IP - 07121-1/2020/1555

From GDPRhub
Revision as of 12:04, 16 September 2020 by Hk (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
IP - 07121-1/2020/1555
LogoSL.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Type: Advisory Opinion
Outcome: n/a
Started:
Decided:
Published: 09.09.2020
Fine: None
Parties: n/a
National Case Number/Name: 07121-1/2020/1555
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Slovenian
Original Source: Informacijski pooblaščenec (in SL)
Initial Contributor: n/a

The Slovenian DPA issued guidance stating that schools could only create a list of pupils who refused to wear protective facemasks if it had a legal basis for doing so. It also said that parents could be asked to sign a statement authorising schools to keep records of such a list, only if the signature of the parents was freely given, specific, informed, and unambiguous.

English Summary

Facts

The Slovenian DPA issued guidance on whether schools are allowed to create lists of students who refuse to wear protective facemaks. The DPA was also asked whether parents could be required to sign a statement authorizing a school to keep records of such a list.

Dispute

Whether schools are allowed to create lists of students who refuse to wear masks at school, as per instruction from the Ministry of Education, Science and Sport.

Whether parents are required to sign a statement which authorizes the school to keep such records.

Holding

Regarding the first question of whether schools are allowed to create lists of students refusing to wear protective masks, the DPA stated that it will depend on whether the school has a legal basis for this processing operation. If they are relying on consent as their legal basis, this needs to be voluntary, specific, informed, and unambiguous. In the event that there is a duty to sign a statement, then this consent will not be deemed to be voluntary. The DPA then held that the only appropriate legal basis for the processing of personal data of school children is 6(1)(c) GDPR or 6(1)(e) GDPR. With regards to whether there were any national laws in place that permitted the processing of student data in relation to wearing protective masks, the IP held that neither the Slovenian Infectious Diseases Act nor the Ordinance on Interim Measures to Reduce the Risk of SARS-CoV- 27 provide for this, so they cannot be relied on.

Regarding the second question of whether parents are required to sign a statement which authorizes the school to keep such records of pupils, the DPA said if a statement is to be signed by parents, it must be done in accordance with the conditions for consent. In other words, the statement needs to be signed in a manner which is voluntary, specific, informed, and unambiguous.

Finally, the DPA said it was in the process of introducing a new procedure of inspection over the implementation of laws regarding the protection of personal data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

On 7 September 2020, the Information Commissioner (hereinafter IP) received your request for an opinion regarding the lists of students who do not wish to wear protective masks. You are interested in whether schools are allowed to work and submit lists of students who refuse to wear protective masks at school under the instructions of the Ministry of Education, Science and Sport. Are parents required to sign a statement authorizing the school to keep records?

On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter the General Regulation on Data Protection), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and 2 In accordance with Article of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question.

Based on the known information, it is crucial whether the data you state that the school wants to collect and record could be placed among the data for which the school has a legal basis for their processing in any of the applicable laws. No law explicitly requires this.

Any consent as a legal basis for data processing must be voluntary (without coercion), specific, informed and unambiguous (in principle, also determined by law in the public sector when it comes to performing public tasks). If it is a duty or conditionality to sign a certain statement, then it is not possible to speak of consent as defined by the General Data Protection Regulation.

The IP cannot give a final answer on the legality of the described request of the school in the opinion, so we are conducting an inspection procedure in connection with the stated dilemma. It verifies the existence of a legal basis for the described treatments.

There must be an appropriate and lawful legal basis for any processing of personal data. These are set out in Article 6 (1) of the General Data Protection Regulation and are for the public sector, which includes educational institutions such as primary and secondary schools, as follows:

• consent where public tasks are not involved (point (a)),

• the conclusion or performance of a contract (point (b)),

law (point (c)),

protection of vital interests (point (d)),

• implementation of a public task (point (e) in connection with the fourth paragraph of Article 9 of ZVOP-1).

 

According to IP, the only appropriate legal basis for the processing of personal data of school children is 6 (1 (c)) or 6 (1 (e)) of the General Regulation on Data Protection, as processing is necessary to fulfill the legal obligation that applies to the controller or. in relation to the performance of public tasks. Exceptions are certain data, where, in addition to the law, consent is also required, which is already determined by law.

The processing of personal data in the implementation of primary and secondary education is defined by the Primary School Act (ZOsn) 1, the Gymnasiums Act (ZGim) 2, the Vocational Education and Training Act (ZPSI-1) 3 and the Education Organization and Financing Act (ZOFVI). ) 4. Schools process personal data on pupils / students and their parents on the basis of Article 95 of the ZOsn or Article 42 of the ZGim or Article 86 of ZPSI-1, and more detailed rules are also contained in the Rules on the collection and protection of personal data in the field of primary education5. ZOFVI also contains a provision regarding the processing of personal data, namely Article 119 of this Act stipulates as a teacher's obligation "the collection and processing of data in connection with the performance of educational and other work".

The laws in the field of primary and secondary education therefore specify which types of databases and records are kept by primary and secondary schools and when the data of pupils / students may be collected on the basis of personal consent or consent of parents or guardians of children when it comes to the implementation of a public educational program. According to the IP, the data you state that the school wishes to collect and record would be difficult to place among the data for which the school is based, in which of the laws listed.

However, for such processing of pupils' personal data in connection with the wearing of protective masks to be lawful in the current epidemiological situation, it cannot be traced either in the Infectious Diseases Act6 or in the Ordinance on Interim Measures to Reduce the Risk of SARS-CoV- 27, issued on 3 September 2020. The latter explicitly stipulates that this decree (which stipulates the mandatory use of protective masks in enclosed public spaces) does not apply to educational institutions and organized sports activities, for which the application protective masks or other forms of protection of the oral and nasal part of the face use the recommendations of the National Institute of Public Health, which are published on the website of the National Institute of Public Health.

When asked if you are required to sign a statement authorizing the school to keep these records, the IP answers that any consent must be voluntary (without coercion, trickery), specific (accurate, for a specific purpose), informed and unambiguous (understandable). only in one way). If it is a duty or conditionality to sign a certain statement, then it is not possible to speak of consent as defined by the General Data Protection Regulation. You can read more about consent on the IP website https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/privolitev/ . Where the legal basis for the processing of personal data is the law, it is not necessary to obtain additional consent for the collection and transmission of personal data at all.

Since the IP has already received several questions or. reports of alleged violations regarding the collection and transmission of personal data of students in connection with the wearing of protective masks, also introduced a procedure of inspection control over the implementation of laws in the field of personal data protection. The process is ongoing, so we can't give you a more specific answer at this time. We suggest that you follow our website www.ip-rs.si , where the IP will publish its findings after the inspection.

We advise you to read more about the rights of the individual regarding data protection on our website www.tiodlocas.si .

All IP opinions are published and available on our website: https://www.ip-rs.si/vop/ .

Also, all key areas as regulated by the General Regulation on Data Protection are presented at: https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna -areas-of the regulation / , where you can find a lot of useful advice on the essential obligations of companies and other organizations for the proper implementation of personal data protection measures.

 

Greetings,

Mojca Prelesnik,

Information Commissioner

Karolina Kušević, B.Sc. dipl. prav.,
 IP consultant