AKI (Estonia) - 2.1.-1/21/1550
AKI (Estonia) - 2.1.-1/21/1550 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 15 GDPR Article 23 GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 03.06.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 2.1.-1/21/1550 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Estonian |
Original Source: | Data Protection Inspectorate (in ET) |
Initial Contributor: | n/a |
The Estonian DPA issued an opinion stating that a processor must respond to a pending access request or else face a EUR 2000 fine.
English Summary
Facts
The processor, Viimsi Uudised OÜ, published a story on its website featuring information about the Complainant. The Complainant responded by lodging a complaint with the DPA. The DPA reached out to the processor and asked it to either to issue a copy of the personal data to the Complaintant or to refuse to issue data by providing a clear reference to the national law that permits restriction of the rights of a person under Article 23 GDPR. The processor sent a reply but did not comply with the requests of the DPA. The data subject now submits an Art 15 GDPR access request from the processor.
Dispute
Holding
The DPA clarified that data subject has the right to inspect the data collected about him / her pursuant to Article 15 GDPR and to receive explanations on the circumstances of the processing. This provision entitles the data subject to request a copy of their personal information. There is a journalistic exception, but refusal to release personal data should be justified through description of how the data of the data subject would be detrimental to third parties if transferred to him or her.
Because the data subject can ask for personal data about himself / herself under Article 15, the processor must comply or else face a EUR 2000 fine.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
PROTECTION OF PRIVACY AND TRANSPARENCY INTERNAL USE Holder of information: Data Protection Inspectorate The access restriction is valid until: 03.06.2096 Basis: § 35 (1) 12) of the PSA PRECAUTIONS WARNING protection of personal data in case no. 2.1.-1/21/1550 Preceptor Data Protection Inspectorate Time of precept and place 03.06.2021, Tallinn Viimsi Uudised OÜ Addressee of the precept - address: Pärnu county, Pärnu city, Pärnu city, Papli tn personal data processor 19-1, 80012 e-mail address: ivo@rullrumm.ee Member of the board of the personal data processor responsible person Copy to the applicant: xxx RESOLUTION: § 56 (1), (2) (8), § 58 (1) and personal data protection law (IPS) Articles 5 (2) and 6 of the General Regulation on the Protection of the Environment (ICZM) and Article 58 (1) (a) of the CCIP and subject to the same paragraph (e) and Article 58 (2) (d), the inspection mandatory precept: Submit to XXX a copy of what is being processed about him / her pursuant to Article 15 of the CISA personal data in so far as it does not infringe the rights and freedoms of others. I set the deadline for compliance with the precept on 18.06.2021. a. Notify the Data Protection Inspectorate of the fulfillment of the precept by the same deadline. CONTEST REFERENCE: This injunction may be challenged within 30 days by submitting either: a challenge to the Data Protection Inspectorate under the Administrative Procedure Act, or an appeal to the Tallinn Administrative Court under the Code of Administrative Court Procedure (in this case, no longer review the challenge in the same case). Contestation of a precept does not suspend the obligation to comply with the precept or the measures necessary for enforcement implementation. PENALTY MONEY WARNING: If the precept is not complied with by the specified term, the Data Protection Inspectorate shall appoint to the addressee of the precept on the basis of § 60 of the Personal Data Protection Act: penalty payment of 2000 euros. The penalty payment may be imposed repeatedly - until the precept is complied with. If the recipient does not pay Tatari 39, Tallinn 10134/627 4135 / info@aki.ee / www.aki.ee / Registry code 70004235 penalty payment, it is forwarded to the bailiff to start enforcement proceedings. In this case, additional bailiff's fees and other enforcement costs. FACTUAL FACTS: On 19.04.2021 XXX (the applicant) lodged a complaint with the Inspectorate through his representative XXX. On 21.05.2021, the Inspectorate made a proposal to Viimsi Uudised OÜ (processor) at the latest 31.05.2021 to the applicant either to issue a copy of his personal data to the applicant or to refuse clear indication of the national law which allows it Restrict the rights of a person under Article 23 of the ECHR. On 31.05.2021, the processor sent a reply to the Inspectorate, but did not comply with the proposal. On 01.06.2021, the Inspectorate clarified to the processor that regardless of the transmission entered into force not automatically terminate the supervision procedure of the Inspectorate and is mandatory to complete the proposal. It was explained to the processor that these are two separate ones procedure. The processor was also offered the opportunity for a telephone consultation, as from the latter the reply revealed that the processor had misunderstood the proposal in relation to third parties issuance of data (the proposal only required the processor to make a copy of the complainant's data and it was clarified that the refusal to release third party data under Article 15 (4) of the CCIP) communicate only in writing. Therefore, the Inspectorate has no choice but to issue this precept. CLAIMER'S EXPLANATION: Excerpt from the complaint of 19.04.2021: On 08.12.2020, the portal operator published a story on its website entitled “The title of Viimsi Locomotive 2020 1 Andres Jaanus and Märt Puust received the XXX, the title of Viimsi Brake was awarded to XXX ”(Appendix 4). That story page 4 of the pdf printout has the following text: Viimsi Brake 2020 is XXX According to the predominant opinion of the respondents (101 votes), the editorial board gave the title Viimsi Pidur 2020 alternate member of the council's Reform Party list for XXX. .Therefore, it is a valid law means a person who possesses and possesses the information required by the publishers exists. The aforementioned posts were published by Ivo Rull. This has been proven its when you move the mouse cursor by LAST NEWS onto which then a link will open as shown in the adjacent image. Summary. According to the text of the story on 08.12.2020, at least 101 different people had to be sent toimetus@viimsiuudised.ee own "voice" and (some) also justifications. So Viimsi must News OÜ has at least 101 different e-mails, to a greater or lesser extent (however at least in the form of a name) the personal data of the data subject have been processed. Viimsi Uudised OÜ is not a press release that does not approve personal data based on the public interest and journalistic activity. But even without that fact Viimsi Uudised OÜ should have issued information to the data subject regarding the processing of his or her personal data of. On 19.02.2021, the data subject sent to Viimsi Uudised OÜ through a contractual representative a letter of demand, in which he demanded, among other things, that Viimsi Uudised OÜ issue materials containing his personal data to the data subject (Annexes 5 and 6). Viimsi Uudised OÜ received the letter of request but ignored it (Annex 7). For the legal reasons below, the data subject finds that Viimsi Uudised OÜ violated it requirements for the processing of personal data and asks the Data Protection Inspectorate to start Viimsi Uudised OÜ and to oblige Viimsi Uudised OÜ to comply with the law the obligation to provide the data subject with information on the processing of his or her personal data and to issue 1In the computer network: https://viimsiuudised.ee/koik-uudised/tiitli-viimsi-vedur-2020-said-andres-jaanus-ja-mart-puust- Viimsi-piduri-tiitliga-parjati .... personal data collected about the data subject. STATEMENT OF THE PERSONAL DATA PROCESSOR: In response to 31.05.2021: In response to your proposal made on 21.05.21, I will send the Harju County Court on 01.02.2021 court ruling in civil case 2-20-19232 and the court ruling of Tallinn Circuit Court of 17.02.21 in Civil Case 2-20-19232 (attached). As you can see, there is a final court decision by which Viimsi municipal politician XXX an attempt to interfere with the independent community portal Viimsi News in the activities of data processing arguments have been rejected. I regret that XXX, through his representative XXX, has now tried to do Data Protection A tool for harassing a media channel independent of the Inspectorate. 01.06.2021 in the answer: Have you started to contest the decision made and entered into force in the court system of the Republic of Estonia? I would also like to ask you for further clarification on how XXX supports you before giving a substantive answer recommend personal data is not compromised by respondents who have assumed anonymity privacy? Have I misunderstood anything if I assume that the Data Protection Inspectorate should not be granted to defend the case not Viimsi's power politicians' interest in explaining to the reader in the survey personal data of those who have shared critical values, but instead to protect those who assumed your anonymity and privacy when participating in this survey? I am also interested in whether the Data Protection Inspectorate has processed similar ones in the past cases where, for example, someone is dissatisfied with the results of a Delfi or Postimees reader survey the politician wants to know who has critically assessed his actions by name. GROUNDS FOR THE DATA PROTECTION INSPECTORATE: I Processing of personal data First, we clarify that the General Regulation on the Protection of Personal Data (EDPS) applies to either personal data fully or partially automated processing and non-automated processing of personal data processing of such personal data if they form part of a data collection or if they are intended to be included in the data collection. Thus, for example, only those that can be processed orally cannot be required access or deletion of data. Any processing of personal data must have a legal basis which is non-exhaustive the list is set out in Article 6 (1) of the General Regulation on the Protection of Personal Data (EDPS) the processing of personal data requires one of the grounds set out in Article 9 (2) of the CCIP. Disclosure of personal data for journalistic purposes without consent can take place on the basis of § 4 of the Personal Data Protection Act. However, it is clear that the processor has a position on the applicant more information than the information disclosed in the article which is already known to the applicant and which the applicant has not requested the filing. In the present case, the applicants are interested in that article personal data collected about the applicant. II The data subject's right to inspect his or her own data The data subject has the right to inspect the data collected about him / her pursuant to Article 15 of the ICC personal data and to receive explanations on the circumstances of the processing. This provision entitles the applicant request a copy of your personal information, not other people's information. Nor does it mean the automatic right to receive a copy of a particular document. Article 15 of the under paragraph 4, the right to obtain a copy is refused in so far as it is prejudicial to other persons rights and freedoms. In addition, since the making of a media publication, it can be applied to the touch 2 also source protection for individuals. In other words, the applicant is not entitled to receive other people's names or other information. He is right to obtain data on one's own place, including any other claims or assessments of one's own place, but without the name of another person. Only the fact that another person by the controller the information provided about the complainant is in a derogatory and uncensored style, there is no basis for such refusal to issue claims or assessments. To the applicant concerning himself Refusal to disclose personal data should be justified by the way in which you provide your own data to him would be detrimental to third parties. It is the data controller 's own choice whether to provide the person with a copy of the original document / file, etc detrimental to other persons) or to make a document only about the complainant's personal data extract and provide a copy to the person. We clarify that the processor has an obligation to respond to the person 's requirement of Article 15 of the CISA within one month, and by failing to reply, the processor breached its obligation to reply. Nor did the processor perform proposal of the Inspectorate and has not replied to the complainant within the time limit set there. III Judicial proceedings vs. supervisory review proceedings We also clarify that the initiated supervision procedure is a court proceeding independent. 01.02.2021 In the ruling of Harju County Court no. 2-20-19232 the court has dismissed the applicant's request to initiate a preliminary verification procedure. The court has ruled that the applicant the purpose of initiating the pre-certification procedure is to identify the persons who provided his name the title of Viimsi Brake 2020 nominee. In summary, the court has found that the person is known the publisher, who is responsible for what has been published and against whom the complainant has the opportunity, if necessary, e.g. To apply to a court on the basis of subsection 1046 (1) of the LPA. In doing so, the court has indicated that the applicant has the possibility of ascertaining the relevant facts when the main proceedings have been instituted against the declarant. In its proceedings, the court has only assessed whether a person has the right to apply to the court for that court identify who has provided information about him to the media outlet. Submitted to the Inspectorate in the application, the person asks for personal data about himself / herself under Article 15 of the CCIP, not others people’s names, so these are different requirements that are not interdependent. However, the court did not address the request for information about the applicant in the order. /signed digitally/ Kadri Levand lawyer under the authority of the Director General 2 Pursuant to § 15 (2) of the Media Services Act, a person processing information for journalistic purposes may not publish data enabling his identification without the consent of the source of the information.