criminal complaint. In the criminal complaint, it also covered the names and surnames of individuals not covered by the criminal complaint in question and individuals who are not current or former highest representatives najviš and thus not relatively public figures. The personal data in the article in question were also overlapped. In both of these applications, the liable party also points out that the proceedings in question are not permitted because pre-trial proceedings are already pending against him due to the publication of the criminal complaint and article. On 25 March 2021, the IP re-examined the website in question. pages of the published article in question. In doing so, the IP finds that all personal data except the names and surnames of the accused persons and the name and surname of the then Minister were deleted from the pictures of the relevant criminal complaint contained in the article in question. In this case, IP considers that the media's right to freedom of expression prevails over the right of these individuals to the protection of personal data. Furthermore, the IP notes that the text of the article in question now contains a hyperlink to a different web address, namely…, which, when clicked, opens the web page or the .pdf file "…" (hereinafter the new file in question). The new file in question also represents the criminal complaint in question, but in this file the birth data, EMŠO and residence addresses of the persons to whom the criminal complaint relates are deleted, as well as the personal data of the remaining individuals mentioned in the criminal complaint. that their right to the protection of personal data prevailed over the debtor's right to freedom of expression. Despite other allegations by the debtor, the IP further notes that on 25 March 2021 the relevant file is still available on the website…, ie. … A file representing the criminal complaint in question and which still contains the birth data of the… individuals to whom the criminal complaint relates. For each of the individuals to whom the criminal complaint in question relates, there are two black boxes covering some of the data of these individuals. The data is covered with a black box in such a way that the text below the black box can be marked and copied in the form of text. If the file in question is opened with a program for .pdf files (for example, Adobe Acrobat Reader, Foxit Reader), the black boxes that cover certain personal data of the individuals to whom the criminal complaint relates can also be removed. In this way, in addition to the names, surnames and dates of birth of the individuals to whom the criminal complaint in question relates, their EMŠO and address could also be deduced. The file in question also contains a large amount of personal data of individuals to whom the criminal complaint does not relate. The condition of the file or in relation to the file… is therefore the same as at the time of the inspection on 19 January 2021, when the relevant website was visited. The provisions of the regulations on which the decision is based with an explanation of inspection measures are defined in the General Regulation. "Processing" in Article 4. Personal data means any information relating to an identified or identifiable individual; an identifiable individual is one that can be identified directly or indirectly, in particular by indicating an identifier such as name, identification number, location data, web identifier, or by indicating one or more factors specific to the physical, physiological, genetic , the mental, economic, cultural or social identity of that individual (point 1). Processing means any act or set of acts carried out in relation to personal data or sets of personal data with or without automated means, such as collecting, recording, editing, structuring, storing, adapting or modifying, retrieving, inspecting, using, disclosing by forwarding, disseminating or otherwise making available, adapting or combining, restricting, deleting or destroying (point 2) .According to the above definitions, name, surname, function, in some cases merely an indication of the function, and in some in connection with the name and surname), EMŠO and address, together with the name and surname, constitute personal data because they are information relating to an identified or identifiable individuals, and the publication of personal data of individuals on a website constitutes the processing of personal data.Article 32 of the General Regulation provides that controller and processor, taking into account the latest technological developments and implementation costs and the nature, extent and purposes of the processing, as well as the risk for the rights and freedoms of individuals, which differ in probability and severity, ensure an appropriate level of security in relation to the risk. According to Article 12 (12) of the General Regulation, 'breach of personal data security' means a breach of security which results in the unintentional or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed. Articles 24 and 25 of ZVOP-1 contain a similar provision, where it is stipulated that personal data controllers and contractual processors are obliged to provide protection of personal data, which protects personal data, prevents accidental or intentional unauthorized destruction of data, their change or loss and unauthorized processing of these data. It should be noted that the rules of personal data protection set out in the General Regulation and ZVOP-1 constitute the concretization of one of the human rights and fundamental freedoms of the Constitution of the Republic of Slovenia (Official Gazette of the RS, No. 33/91-I et seq .; hereinafter referred to as the Constitution). In the first paragraph of Article 38, the Constitution guarantees the human right to the protection of personal data. The Constitutional Court has repeatedly emphasized that the Constituent Assembly thus specifically protected one of the aspects of an individual's privacy, t. i. [1] Article 38 (1) of the Constitution prohibits the use of personal data contrary to the purpose of their collection, (2) determines the collection, processing, purpose of use, control and protection of the secrecy of personal data as the subject of legal regulation, and (3) it gives everyone the right to be informed of the personal data collected concerning him or her, and in the event of abuse, the right to judicial protection. At the same time, it must be borne in mind that human rights and fundamental freedoms include the right to freedom of expression. Article 39 (1) of the Constitution guarantees the freedom of expression of thought, speech and public appearance, the press and other forms of public information and expression, (2) everyone has the right to obtain information of a public nature for which he has a legitimate interest, except in cases provided by law. The activity of the media is based on the right to freedom of expression. This also follows from Article 6 of the Media Act (Official Gazette of the Republic of Slovenia, No. 110/06 et seq .; hereinafter ZMed), which stipulates that media activity is based on freedom of expression, inviolability and protection of human personality and dignity, and free movement. information and openness of the media to different opinions, beliefs and various contents, on the autonomy of editors, journalists and other authors in creating program content in accordance with program concepts and professional codes, and on the personal responsibility of journalists or other authors and contributors for the consequences of their work In accordance with the third paragraph of Article 15 of the Constitution, human rights and fundamental freedoms may be restricted primarily due to the human rights or fundamental freedoms of other people. As with the right to freedom of expression, the right to information privacy is not unlimited, it is not absolute. In the event of a collision of two coexisting rights, the conflict between the rights is reconciled with a method that theory and case law also know as practical concordance. Practical concordance means the creation of a rule that applies to a specific case, ie a rule on the coexistence of rights in specific circumstances. It is necessary to decide which right should be given priority according to the specific circumstances and which, in order to activate the necessary, constitutionally protected content of another right, should be withdrawn or part of the entitlements that make up this right should be withdrawn. that the criminal complaint in question was published because it is "…" and "…". The purpose of publishing the article in question and the file in question (hereinafter the publication in question) and the related processing (publication) of personal data of individuals is therefore to inform the public about the process of recapitalization of banks. Furthermore, it can be inferred from the fact that the taxpayer or the author of the article tried to (unsuccessfully) cover certain personal data of the individuals to whom the criminal complaint relates before publishing the file in question on the controller's website that the taxpayer or the author of the article was aware that the publication means a certain interference with the right to protection of personal data.Reporting on the time of the so-called Bank rehabilitation is a topic for which there is a strong public interest in being widely acquainted with it. It is also a topic that has been widely reported by various media in the past. For example, several years before the publication in question, the media reported that an investigation was under way into the rehabilitation of banks [3], and a few months before the publication in question, for example, that the National Investigation Committee had filed a criminal complaint with the Specialized State Prosecutor's Office [4] .As already stated, it follows from the relevant publication that its central message is reporting on the recapitalization process of banks. In order to achieve the purpose pursued by the publication in question, the processing (publication) of personal data on the day, month and year of birth, EMŠO data and the address of residence of individuals is by no means necessary. According to the IP, in order to achieve this purpose, it is not necessary to publish names, surnames and other information related to certain or identifiable individuals to whom the criminal complaint in question does not apply and individuals who are not (current or former) highest representatives… and thus not relatively public. persons. Namely, if the publication in question did not contain that personal data, it would still (could) achieve its purpose. The disclosure of this personal data is therefore, in IP's view, grossly contrary to the principle of minimum data set out in point (c) of Article 5 (1) of the General Regulation, according to which personal data must be relevant, relevant and limited to what is necessary for the purpose. , for which they are processed. At the same time, such a way of exercising the right to freedom of expression also represents an unnecessary and disproportionate interference with the right of individuals to the protection of personal data. A different position must be taken in the case of publishing the names of individuals to whom the criminal complaint relates. The Bank of Slovenia is the central bank of Slovenia and is exclusively state-owned with financial and management autonomy, which acts as the supervisory body of the Slovenian banking system. The highest representatives of such a body must meet high professional and moral standards, and by occupying such a position they also become relatively public figures, so their field of expected privacy shrinks. Given the circumstances of the specific case, IP considers that it is necessary, especially taking into account the fact that the individuals to whom or to whom the criminal complaint relates, are (then) the highest representatives of the Bank of Slovenia, in the case of processing (publication) of names and surnames. individuals in relation to the criminal complaint in question, in this particular case to give priority to the right of the data subject to freedom of expression over the right of these individuals to the protection of personal data. "Representing…, without first effectively covering, erasing or otherwise anonymising a) the birth data of the individuals to whom the criminal complaint in question relates; and b) EMŠO data and data on the residence of the individuals to whom the criminal complaint in question relates in such a way that such data cannot be accessed; and c) did not ensure the security of personal data as provided for in Article 32 of the General Regulation or did not provide protection of personal data as provided for in Articles 24 and 25 of ZVOP-1.IP. also that the liable party was acquainted with the above-mentioned findings of the IP by letter number 0613-438 / 2019/8 of 25 January 2021 and at the same time asked to comment on them. In the application dated…, which represents, inter alia, the taxpayer's statement on the facts and circumstances of the minutes number 0613-438 / 2019/7 of 19 January 2021, the taxpayer stated only that the average reader cannot get acquainted with EMŠO and the address of residence of the accused persons because they are overlaid in the "» "file, and only the use of special computer programs and advanced computer knowledge enables the disclosure of this information. IP cannot follow these statements. Namely, modern web browsers (such as Google Chrome, Mozilla Firefox or Microsoft Edge), ie programs that allow you to view web pages, among other things, allow you to open .pdf files. This allows any user who enters the… address to the "…" file in a web browser. As it was established when reviewing the said file, the data in it were overlaid with a black field in such a way that the text (EMŠO and address) under the black field could also be marked and copied. Using the function of copying and pasting (i.e. copy paste) of text is one of the most basic computer skills. However, if the said file is opened with a program for .pdf files (for example Adobe Acrobat Reader or Foxit Reader - the latter was used in this case), black boxes may be used to cover certain personal data of the individuals to whom the relevant criminal complaint relates, also removed. Thus, by copying the text or removing the black boxes, it is also easy to understand the EMŠO and the address of the accused. The taxpayer did not have any comments regarding other IP findings or other data available in the said .pdf file. The taxpayer referred to Article 11a of the Act on… as well as in the application dated…. misdemeanors (Official Gazette of the Republic of Slovenia, No. 29/11 et seq .; hereinafter ZP-1) also states that the proceedings in question are not permitted because criminal proceedings are already underway against the liable party, both of which stem from the same historical event. In relation to the said IP, he explains that the concrete procedure represents an administrative inspection procedure, ie. a procedure conducted in accordance with the provisions of the ZIN, and not a misdemeanor procedure conducted in accordance with the provisions of ZP-1. Inspection control is the control over the implementation or observance of laws and other regulations (Article 2 of the ZIN). Inspectors perform inspection tasks in order to protect the public interest and the interests of legal and natural persons (Article 5 of the ZIN). If the state supervisor for personal data protection in an inspection procedure finds that the data subject processes personal data in contravention of regulations in the field of personal data protection, he may impose one of the measures referred to in the first paragraph of Article 54 of ZVOP-1 or use one of the corrective powers referred to in the second paragraph of Article 58 of the General Regulation. It is clear from the above that the sole purpose of conducting the inspection procedure over the implementation of the provisions of ZVOP-1 and the General Regulation is to verify the (illegal) processing of personal data, and irregularities that may be detected in the inspection procedure can be eliminated. The purpose of the inspection procedure is therefore to ensure compliance with the applicable legislation. The imposition of sanctions for possible violations of the rules in the field of personal data protection is intended for another, separate procedure - the misdemeanor procedure - the rules of which are determined by ZP-1. However, the provisions of ZP-1, including Article 11.a, to which the applicant refers, apply only in misdemeanor proceedings. The inspection procedure and the misdemeanor procedure are two separate procedures, which have different and separate purposes. According to the reasoning, the taxpayer had to order the abolition of irregularities or ensuring the security of processing as provided for in Article 32 of the General Regulation, in the manner and within the time limit set out in points 1 and 2 of the operative part of this decision. The order to eliminate the identified irregularities is based on findings in the inspection procedure. The order in point 3 of the operative part that the liable party must notify the IP in writing and submit evidence of the elimination of the irregularities within 3 (three) days after the elimination of the irregularities is based on the provision of the fifth paragraph of Article 29 of the ZIN. inform the inspector immediately if the irregularities are rectified. Pursuant to Article 118 of the ZUP, a decision is made on the costs of the proceedings. The costs of the inspection procedure, which were necessary to establish the facts proving that the taxpayer violates the law or other regulation, in accordance with the first paragraph of Article 31 of the ZIN, the taxpayer suffers, so the taxpayer covers his own costs, as decided in point 4 of the disposition. As the body did not incur any special costs of the proceedings in this procedure, it has been decided in point 5 of the operative part. This decision is issued ex officio and is free of fees on the basis of Article 22 of the Administrative Fees Act (Official Gazette of the Republic of Slovenia, No. 106/10 et seq.) Instruction on legal remedy: This decision is final in administrative proceedings. Pursuant to the provision of Article 55 of ZVOP-1, no appeal is allowed against it, but an administrative dispute is possible by filing a lawsuit with the Administrative Court of the Republic of Slovenia, Fajfarjeva 33, 1000 Ljubljana, within 30 days of receiving this decision. The action shall be brought before the competent court directly in writing or sent to it by post. The application shall be accompanied by a copy of this Decision in the original or an uncertified copy. [1] Decision of the Constitutional Court no. U-I-98/11 of 26.9.2012 (point 12). [2] Supreme Court of the Republic of Slovenia Decision II Ips 340/2011 of 17 July 2014. [3] … [4]… Tagsbanking digital processing handler individual rightsGDPR planet2 minutes agoUpdated: April 15, 2021 / * <! [CDATA [* / {"@ context": "http: \ / \ / schema.org", "@ type ":" NewsArticle "," dateCreated ":" 2021-04-15T12: 53: 36 + 00: 00 "," datePublished ":" 2021-04-15T12: 53: 36 + 00: 00 "," dateModified ": "2021-04-15T12: 56: 00 + 00: 00", "headline": "Publication of a criminal complaint & ZIN decision", "name": "Publication of a criminal complaint & # 8211; decision by ZIN" according to ZIN "," keywords ":" banking, digital, processing, processor, individual rights "," url ":" https: \ / \ / gdprplanet.com \ / objava-kazenske-ovadbe-odlucba-po -zin-2 \ / "," description ":" \ u0160number: 0613-438 \ / 2019 \ / 16 Date: & nbsp; & nbsp; & nbsp; 25. & nbsp; 3. 2021 Information Commissioner (hereinafter IP ) issued by the National Data Protection Supervisor on the basis of Articles 2 and 8 "," copyrightYear ":" 2021 "," articleSection ":" Practice-public "," articleBody ":" \ n \ u0160number: 0613-438 \ / 2019 \ / 16 \ n \ n \ n \ nDate: & nbsp; & nbsp; & nbsp; 25. & nbs p; 3. 2021 \ n \ n \ n \ nInformation Commissioner (hereinafter IP) is issued by the State Supervisor for Personal Data Protection on the basis of Articles 2 and 8 of the Information Commissioner Act (Official Journal of the Republic of Slovenia, \ u0161t. & nbsp; 113 \ / 05 et seq .; hereinafter ZInfP), Article 54 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, \ u0161t. 94 \ / 07; hereinafter ZVOP-1), \ Article 58 (2) (d) of Regulation (EU) 2016 \ / 679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC General Decree on Data Protection; hereinafter referred to as the General Decree) and Articles 29 and 32 of the Inspection Supervision Act (Official Gazette of the Republic of Slovenia, No. 43/07 et seq .; hereinafter ZIN), in procedure and inspection control over the implementation of the provisions of ZVOP-1 and the General Regulation over the liable party (hereinafter the liable party), represented by the liable party \ u2026, ex officio & nbsp; the following \ n \ n \ n \ nDECISION \ u010cBO \ n \ n \ n \ nThe taxpayer \ u2026 must, due to the identified irregularities in connection with the implementation of the provisions of the General Regulation, in the file \ in accordance with Article 32 of the General Regulation, cover, delete or otherwise ensure an adequate level of security. ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? \ u00a0a) \ u00a0rodist data of the data subjects \ u00a0b) \ u00a0b) \ u00a0EM \ u00a0EM \ u0160O data and residence data of the individuals to whom the data in question relates, on that this data will not be accessible; and \ u00a0c) \ u00a0personal data of the remaining in the said individuals, in a way to prevent unauthorized disclosure or access to the said personal data. The measure referred to in point 1 of the operative part of this decision must be to be executed within 5 (five) days from the receipt of this decision. The liable party must notify the IP in writing of the execution of the measure referred to in point 1 of the operative part of this decision within 3 (three) days after execution. submit evidence of execution. The request of the person liable for the return of the notified costs shall be rejected. No special costs of the procedure have been incurred by the Authority in this procedure. \ n \ n \ n \ nExplanation \ n \ n \ n \ n \ n \ nProcedural actions, IP findings and indications of the taxpayer \ n \ n \ n \ nThe subject procedure was initiated because the taxpayer was supposed to publish an article entitled \ u00bb \ u2026 (hereinafter referred to as the article), which contains a hyperlink to the file \ u2013 criminal complaint \ u2026, which allegedly contained personal data of several individuals. \ n \ n \ n \ nIP visited the relevant website on 19 January 2021, and a report was drawn up on the visit to the website \ u0161number 0613-438 \ / 2019 \ / 7 of 19 January 2021. During the viewing, screenshots of the website in question and the article in question were made, and a .pdf file was saved on the official computer of the State Supervisor for Personal Data Protection \ u00bb \ u2026 \ u00ab (hereinafter referred to as the file in question) \ u2013 = The article contained a hyperlink to the web address at which the first file in question was published. The minutes of the visit to the website \ u0161number 0613-438 \ / 2019 \ / 7 of 19 & nbsp; 1. & nbsp; 2021 were entered in the taxpayer's and the taxpayer was invited to declare himself about it. \ N \ n \ n \ nAfter inspecting the article in question and the file in question, the IP found that both the article (the article contained, among other things, the number of images in the file in question) and the file in question contained several names, surnames, and functions. The file in question, which constitutes the criminal complaint in question ('the relevant criminal complaint'), contained the birth data of the individuals to whom the criminal complaint in question relates. For each of the individuals to whom the criminal complaint in question relates, there were two sliding fields that covered some of the data of these individuals. As it was found during the review of the file in question, the data with the \ u010dry field was overlaid in a way that the text under the dud field could be marked and copied in the form of text. If the first file in question was opened with a program for .pdf files, it was also possible to remove certain fields which covered certain personal data of the individuals to whom the criminal complaint in question relates. In this way, in addition to the names, surnames and dates of birth of the individuals to whom the criminal complaint in question relates, their EM \ u0160O and address could also be deduced. \ N \ n \ n \ nSo from the website itself. sites \ u2026 as well as from the entry in the media register at the Ministry of Culture it follows that the operator of the said website or the publisher of the media \ u2026 is liable. The taxpayer is listed as the issuer \ u2026 in the media register under the serial number \ u2016 IP at this point, explaining that it is not clear who the author of the article is, because the article only states \ u00bb \ u2026 \ u00ab. \ N \ n \ n \ nOn the basis of the established facts, the IP estimated that the taxpayer, by publishing on the web address \ u2026 & nbsp; & nbsp; the file \ u00bb \ u2026 \ u00ab, which represents the criminal complaint in question, without first covering, deleting or how else did he anonymise & nbsp; a) & nbsp; the birth data of the individuals to whom the criminal complaint in question relates; and & nbsp; b) EM \ u0160O data and residence data of the individuals to whom the criminal complaint in question relates, in such a way that this data cannot be accessed; and & nbsp; c) & nbsp; the personal data of the individuals remaining in the criminal complaint, and by appearing in the pictures of the criminal complaint in question, which contains an article entitled \ u00bb \ u2026 \ u00ab of \ u2026, published on the website \ u2026 , did not cover the personal data of several different individuals, did not ensure the security of personal data as provided for in Article 32 of the General Regulation or did not provide protection of personal data as provided for in Articles 24 and 25. ZVOP-1. \ N \ n \ n \ nWith the letter \ u0161number 0613-438 \ / 2019 \ / 8 dated 25 January 2021, the IP of the liable party was asked to comment, until the findings of the IP in the said letter. Insofar as irregularities or Violations of the provisions of the General Regulation or ZVOP-1 have been eliminated, which means that the data subject has ensured the security of personal data in a way that he has taken measures to prevent unauthorized disclosure or access to personal data. information contained in: & nbsp; 1) & nbsp; the file \ u00bb \ u2026 \ u00ab, which represents the criminal complaint in question and is available at the web address \ u2026 & nbsp ;, and & nbsp; 2) & nbsp; \ u010 the article entitled \ u00bb \ u2026 \ u00ab dated \ u2026, published on the website \ u2026 & nbsp ;, the taxpayer was asked to inform the IP of the manner and date of elimination of the irregularity and to provide evidence from which the seriousness of his statements will be derived. \ n \ n \ n \ nIn the application dated \ u2026, which, inter alia, represents the statement of the taxpayer on the facts and circumstances of the minutes \ u0161number 0613-438 \ / 2019 \ / 7 of 19 January 2021, the taxpayer states that that until the disclosure of the personal data of the individuals against whom a criminal complaint has been lodged, It is possible to come only with a special computer program, which is not available to the ordinary reader or web user. The average reader cannot become acquainted with such hidden personal data. Only the use of special computer programs and advanced computer knowledge enables the disclosure of EM numbers and addresses of individuals suspected of a crime............................................. In the application dated \ u2026, which represents the statement regarding the letter IP \ u0161number 0613-438 \ / 2019 \ / 8 dated 25.1.2021, ie. by acquainting itself with the findings of the IP, the liable party affirms the position of the IP that in the case of processing (publication) of names and surnames of individuals to whom the criminal complaint relates, the right of the liable party to freedom of expression prevails. The liable party states that after receiving the IP letter dated 25 January 2021, he additionally ensured the security of the suspects' personal data, in such a way that he covered the data on the day, month and year of birth in the criminal complaint in question, EM \ u0160O and address of residence. In the criminal complaint, he also covered the names and surnames of individuals to whom the criminal complaint in question does not refer and to individuals who are not the current or former highest representatives and thus are not relatively public figures. The personal data in the relevant article were also overlapped. In both of these applications, the liable party points out that the proceedings in question are not permitted because, due to the publication of the criminal complaint and the article in question, a pre-trial proceeding is being conducted against him. \ N \ n \ n \ nIP is on 25 March 2021 review the website in question or the article in question published on that website. In doing so, the IP finds that all personal data except the names and surnames of the accused persons and the names and surnames of the then Minister were deleted from the pictures of the relevant criminal complaint contained in the relevant article. In this case, IP considers that the right of the media to freedom of expression prevails over the right of these individuals to the protection of personal data. Furthermore, the IP notes that the text of the article in question now contains a hyperlink to another web address, namely \ u2026, which clicks to open the web page or .pdf file \ u00bb \ u2026 \ u00ab (hereinafter the new file in question). The new file in question also represents the criminal complaint in question, but this file deletes the birth data, EM \ u0160O and residence addresses of the persons to whom the criminal complaint relates, as well as the personal data of the remaining individuals mentioned in the criminal complaint, for which the IP considers that their right to protection of personal data prevailed over the right of the obligor to freedom of expression. \ n \ n \ n \ nDespite other allegations of the obligor, the IP further notes that on 25 March 2021 at the web address \ u2026 \ u0161 still accessible file in question, ie. A file representing the criminal complaint in question, which still contains the birth data of the individuals to whom the criminal complaint relates. For each of the individuals to whom the criminal complaint in question relates, there are two sliding fields that cover some of the data of these individuals. The data is overlaid with the scroll field in such a way that the text under the scroll box can be marked and copied in the form of text. If the file in question is opened with a program for .pdf files (for example, Adobe Acrobat Reader, Foxit Reader), there may be some fields that cover certain personal data of the individuals to whom the criminal complaint relates. u0161a, also removed. In this way, in addition to the names, surnames and dates of birth of the individuals to whom the criminal complaint in question relates, it was also possible to find out their EM \ u0160O and address. The file in question also contains a number of personal data of individuals to whom the criminal complaint does not relate. The status of the file or in relation to the file \ u2026 is therefore the same as the situation at the time of the inspection on 19 January 2021, when the website in question was visited. \ N \ n \ n \ nProvisions of the regulations on which the decision is based with an explanation of the inspection measures \ n \ n \ n \ n \ nGeneral Regulation defines the terms \ personal data \ u00ab and \ u00bbobdelava \ u00ab in Article 4. Personal data means any information relating to certain or specific information. \ u010dljivim individuals; An identifiable individual is one who can be identified directly or indirectly, in particular by providing an identifier such as name, identification number, location data, web identifier, or by specifying one or more factors, which are characteristic of the physical, physiological, genetic, mental, economic, cultural or social identity of that individual (point 1). Processing means any act or set of actions carried out in relation to personal data or sets of personal data, with or without automated means, such as collecting, recording, editing, structuring, storing, adapting or modifying, retrieving, viewing, using , disclosure through transmission, distribution or other access, adaptation or combination, restriction, deletion or destruction (item 2). \ n \ n \ n \ nAccording to the above definitions, name, surname , function (in some cases only an indication of the function, and in some in connection with the name and surname), EM \ u0160O and the address, together with the name and surname, constitute personal data because they are information related to a specific or and the publication of personal data of individuals on the website means the processing of personal data. \ n \ n \ n \ nIn Article 32 of the General Regulation stipulates that the controller and the processor, taking into account the latest technology separate development and implementation costs, and the nature, extent and purposes of the processing, as well as the risks to the rights and freedoms of individuals that differ in probability and severity, ensure an appropriate level of security in relation to the risk. According to point 12 of Article 4 of the General Regulation, a breach of personal data security means a breach of security which results in the unintentional or unlawful destruction, loss, alteration, unauthorized or unauthorized disclosure. access to personal data that is sent, stored or otherwise processed. A reasonably similar provision is contained in ZVOP-1 in Articles 24 and 25, where it is stipulated that personal data controllers and contractual processors are obliged to provide protection of personal data, which protects personal data, prevents Accidental or intentional unauthorized destruction of data, modification or loss, and unauthorized processing of such data. \ n \ n \ n \ nIt should be noted that the rules of personal data protection, determined by the General Decree and ZVOP-1, mean the concretization of one of the human rights and fundamental freedoms from the Constitution of the Republic of Slovenia (Official Gazette of the Republic of Slovenia, No. 33 \ / 91-I et seq .; continuation of the Constitution). In the first paragraph of Article 38 of the Constitution, the Constitution guarantees the human right to the protection of personal data. The Constitutional Court has repeatedly emphasized that the Constituent Assembly specifically protected one of the aspects of an individual's privacy, t. i. [1] Article 38 of the Constitution (1) prohibits the use of personal data contrary to the purpose of their collection, (2) stipulates the collection, processing, purpose of use, control and protection of the confidentiality of personal data as a subject of legal regulation; and (3) gives everyone the right to acquaint themselves with the collected personal data relating to him or her, and in the event of abuse also the right to judicial protection. \ N \ n \ n \ nAt the same time, it should be borne in mind that among human beings rights and fundamental freedoms include the right to freedom of expression. Article 39 (1) of the Constitution guarantees the freedom of expression of thought, speech and public appearance, the press and other forms of public information and expression, (2) everyone has the right to receive information of a public nature, for which has a legitimate legal interest in the law, except in cases stipulated by law. The activity of the media is based on the right to freedom of expression. This also follows from Article 6 of the Media Act (Official Gazette of the Republic of Slovenia, No. 110 and the following; hereinafter ZMed), which stipulates that media activity is based on freedom of expression, inviolability and protection. human personality and dignity, the free flow of information and the openness of the media to different opinions, beliefs and diverse content, the autonomy of editors, journalists and other authors in creating programming in accordance with programming concepts and professional codes, and personal liability of journalists or other authors of articles and editors for the consequences of their work. \ n \ n \ n \ nIn accordance with the third paragraph of Article 15 of the Constitution, human rights and fundamental freedoms may be limited primarily due to human rights or fundamental rights. the freedom of other people. As with the right to freedom of expression, the right to information privacy is not unlimited, it is not absolute. In the event of a collision of two coexisting rights, the conflict between the rights is harmonized with a method that theory and case law also know as practical concordance. Practical concordance means the creation of a rule valid for a concrete case, ie a rule on the coexistence of rights in concrete circumstances. It must be decided which right should be given priority in view of the specific circumstances and which right should be withdrawn or the part of the justifications that make up this right should be withdrawn in order to activate the necessary, constitutionally protected content of another right. [2] \ n \ n \ n \ nIt follows from the article that the criminal complaint in question was published because it concerns \ u00bb \ u2026 \ u00ab and \ u00bb \ u2026 \ u00ab. The purpose of the publication of the article in question and the file in question (hereinafter the publication in question) and the related processing (publication) of personal data of individuals is therefore to inform the public about the process of recapitalization of banks. Furthermore, it is possible from the fact that the taxpayer or the author of the article tried (unsuccessfully) to cover certain personal data of the individuals to whom the criminal complaint relates before publishing the file in question on the controller's website. , to conclude that the liable party or the author of the article was aware that the publication constitutes a certain interference with the right to protection of personal data. \ n \ n \ n \ nReporting the media on the so-called Bank rehabilitation is a topic for which there is a strong public interest in being thoroughly acquainted with it. It is also a topic that has been widely reported by various media in the past. For several years before the publication in question, the media reported, for example, that an investigation was under way into the rehabilitation of banks [3], and a few months before the publication in question, for example, that the National Investigation Service in connection with the rehabilitation of banks criminal complaint to the Specialized State Prosecutor's Office [4]. \ n \ n \ n \ nAs previously stated, it follows from the relevant publication that its main message value is reporting on the recapitalization process of banks. In order to achieve the purpose pursued by the publication in question, the processing (publication) of personal data on the day, month and year of birth, EM \ u0160O data and the address of residence of individuals is by no means necessary. In the opinion of the IP, in order to achieve this purpose, it is also not necessary to publish names, surnames and other information related to certain or identifiable individuals to whom the criminal complaint in question does not apply and individuals who are not (current or former). the highest representatives and thus not relatively public figures. Namely, if the publication in question did not contain this personal data, it would still be able to achieve its purpose. The disclosure of this personal data is therefore, in IP's view, in stark contrast to the principle of at least the scope of the data referred to in point (c) of Article 5 (1) of the General Regulation, according to which personal data must be relevant, relevant and relevant. limited to what is necessary for the purpose for which they are processed. At the same time, such a way of exercising the right to freedom of expression also represents an unnecessary and disproportionate interference with the right of individuals to the protection of personal data. \ N \ n \ n \ nOther position should be taken in the case of publication of names and the surnames of the individuals to whom the criminal complaint in question relates. The Bank of Slovenia is the central bank of Slovenia and is exclusively state-owned with financial and management autonomy, which acts as the supervisory body of the Slovenian banking system. The highest representatives of such a body must meet high professional and moral standards, and by occupying such a position they also become relatively public figures, so their field of expected privacy shrinks. Given the circumstances of the specific case, the IP estimates that it is necessary, especially taking into account the fact that the individuals to whom or whose conduct the criminal complaint relates, are (then) the highest representatives of the Bank of Slovenia, in the case of processing (publication) of the names and surnames of these individuals in connection with the criminal complaint in question, in this case give priority to the right of the debtor to freedom of expression over the right of these individuals to personal data protection. \ n \ n \ n \ nFrom the actual IP status concludes that the taxpayer, by publishing the file \ u00bb \ u2026 \ u00ab \ u2026, which represents \ u2026 on the web address, without first covering, deleting or otherwise \ a010de anonymised a) the birth data of the individuals to whom the criminal complaint in question relates; and b) EM \ u0160O data and residence data of the individuals to whom the criminal complaint in question relates, in such a way that such data cannot be accessed; and c) did not ensure the personal data of the individuals listed in the criminal complaint, did not ensure the security of personal data, as provided for in Article 32 of the General Regulation, or did not provide personal data protection, as provided for in Articles 24 and 25 of ZVOP -1. \ N \ n \ n \ nIn all of the above, the IP points out that the taxpayer was acquainted with the above-mentioned findings of the IP by letter \ u0161number 0613-438 \ / 2019 \ / 8 of 25 January 2021 and at the same time invited to comment on them. In the application dated \ u2026, which, inter alia, represents the taxpayer's statement on the facts and circumstances of the minutes \ u0161number 0613-438 \ / 2019 \ / 7 of 19 January 2021, the taxpayer stated only that the average \ The reader cannot be acquainted with the EM \ u0160O and the address of residence of the accused persons because they are overlaid in the file, only the use of special computer programs and advanced computer knowledge enables disclosure of this information. IP cannot follow these statements. Namely, modern web browsers (for example Google Chrome, Mozilla Firefox or Microsoft Edge) are programs that allow you to view web pages, including the ability to open .pdf files. This allows any user who enters the address \ u2026 \ u2026 \ u0026 in the web browser to access the file. As it was found during the review of the mentioned file, the data in it were overlaid with a \ n010drn field in such a way that the text (EM \ u0160O and title) under the \ n010drn field could also be marked and copied. Using the copy paste function (i.e. copy paste) of text is one of the most basic computer skills. However, if the specified file is opened with a program for .pdf files (for example Adobe Acrobat Reader or Foxit Reader \ u2013 the latter was used in this case), it is possible to enter fields with which certain personal data have been overlaid. individuals to whom the criminal complaint in question relates should also be removed. Thus, by copying the text or removing the sliding fields, it is also easy to understand the EM \ u0160O and the address of the defendants. However, the taxpayer did not have any comments regarding other IP findings or other data available in the said .pdf file. \ N \ n \ n \ nThe taxpayer did not apply in both the application dated \ u2026 and the application dated \ u2026, Referring to Article 11a of the Misdemeanors Act (Official Gazette of the Republic of Slovenia, No. 29/11 et seq .; hereinafter ZP-1), it is stated that the proceedings in question are not permitted because they are against the taxpayer. \ u017ee conducts criminal proceedings, both of which originate from the same historical event. In relation to the above IP, he explains that the concrete procedure represents an administrative and inspection procedure, ie. a procedure conducted in accordance with the provisions of the ZIN, and not a misdemeanor procedure conducted in accordance with the provisions of the ZP-1. Inspection control is the control over the implementation or observance of laws and other regulations (Article 2 of the ZIN). Inspectors perform inspection tasks in order to protect the public interest and the interests of legal and natural persons (Article 5 of the ZIN). If the State Supervisor for Personal Data Protection in a certain procedure and inspection supervision finds that the data subject processes personal data in contravention of regulations in the field of personal data protection, he may impose one of the measures referred to in the first paragraph of Article 54. ZVOP-1 or used any of the corrective powers referred to in the second paragraph of Article 58 of the General Regulation. It is clear from the above that the sole purpose of conducting the procedure and inspection control over the implementation of the provisions of ZVOP-1 and the General Regulation is to verify the (illegal) processing of personal data, whereby possible irregularities that are may be detected in the process and \ u0161 inspection, also eliminated. The purpose of the inspection procedure is therefore to ensure compliance with the applicable legislation. The imposition of sanctions for possible violations of the rules in the field of personal data protection is intended for another, separate procedure for the violation of the rules of which is determined by ZP-1. However, only in misdemeanor proceedings do the provisions of ZP-1 apply, including Article 11.a, to which the applicant refers. The inspection procedure and the misdemeanor procedure are two separate procedures, which have different and separate purposes. Article ZNfP, Article 54 of ZVOP-1 and Article 58 (2) of the General Regulation, it is necessary to order the elimination of established irregularities or to ensure the security of processing as stipulated in Article 32 of the General Regulation, namely on the basis of within the time limit as set out in points 1 and 2 of the operative part of this decision. \ n \ n \ n \ nThe order for the elimination of the identified irregularities is based on the findings in the procedure and inspection control. & nbsp; \ n \ n \ n \ nThe provision in point 3 stipulates that the liable party must notify the IP in writing of the elimination of the identified irregularities within 3 (three) days after the elimination of the irregularities and submit evidence of the elimination of the irregularities, based on the provision of the fifth paragraph 29. of the ZIN, which stipulates that the liable party must immediately notify the rectified irregularities and 61pektor. & Nbsp; \ n \ n \ n \ nOn the basis of Article 118 of the ZUP, a decision is made on the costs of the procedure in the decision. The costs of the inspection procedure, which were necessary to establish the facts proving that the taxpayer violates a law or other regulation in accordance with the first paragraph of Article 31 of the ZIN, the taxpayer suffers, so the taxpayer covers his own costs, as decided in the 4th point of the operative part. & nbsp; \ n \ n \ n \ nBecause the body did not incur special costs of the procedure in this procedure, it is thus decided in the 5th point of the operative part. & nbsp; \ n \ n \ n \ nThis decision is issued ex officio and is free of fees on the basis of Article 22 of the Administrative Fees Act (Official Gazette of the Republic of Slovenia, No. 106 \ 10 et seq.). \ n \ n \ n \ nLesson on remedy: This decision is final in the administrative procedure. According to the provision of Article 55 of ZVOP-1, no appeal is allowed against it, but an administrative dispute is possible with the filing of a lawsuit in the Administrative Court of the Republic of Slovenia, Fajfarjeva 33, 1000 Ljubljana, in within 30 days of receipt of this decision. This shall be submitted to the competent court directly in writing or sent to it by post. This decision must be accompanied by a copy of this decision in the original or an uncertified copy. \ N \ n \ n \ n \ n \ n \ n \ n \ n [1] & nbsp; Decision of the Constitutional Court \ u0161 \ u010da \ u0161t. UI-98 \ / 11 of 26 September 2012 (point 12). \ N \ n \ n \ n [2] & nbsp; Supreme Court of the Republic of Slovenia Decision II Ips 340 \ / 2011 of on July 17, 2014. \ n \ n \ n \ n [3] & nbsp; \ u2026 \ n \ n \ n \ n "[4] & nbsp; \ u2026 \ n", "publisher": {"@ id" : "# Publisher", "@ type": "Organization", "name": "GDPR planet", "logo": {"@ type": "ImageObject", "url": "https: \ / \ / gdprplanet .com \ / wp-content \ / uploads \ / 2021 \ / 03 \ /GDPR-Planet-Logo-ret.png "}," sameAs ": [" https: \ / \ / www.linkedin.com \ / in \ / klemenkraighermisic \ / "," # "]}," sourceOrganization ": {" @ id ":" # Publisher "}," copyrightHolder ": {" @ id ":" # Publisher "}," mainEntityOfPage ": { "@type": "WebPage", "@ id": "https: \ / \ / gdprplanet.com \ / objava-kazenske-ovadbe-odlucba-po-zin-2 \ /", "breadcrumb": {"@ id ":" # Breadcrumb "}}," author ": {" @ type ":" Person "," name ":" GDPR planet "," url ":" https: \ / \ / gdprplanet.com \ / members \ / ehn8n \ / "}} / *]]> * /