AZOP (Croatia) - Decision 28-08-2019

| AZOP (Croatia) - Decision of 28 August 2019 | |
|---|---|
| Authority: | AZOP (Croatia) |
| Jurisdiction: | Croatia |
| Relevant Law: | Article 4(1) GDPR; Article 5(1) GDPR; Article 6(1) GDPR; Article 17(1) GDPR; Article 25(1) GDPR; Article 25(2) GDPR; Article 12(5) Budget Act; Article 100 Budget Act; Ordinance (by-law) on Financial Reporting in Budget Accounting |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 28.08.2019 |
| Published: | 28.08.2019 |
| Fine: | None |
| Parties: | Health Center |
| National Case Number/Name: | Decision of 28 August 2019 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Croatian |
| Original Source: | AZOP (in HR) |
| Initial Contributor: | tom_vranovic |
The Croatian DPA (AZOP) ordered the controller, a health clinic, to comply with the data subject's erasure request because it had published her name and surname on its website without a legal basis, in violation of Articles 5 and 6 GDPR.
English Summary
Facts
The controller is the Health Center (a health clinic), which was in litigation with the data subject: the Health Center had brought proceedings against her, the nature of which is not stated in the decision. The data subject requested the Health Center to erase her personal data because her name and surname were published in a document called "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018", which was publicly available on the controller's website. The controller refused to comply with the request, so the data subject filed a complaint with the DPA.
The DPA asked the controller to state the legal basis and purpose of the processing and the reasons for refusing the request. The controller replied that it was under a legal obligation to publish the data. Under national budget law, it must publish its annual financial statements on its website, and those statements must include notes that further explain the financial data; the document in question contained those notes. Since one of the mandatory notes is a list of pending litigation, and the controller and the data subject were parties to such litigation, the controller argued that it was obliged to publish the data subject's personal data.
Holding
The DPA upheld the data subject's complaint.
The DPA accepted that national law obliges the controller to publish an annual financial statement with supplementary notes that explain, inter alia, the controller's pending litigation. However, neither the Budget Act nor the Ordinance adopted under it requires those notes to contain the names and surnames of the parties to a dispute: the Ordinance only requires a concise description of the nature of the dispute, an assessment of its financial effect and the estimated timing of the resulting outflow or inflow of funds. The DPA therefore concluded that, while the controller had a legal basis for publishing the document, it had no legal basis or legitimate purpose for publishing the data subject's personal data (or those of the other natural persons it was litigating with), in violation of Articles 5, 6 and 25 GDPR. It ordered the controller to erase the personal data of the data subject and of all other natural persons listed in the document pursuant to Article 17(1)(d) GDPR, and to take appropriate measures so that the document is no longer searchable via Google search.
Comment
The DPA stated that the controller (also) violated Article 25 GDPR because it published the data subject's personal data on its website without a legal basis. Unfortunately, the legal reasoning on this point is not spelled out. One can assume that the controller neglected to implement appropriate technical and organisational measures to ensure adherence to the data protection principles, in particular data minimisation: since the Ordinance only requires a concise description of each dispute, the names could have been left out, or pseudonymised (the measure Article 25(1) itself names), before the document was published. The order to ensure that the document is not searchable via Google also points to the last sentence of Article 25(2), which the decision quotes, namely that by default personal data must not be made accessible to an indefinite number of natural persons without the individual's intervention; a document on a public, search-engine-indexed website plainly fails that test. However, a violation of (one of) the Article 5 principles does not automatically entail a violation of Article 25 GDPR, and the decision does not identify which specific measures the controller should have implemented.
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
REPUBLIC OF CROATIA
PERSONAL DATA PROTECTION AGENCY
CLASS:
REGISTRATION NUMBER:
Zagreb, 28 August 2019

The Personal Data Protection Agency, pursuant to Article 57(1) and Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119 (hereinafter: General Regulation), Article 34 of the Act Implementing the General Data Protection Regulation (Official Gazette No. 42/18), and Article 42(1) and (2) and Article 96(1) of the General Administrative Procedure Act (Official Gazette No. 47/09), acting on the request for protection of rights submitted by xy, issues the following

DECISION

1. The request of xy concerning a violation of the right to personal data protection is founded.
2. It is established that, by publishing the name and surname of xy in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018" on the website of the Health Center, personal data were processed contrary to Articles 5 and 6 of the General Data Protection Regulation.
3. The Health Center is ordered to delete the personal data of xy, and of all other natural persons listed in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018" published on the website of the Health Center, in accordance with Article 17(1)(d) of the General Data Protection Regulation.

Reasoning

The Personal Data Protection Agency (hereinafter: the Agency) received a request from xy (hereinafter: the applicant) stating that the publication of her personal data in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018", published on the website of the Health Center, violated her right to personal data protection.

The request is founded.

Acting on the request, the Agency asked the Health Center for a statement on the availability of the applicant's personal data, in particular on the legal basis and purpose of their publication. The Health Center stated that, as a budget obligor, it is required under Article 12(5) of the Budget Act and Article 27 of the Ordinance on Financial Reporting in Budget Accounting to publish its annual financial statements on its website no later than eight days after their submission. It further stated that, under Article 7(2) of that Ordinance, the financial statements of budget users of the state budget for a budget year consist of the Balance Sheet, the Statement of Revenue and Expenditure, Receipts and Outlays, the Statement of Expenditure by Functional Classification, the Statement of Changes in the Value and Volume of Assets and Liabilities, and the Notes. It also stated that, under Article 13 of the Ordinance, the Notes supplement the data in the financial statements and that, under Article 14, the mandatory Notes to the Balance Sheet are a list of contractual relationships and similar items which, upon fulfilment of certain conditions, may become a liability or an asset, and a list of pending litigation. Since the Health Center had brought proceedings against the applicant, it considered itself obliged to state this in the Notes.

Article 4(1)(1) of the General Data Protection Regulation defines personal data as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Under Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation), personal data must be: processed lawfully, fairly and in a transparent manner in relation to the data subject (principle of lawfulness, fairness and transparency); collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (principle of purpose limitation); adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimisation); accurate and, where necessary, kept up to date (principle of accuracy); kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (principle of storage limitation); and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (principle of integrity and confidentiality).

Article 6 of the General Data Protection Regulation provides that processing is lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes; processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for compliance with a legal obligation to which the controller is subject; processing is necessary in order to protect the vital interests of the data subject or of another natural person; processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Article 17 of the General Data Protection Regulation provides that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and that the controller has the obligation to erase personal data without undue delay where one of the listed grounds applies, among others where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

Article 25 of the General Data Protection Regulation provides that, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

The Budget Act (Official Gazette Nos. 87/08, 136/12 and 15/15), specifically Article 12(5), provides that units of local and regional self-government and budgetary and extrabudgetary users shall publish their annual financial statements on their websites no later than eight days after their submission. The Ordinance on Financial Reporting in Budget Accounting (Official Gazette Nos. 03/15, 93/15, 135/15, 2/17, 28/17 and 112/18), adopted pursuant to Article 100 of the Budget Act, provides that the Notes supplement the data in the financial statements. Notes may be descriptive, numerical or combined, and are marked with ordinal numbers with a reference to the AOP code of the report item to which they refer.

The mandatory Notes to the Balance Sheet are: 1. a list of contractual relationships and similar items which, upon fulfilment of certain conditions, may become a liability or an asset (letters of credit given, mortgages, etc.); and 2. a list of pending litigation. The list of pending litigation referred to in paragraph 1 of that Article must contain a concise description of the nature of the dispute, an assessment of the financial effect that may arise from the litigation as a liability or an asset, and the estimated time of the outflow or inflow of funds. Units of local and regional self-government and budgetary and extrabudgetary users publish their annual financial statements on their websites no later than eight days after their submission (Articles 13 and 14).

In light of the above, it was established in this administrative matter that the applicant's personal data, namely her name and surname, were publicly available on the official website of the Health Center in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018". It was further established that the document was published in accordance with Article 12 of the Budget Act and Article 27 of the Ordinance on Financial Reporting in Budget Accounting. Under Articles 13 and 14 of the Ordinance, the Notes supplement the financial statements, and the list of pending litigation is one of the mandatory Notes. However, neither that special Act nor the Ordinance adopted on its basis provides that the list of litigation must contain the name and surname of the person or persons against whom the budget user is litigating; what is prescribed is that the list contain a concise description of the nature of the dispute, an assessment of the financial effect that may arise from the litigation as a liability or an asset, and the estimated time of the outflow or inflow of funds.

Therefore, the Health Center had a legal basis for publishing the document on its website, but it had no legal basis or legitimate purpose for publishing the personal data of the applicant or of the other natural persons with which it is litigating; by doing so it published personal data without a legal basis, contrary to Articles 5, 6 and 25 of the General Data Protection Regulation. The Health Center, as controller, is therefore instructed to act in accordance with the provisions of the General Data Protection Regulation when processing the personal data that it processes and publishes in documents, to delete the personal data of the applicant and of all other persons listed in the document in question in accordance with Article 17(1)(d), and to take appropriate measures to protect personal data so that the document is not searchable via the Google search engine. In light of the above, it was decided as stated in the operative part of the Decision.

INSTRUCTION ON LEGAL REMEDY
No appeal is allowed against this Decision, but an administrative dispute may be initiated before the Administrative Court within 30 days of delivery of the Decision.