IP (Slovenia) - 0611-608/2021/9
IP (Slovenia) - 0611-608/2021/9 | |
---|---|
Authority: | IP (Slovenia) |
Jurisdiction: | Slovenia |
Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 4(15) GDPR Article 5(1) GDPR Article 9(1) GDPR Article 9(2) GDPR Article 13(1) GDPR Article 13(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 18.01.2022 |
Published: | 15.02.2022 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 0611-608/2021/9 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Slovenian |
Original Source: | Informacijski Pooblascenec (Slovenian DPA) (in SL) |
Initial Contributor: | Sara Horvat |
The Slovenian DPA held that a company could have informed its employees about their proximity with COVID-19 high-risk contacts within its workplace, without disclosing the full name of the infected employees, in violation of Article 5(1)(c) GDPR.
English Summary
Facts
The controller is an employer (company) that had dealt with a mass infection of COVID-19 at the company. To prevent this from happening again, the controller collected the full name and medical condition of employees who were positive with COVID (the data subjects). It then sent out an email to all of the other employees who may have been in contact with an infected employee, by informing them of the person who had been tested positive for COVID. Moreover, the controller did not keep a database of all persons infected with COVID and had informed all employees about their rights under Article 13 GDPR.
The DPA started an investigation ex officio into the processing of health data and whether the controller was compliant with the GDPR.
Holding
The DPA noted that informing employees who may have been in contact with an employee of the fact that they have been in contact with an infected colleague, was a preventive measure of public health protection. However, it found that the controller could have also informed these employees without disclosing the infected employees' full name. According to the DPA, the objective of preventing a mass-spreading could still have been achieved this way. Consequently, the DPA found that the controller unlawfully processed the infected employee's health data, pursuant to Article 9 GDPR, and violated the principle of data minimisation, Article 5(1)(c) GDPR.
The DPA ordered, pursuant to Article 58(2)(d), to bring the controller's processing operations into compliance with Article 5(1)(c) GDPR and Article 9 GDPR, and thus to inform employees who had contact with a positive employee, without providing that positive employees' name.
Comment
There is no detailed information whether the controller complied sufficiently with Article 13(1) and Article 13(2). Moreover, although health data was being processed and the DPA referred to Article 9 GDPR, it did not specify which exception of Article 9(2) was applicable.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
Number: 0611-608 / 2021/9 Date: January 18, 2022 Information Commissioner (hereinafter: IP) by an authorized official, State Supervisor for Personal Data Protection…, pursuant to Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/2205, 51/07 – ZUstS- A (hereinafter: ZInfP), Article 54 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07 - official consolidated text and 177/20, hereinafter: ZVOP-1), Articles 57 and 58 of the EU Regulation ) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation); and Article 32 of the Inspection Supervision Act (OJ RS, No. 43/2007 - UPB1 and 40/14, hereinafter: ZIN), in the case of performing inspection supervision against the liable party… (registration number:…, hereinafter: the liable party) regarding the processing of employees' health data and the method of informing employees about the health s employees suffering from covid-19 disease caused by SARS-CoV-2 coronavirus, ex officio DECISION 1. The liable party: must: Stop informing employees about the results of testing specific employees in a way that informs employees about employees who have contracted covid-19 disease, name and surname, and take measures to prevent this from happening in the future. In each specific case, the taxpayer must assess whether the method of notification complies with the principle of minimum data (proportionality), which stipulates that the processing of personal data must be also data from which it is possible to deduce the identifiability of the individual) relevant, relevant and limited to what is necessary for the purposes for which they are processed. 2. The liable party must implement the measure referred to in point 1 of the operative part of this Decision within fifteen (15) days of receiving this Decision. 3. The liable party must notify the Information Commissioner in writing of the implemented measures referred to in point 1 of the operative part of this decision no later than five (5) days after the elimination of the irregularity. The notification must also contain indications and evidence that the liable party has implemented the measures referred to in point 1 of the operative part of this decision and in what manner they have implemented them. 4. No special costs have been incurred by the Authority in this procedure, and the liable party shall bear its own costs of the inspection procedure. O b r a z l o ž i t e v I. Indication of the provisions on which the decision is based: Personal data means any information relating to an identified or identifiable individual, and an identifiable individual is one that can be identified directly or indirectly, in particular by providing an identifier such as name, identification number, location data, web identifier, or an indication of one or more factors which characterize the physical, physiological, genetic, mental, economic, cultural or social identity of that individual (Article 4 (1) of the General Regulation). Information on an individual's state of health means personal data relating to an individual's physical or mental health, including the provision of health services, and discloses information on his or her state of health (Article 4 (15) of the General Regulation). However, the processing of personal data is any act or series of actions performed in relation to personal data or sets of personal data with or without automated means, such as collecting, recording, editing, structuring, storing, adapting or modifying, retrieving, viewing, use, disclosure through mediation, dissemination or otherwise making available, adapting or combining, restricting, deleting or destroying (Article 4 (2) of the General Regulation). The processing of personal data also means the disclosure of personal data through the transmission, dissemination or other provision of access to personal data. The data on the incidence of covid-19 disease is data related to health or data on the health status of an individual (Article 4 (15) of the General Regulation). The legal basis for the processing of specific types of personal data, such as health data, is set out in Article 9 of the General Regulation, which provides that the processing of personal data revealing racial or ethnic origin, political opinion, religion or philosophy is prohibited. belief or union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, health data or data relating to an individual's sexual life or sexual orientation, and the second paragraph further provides that paragraph 1 shall not apply if one of the following applies: (a) the data subject has given his or her explicit consent to the processing of that personal data for one or more specified purposes, except where Union law or the law of a Member State provides that the data subject may not derogate from the prohibition referred to in paragraph 1; (b) processing is necessary for the purposes of fulfilling the obligations and exercising the prerogatives of the controller or data subject in the field of labor law and social security and social security law, where Union law or the law of a Member State or a collective agreement so permits. in accordance with the law of the Member State providing for adequate safeguards for the fundamental rights and interests of the data subject; (c) processing is necessary for the protection of the vital interests of the data subject or of another data subject where the data subject is physically or legally incapable of giving consent; (d) processing in the course of its lawful activities is carried out with appropriate safeguards by an institution, association or any other non-profit body for political, philosophical, religious or trade union purposes and provided that the processing concerns only members or former members of the body or persons , who are in regular contact with him regarding his intentions, and that personal data are not transferred outside this body without the consent of the data subjects; (e) the processing relates to personal data published by the data subject; (f) processing is necessary for the enforcement, enforcement or defense of legal claims or where any courts exercise their jurisdiction; (g) the processing is necessary for reasons of overriding public interest under Union law or the law of a Member State commensurate with the objective pursued, respects the essence of the right to data protection and provides appropriate and specific measures to protect the fundamental rights and interests of the data subject. relate to personal data; (h) treatment is necessary for the purposes of preventive or occupational medicine, assessment of the employee's ability to work, medical diagnosis, provision of medical or social care or treatment, or management of health or social care systems and services under Union or Member State law or in accordance with a contract with a healthcare professional and subject to the conditions and safeguards referred to in paragraph 3; (i) processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border health risks or ensuring high standards of quality and safety of healthcare and medicines or medical devices, under Union law or the law of the Member State appropriate and specific measures to protect the rights and freedoms of the data subject, in particular the protection of professional secrecy; (j) the processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) under Union law or the law of a Member State commensurate with the objective pursued. data protection and provides appropriate and specific measures to protect the fundamental rights and interests of the data subject. The personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 where they are processed or processed by a professional subject to professional secrecy under Union or Member State law or the rules laid down by determined by the competent national authorities or by another person who is also subject to the obligation of professional secrecy in accordance with Union law or the law of a Member State or with rules laid down by the competent national authorities. Member States may maintain or introduce additional conditions, including restrictions, on the processing of genetic, biometric or health data. Article 5 of the General Regulation sets out the principles relating to the processing of personal data, namely that personal data must be: (a) processed lawfully, fairly and transparently in relation to the data subject ("legality, fairness and transparency"); (b) collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) shall not be considered incompatible with the original purposes ('purpose limitation'); (c) relevant, relevant and limited to what is necessary for the purposes for which they are processed ('minimum amount of data'); (d) accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that inaccurate personal data are erased or corrected without delay, taking into account the purposes for which they are processed ('accuracy'); (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for a longer period if they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1), subject to appropriate technical and organizational measures. regulations to protect the rights and freedoms of the data subject ("storage restriction"); (f) be processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage by appropriate technical or organizational measures ("integrity and confidentiality"). The operator is responsible for compliance with paragraph 1 and must also be able to demonstrate this compliance ('liability'). II. IP findings and explanations and positions of the obligor: During the inspection procedure, the liable party was reminded that in the procedure before the IP he had to tell the truth and the consequences of a false confession. During the proceedings, the liable party explained the following, namely that: does not keep records of covid-19 cases, estimates that there were approximately… patients; the procedure of informing employees about patients with covid-19 disease is carried out by informing the patient by phone… the taxpayer stays at home or in quarantine until recovery, if no high-risk contacts have occurred , the taxpayer warns by e-mail all employees who are or could be in high-risk contact with the sick person (providing the person's name and test result); in principle informs only persons who came into direct contact with an infected or sick person in the course of the work process, exceptionally acted differently when the virus first entered…, as it was not possible to identify who was in high-risk contact. A questionnaire was sent to the employees, on the advice of occupational medicine, so that high-risk contacts could be traced as soon as possible. During the month…, however,… it sent an individual questionnaire to all employees on the connection with high-risk groups in order to organize work in a way that would minimize the impact on potentially endangered employees or employees who are close to people at risk; have adopted the Rules on procedures and measures for personal data protection (adopted on the basis of cooperation between employees and the union), and in specific cases collected data… as… and organizer of the work process, communication was by telephone, patients were properly informed about the content has no written evidence; Lovni the work process is… specific, work usually takes place in smaller but often flexibly composed…. Potential high-risk contacts between employees cannot always be assumed. In the last two years, work has been going on in extremely difficult circumstances. The taxpayer submitted the following documentation: emails to employees of ... On the basis of the Obligor's acquaintance with the findings in the inspection procedure and the call for clarification before the decision no. … Of… provided evidence that he had informed employees of their rights to information in accordance with Article 13 of the General Regulation and stated that he had observed the principle of proportionality in notifying infections by providing the name of infected employees by e-mail of… infections that are expected to occur at least… before detection and work in small… and the likelihood that all employees have come into contact with an infected employee (the liable party has… employees and external collaborators). He went on to state that they had been informed exclusively by e-mail of…, as all of them had been exposed to high-risk contact, and no information on the infection outside of that had been provided. III. Reasons for such a decision in the light of the facts established: On the basis of the inspection procedure carried out so far, the IP establishes the following facts. The person responsible for the SARS-CoV-2 coronavirus database does not keep employees informed of covid-19 patients in order to protect the health of employees and ensure a healthy working environment, but informing employees about the infection could and had to do so in such a way that he would not provide a specific name and surname when he provided information on persons suffering from covid-19 from the e-mail address zaposle… to employees with the name and surname in an e-mail dated…, that even insofar as the messages sent were forwarded to all employees who may have been able to come to t with the sick person. i. high-risk contact, the taxpayer should not provide the name and surname, as it would be sufficient to notify the infection and provide such a hidden copy - depending on the circumstances of the case, the taxpayer will have to decide in each case whether such initiation should be provided to a particular circle of employees or all. The taxpayer should not provide the names and surnames of individuals suffering from covid-19 disease by processing their health data by passing it on to individuals, as such information may be provided without providing a specific name and surname. If the taxpayer considers that anyone who could be in the taxpayer's registered office during a certain period could come into high-risk contact, he should further examine and substantiate why the general notice without mentioning a specific individual in such a way that he would not determined or identifiable would not achieve the same purpose. IP notes that the taxpayer could send the same content of the message even without the name and surname of the employees, while achieving the same purpose of preventing the spread of infectious diseases. High-risk contacts could be sought individually, without disclosing the individual suffering from the disease, to all employees. Consequently, such information, in particular with the name and surname, resulted in unlawful processing of personal data and breach of the minimum data principle set out in Article 5 (1) (c) of the General Regulation, as the taxpayer could achieve the same effect and already with a general notice without stating the name and surname, which could also be sent to all listed stakeholders, if he found that in certain premises and in a certain period of time according to the specifics of the work process at the taxpayer, there was t. i. high-risk contact. IV. Conclusion: Point (d) of Article 58 (2) of the General Regulation provides that the supervisory authority shall order the controller or processor to comply with the provisions of the processing, if applicable, in a specified manner and within a specified time limit. In view of the explained reasons, due to the identified irregularities, pursuant to Articles 2 and 8 of the ZInfP, point 1 of the first paragraph of Article 54 of ZVOP-1, the first paragraph of Article 32 of the ZIN and point (d) of Article 58 (2) of the General order the elimination of identified irregularities and the harmonization of the processing of personal data with the provisions of Article 5 (1) (c) of the General Regulation and Article 9 of the General Regulation, as set out in point 1 of the operative part of this Decision. The fifth paragraph of Article 29 of the ZIN stipulates that if the inspector has ordered the elimination of irregularities and deficiencies and set a deadline for the obligor to eliminate them, he must immediately inform the inspector of the rectified irregularities. In accordance with the above, the liable party must notify the IP in writing of all implemented measures referred to in point 1 of the operative part of this decision no later than five (5) days after the elimination of the irregularity. The notification must also contain indications and evidence that the liable party has implemented the measures referred to in point 1 of the operative part of this decision and in what manner he has implemented them. The ruling on the costs of the procedure is based on the provision of the first paragraph of Article 31 of the ZIN, according to which the costs of the inspection procedure, which were necessary to establish the facts proving that the taxpayer violated a law or other regulation, the taxpayer suffers. The liable party did not notify the costs of the procedure during the procedure, but no special costs of the procedure were incurred by the body. This decision is issued ex officio and is based on Article 22 of the Administrative Fees Act (Official Gazette of the Republic of Slovenia, No. 106/10 - official consolidated text, 14/15 - ZUUJFO, 84/15 - ZZelP-J, 32/16 , 30/18 - ZKZaš and 189/20 - ZFRO) tax free. LEGAL REMEDY: This decision is final in the administrative procedure. In accordance with the provision of Article 55 of ZVOP-1, no appeal is allowed against it, but it is permissible to initiate an administrative dispute. An administrative dispute shall be initiated by filing a lawsuit with the Administrative Court, Fajfarjeva 33, 1000 Ljubljana, within thirty (30) days of its service. The action shall be brought directly in writing before that court or shall be sent to it by post. It is considered to have been filed in time if it is submitted by registered mail by the last day of the claim deadline. In addition to the contested decision, the original, transcript or copy must be accompanied by one copy or copy of the lawsuit and attachments for the defendant, if someone is affected by the administrative act, but also for him. … Serve: …