IP - 0610-376/2020/35
IP - 0610-376/2020/35 | |
---|---|
Authority: | IP (Slovenia) |
Jurisdiction: | Slovenia |
Relevant Law: | Article 13(1) GDPR Article 13(2) GDPR Article 58(2)(a) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 15.03.2021 |
Published: | 15.04.2021 |
Fine: | None |
Parties: | Ministry of Public Administration |
National Case Number/Name: | 0610-376/2020/35 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Slovenian |
Original Source: | GDPR+ (via IP’s zip) (in SL) |
Initial Contributor: | GDPR+ |
IP held that the Ministry did not provide the relevant information under Article 13 of the GDPR when applying for interest in vaccination on the eUpava (eGovernment) portal.
English Summary
Facts
The ministry collected expressions of interest for vaccination against COVID -19 on the website https://e-uprava.gov.si/podrocja/sociala-zdravje-smrt/zdravje/vloga-cepljenje.html, and from the beginning of the expression of interest, the list became a list for vaccination. Information under Article 13 were not provided.
Dispute
Holding
Pursuant to Article 58(2)(a) of the General Regulation, controllers are reminded that the use or aggregation with other databases or other forms of further processing of personal data of individuals who have already submitted or are about to submit an application for vaccination against COVID-19 through the eGovernment portal constitutes a breach of the GDPR. Controllers must restrict the processing of personal data of individuals who have already submitted an application through the eGovernment portal.
Controllers must ensure fair and transparent processing of personal data in such a way that all persons who have already submitted, or are about to submit, an application for registration of interest in vaccination against COVID -19 through the eGovernment portal receive, in a concise, transparent, intelligible and easily accessible form and in plain and simple language, all the information referred to in Article 13(1) and (2) of the GDPR, focusing on the identification of the controller(s), the precise purpose of the processing and the legal basis for the processing, as well as the rights of individuals in this context.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
Interim decision of the Information Commissioner on the collection of expressions of interest for vaccination on the eGovernment portal GDPR planet 46 minutes ago Updated: April 15, 2021 Number: 0610-376 / 2020 to / 35 Date: March 15, 2021 Information Commissioner (hereinafter: IP) by an authorized official, State Supervisor for Personal Data Protection (, pursuant to Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, Nos. 113/05 and 51/07 - ZUstS- A (hereinafter: ZInfP), Articles 37 and 54 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 86/04 as amended; hereinafter: ZVOP-1), Articles 29 and 32 of the Inspection Act supervision (Official Gazette of the Republic of Slovenia, No. 56/02 as amended; hereinafter: ZIN), Article 58 (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation, hereinafter "the General Regulation"); and 221.of the General Administrative Procedure Act (Official Gazette of the Republic of Slovenia, No. 80/99, as amended, hereinafter ZUP) in connection with para. Article 3 of the ZIN, in the matter of performing inspection control over the implementation of the provisions of ZVOP-1 and the General Decree on taxpayers Ministry of Public Administration, Tržaška cesta 21, 1000 Ljubljana, National Institute of Public Health, Trubarjeva cesta 2, 1000 Ljubljana and Ministry of Health, Štefanova ulica 5, 1000 Ljubljana (hereinafter: taxpayers), ex officio issue PROVISIONAL DECISION Pursuant to Article 58 (2) (a) of the General Regulation, taxpayers are warned that the use or aggregation with other databases or other forms of further processing of personal data of individuals who have already submitted an Application for Vaccination against COVID-19 via the eGovernment portal or will just submit it, with the exception of notification under point 2 of the operative part of this decision, constitutes a breach of the General Regulation, so taxpayers must limit the processing of personal data of individuals who have already submitted an Application via the eGovernment portal. to declare interest in vaccination against COVID-19 or to submit it, by preventing any further use of the collected personal data of individuals through technical and organizational measures. Taxpayers must provide a fair and transparent processing of personal data in a way that all individuals who are on the portal eGovernment has already submitted an application for expressions of interest for vaccination against COVID-19, or it just will be placed in a concise, transparent, comprehensive and easily accessible form and in clear and simple language to ensure all information specified in paragraphs 1 and 2 of Article 13 of the General Regulation , with an emphasis on indication of the administrator / s, the precise purpose of the processing and the legal basis for processing, and an indication of individuals' rights in this regard. Taxpayers must implement the measures referred to in points 1 and 2 of the operative part of this decision within three (3) days of receiving this decision. Taxpayers must notify the Information Commissioner in writing of the implemented measures and restrictions referred to in points 1 and 2 of the operative part of this Decision no later than three (3) days after the implemented measures and restrictions . The notification must also contain indications and evidence that they have implemented the measures and restrictions referred to in points 1 and 2 of the operative part of this Decision and in what manner they have implemented them. No specific costs were incurred in this proceeding. Justification: 1. Purpose and content of inspections IP, ex officio, after receiving the report that the website https://e-uprava.gov.si/podrocja/sociala-zdravje-smrt/zdravje/vloga-cepljenje.html started collecting citizens' interest in vaccination v. COVID-19, where individuals are not informed of either the legal basis or the purpose of collecting personal data, against taxpayers the Ministry of Public Administration (hereinafter: MPA), the National Institute of Public Health (hereinafter: NIJZ) and the Ministry of Health (hereinafter: MH) introduced the procedure of inspection control over the implementation of the provisions of ZVOP-1 and the General Regulation. 2. Indication of the provisions on which the interim decision is based Personal data means any information relating to an identified or identifiable individual, and an identifiable individual is one that can be identified directly or indirectly, in particular by providing an identifier such as name, identification number, location data, web identifier, or an indication of one or more factors which characterize the physical, physiological, genetic, mental, economic, cultural or social identity of that individual (Article 4 (1) of the General Regulation). However, the processing of personal data is any act or set of actions carried out in relation to personal data or sets of personal data with or without automated means, such as collecting, recording, editing, structuring, storing, adapting or modifying, retrieving, viewing, use, disclosure through transmission, dissemination or other facilitation of access, adaptation or combination, restriction, deletion or destruction (Article 4 (2) of the General Regulation). Not all personal data in themselves enjoy protection under ZVOP-1 and the General Regulation, but they receive this protection only in the case of the processing of personal data in whole or in part by automated means and for processing other than automated means in the case of for personal data which form part of a personal data file or are intended to form part of a personal data file (Article 2 (1) of the General Regulation). The general legal basis for the processing of personal data is governed by Article 6 of the General Regulation, according to which the processing of personal data is considered lawful only if at least one of the conditions set out in the first paragraph of that Article is met. However, the legal basis for the processing of specific types of personal data, such as health data, is set out in Article 9 of the General Regulation. Also, despite the application of the General Regulation, the provisions of the first, second and fourth paragraphs of Article 9 of ZVOP-1, which regulate the legal bases for the processing of personal data in the public sector, are still valid. Thus, personal data may be processed in the public sector if the processing of personal data and the personal data being processed is provided for by law. The law may stipulate that certain personal data may be processed only with the personal consent of the individual. Holders of public authority may also process personal data on the basis of the personal consent of an individual without a basis in law, when it is not a question of performing their tasks as holders of public authority. Exceptionally, however, those personal data which are necessary for the exercise of lawful powers, tasks or obligations of the public sector shall be processed, provided that such processing does not interfere with the legitimate interest of the individual,to which the personal data relate. Any processing of personal data must at the same time comply with the basic principles of processing as set out in Article 5 of the General Regulation, and the controller must at all times be able to demonstrate that he processes personal data in accordance with the basic principles of processing and complies with all requirements imposed by the General Regulation and national regulations on personal data protection (in the Republic of Slovenia this is ZVOP-1). Personal data must be as follows: processed lawfully, fairly and transparently in relation to the data subject (" lawfulness, fairness and transparency "); collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes (' purpose limitation '); relevant, relevant and limited to what is necessary for the purposes for which they are processed (" minimum amount of data "); accurate and, where necessary, up-to-date (' accuracy '); kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (" Storage restriction "); they shall be processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage by appropriate technical or organizational measures (" integrity and confidentiality "). According to Article 4 (7) of the General Regulation, the term controller means a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of processing; where the purposes and means of processing are determined by Union law or the law of a Member State, the controller or the specific criteria for his appointment may be determined by Union law or by the law of a Member State. Furthermore, Article 26 of the General Data Protection Regulation provides that joint controllers are the ones who jointly determine the purposes and methods of processing . According to Article 4 (8) of the General Regulation, the term processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. The processor therefore acts in the name and for the purpose of the controller and does not process personal data for its own purpose but for the purpose determined by the controller and must act only on the instructions of the controller. The relationship between them must be defined by a contract or other written act, which must contain certain prescribed components (Article 28 of the General Regulation). Article 13 (1) of the General Regulation provides that where personal data relating to a data subject are obtained from that data subject, the controller shall provide the data subject with all the following information when obtaining the personal data [1]. : the identity and contact details of the operator and his representative, if any; the contact details of the data protection officer, if any; the purposes for which personal data are processed, as well as the legal basis for their processing; where the processing is based on point (f) of Article 6 (1), the legitimate interests pursued by the controller or a third party; users or categories of users of personal data, where they exist; where applicable, information that the controller intends to transfer personal data to a user in a third country or international organization, where necessary to ensure fair and transparent processing, as well as other information defined in the second paragraph of the same article, namely: the period of retention of personal data or, where this is not possible, the criteria used to determine that period; the existence of the right to require the controller to access personal data and to rectify or delete personal data or to restrict processing in relation to the data subject, or the existence of a right to object to the processing and the right to data portability; the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the data processing carried out on the basis of the consent until its withdrawal; the right to lodge a complaint with the supervisory authority; whether the provision of personal data is a legal or contractual obligation and whether the individual must provide personal data and what are the possible consequences if such data are not provided; the existence of automated decision-making. 3. Findings of the IP and explanations and views of taxpayers The IP is the MPA with letter no. 0610-376 / 2020/ 3 of 11 December 2020 called for the following explanations and documentation: the purpose of collecting expressions of interest for vaccination against COVID-19 via the eGovernment portal; legal bases for the processing of personal data of individuals through the eGovernment portal; the period of storage of the obtained personal data of individuals, the purpose of processing the unique personal identification number (EMŠO) and the individual's contact data (telephone number and e-mail address), taking into account the principle of the minimum amount of data; the manner in which individuals are made aware of the information referred to in Article 13 of the General Regulation when submitting their application (where the individual information referred to in Article 13 of the General Regulation is available to individuals). The taxpayer was also asked to provide a specific notification to the individual, who will receive it as part of the described notification stated in the application. From the response of the MPA no. 061-6 / 2020-2 of 16 December 2020 states that: the purpose of the application, as is clear from the application itself and the confirmation e-mail [2] and SMS [3] , is to identify the high interest in vaccination against COVID-19 and to inform the next steps regarding the course of vaccination; the expressed interest will certainly contribute to the preparation of a plan for the purchase of the vaccine and the subsequent implementation of vaccination, but the IP should contact the Ministry of Health and the NIJZ, which are responsible for ordering the vaccine and carrying out vaccination; the IP can obtain an answer from the NIJZ or MZ, which are responsible for the implementation of the vaccination itself, to the question of what the notification to the individual regarding the vaccination will look like; The MPA is not the competent ministry responsible for preparing the legal basis in a specific case, or the IP should contact the Ministry of Health regarding the legal basis and the period of storage of obtained personal data of individuals; the IP should contact the Ministry of Health and the NIJZ, which are responsible for vaccination, regarding the purpose of collecting the EMŠO, telephone number and e-mail address; regarding the provision of information referred to in Article 13 of the General Regulation to individuals when submitting an application, the IP should contact the Ministry of Health. It is not clear from the MPA's explanations of 16 December 2020 on what legal basis and for what purpose the personal data of individuals and who is their controller are processed through the e-Administration portal, more precisely the application for registration of interest in vaccination. According to the instruction of the obligor to the supervisory body to contact the NIJZ and the Ministry of Health for clarifications regarding the legal basis for the processing of personal data in the relevant field, the IP by letter no. 0610-376 / 2020/ 5 of 18 December 2020, called on the NIJZ to provide the following explanations, documentation and statements: who is the actual controller of personal data collected through the application submitted on the eGovernment portal and what is the role of the MPA, MH and NIJZ. However, if the NIJZ is the actual (or joint) controller of personal data, the following must also be provided: the legal basis and purpose of the processing of personal data; periods and locations of storage of acquired personal data; the purpose of processing the unique personal identification number (EMŠO) and individual contact data (telephone number and e-mail address), taking into account the principle of minimum data volume; the method of informing individuals when submitting the application with the information referred to in Article 13 of the General Regulation (where the individual information referred to in Article 13 of the General Regulation is available to individuals); specific notification to the individual,which he will receive in the context of the described information stated in the application. The IP also informed the NIJZ about the capture of screen images on the eGovernment portal (https://e-uprava.gov.si/podrocja/sociala-zdravje-smrt/zdravje/vloga-cepljenje.html ) of 10 December 2020, from which it follows that before submitting the application - the individual had to use e-identity, mark the boxes with the following content “YES, I express interest in vaccination with the vaccine against COVID-19 with an EU marketing authorization when it is available in Slovenia” and “I agree to the processing of personal data for the purpose of informing about vaccination options against COVID-19 when it becomes available in Slovenia. ” [4] The IP of the taxpayer also informed that the already obtained explanations of the MPA do not show on what legal basis and for what purpose the personal data of individuals are processed through the e-Government portal and who is their controller, and pointed out the statements of the Prime Minister Janez Janša and the government Speaker on the COVID-19 disease epidemic Jelko Kacin, from which it follows that the expressed interest in vaccination against COVID-19 on the eGovernment web portal means placing in the queue for vaccination, and these statements are inconsistent with written explanations to the individual when submitting mentioned applications on the eGovernment portal [5] . From the answer of NIJZ, no. 061-4 / 2020-3 of 23 December 2020 states that: The NIJZ did not participate in the development and establishment of an online collection of citizens' interest in vaccination against COVID-19, or was invited only to a preliminary meeting to explain its views on the establishment and meaning of such an expression of interest by citizens in the further development of the solution. however, he did not participate; was informed about the establishment of the online form from the media; the online form was not established by the NIJZ and therefore the data collected through it are not under the control of the NIJZ; The NIJZ does not have information on how to inform individuals on the basis of their request about further steps regarding vaccination and in what way; The NIJZ was not aware of the content of the SMS message that the individual receives after the successful submission of the application; The NIJZ is not the controller of personal data collected through the submitted application on the eGovernment portal; The NIJZ sent an invitation to the Ministry of Public Administration to provide explanations regarding the use of his signature as well as his e-mail address, but has not yet received a response in this regard. It was therefore clear from the NIJZ's explanations of 23 December 2020 that the NIJZ is not the controller of personal data processed through the submitted application and that it was not aware of the content of the message received by the individual after submitting the application (ie that the NIJZ recorded interest in vaccination against COVID-19). According to the explanations of the Ministry of Public Administration on the competent ministry for the preparation of the legal basis for the processing of personal data in the relevant field and the fact that the NIJZ has declared that it is not the controller of personal data collected by submitting an application for interest in vaccination on the eGovernment portal, the IP also introduced an inspection procedure against the Ministry of Health. By letter no. 0610-376 / 2020/8 of 23 December 2020 called on the Ministry of Health to provide the following explanations, documentation and statements: to clarify which authority and exactly which person ordered the establishment of a personal data file vaccination against COVID-19 on the eGovernment portal; to clarify who the actual operator is subject personal data and what is the role of the MPA, NIJZ and the obligor; that in case the controller (or joint controller) provides an explanation on which legal basis and for what purpose the personal data of individuals are processed through the eGovernment portal; which person at the taxpayer is responsible for this personal data file; who has access to this personal data file and for what specific purposes; how individuals are made aware of all the information referred to in Article 13 of the General Regulation when submitting their application and where the individual information referred to in Article 13 of the General Regulation is made available to individuals. The Ministry of Health was also asked to indicate, insofar as it is the controller (or joint controller): the period and location of storage of the obtained personal data of individuals; a concrete example of notification to an individual,which he will receive in the context of the described information stated in the application; the purpose of processing the unique personal identification number (EMŠO) and the individual's contact data (telephone number and e-mail address), taking into account the principle of the minimum amount of data. Due to the delay in submitting the response to the IP call, on 5 January 2021 the State Supervisor conducted a telephone interview with the State Secretary at the Ministry of Health, Mag. Marija Magajne. She explained that she was not aware of the IP call and undertook to provide explanations by Thursday 7 January 2020. She also explained that the Ministry of Health is not the controller of personal data collected on the basis of an application submitted via the eGovernment portal (see Official note on telephone interview, No. 0610-376 / 2020/ 9 of 5 January 2021). Because IP, despite the call to the liable party, which was served on him on 24 December 2020 and the telephone conversation with the Secretary of State, Mag. Marija Magajna on 5 January 2020, did not receive the required explanations until 11 January 2021, on 11 January 2021 the State Supervisor again conducted a telephone interview with Mag. Marija Magajne, who explained that they have a problem with the taxpayer with the preparation of the answer to question no. 1 (ie which authority and exactly which person ordered the establishment of a personal data file, which is created by submitting an application for registration of interest in vaccination against COVID-19 on the eGovernment portal), as they do not find related documentation in the archive and reiterated that The Ministry of Health is certainly not the controller of the personal data in question (see the Official Note on the telephone interview, No. 0610-376 / 2020/10 of 11 January 2021). From the answer of MH no. 1711-4 / 2020/32 of 11 January 2021, it follows that the Ministry of Health does not have documentation from which it would be evident which body or specific person ordered the establishment of the collection "Collection of citizens' interest in vaccination against COVID-19" and that the Ministry of Health is neither the controller of the said personal data file nor has access to it. According to the answers received from all three taxpayers, the IP by letter no. 0610-376 / 2020 to / 10 [6] z dne 12. 1. 2021 MJU pozval k posredovanju naslednjih pojasnil oziroma dokumentacije: kateri organ in natančno katera oseba je odredila vzpostavitev zbirke osebnih podatkov, ki nastaja z oddajo vloge na portalu eUprava oziroma, kdo je opredelil namen in sredstva ter izdal navodilo za izdelavo omenjene spletne strani; kdo je dejanski upravljavec predmetnih osebnih podatkov; ali je MJU aplikacijo za oddajo omenjene vloge razvil s svojimi viri in kdo jo vzdržuje; s katerimi registri se omenjena aplikacija povezuje; kdo ima dostop do predmetnih osebnih podatkov in za kakšne namene; posredovanju odgovora NIJZ v zvezi z uporabo njegovega podpisa in e-naslova pri oddaji vloge. IP je v predmetnem dopisu zavezanca seznanil, da se je za pojasnila glede pravne podlage za obdelavo osebnih podatkov, ki se zbirajo preko eUprave, kot je tudi sicer predlagal zavezanec, obrnil na NIJZ in MZ oziroma, zoper njiju uvedel postopek inšpekcijskega nadzora in da sta oba pojasnila, da nista upravljavca osebnih podatkov, ki se obdelujejo preko oddane vloge za prijavo interesa za cepljenje. Iz pridobljenih pojasnil pa še izhaja, da spletni obrazec ni bil vzpostavljen s strani NIJZ, da zbrani podatki niso pod nadzorom NIJZ, da MZ nima dostopa do zbranih podatkov preko omenjene vloge in tudi ne razpolaga z dokumentacijo, iz katere bi bilo razvidno, kateri organ ali konkretna oseba je odredila vzpostavitev predmetne zbirke osebnih podatkov. IP je v pozivu zavezancu tudi izpostavil izjavi predsednika Vlade RS in vladnega govorca, iz katerih izhaja, da izkazani interes za cepljenje preko eUprave pomeni postavitev v čakalno vrsto, in sta v neskladju s pisnimi navodili posamezniku pri oddaji omenjene vloge na portalu eUprava (gl. Priloga 4) and, contrary to the instructions given to citizens at the time, to express their interest in vaccination to their chosen personal doctor, who will put them on a waiting list and also inform them about further instructions regarding vaccination [7] . From the response of the MPA no. 061-6 / 2020-5 of 18 January 2021 states that: the establishment of the application was agreed between the Ministry of Health, the NIJZ and the MPA; the content of the application for the declaration of interest in vaccination was determined by the Ministry of Health and the NIJZ, and the MPA enabled its publication on the eGovernment portal and that the MPA is not even competent to define the purpose of the application; is the controller of personal data collected through the submitted application to the eGovernment, NIJZ, which can access the data through the documentary system Krpan; the application was developed by an external contractor, as the establishment of the application required verification mechanisms (matching name, surname and EMŠO and control of the correctness of e-mail address entry) and that software upgrades were required when establishing mechanisms for accepting applications and confirmation SMS; in the application submission process, only the verification of the correspondence of the applicant's data (name, surname and EMŠO) with the data in the CRP is performed; has access to the data from the submitted application of the NIJZ and that the IP should contact him regarding the purpose of the collected data; the MPA merely advised NIJZ representatives on the content of the confirmation message; It was in the common interest of the MPA, NIJZ and MH, epidemiologists and other representatives of the health profession to assist in their work in the fight against the COVID-19 epidemic. For this purpose, they wanted to check the readiness of the population for vaccination (in terms of planning the purchase of vaccines). At the time, the most optimal version seemed to be to collect this interest / applications through eGovernment, which is an important communication channel with citizens, which then proved to be correct, as the response was massive in a relatively short time. This alone is important information for the profession in dealing with the epidemic. By letter no. 0610-376 / 2020 to / 12 [8] of 19 January 2021, the NIJZ informed that in connection with the collection of citizens' interest in vaccination against COVID-19 via the eGovernment portal, it had ex officio introduced an inspection procedure against three taxpayers (MPA, MH and NIJZ), whose statements contradictory, as the MPA explained that the NIJZ is the actual controller of personal data processed through the submitted application for registration of interest in vaccination, that only the NIJZ has access to the personal data in question, that the establishment of the application was agreed between MH, NIJZ and MPA and that its content was determined by the NIJZ and the Ministry of Health, while the MPA enabled the submission of the application on the eGovernment portal. Due to the contradictory statements of individual taxpayers, the IP still does not have information on who is the (joint) controller of the personal data in question, which are collected through the eGovernment portal.Also, the mentioned taxpayers still did not unambiguously explain the purpose of collecting expressions of interest for vaccination against COVID-19 via the e-Uprava portal, as declarations of interest for vaccination are also collected from selected personal physicians, according to publicly available information. As part of the public presentation of the vaccination plan against COVID-19, NIJZ Director Milan Krek explained that the vaccination of individuals who do not belong to the risk group will take place in the order of applications submitted through eGovernmentthat vaccination of individuals who do not belong to the risk group will take place in the order of applications submitted through eGovernmentthat vaccination of individuals who do not belong to the risk group will take place in the order of applications submitted through eGovernment[9]. The NIJZ provides conflicting information to the public and thus also to individuals whose personal data are processed. In the context of the personal data processing in question, the transparency of the processing is also disputable, as individuals are not adequately informed about the data controller, the purposes of processing and retention periods, or the legal basis for the processing of personal data. In view of the above, the IP requested the obligor to comment on the explanations of the MPA from which it follows that he is the controller of the personal data of the NIJZ, the statements of the NIJZ director Milan Krek regarding the vaccination of non-risk groups and the explanations of the MPA the content of the application for the declaration of interest in vaccination is determined by the NIJZ and the Ministry of Health. The taxpayer was also asked to provide: information on the content, place, time, participants,the conclusions or conclusions of the preliminary meeting which he mentions in his reply of 23 December 2020; a call addressed to the MPA regarding the use of the signature and e-mail address of the NIJZ and a response from the MPA in this regard. However, if, according to the explanations prepared on 23 December 2020, the taxpayer subsequently became the controller of personal data, the following explanations and documentation: since when does he or she enjoy the status of controller of personal data; on what legal basis and for what purpose through the submitted application on the eGovernment portal, processes personal data of individuals; which person at the taxpayer is responsible for this personal data file and to whom and for what purposes the access to it is provided;how individuals are made aware of all the information referred to in Article 13 of the General Regulation when submitting their application and where the individual information referred to in Article 13 of the General Regulation is made available to individuals; the purpose of collecting the processing of the unique personal identification number (EMŠO) and the individual's contact data (telephone number and e-mail address), taking into account the principle of the minimum amount of data; forwarding a specific case of notification to the individual who will receive it as part of the described notification stated in the application. On 25 January 2021, in connection with the IP's request for the provision of explanations, documentation and statement, no. 0610-376 / 2020/ 12 of 19 January 2021 received a call from the director of the NIJZ Milan Krek, who explained that the database collected through the eGovernment portal is extremely valuable for the NIJZ and that the NIJZ wants to use IP to find a solution for its preservation and further use. The NIJZ has access to the mentioned data, but they do not actually access or use it, as they are aware of the absence of an appropriate legal basis. Regarding the purpose or reason for collecting this data, Milan Krek explained that in the meantime the "interest has been upgraded" in such a way that the successful submission of the application also means placing it in the order of vaccination. At the time of the interview, a legal basis for the use of data collected through the eGovernment portal was being prepared. The Ministry of Health is preparing a new program, with the help of which the database, which will be obtained from the application on eGovernment,paired with a database that is already in zNET (data on individuals who have applied for vaccination with a personal doctor and in a health center are already being collected here) or, the database will be transferred from the MPA to zNET. After a telephone conversation with the director of the NIJZ, Milan Krek, the NIJZ provided written explanations at the request of the IP (ref. No. 061-4 / 2020-5 of 25 January 2021), from which it follows that: A preliminary meeting at which the NIJZ explained its view on the establishment and meaning of the operation of the possibility of expressing interest by citizens through the eGovernment portal took place in November and that the NIJZ does not have the minutes of the meeting; Regarding Milan Krek's statement regarding the establishment of the order of applications of risk-free groups for vaccination through eGovernment, it should be clarified that regardless of who and on what basis started collecting interest in vaccination, the fact that citizens expressed interest in vaccination and expect to be invited to vaccination based on the interest expressed. As a result, the NIJZ is of the opinion that the collected applications should be properly transferred to the health care system, as otherwise there would be immeasurable damage to the promotion of vaccination and vaccination of the population; in view of the purpose pursued by vaccination, it is essential to communicate with the public in an appropriate manner that does not cause harm to the vaccination measure; The Ministry of Health and the NIJZ are preparing an information solution that will enable ordering vaccinations within eHealth, in accordance with the applicable legal bases; After the establishment of the new vaccination application system, which will be collected within the eGovernment portal, the NIJZ will take over and discuss it within the new solution in an appropriate manner. According to the content of the written explanations received by the NIJZ dated 25 January 2021, on 26 January 2021 the State Supervisor conducted a telephone interview with Milan Krek, the director of the NIJZ. I reminded the above that if the IP does not receive comprehensive answers or explanations to all the questions from the summons, a misdemeanor procedure will be initiated against him as the responsible person of the public institution (as was also explained in the summons). Director NIJZ has committed to provide full written explanations to the mid-27th 1st 2021 but only IP that received only on Friday, 29. 1. 2021. The subject explained (letter NIJZ, no. 061-4 / 2020-6 with on 29 January 2021) it follows that: on the basis of a telephone conversation between the State Supervisor and Director Milan Krek, the MPA informed the MPA that before submitting the application, the individual should be informed of the purpose of submitting the application (ordering the vaccination service), as presented in the media; the MPA undertook to update the entry point in accordance with the requirements of the NIJZ and IP; The NIJZ is preparing to upgrade the zVem portal in such a way that it will be possible to subscribe to an individual through the application, as well as centrally order patients for vaccination services, which will include healthcare providers, and that when the application is ready for use, the NIJZ will after confirmation by the person who submitted the application in which he / she expressed an interest in vaccination, provide him / her with the date and place of vaccination; NIJZ will take over the data currently collected in the database and place it in the health system, in accordance with the applicable legal bases for the operation of NIJZ and eHealth, within ZZDej and ZZPPZ and that until then no one uses this database (not even NIJZ), as the mentioned program has not been established yet; the NIJZ will regulate the relationship between the NIJZ and the MPA with a special document and will be forwarded by the IP; It is in the interest of the inhabitants of the Republic of Slovenia and the NIJZ that the data collected from the database be used in a lawful manner and thus enable faster vaccination of the population, which is absolutely necessary in the current situation. By letter no. 0610-376 / 2020/ 14 of 19 January 2021, the MPA informed that the NIJZ had stated in the inspection procedure that it was not the controller of personal data processed through the submitted application for registration of interest in vaccination, that the collected data were not under its control. and did not participate in the establishment of an online collection of citizens' interest in vaccinating against COVID-19 (he was only invited to a preliminary meeting to present his views on the establishment and meaning of such an opportunity for citizens to express interest) and form from the media and that it does not have information that it will inform citizens on the next steps regarding vaccination based on their request. The MPA was also informed by the IP,that due to conflicting statements of individual taxpayers (MPA, NIJZ, MH), the IP still does not have information on who is the controller of the personal data collected through the eGovernment portal and that taxpayers are still not unambiguous in the inspection procedure explain the purpose of collecting expressions of interest for vaccination against COVID-19 via the eGovernment portal. Expressions of interest in vaccination are also expected to be collected from selected personal physicians, and the NIJZ director even explained during the public presentation of the vaccination plan against COVID-19 that vaccination of individuals who do not belong to the risk group will take place in the order of applications eGovernment portal. Therefore, the IP requested the MPA to submit the following documentation or clarify:information on the content (minutes or possible official notes of the participants), place, time, participants, resolutions or conclusions of the preliminary meeting referred to by the NIJZ and held in November 2021; documentation confirming the MPA's statements that the establishment of the application on the eGovernment portal was agreed between all three taxpayers (MPA, NIJZ, MZ) and statements that the content of the application was confirmed by the MZ and NIJZ; an explanation of the date from which the NIJZ enjoys the status of personal data controller; providing data on a person (name and surname, job title and description of tasks performed) who issued instructions to the MPA for the development of the said web application, data on the external contractor and maintainer of the web application and a response sent by the MPA to the MPA in connection with the call regarding the use of the signature and e-mail address of the NIJZ.resolutions or conclusions of the preliminary meeting referred to by the NIJZ and held in November 2021; documentation confirming the MPA's statements that the establishment of the application on the eGovernment portal was agreed between all three taxpayers (MPA, NIJZ, MZ) and statements that the content of the application was confirmed by the MZ and NIJZ; an explanation of the date from which the NIJZ enjoys the status of personal data controller; providing data on a person (name and surname, job title and description of tasks performed) who issued instructions to the MPA for the development of the said web application, data on the external contractor and maintainer of the web application and a response sent by the MPA to the MPA in connection with the call regarding the use of the signature and e-mail address of the NIJZ.resolutions or conclusions of the preliminary meeting referred to by the NIJZ and held in November 2021; documentation confirming the MPA's statements that the establishment of the application on the eGovernment portal was agreed between all three taxpayers (MPA, NIJZ, MZ) and statements that the content of the application was confirmed by the MZ and NIJZ; an explanation of the date from which the NIJZ enjoys the status of personal data controller; providing data on a person (name and surname, job title and description of tasks performed) who issued instructions to the MPA for the development of the said web application, data on the external contractor and maintainer of the web application and a response sent by the MPA to the MPA in connection with the call regarding the use of the signature and e-mail address of the NIJZ.which confirms the statements of the Ministry of Public Administration that the establishment of the application on the eGovernment portal was agreed between all three taxpayers (MPA, NIJZ, MZ) and the statements that the content of the application was confirmed by the Ministry of Health and NIJZ; an explanation of the date from which the NIJZ enjoys the status of personal data controller; providing data on a person (name and surname, job title and description of tasks performed) who issued instructions to the MPA for the development of the said web application, data on the external contractor and maintainer of the web application and a response sent by the MPA to the MPA in connection with the call regarding the use of the signature and e-mail address of the NIJZ.which confirms the statements of the Ministry of Public Administration that the establishment of the application on the eGovernment portal was agreed between all three taxpayers (MPA, NIJZ, MZ) and the statement that the content of the application was confirmed by the Ministry of Health and NIJZ an explanation of the date from which the NIJZ enjoys the status of personal data controller; providing data on a person (name and surname, job title and description of tasks performed) who issued instructions to the MPA for the development of the said web application, data on the external contractor and maintainer of the web application and a response sent by the MPA to the MPA in connection with the call regarding the use of the signature and e-mail address of the NIJZ.providing data on the person (name and surname, job title and description of tasks performed) who issued instructions to the MPA for the development of the said web application, data on the external contractor and maintainer of the web application and the response sent to the MPA by the NIJZ in connection with the call regarding the use of the signature and e-mail address of the NIJZ.providing data on a person (name and surname, job title and description of tasks performed) who issued instructions to the MPA for the development of the said web application, data on the external contractor and maintainer of the web application and a response sent by the MPA to the MPA in connection with the call regarding the use of the signature and e-mail address of the NIJZ. From the response of the MPA, opr. no. 061-6 / 2020-7 of 26 January 2021, the following explanations are provided regarding the content of the preliminary meeting: That on 25 November 2020 the Minister of Health Tomaž Gantar sent an e-mail to the Minister of Public Administration Boštjan Koritnik containing a draft scenario for conducting mass testing, in which IT support for this process was key, and that the MPA immediately received of the aforementioned writing began with an analysis of possible solutions in the direction of using existing solutions. Due to the complexity of the scenario, additional questions arose in the search for solutions, and in agreement with the Ministry of Health, the MPA convened a preliminary meeting between representatives of the MPA, the Ministry of Health and the NIJZ, which took place through MS Teams. That at the meeting held on 3 December 2020, representatives of the MPA, NIJZ and MH [10] analyzed the draft scenario for mass testing of the population by regions, which was submitted to the MPA on 25 November 2020 and a picture of the process and concluded that the participants in the meeting do not have sufficient information and that coordination meetings are still taking place at the level of the NIJZ, MORS and MH. That after the preliminary meeting, the MPA prepared a proposal of the form / application for collecting interest for vaccination, which was also sent to the NIJZ and MH for review and supplementation, and that the final agreement on the content of the application and the establishment was made orally (between the Minister of Health , Minister of Public Administration and Director of the NIJZ). The content of the form and the confirmation e-mail were coordinated between the Ministry of Health and the Ministry of Public Administration, and the content of the form was orally confirmed to the Minister of the Ministry of Public Administration by the Minister of Health and the NIJZ Director. That the main purpose of the application is to check the interest among citizens regarding readiness for vaccination, which would help to properly organize the vaccination process itself in order to curb the spread of COVID-19 disease. The NIJZ has been the actual controller of personal data since the application was established on the eGovernment portal, as it is also the coordinator of activities related to vaccination, or the NIJZ director has spoken several times about further consideration of these applications in vaccination. As both the Ministry of Health and the NIJZ did not have the appropriate IT infrastructure in such a short time as required due to poor epidemiological results, the MPA enabled technical implementation to establish both the application and the backlog records in which submitted applications are stored managed by the MPA). That the NIJZ can access the collected data via the Krpan information system. That the initial request for the production of the application was submitted by the Minister of Health Tomaž Gantar, and the final approval of the production by the Minister of Public Administration Boštjan Koritnik. That the application for the registration of interest in vaccination is established on the eGovernment portal maintained by the company SRC doo, and the back-end system in which the submitted applications are stored is the Krpan information system maintained by the companies MARG INŽENIRING DOO, APS PLUS, napredne poštne storitve doo and AVTENTA, napredne poslovni rešitve doo That the MPA received a call from the NIJZ on 21 December 2020 regarding the use of the NIJZ signature and e-mail address, but the MPA did not respond to it, as the NIJZ director gave the Minister of Public Administration consent to use it. During the inspection procedure, the taxpayer of the Ministry of Public Administration submitted the following documentation (within the letter No. 061-6 / 2020-7 of 26 January 2021): an e-mail ………… of 4 December 2020 addressed to ……… ..and forwarded for information ………… containing a confirmatory text [11] to be received by the individual after the successful submission of the application and to which the Ministry of Health should decide and two screenshots, which represent the form for registering interest in vaccination; a letter from the Minister of Health Tomaž Gantar to the Minister of Public Administration Boštjan Koritnik dated 25 November 2020, containing a draft idea for mass testing of the population by region; a picture of the process of ordering testing; an invitation to a meeting held on 3 December 2020, the subject of which was the establishment of an e-Ordering System for testing for COVID-19 and related e-correspondence between taxpayers' representatives; e-mail from the MPA employee z. dated 13 December 2020 to the NIJZ employee ………… regarding the text of the confirmation e-mail and SMS notification, which will be sent to individuals upon registration; e-correspondence dated 4 December 2020 regarding the agreement between the representatives of the MPA and the Ministry of Health on the content of the form, the purpose of the application and the legal basis and information received by the individual when submitting the application regarding the processing of personal data. Regarding the detected change in the text in the Form for expressing interest in vaccination against the COVID-19 virus, on 3 February 2021, the State Supervisor conducted a telephone interview with …………. [12] , Director of the Office for the Development of Digital Solutions at the Ministry of Public Administration, who also participated in the preparation of the content of the form, which is published on the eGovernment portal. Also on the same day, the IP received written explanations from the above-mentioned interview regarding the change of the text in the form and on 4 February 2020 the change of the text of the form, which was harmonized with the NIJZ on 4 February 2021 was also corrected by the end of the week (ie by 7 February 2021) on the eGovernment portal. The following follows from the written oral explanations of the MPA employee: That they have administrative rights in relation to the submitted applications for the registration of interest in vaccination through the eGovernment portal, MPA (system administrator) and NIJZ (director), but so far no one has accessed the data collected through the submitted forms. That she is aware that the legal basis for the processing of personal data collected through the forms submitted on the eGovernment portal should be regulated by the Intervention Measures Act to mitigate the consequences of the second wave of the COVID-19 epidemic (PKP6). That she does not know that the purpose of the submitted application on the eGovernment portal is to register in the order for vaccination. That a contractual processing contract under Article 28 of the General Regulation is likely to be concluded between the NIJZ and the MPA. That, in her personal opinion, there is a dilemma whether the NIJZ and the Ministry of Health are not joint managers. Da je MJU po pregledu zapisov v razvojnih dnevnikih ugotovil, da je dne 12.1.2021 naredil napako pri nameščanju nove verzije eUprave (ta verzijo je bila nameščena z novo funkcionalnostjo čezmejne prijave, ki jo MJU dela v mednarodnem projektu). Pri nameščanju je MJU ta del besedila, ki je vezan na posebno razvojno komponento, napačno kopiral. Glede na navedeno, je bilo do 12. 1. 2021 besedilo na obrazcih: »DA, izražam interes za cepljenje s cepivom proti COVID-19 z dovoljenjem za promet v EU, ko bo dostopno v Sloveniji.” in “Strinjam se z obdelavo osebnih podatkov za namen obveščanja o možnostih cepljenja proti COVID-19, ko bo to dostopno v Sloveniji.« Od 12. 1. 2021 pa vsebuje besedilo, ki predhodno sicer ni bilo dogovorjeno: »Da, želim se cepiti, ko bo potekalo množično cepljenje.« in »Potrjujem resničnost podatkov, navedenih v vlogi, ter pod kazensko in materialno odgovornostjo jamčim za njihovo verodostojnost.«. That the described error will be eliminated by February 7, 2021 with the amended text, which was harmonized with the NIJZ on February 4, 2021. That it follows from the proposed amended text that the purpose of submitting an application through the eGovernment portal is to collect citizens' interest in vaccinating against COVID-19 and that citizens are given the opportunity to express their wish to be vaccinated as soon as possible. The interest shown by citizens will be used in the system of ordering vaccinations in health care institutions. On the basis of the facts thus established, the IP concluded that: From 8 December 2020, an application for collecting citizens' interest in vaccination against COVID-19 is available on the eGovernment portal, which is supposed to be simple, free and non-binding and can be submitted in two ways: using e-identity (qualified digital certificate or smsPass) or without the use of e-identity (by manually entering the e-mail address and other necessary data) [13] . According to the GOV.SI portal, the MPA, based on the requests of the Ministry of Health and the health profession, prepared a simple application to collect the interest of citizens for vaccination against covid-19, which gives them the opportunity to express their desire to be vaccinated. as soon as possible and that the following information is provided to individuals regarding the method of submitting the application: "If citizens choose an application using e-identity, most of the data will be filled in automatically from the Central Register of Residents and the personal profile of the registered user. Only the phone number will need to be checked or changed. Anyone can submit an application without the use of e-identity, even if they do not use eGovernment or do not have a digital identity. In this case, citizens must enter all the data manually. Care must be taken to ensure that the data is entered correctly. Optionally, they can also enter a mobile phone number for later communication. After the successful submission, all users - both those who submitted an application using e-identity and thosewho submitted an application without the use of e-identity - from the back-office system of the National Institute of Public Health to the entered e-mail address received a certificate of intent to vaccinate against covid-19” [14] . According to the explanations obtained by the IP from the MPA, epidemiologists and other representatives of the health profession wanted to check the readiness of the population for vaccination (in terms of planning vaccine purchases) and that the MPA enabled " only "technical implementation for the establishment of the application (as it manages the eGovernment portal) and back-end records in which the submitted applications are stored (Krpan system, which is also managed by the MPA) and that the NIJZ can access the collected data (through the Krpan information system) submitted applications. The Ministry of Health does not have access to the submitted applications or the subject collection. The administrative rights related to the submitted applications for the expression of interest for vaccination through the eGovernment portal were granted to the MPA (system administrator) and the NIJZ (director), but so far no one has accessed the data collected through the submitted forms. The eGovernment portal is maintained by the company SRC doo, and the Krpan information system by MARG INŽENIRING DOO, APS PLUS, napredne poštne storitve doo and AVTENTA, napredne poslovni rešitve doo The NIJZ confirms the MPA's allegations that it is granted access to the submitted applications, but does not actually access them, as it is allegedly aware of the absence of a legal basis for the processing of obtained personal data. All three taxpayers deny that they are controllers of personal data collected through the eGovernment portal, with the MPA explicitly stating that the NIJZ has been the actual controller of personal data since the beginning of the application. It follows from the e-correspondence sent by the MPA that the establishment of the application on the eGovernment portal was agreed between the MPA, the MoH and the NIJZ, and the reason for this is the preliminary meeting of 3 December 2020, which was convened mainly due to implementation of the idea for mass testing of the population by region, provided by the Ministry of Public Administration of the Ministry of Public Administration and should also be relevant in the light of mass vaccination in 2021. It follows from the e-mail of the MPA (……… ..) dated 13 December 2020 to the NIJZ (iz ..) that the text of the confirmation e-mail was “ Dear Sir, We have recorded your interest in vaccination against COVID We will inform you of the next steps regarding the course of vaccination when the vaccine is obtained.Hello, National Institute of Public Health This is an automatically generated message to which you do not reply.This message was sent from a documentary system Krpan ") and SMS notifications (" We have recorded your interest in vaccination against COVID-19. Greetings, NIJZ ") coordinated with the Ministry of Health and that the NIJZ was asked to notify any necessary changes. The e-correspondence of 4 December 2020 between the representatives of the Ministry of Public Administration and the Ministry of Health raises a dilemma regarding the content of the confirmation message itself as well as its signatory (among other things, the Ministry of Health was proposed as the signatory of the confirmation message). The State Secretary of the MPA, Mag. Peter Geršak also forwarded the content of the form and the text of the confirmation message to the NIJZ employee (…………) for information and asked him for advice on the suitability of the text. It follows from the e-correspondence of 4 December 2020 between the representatives of the Ministry of Public Administration and the Ministry of Health that the Secretary of the Ministry of Health ………… also addressed the issue of legal basis, purpose of personal data processing and the controller's question [15] . There is a definition of the questions addressed, but it is clear from the e-mail …………. of 4 December 2020 at 11:01 that if the purpose of submitting the application is only to gather the number of interested parties to estimate the amount of vaccine and to invite actual application for the vaccination date, then the individual should obtain the following information when submitting the application: »Yes, I express a general interest in vaccination with the vaccine against COVID-19 with the permission of this transport in the EU, when it will be available in Slovenia as part of organized vaccination campaigns or in the vaccination center or vaccination site or at my personal doctor. I agree that the MPA / MH / NIJZ obtains the date of birth and municipality of residence from the Central Population Register and processes data on my interest in vaccination in order to notify me by e-mail when the website for registration for vaccination dates is available . «. IP notes that in the period from 8 December 2020 to 2 February 2021, the application form for expressions of interest for vaccination against COVID-19 on the eGovernment portal changed at least once (12 January 2021) with regard to purpose of personal data processing) [16] : Form no. 1: By submitting an application, an individual expresses an interest in vaccination with a vaccine against COVID-19 with a marketing authorization in the EU when it becomes available in Slovenia and agrees to consent to the processing of personal data for the purpose of informing about vaccination with COVID-19 when it becomes available in Slovenia. The text of the confirmation email: “ Dear! We have recorded your interest in vaccination against COVID-19. Once the vaccine with the marketing authorization is available, we will inform you of the next steps regarding the course of vaccination. Sincerely, National Institutes of Public Health This is an automatically generated message that you do not reply to. This message was sent from the Krpan documentary system . " The text of the confirmation SMS notification: “ We have recorded your interest in vaccination against COVID-19. Greetings, NIJZ . " Form no. 2 [17] : By submitting the application, the individual expresses an interest in being vaccinated when the mass vaccination takes place and declares that he / she confirms the truthfulness of the data stated in the application and under criminal and material liability guarantees his / her authenticity. The text of the confirmation email: “ Dear! We have recorded your interest in vaccination against COVID-19. Once the vaccine with the marketing authorization is available, we will inform you of the next steps regarding the course of vaccination. Sincerely, National Institutes of Public Health This is an automatically generated message that you do not reply to. This message was sent from the Krpan documentary system . " The text of the confirmation SMS notification: “ We have recorded your interest in vaccination against COVID-19. Greetings, NIJZ . " In both cases, the submission of the application, the individual receives a certificate of applications submitted, the contents of which read: " On ... the ... you have selected the recipient of the National Institute for Public Health Successful Online submitted an application: Application for expressions of interest for vaccination against COVID-19 - ... Application number : ……. Date:… .. State portal eGovernment . « [18] IP notes that the oral (see UZ on the telephone interview of 25 January 2021) and written explanations (see the NIJZ's reply of 29 January 2021) of the NIJZ director show that in the meantime the purpose for which the the individual submitted the application changed ("upgraded") and that the NIJZ requested the MPA to supplement the form on the eGovernment portal accordingly, thus determining the purpose of processing. Despite the change in the content of the form on 12 January 2021, the text of the confirmation message remains the same. The IP also notes that the notifications in question given to individuals when submitting an application for a declaration of interest in vaccination do not meet the requirements of Article 13 of the General Regulation. The content of Form no. 2 also appears in e-mails mag. Peter Geršak, State Secretary, in respect of which he asked the representatives of the Ministry of Health (……….), MPA (M.) And NIJZ (…………) for an opinion and, last but not least, it was not approved. The final agreement for the establishment and the content of the form itself was agreed orally between the Minister of Health (Tomaž Gantar), the Minister of Public Administration (Boštjan Koritnik) and the Director of the NIJZ (Milan Krek). None of the taxpayers explained on what legal basis the personal data of individuals are collected through the submitted application for registration of interest in vaccination (Form No. 1). The MPA did not respond to the NIJZ's written request regarding the use of his signature and e-mail address in the successful submission of an application for the expression of interest in vaccination, as the use was orally agreed between the NIJZ director and Minister Boštjan Koritnik. Based on the instructions of the Ministry of Health to health centers, applications for vaccination of individuals at the end of 2021 began to be collected through health centers and personal physicians, and then NIJZ director Milan Krek explained at a press conference held on 12 January 2020 that risk groups the application is submitted to a personal doctor (where the doctors did not receive instructions for the selection of the first ten patients), and the risk-free ones are submitted via the eGovernment portal, where the individual is also placed in a queue. IP notes that the text of the description of the purpose of the application submitted via the eGovernment portal has changed over a period of time, as well as unclear explanations of where (given the location in the risk / risk group) to actually apply for vaccination (eg personal doctor) and what happens if a citizen has submitted an application through eGovernment and has also expressed an interest in his personal doctor. IP also notes that when submitting an application through eGovernment, individuals were never provided with information on which group of the population the application is intended for (risk / non-risk), nor is it clear that persons belonging to the risk group must apply for vaccination at your chosen doctor. NIJZ is preparing to upgrade the zVem portal. Only after a successful upgrade (when the application is ready for use) should it take over the management of data collected through the eGovernment portal and, after confirmation by the person who submitted the application expressing interest in vaccination, provide him with the date and end of vaccination. It is clear from Mario Fafangel's explanations for 24 hours on 2 February 2021 [19] that there are currently two application routes running in parallel (expression of interest via the eGovernment portal and with a personal doctor) and that the desire to combine the two systems in the short term into one modern information system that will go from vaccine logistics, to a priority algorithm, ordering and recording in the register of vaccinated persons that a person has been vaccinated. 4. Clarification by the taxpayers of the facts and circumstances relevant to the issuance of the decision The State Supervisor informed the taxpayers by letter no. 0610-376 / 2020/26 of 5 February 2021, in accordance with the provisions of Articles 9, 138 and 146 of the ZUP, gave the opportunity to state all the facts and circumstances (see item 2 of the reasoning of the decision in question), which are relevant to the issuance of the decision or, pending the findings of the IP, which show that: all taxpayers (MPA, MH and NIJZ) are joint controllers of personal data [20] , which are collected through the submitted Application for registration of interest in vaccination against COVID-19 via the eGovernment portal, as it is from the explanations and documentation provided by MPA, It is evident that the coordination on the purpose and manner of processing personal data to be collected through the submitted application on the eGovernment portal took place mainly between representatives of the Ministry of Health and the Ministry of Public Administration, and the final agreement on the establishment of the form and its content was orally accepted by all three , whereby the director of the NIJZ agreed to use the signature of the NIJZ or its e-mail address; taxpayers, as joint managers, have not agreed on the joint management referred to in Article 26 of the General Regulation; taxpayers have not demonstrated on what legal basis the personal data of individuals who submitted an application for registration of interest in vaccination on the eGovernment portal are processed, which shows not only that there is a suspicion of illegal acquisition of personal data but also that the entire personal data subject leads illegally; The absence of a legal basis for the processing of personal data of individuals indirectly proves that taxpayers did not proceed with the impact assessment, although according to the List of Personal Data Processing Actions Required to Perform an Impact Assessment in Relation to Personal Data Protection under Article 35/4 of the regulation adopted by the IP on 24 May 2018, morals (see item 5 of the list); taxpayers have not shown that the submitted applications of individuals are collected for the purpose of applying for vaccination against COVID-19 and inclusion on the waiting list; taxpayers have not demonstrated how to inform individuals when submitting an application with the information referred to in Article 13 of the General Regulation (and where individual information referred to in Article 13 of the General Regulation is available to individuals); In addition to the absence of the information provided for in Article 13 of the General Regulation, taxpayers did not demonstrate how they informed individuals at the time of application who the controller of personal data collected through the submitted application for registration of interest in vaccination against COVID 19 via the eGovernment portal; When processing personal data, taxpayers did not comply with the principle of minimum data, which requires the controller to try to collect only the data he needs to achieve the purpose or to collect only those data that are relevant, relevant and mentioned for the purpose of collection. , thus preventing the collection of personal data "in stock"; taxpayers did not follow the principle of fairness in the collection of personal data, as it is likely that many individuals submitted the application, based on conflicting explanations of the purpose of the application submitted by government officials, in order not to miss the COVID-19 vaccination process. as follows from the findings of the subject procedure, was never intended or. given the intended purpose of the processing, it could never have been intended; It is not clear from the application for submitting an application for the expression of interest in vaccination, to whom it is actually intended (risk / non-risk groups and who is included in each group) and that the authorities explained where the individual should show interest in vaccination from 8. 12 2021 continued to be amended several times, but taxpayers ignored the fact that certain members of the non-risk group may not be able to submit applications via the eGovernment portal due to personal circumstances (eg financial status, education). Until the findings of the inspection procedure and the legal basis according to which the IP assessed that taxpayers collecting personal data collected through the application for registration of interest in vaccination on the eGovernment portal are not carried out in accordance with the provisions of ZVOP-1 and the General Regulation, defined only by the MPA and the MoH. From the answer of MZ, opr. no. 1711-4 / 2020/48 of 18 February 2020, the following clarifications are issued: That former Minister Tomaž Gantar is no longer at the Ministry of Health and that the Ministry of Health cannot provide his response to the allegations of an oral agreement between the Minister of Public Administration, the Minister of Health and the Director of the National Institute of Public Health to establish an application for interest collection eGovernment. The Ministry of Health does not agree with the finding that together with the MPA and the NIJZ it has the role of a joint controller of personal data obtained through eGovernment, as the Ministry of Health did not determine the purpose (reason, scope, goal) or processing methods (means and methods). Otherwise, the Ministry of Health also does not technically have access to the mentioned data and does not process them in any way. Talks are underway with the NIJZ on the establishment of information support for vaccination orders (the NIJZ is preparing draft investment documentation), which is in line with the Vaccination Strategy [21] no. 18100-41 / 2020/5 , adopted by the Government of the Republic of Slovenia on 3 December 2020, where on page 9 the task of the Ministry of Health can be traced to prepare an information solution for ordering patients for vaccination. The above-mentioned conversations assume that the data will be processed exclusively by the NIJZ. The Ministry of Health therefore believes that it would be sensible and in the interest of citizens who have submitted an application to the eGovernment to find a solution (while meeting the legal requirements for personal data protection) that would allow the new information solution to provide healthcare providers. will carry out vaccinations, use the data already collected in the said application. That in case the purpose of submitting the application is to apply for vaccination (ie the person's wish to receive the date and location of vaccination against COVID-19 over time) and to be included in the order book, the manager is the NIJZ, he does not agree with the NIJZ's finding personal data or illegal management of a personal data file. According to Annex 2 of the Health Care Databases Act (Official Gazette of the Republic of Slovenia, No. 65/00, 47/15, 31/18, 152/20 - ZZUOOP, 175/20 - ZIUOPDVE and 203/20 - ZIUPOPDVE) NIJZ processes the data for the "eReferral and eOrder" collection for the purpose of enabling patients to order in the order books, whereby the data are submitted to the database by patients, and providers who participate in the patient's medical treatment are entitled to them. The collection can keep EMŠO, patient contact information and order information in the order book.In view of the above, in the opinion of the Ministry of Health, the NIJZ has a legal basis for the processing of data from the said application. From the response of the MPA, opr. no. 061-6 / 2020-9 of 15 February 2021, the following explanations are issued: That the MPA is neither the controller nor the joint controller of personal data, as it did not (co) determine the purposes and means of processing, but in agreement with the Ministry of Health and the NIJZ only enabled the technical implementation of the application on the eGovernment and hinterland portal portal. The role of the MPA as only a processor ("system host") is evident from the draft agreement on the processing of personal data in the process of submitting applications for collecting interest for vaccination against COVID-19, which has already been approved by the NIJZ and will be forwarded to the IP as soon as it is signed. by the responsible persons of the MPA and the NIJZ. That the agreement on the processing of personal data, which contains all the elements referred to in Article 28 of the General Regulation, is in the signing phase between the MPA and the NIJZ, where the MPA is the processor of personal data and the NIJZ the controller of personal data. That the MPA as a processor of personal data cannot define itself as a legal basis for the processing of personal data. That the MPA cannot identify itself as a processor of personal data until the impact assessment referred to in Article 35 of the General Regulation has been abandoned. That the MPA cannot be identified as a processor of personal data until the IP finds that the taxpayers have not shown that the submitted applications of individuals are collected for the purpose of applying for vaccination against COVID-19 and inclusion on the waiting list. That the MPA cannot define itself as a processor of personal data until the finding of the IP that the taxpayers have not demonstrated the manner of informing individuals when submitting the application with the information referred to in Article 13 of the General Regulation. That the MPA cannot identify itself as a processor of personal data until the IP finds that, in addition to the absence of information referred to in Article 13 of the General Regulation, taxpayers have not demonstrated how they informed individuals who submitted the personal data controller. collected through the submitted application. That the MPA as a processor of personal data cannot be defined until the finding of the IP on non-compliance with the principle of minimum volume of data in the processing of personal data. That the state portal eGovernment enables the submission of an application for a demonstrated interest in vaccination using e-Identity and without the use of e-Identity. When applying using e-Identity, errors in data entry cannot occur, as the individual proves himself / herself with his / her e-Identity (with a qualified digital certificate). As the scope of the use of e-Identity in Slovenia for business with the state is extremely low, in order to get a true picture of the interest of citizens in vaccination, an application without the use of e-Identity was also made possible. In this application, it is possible to control the matching of the name and surname with EMŠO from the CRP (in the way that the entered data match the data in the CRP; if the data do not match, the user cannot submit the application). Errors may occur when entering an email address or phone number. The MPA received two such notifications,which were immediately forwarded to the NIJZ. That the MPA cannot be defined as a processor of personal data until the IP finds that the data subjects did not observe the principle of fairness in the collection of personal data. That the MPA cannot be defined as a processor of personal data until the IP finds that the application for submitting an application for registration of interest in vaccination does not show to whom it is actually intended, that the explanations of government officials as to where an individual should show interest in vaccination and that the taxpayers neglected the personal circumstances of the members of the risk-free group. The IP was informed by the MPA and the NIJZ on 3 March 2021 that the MPA and the NIJZ had signed an agreement on contractual processing of personal data in accordance with Article 28 of the General Regulation, which shows that the NIJZ is the controller of personal data collected through applications submitted on the eGovernment portal, although the said taxpayer rejected the status of the manager in the IP transitional declarations. 5. Established facts Based on the submitted agreement on contractual processing of personal data between the MPA and the NIJZ, the IP concludes that the decision does not reflect the actual state of relations between the taxpayers, as the findings of the inspection procedure show that the taxpayers are joint controllers of personal data. therefore, it had to conclude (together with the Ministry of Health) the joint management agreement provided for in Article 26 of the General Regulation. The defined purpose and legal basis are the basis for the lawful processing of personal data. The task of the controller is to determine the appropriate legal basis for the processing of personal data after determining the purpose. As previously explained (see explanation of item 2), the processing of personal data is legal only if such processing is allowed, and the controller must be able to prove the compliance of personal data processing with a specific legal basis or legality of data processing in accordance with the principle of liability. The general legal basis for the processing of personal data is governed by Article 6 of the General Regulation, which lists in paragraph 1 the various possible legal bases for the processing by public authorities in the performance of their tasks [22] , namely: (a) the data subject has consented to the processing of his or her personal data for one or more specified purposes (CONSENT); IP points out at this point that in the event of a change in the purpose of processing or use of personal data for a new purpose that was not provided, the controller in the case of using the legal basis for personal data processing requires the consent of the individual. (b) the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of measures at the request of such data subject before the conclusion of the contract (CONTRACT); (c) processing is necessary to fulfill a legal obligation applicable to the controller (LEGAL OBLIGATION); (d) processing is necessary for the protection of the vital interests of the data subject or other natural persons (LIFE INTERESTS); IP points out that the processing of personal data on this legal basis must be necessary or can in principle only be carried out when the processing cannot clearly be carried out on another legal basis (see recital 46 of the General Regulation). The vital interests of a natural person may justify the processing of personal data. It does not matter whether the data is being processed by a person who is in danger of death or by another person. It is important to protect the vital interests of the individual through processing. (e) processing is necessary for the performance of a task in the public interest or in the exercise of public authority conferred on the controller (PERFORMANCE OF A PUBLIC TASK); Member States may, in accordance with paragraph 2 of Article 6 of the General Regulation, maintain or introduce more detailed provisions in order to adapt the processing of the rules of this Regulation concerning the processing of personal data to ensure compliance with points (c) and (e) of paragraph 1. processing requirements and other measures to ensure lawful and fair processing. Under Article 6 (3) of the General Regulation, the legal basis referred to in points (c) and (e) of paragraph 1 is determined by Union law or the law of the Member State applicable to the controller. In accordance with the cited provisions, despite the application of the General Regulation, the provisions of the first, second and fourth paragraphs of Article 9 of ZVOP-1, which regulates the legal basis for the processing of personal data in the public sector, are still valid in the Republic of Slovenia. Given that the subject-matter processing of personal data of individualswho have submitted an application for the expression of interest in vaccination against COVID-19 via the eGovernment portal is not determined by law or Union law in the manner provided for in Article 6 (3) of the General Regulation, the processing of their personal data on the basis of point ( e) may be exceptionally admissible if the conditions referred to in the fourth paragraph of Article 9 of ZVOP-1 were met, ie if the processing of certain personal data is necessary for the exercise of lawful powers, tasks or obligations of the public sector and if such processing does not interfere in the legitimate interest of the data subject. Such a legal basis is therefore a processing that is necessary for the performance of a task in the public interest or in the exercise of public authority, and the processing itself is not specifically determined by law. This alone is out of the question,if the controller could fulfill his task without processing personal data, as in this case the condition of urgency would be dropped (eg if in this case the controller's intention was only to obtain information on the number of citizens interested in vaccination, which will help in the process of purchasing vaccine , then the condition of urgency is not given). The legal basis for the processing of specific types of personal data, such as health data [23] , is set out in Article 9 of the General Regulation , namely that the first paragraph prohibits the processing of personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, health-related data or data relating to an individual's sexual life or sexual orientation, and paragraph 2 further provides that paragraph 1 shall not apply. applies if one of the following applies: (a) the data subject has given his or her explicit consent to the processing of that personal data for one or more specific purposes, except where Union law or the law of a Member State provides that the data subject may not waive the prohibition on personal data. referred to in paragraph 1; (b) processing is necessary for the purposes of fulfilling the obligations and exercising the prerogatives of the controller or data subject in the field of labor law and social security and social protection law, where Union law or the law of a Member State or a collective agreement so permits. a Member State providing adequate safeguards for the fundamental rights and interests of the data subject; (c) processing is necessary to protect the vital interests of the data subject or of another individual where the data subject is physically or legally incapable of giving consent; (d) processing in the course of its lawful activities by appropriate safeguards shall be carried out by an institution, association or any other non-profit body with a political, philosophical, religious or trade union aim and provided that the processing concerns only members or former members of the body or persons in regular contact with him regarding his intentions, and that personal data are not transferred outside that body without the consent of the data subjects; (e) the processing relates to personal data published by the data subject himself; (f) processing is necessary for the enforcement, enforcement or defense of legal claims or whenever the courts exercise their jurisdiction; (g) processing is necessary for reasons of overriding public interest under Union law or the law of a Member State, which is proportionate to the objective pursued, respects the essence of the right to data protection and provides appropriate and specific measures to protect the fundamental rights and interests of the data subject. ; (h) treatment is necessary for the purposes of preventive or occupational medicine, assessment of the employee's ability to work, medical diagnosis, provision of medical or social care or treatment, or management of health or social care systems and services under Union or Member State law or under a health contract. workers and shall be subject to the conditions and protective measures referred to in paragraph 3 of this Article; (i) processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border health risks or ensuring high standards of quality and safety of healthcare and medicines or medical devices, under Union law or Member State law providing appropriate and specific measures to protect the rights and freedoms of the data subject, in particular the protection of professional secrecy; (j) processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) under Union law or the law of a Member State commensurate with the objective pursued, respects the essence of the right to data protection; provides appropriate and specific measures to protect the fundamental rights and interests of the data subject. IP considers that in this particular case it is such an important processing of personal data that would require legal regulation of the processing of personal data in such a way that the law would regulate in accordance with Article 6 (3): the types of data processed; the data subjects concerned; the subjects to whom personal data may be disclosed and the purposes for which they may be disclosed; purpose restrictions; retention periods; and processing operations and processing operations, including measures to ensure lawful and fair processing. In the absence of a legal basis, the controller should justify the necessity of processing in terms of the fourth paragraph of Article 9 of ZVOP-1, according to which the processing of certain personal data is exceptionally permissible if necessary for the exercise of legal powers,tasks or obligations of the public sector and if such processing does not interfere with the legitimate interest of the data subject. As previously stated, the application for the registration of interest in vaccination on the eGovernment portal was established on 8 December 2020, and in the meantime its content has changed (on 12 January 2021), but not on the basis of NIJZ instructions. see Annexes 4 and 5 of IP document No. 0610-376 / 2020/26 of 5.22021 ). Despite the changed application, neither the text of the confirmation e-mail nor the text of the confirmation SMS notification has changed. Also, the information to individuals regarding the purpose of the submitted application, which is available to individuals as news regarding the submission of the application on the gov.si portal (News) and within the accompanying text before the start of the application procedure, has not changed. document IP, No. 0610-376 / 2020/26 of 5 February 2021). The text of the application itself was therefore erroneously changed on 12 January 2021, but has remained the same to this day. As follows from the explanations of the Ministry of Public Administration of 4 February 2021, the Ministry of Public Administration and the NIJZ coordinated the change of the text on the eGovernment portal, which was carried out in the afternoon on the same day. The capture of screenshots on 4 March 2021 by the State Supervisor shows the following: It is therefore evident from the capture of screenshots that on 4 February 2021 (in the afternoon) [24] on the eGovernment portal, following the instructions of the NIJZ, the accompanying text to the application for the expression of interest in vaccination was changed in such a way that individuals are informed that the interest of the individual expressed by the application will be used in the vaccination ordering system in healthcare facilities. The first obligation that the controller (s) should fulfill in accordance with the principle of liability set out in Article 5 of the General Regulation before the personal data are processed is to define the purpose for which the personal data of individuals will be processed. The definition of purpose is not only a precondition for determining the legal basis, but also for determining the necessary scope of data to be collected and the retention period for such data. As follows from the correspondence between civil servants who participated in the preparation of the content of the application, the purpose for which personal data of individuals will be processed through the submitted application, established on 8 December 2020, was not to establish the order of vaccination (last but not least this also follows from the MPA's explanations, to which the IP attaches great importance,as the Minister of Public Administration, together with the Director of the NIJZ and the Minister of Health, reached a final agreement on the content of the application and the presentation of the application by the Minister of Public Administration at the Government press conference on 8 December 2020[25] ; in addition, this also follows from the findings of the Health Inspectorate of the Republic of Slovenia, presented at a press conference on 11 March 2021 [26]). Despite previous written invitations from the NIJZ to provide explanations regarding the purpose of personal data processing, IP or substantiation of the legal basis for the processing in question and explanations regarding the manner of providing information to individuals referred to in Article 13 of the General Regulation, he did not receive appropriate explanations, as the NIJZ initially even denied the status of controller. As follows from the explanations of the NIJZ director during the public presentation of the vaccination plan against COVID-19 on 13 January 2021 and his oral explanations to the state supervisor on 25 January 2021, the interest shown by the individual with the submitted application was upgraded in that successful submission of the application also means placement in the vaccination order. However, as follows from the established facts, the NIJZ, in the context of the information provided to individuals at the time of submitting the application,has never given either an explicit and unambiguous explanation of who is the controller of personal data, nor an explanation that the application is established through eGovernment for the purpose of establishing the order of vaccination, or that an individual with a successful application through the eGovernment portal will be included in order of vaccination (however, this does not even follow from the National Vaccination Strategy against Covid-19 of 3 December 2020 and the National Vaccination Strategy against COVID-19, Version II, from 1 March 2021or that an individual with a successfully submitted application via the eGovernment portal will be included in the vaccination order (this does not even follow from the National Vaccination Strategy against Covid-19 of 3 December 2020 and the National Vaccination Strategy against COVID-19, Version II , dated March 1, 2021or that an individual with a successfully submitted application via the eGovernment portal will be included in the vaccination order (this does not even follow from the National Vaccination Strategy against Covid-19 of 3 December 2020 and the National Vaccination Strategy against COVID-19, Version II , dated March 1, 2021[27]). In accordance with the principle of legal certainty, the addressees of legal norms must be informed of the latter in a timely and complete manner. The ongoing interpretation of individual participants in Government press conferences regarding the importance of the application from the point of view of legal certainty cannot be decisive in determining the purpose of the application and the related purpose of personal data processing. The information referred to in Article 13 of the General Regulation, which should be provided in one place by the controller in a way that is easily accessible and comprehensible, should give the individual, in addition to information on the controller and other specific information, a clear answer to the question. the data will actually be processed. However, these data are not reliable and predictable for individuals at the moment, as the controller has also changed the wording of the purpose over the period.Thus, the current information to individuals when submitting an application for an expression of interest in vaccination does not indicate that the application is being processed for the purpose of inclusion in the vaccination order, nor does it indicate the current actual course of vaccination of at-risk groups. run by personal physicians. As stated above, this also follows from the findings of the Health Inspectorate presented at the press conference on 11 March 2021.presented at a press conference on 11 March 2021.presented at a press conference on 11 March 2021. Pursuant to Article 6 (4) of the General Regulation, the controller may process personal data for a purpose other than that which was primarily collected, but in this case the controller must make an assessment before the change, in which case he should comply with the criteria set out in Article 6. (4) General Regulations. The application of Article 6 (4) of the General Regulation to a change in the purpose of the processing is not possible if the legal basis for the processing of personal data collected for the original purpose was law (Article 6 (1) (c) of the General Regulation). According to the information on the eGovernment portal, individuals are not provided with information on the legal basis for the processing of their personal data according to the purpose pursued by the controller, or information on the controller (s) of the said data. Upravljavci bi morali poskrbeti, da je obdelava osebnih podatkov posameznikov, ki so oddali vlogo za prijavo interesa za cepljenje, zakonita, poštena in pregledna. Načelo preglednosti zahteva, da so vse informacije in sporočila, ki se nanašajo na obdelavo osebnih podatkov, lahko dostopna in razumljiva ter izražena v jasnem in preprostem jeziku. To načelo zadeva zlasti informacije o istovetnosti upravljavca/ih in namenih obdelave ter dodatne informacije za zagotovitev poštene in pregledne obdelave glede zadevnih posameznikov in njihove pravice do pridobitve potrdila in sporočila o obdelavi osebnih podatkov v zvezi z njimi (39. uvodna izjava Splošne uredbe). Določbi člena 12 in 13 Splošne uredbe sta odraz omenjenih dveh načel, po katerih mora upravljavec sprejeti ustrezne ukrepe, s katerimi zagotovi posamezniku, na katerega se nanašajo osebni podatki, vse informacije o tem kdo obdeluje osebne podatke (naziv in kontaktne podatke upravljavca/ev), zakaj obdeluje podatke (for what purpose and on what legal basis), koliko časa se bodo hranili pridobljeni podatki (opredeli se čas hrambe osebnih podatkov, kjer pa to ni mogoče, vsaj kriterije, po katerih se določi čas hrambe), kakšen pravice imajo posamezniki (posamezniki imajo v razmerju do upravljavca/ev določene pravice v zvezi s svojimi osebnimi podatki, in sicer pravico do: dostopa, popravka, izbrisa, omejitve obdelave, preklica privolitve, ugovora in prenosljivosti; kje jih lahko uveljavljajo in da lahko vložijo pritožbo pri IP), ali se izvaja profiliranje ali avtomatizirano odločanje. Kadar pa upravljavec namerava nadalje obdelovati osebne podatke za namen, ki ni namen, za katerega so bili osebni podatki zbrani, pa je treba posamezniku sporočiti ta drug namen. Predhodno naštete informacije, ki jih mora zagotoviti upravljavec skladno s členom 13 Splošne uredbe, je treba skladno s členom 12 zagotoviti v jedrnati, pregledni (informacije morajo biti podane na učinkovit in jedrnat način, ob tem pa morajo biti ločene od drugih morebitnih obsežnih dodatnih informacij, ki se neposredno ne nanašajo na samo obdelavo), razumljivi in lahko dostopni obliki (informacije morajo biti objavljene na vidnem mestu in prilagojene naslovnikom) ter jasnem in preprostem jeziku. 6. Concluding remarks The manager or. personal data controllers are not only responsible for compliance with all the principles set out in Article 5 of the General Regulation, but also for demonstrating compliance itself. It is therefore the duty and burden of proof on the controller to demonstrate that he has provided individuals with all the information referred to in Article 13 of the General Regulation and that his processing is lawful. The first paragraph of Article 221 of the ZUP stipulates that if, given the circumstances of the case, it is unavoidable that a decision is issued before the end of the procedure, which temporarily regulates individual issues or relationships, such a decision is issued on the basis of information existing when issue. Such a decision must explicitly state that it is provisional. IP ugotavlja, da je glede na okoliščine primera neogibno potrebno, da se v skladu z 221. členom ZUP zavezancem izda začasna odločba, s katero se bosta začasno uredili vprašanji zagotavljanja informacij posameznikom iz člena 13 Splošne uredbe in namena obdelave osebnih podatkov, na podlagi podatkov, ki obstajajo ob njeni izdaji. An interim decision means the enforcement of a certain right, in this case the right to protection of personal data. IP notes that the restriction on the processing of personal data and the arrangements for providing information to individuals under Article 13 of the General Regulation, under which the data subject will have to provide clear contact details of the controller, purpose and legal basis for processing personal data, are essential to prevent further damage that could result from the processing of personal data contrary to the principle of liability and legality and non-compliance with the purpose limitation principle set out in Article 5 (1) (b), as the data held by IP do not indicate that the processing of personal data vaccination order or any other purpose inconsistent with that,of which the individual is clearly and unambiguously informed when submitting the application. As a result of the above, the IP had no choice but to, pursuant to Article 54 of ZVOP-1, points (a), (d) and (f) of Article 58 (2) of the General Regulation, Articles 29 and 32 of the ZIN and Article 221 ZUP, in connection with the second paragraph of Article 3 of the ZIN, issues the decision in question, which will at least temporarily regulate the described situation, as otherwise follows from the operative part of this decision. The fifth paragraph of Article 29 of the ZIN stipulates that if the inspector has ordered the elimination of irregularities and deficiencies and set a deadline for the obligor to eliminate them, he must immediately inform the inspector of the rectified irregularities. Accordingly, taxpayers must notify the IP in writing of the implemented measures referred to in points 1 and 2 of the operative part of this decision no later than three (3) days after the elimination of the irregularity . The notification must also contain statements and evidence that the taxpayers have implemented the measures referred to in points 1 and 2 of the operative part of this decision and in what way they have implemented them, such as e.g. a screen image of the eGovernment portal on which all the required information referred to in Article 13 of the General Regulation is published; the text of an e-mail sent in relation to information under Article 13 of the General Regulation to individuals who have already submitted an application and proof that these e-mails were actually sent; a statement that the taxpayers have ceased or will not use the obtained data for purposes incompatible with the purposes for which the personal data were originally collected. Since, in accordance with Article 55 of ZVOP-1, no appeal is possible against this decision, in accordance with para. Article 224 of the ZUP becomes final upon the moment of service of this decision on the liable party. In accordance with para. Article 224, this decision also becomes enforceable when the deadline specified in point 1 expires. the operative part of this decision. The decision is issued ex officio and is free of charge on the basis of Article 22 of the Administrative Fees Act (Official Gazette of the Republic of Slovenia, No. 106/10 - official consolidated text, 14/15 - ZUUJFO, 84/15 - ZZelP-J, 32 / 16 , 30/18 - ZKZaš and 189/20 - ZFRO). The ruling on the costs of the procedure is based on the provision of the first paragraph of Article 31 of the ZIN, according to which the costs of the inspection procedure, which were necessary to establish the facts proving that the taxpayer violated a law or other regulation, are borne by the taxpayer. The liable party did not notify the costs of the procedure during the procedure, but no special costs of the procedure were incurred by the body. Lesson on remedy : This decision is final in the administrative procedure. Pursuant to the provision of Article 55 of ZVOP-1, no appeal is allowed against this decision, but it is permissible to initiate an administrative dispute. An administrative dispute shall be initiated by a lawsuit filed within 30 days of service of the decision with the Administrative Court of the Republic of Slovenia, Fajfarjeva 33, 1000 Ljubljana. The action may be sent by post, filed in writing or orally on the record in court. The application, with any annexes, shall be filed in at least three copies. This decision must also be accompanied by the original or a copy of the decision. … State Supervisor for Personal Data Protection Serve: Ministry of Health, Štefanova ulica 5, 1000 Ljubljana: in person according to the ZUP; NIJZ, Trubarjeva cesta 2, 1000 Ljubljana; Ministry of Public Administration, Tržaška cesta 21, 1000 Ljubljana; archive, tu. [1] A sample notification to individuals regarding the processing of personal data (Article 13 of the General Regulation) is also available on the IP website: https://www.ip-rs.si/obrazci/varstvo-osebnih-podatkov/ . [2] Country supervisor of the 12 1 2021 the successful submission of an application from cepljenje@nijz.si received an email with the following content: " Sir! We have recorded your interest in vaccination against COVID-19. Once the vaccine with the marketing authorization is available, we will inform you of the next steps regarding the course of vaccination. Best regards, National Institute of Public Health. This is an automatically generated message that you do not reply to. This message was sent from the Krpan documentary system . ”Cf. Annex 2 of the IP document, no. 0610-376 / 2020/26 of 5 February 2021. [3] On 12 January 2021, upon successful submission of the application, the State Supervisor received an SMS with the following content: “ We have recorded your interest in vaccination against COVID-19. Greetings, NIJZ. «Gl. Annex 3 of the IP document, no. 0610-376 / 2020/26 of 5 February 2021. [4] Ch. Annex 1 of the IP document, no. 0610-376 / 2020/26 of 5 February 2021. [5] https://novice.svet24.si/clanek/novice/slovenija/5fd74ea6dc41c/gre-zgolj-za-izkaz-interesa-za-cepljenje-ali-tudi-postavitev-v-vrsto-oboje-je-pojasnil -cacin (February 1 , 2021) https://www.delo.si/novice/slovenija/zmeda-s-cakalno-vrsto-za-cepivo-proti-covidu-19/ (February 1, 2021) [6] Due to a posting error, it is in fact a document whose sequence number is 12 and not 10. [7] https://www.rtvslo.si/zdravje/novi-koronavirus/po-zdravstvenih-domovih-razlicno-zbirajo-podatke-kdo-bi-se-cepil/547408 (2 February 2021). https://www.zd-lj.si/zdlj/index.php?option=com_content&view=article&id=673:cepljenje-proti-covid-19&catid=152&lang=sl&Itemid=2093 (2. 2. 2021) [8] Due to an error in the posting, it is in fact a document whose serial number is 15 and not 12. [9] https://www.nijz.si/sites/www.nijz.si/files/uploaded/nacrt_cepljenja_nijz.pdf . According to a publicly available PowerPoint presentation, individuals who consider themselves to be one of the risk groups opt for vaccination from their personal physician. Individuals who do not belong to one of the risk groups can get vaccinated by registering at the eGovernment, where they enter their data and will be notified of the time and place of vaccination in the order of registration after the vaccination of risk groups. "However, if you do not belong to the risk group, apply for vaccination by submitting an application to the eGovernment. When the vaccine is available, you will be notified of the time and location of the vaccination site. Vaccination will take place in the order of registration, explained the director of the NIJZ Milan Krek. " Source: https://www.gov.si/novice/2021-01-12-predstavitev-nacrta-cepljenja-proti-covid-19/ [10] ............................................................................................. [11] “Dear Sirs, Thank you for your interest in being vaccinated against the SARS-CoV-2 virus. We will inform you about the next steps regarding the course of vaccination on the contact details you provided at the time of registration. Greetings, Ministry of Health. " [12] Ch. Uz on the telephone conversation of 3 February 2021, opr. no. 0610-376 / 2020/23 of 4 February 2021. [13] https://www.gov.si/novice/2020-12-08-na-portalu-euprava-je-od-danes-na-voljo-vloga-za-zbiranje-interesa-drzavljanov-za-cepljenje -proti-covid-19 / (2. 2. 2021) [14] https://www.gov.si/novice/2020-12-08-na-portalu-euprava-je-od-danes-na-voljo-vloga-za-zbiranje-interesa-drzavljanov-za-cepljenje -proti-covid-19 / (2. 2. 2021) [15] “ What is the legal basis for this and who is the data controller, will we decide (is it a collection based on consent) or do we use any of the bases in the law on collections (in the second case it can be a CRPP)? Given the functions it has, the Ministry of Health does not need access to this data at the individual level, this should probably be the NIJZ (now, according to the signatory, it sounds like we are processing these lists at the Ministry of Health), but this will be clear after determining the legal basis of the previous sentence . " [16] Ch. Official website review note, no. 0610-376 / 2020/22 of 1 February 2021. [17] Ch. Annex 5 and Annex 7 of IP document no. 0610-376 / 2020/26 of 5 February 2021. [18] Ch. Annex 6 of the IP document, no. 0610-376 / 2020/26 of 5 February 2021. [19] https://www.24ur.com/novice/korona/ponekod-kmalu-na-vrsti-starejsi-od-70-let.html (2 February 2021) [20] Ch. IP Recommendations on Joint Managers, no. 0712-6 / 2019/1 of 21 January 2019: https://www.ip-rs.si/fileadmin/user_upload/Pdf/Priporocila/Priporocila_Informacijskega_Pooblascenca_glede_skupnih_upravljavcev_21jan2019.pdf [21] https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwixqcDa1f PuAhXjwQIHHV_rAVAQFjAAegQIARAD & url = https% 2% %A% -zbirno-infografike-vlada% 2FCepljenje% 2FNacionalna-strategija-cepljenjaproti-COVID-19.doc & usg = AOvVaw14EyFz4QnfEyJDDhVslLBG. [22] The legal basis of legitimate interest referred to in point (f) of Article 6 (1) applies only to the private sector. [23] Ch. EDPB Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak. Source: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf . [24] Ch. written explanations of Kristina Valenčič, Director of the Office for the Development of Digital Solutions at the Ministry of Public Administration, dated 3 March 2021. [25] The link to the Government press conference is available at: https://siol.net/novice/slovenija/se-nameravate-cepiti-proti-covid-19-izrazite-interes-na-spletu-obrazec-540813 . [26] https://www.24ur.com/novice/korona/cepljenje-steje-le-prijava-pri-osebnem-zdravniku.html . [27] https://www.gov.si/assets/ministrstva/MZ/DOKUMENTI/Koronavirus/Cepljenje/Nacionalna-strategija-cepljenja-proti-COVID-19_1.3.2021.pdf ( March 9 , 2021) automated decision / processing COVID-19 digital Another information for the individual