NSS - 10 As 190/2020 - 39
NSS - 10 As 190/2020 - 39 | |
---|---|
Court: | NSS (Czech Republic) |
Jurisdiction: | Czech Republic |
Relevant Law: | Article 32 GDPR Article 83(7) GDPR Czech Law on Data Processing 2019 Czech Law on Data Protection 2000 |
Decided: | 25.02.2022 |
Published: | |
Parties: | |
National Case Number/Name: | 10 As 190/2020 - 39 |
European Case Law Identifier: | |
Appeal from: | MSPH (Czech Republic) 14 A 26/2019 - 37 |
Appeal to: | Not appealed |
Original Language(s): | Czech |
Original Source: | NSS (in Czech) |
Initial Contributor: | ea |
The Czech Supreme Administrative Court held that a hospital did not amount to a public body within the meaning of Article 83(7) GDPR. According to the Court, such a body must be established by law, perform tasks in the public interest, not have its own property and be financed from public budgets.
English Summary
Facts
The Czech DPA held that the controller, a hospital, violated the duty to implement sufficient security safeguards under § 13 of the Czech Law on Data Protection 2000 (implementing the Data Protection Directive). The DPA issued a fine of 1,634 EUR to the controller. The controller requested a judicial review of the DPA's decision. The City Court of Prague (MSPH) confirmed the DPA's decision. The controller subsequently requested a judicial review at the Supreme Administrative Court (NSS). The controller claimed that although it had violated the law when the Law on Data Protection 2000 was still in force, the DPA and the MSPH should have applied the GDPR and its implementing act - the Czech Law on Data Processing 2019 - provided that it was more favourable to the controller (pursuant to Article 40(6) of the Czech Charter of Fundamental Rights and Freedoms).
In the course of deciding whether the GDPR and the Law on Data Processing 2019 must apply, the NSS had to consider if they are more favourable to the controller or not. Consequently, the NSS had to consider two questions. First, whether the controller could have benefitted from § 62(5) of the Law on Data Processing 2019 which states that the DPA shall not issue an administrative fine to public authorities and bodies as defined in Article 83(7) GDPR (Article 83(7) GDPR allows Member States to provide for such exemptions). Second, the NSS had to decide whether Article 32 GDPR was more favourable than § 13(1) of the Law on Data Protection 2000.
Holding
The NSS held that the GDPR as implemented by the Law on Data Processing 2019 was not more favourable to the controller than the Data Protection Directive as implemented by the Law on Data Protection 2000. Consequently, the NSS held that the MSPH was correct in applying the latter and confirmed its decision.
First, the NSS held that the controller could not have benefitted from the exemption for public authorities and bodies from administrative fines under § 62(5) of the Law on Data Processing 2019. This was because the controller (a hospital) was not a public authority or body within the meaning of Article 83(7) GDPR. In interpreting what amounts to a public authority or body under Article 83(7) GDPR, the NSS held that such entity will normally be established by law and designed to perform tasks in the public interest. It will not have its own property and will be financed from public budgets. It is irrelevant whether it is a public institution within the meaning of Freedom of Information Act or the Public Procurement Act, or whether it keeps medical documentation. The NSS concluded that the controller is hence not such a public authority or body as it is a joint-stock company with its own assets and budget. Although it is predominantly financed by public health insurance, such funding is not public funding because the complainant receives it in return for specific services and patients not unlike private providers. Thus, although the complainant provides healthcare that is certainly in the public interest, it does not amount to a public authority or body within the meaning of Article 83(7) GDPR.
Second, the NSS held that the duty to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk under Article 32 GDPR was not more favourable to the controller than the duty to take such measures to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transfers, other unauthorised processing or other misuse of personal data under § 13(1) of the Law on Data Protection 2000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Czech original. Please refer to the Czech original for more details.
10 As 190/2020 - 39 CZECH REPUBLIC JUDGMENT ON BEHALF OF THE REPUBLIC The Supreme Administrative Court ruled in a senate composed of President Ondřej Mrákota and Judge Petr Šebek and Zdeněk Kühn in the plaintiff's legal case: Tábor Hospital, a.s., Kpt. Jaroše 2000, Tábor, represented by lawyer Mgr. Jiří Jarušek, Radniční 7a, České Budějovice, against the defendant: Office for Personal Data Protection, Lt. Col. Sochora 27, Prague 7, against the chairwoman's decision Office for Personal Data Protection of 13 December 2018, ref. UOOU-08001 / 18-14, pending on the plaintiff's cassation complaint against the judgment of the Municipal Court in Prague of 20 May 2020, Ref. 14 A 26/2019 - 37, t a k t o: I. Cassation complaint. II. None of the parties is entitled to reimbursement of costs. Reason: I. Definition of the matter [1] Defendant by decision of 12 October 2018, ref. UOOU-08001 / 18-8, found plaintiff guilty of committing an offense under § 45 para. h) of Act No. 101/2000 Coll., on the protection of personal data and amendments to certain regulations ("Personal Data Protection Act"), because, as the controller of personal data, he did not take measures to ensure the security of processing personal data in connection with the keeping of electronic medical records; specifically the plaintiff was accused that from an unspecified period at least until 11 January 2018: a) audit records (logs) in the hospital information system did not make it possible to identify and verify why the electronic medical records were inspected, b) the plaintiff did not perform regular access control to electronic medical records. According to the defendant, the plaintiff thus infringed the obligation stipulated in § 13 par. 1 of the Personal Data Protection Act. It was imposed on him for that fine CZK 80,000. [2] The plaintiff appealed to the defendant's chairwoman, who concluded she confirmed the offense, but found the fine to be disproportionate and reduced it to CZK 40,000. [3] The plaintiff's action against the decision of the President of the defendant Municipal Court in Prague rejected. He concluded that, if the applicant had kept records of who and when was personal, 10 As 190/2020 recorded and processed the data, but did not insist that the reason for the access be recorded into electronic medical records and personal data processing, proceeded in contradiction with the law. The city court did not find any mistake in the fact that the law on protection was applied personal data and not Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Regulation"). II. Cassation proceedings [4] The plaintiff (complainant) challenged the judgment of the Municipal Court in a cassation appeal. Believes, that the judgment is unreviewable because the city court did not address its reference to the commentary to the Personal Data Protection Act. He further argued that the Municipal Court had misinterpreted Section 13 (4) letter c) of the Personal Data Protection Act and illegally assessed the question of what legal regulation they had be used. According to the complainant, the law on personal data protection should not have been applied, but Regulation, as it does not contain the obligation enshrined in § 13 par. 4 let. c) of the Protection Act personal data. Nor can such an obligation be inferred from Article 32 of the Regulation, as it does incorrectly Municipal Court. The complainant further alleged that the city court had not taken it into account when assessing the sanction later legislation (Act No. 110/2019 Coll., on the processing of personal data), which is more favorable to the complainant. The Personal Data Processing Act does not allow for storage sanction for an administrative penalty against a public body. The complainant considers that he is a public as it keeps medical documentation (according to Act No. 372/2011 Coll., on health services and conditions of their provision), is a public contracting authority (according to Act No. 134/2016 Coll., on the award of public contracts), a public institution within the meaning of Act No. 106/1999 Coll., on Free Access to Information) and its activities are largely funded public health insurance. Although the complainant is a person governed by private law, he is an established person South Bohemian Region in order to fulfill the public interest. [5] The complainant therefore requested that the SAC set aside the judgment under appeal and refer the case back to the municipal court for further proceedings. [6] The defendant disagrees with the cassation complaint and proposes to dismiss it. Judgment of the city the court also considers its decision to be in accordance with the law. He states that in his time decision on the processing of personal data has not yet been effective, but considers that that this is not a more favorable standard for the complainant, as the complainant is not a public body. III. Assessment of the case by the Supreme Administrative Court [7] The appeal is unfounded. III. 1. Unreviewability of a municipal court judgment [8] First, the SAC dealt with the alleged unreviewability of the Municipal Court judgment. [9] The unreviewability of a decision for lack of reasons must be interpreted in its own right in the real sense, ie as the impossibility of reviewing a decision for the impossibility of ascertaining the content itself or the reasons for which it was issued (cf. resolution of the Enlarged Senate of the SAC of 19 February 2008, Ref. 7 Afs 212/2006 - 76). The institute of unreviewability is not allowed arbitrarily extend and apply it to cases where the court has the substance of the objection of a party to the proceedings duly deals with and explains why it does not consider the participant's arguments to be correct, albeit explicitly in the statement of reasons for the decision does not respond to all conceivable aspects of the objection raised and commits, 10 As 190/2020 - 40 continuation partial failure to state reasons. The decision on unreviewability is reserved the most serious flaws of the decision, when for the absence of reasons or for incomprehensibility really the decision cannot be reviewed on the merits. Unreviewable decision for lack for such reasons, it has a place especially if the administrative body or court omits the participant's objection to react completely (thus also implicitly) (cf. judgments of the SAC of 17 January 2013, ref. 1 Afs 92/2012 - 45, or from June 29, 2017, ref. 2 As 337/2016 - 64). The fact that the administrative authorities cannot be overlooked and the courts are not obliged to deal with every partial objection if they oppose the participant's claim the procedure will give rise to a legal opinion in the competition of which the opposition as a whole will not stand. Such a procedure The Constitutional Court also found it constitutionally compliant in its judgment of 12 February 2009, file no. III. ÚS 989/08, according to which: “It is not a violation of the right to a fair trial if the general courts do not draw their own conclusions on the detailed opposition (and refutation) of the individual objections raised, if he opposes his own comprehensive an argumentation system that reasonably and reasonably interprets that supporting the correctness of their conclusions is itself sufficient in itself ’. [10] This was also the case here. Municipal court alleged misinterpretation § 13 par. 4 let. c) of the Personal Data Protection Act. He clearly stated why it considers it necessary for the record to include information on the reason for the processing personal data (paragraph 50 et seq. of the judgment). The municipal court therefore provided a sufficiently verifiable statement your opinion on this contentious issue. The very fact that he did not express himself to the complainant's reference to commentary literature, does not cause his inexplicability judgment. In addition, in the present case, the municipal court expressly stated in the judgment that the measure which the complainant considered sufficient to fulfill the obligation (interview with the who looked into the database) is not considered sufficient. Inexplicability is not a manifestation the complainant's unfulfilled subjective ideas about how detailed the judgment should be justified, but an objective obstacle which prevents the Court of Cassation from examining the contested decisions (cf. judgments of the Supreme Court of 28 February 2017, ref. 3 Azs 69/2016 - 24, and of 27 September 2017, Ref. 4 As 146/2017 - 35). The applicant's disagreement with the reasoning and conclusions of the judgment under appeal at the same time it does not cause its unexamination (see, for example, the judgments of the SAC of 12 November 2013, Ref. 2 As 47 / 2013- 30, or dated 29 April 2010, ref. 8 As 11/2010 - 163). III. 2. Incorrect interpretation of § 13 par. 4 let. c) of the Personal Data Protection Act [11] The complainant first argued that the municipal court had misinterpreted § 13 para. c) of the Act on the protection of personal data. [12] The complainant was found guilty by a decision of the defendant for violating Section 13 (1) of the Act on the protection of personal data. He was to do this by two acts: a) by keeping his audit records (logs) in the hospital information system did not make it possible to identify and verify why the electronic medical records were inspected, which also violated § 13 par. 4 let. C) the Personal Data Protection Act; and (b) that the complainant did not carry out regular access checks to electronic medical records. [13] According to Article 13 (1) of the Personal Data Protection Act, the controller and the processor are obliged to accept measures to prevent unauthorized or accidental access to personal data, to their personal data alteration, destruction or loss, unauthorized transfers, their other unauthorized processing, as well as misuse of personal data. This obligation applies even after the processing of personal data has ended. [14] According to § 13 par. c) of the Personal Data Protection Act is in the field of automated the controller or processor shall also be obliged to acquire the processing of personal data within the framework of the measures referred to in paragraph 1 electronic records that make it possible to identify and verify when, by whom and for what reason personal data were recorded or otherwise processed., 10 As 190/2020 [15] The complainant considers that the cited provisions do not imply an obligation to the reason for recording or other processing of personal data was included in the electronic record (log) data, but it is sufficient for this reason to be ascertainable. However, we cannot agree with that. He could be explicit purely grammatical interpretation of § 13 par. 4 let. c) of the Personal Data Protection Act to complain of the complainant, the municipal court correctly proceeded from the meaning of the cited provision and evaluated the established obligation in the context of the entire § 13 of the Personal Data Protection Act. He also referred, where appropriate, to the judgment of the Supreme Court of 30 January 2013, ref. 7 As 150/2012 - 35, in which The SAC explicitly stated that the so-called logs according to § 13 par. c) of the Personal Data Protection Act are "records of who, when and for what reason recorded or otherwise processed personal data". Only such a record, which contains information not only about who and when personal data processed, but also the reason for this processing, is then able to fulfill the meaning of the law on protection personal data, as only then can it be traceable and verifiable “who, when, how and why "it processed personal data in the information system. Such a requirement is also high preventive effect against the misuse of data from the information system, because everyone with it legally working, must be aware that it is possible to retrospectively verify who, when and in what way worked with the information system, and whether this was done legitimately. As stated by the NSS in the above judgment no. 7 As 150/2012 - 35: "any person who unlawfully manipulates data contained in a system who processes them automatically must be aware that her actions may be aided by such a record traced and detected '. [16] The NSS therefore identifies with the municipal court that it is already in the electronic record itself (log) the reason for recording or processing personal data must be included. Complainant's voucher the possibility of conducting a follow-up interview with the employee who accessed the database, and thus find out the reason for his approach, he cannot succeed, because he does not respect the wording of § 13 par. C) of the Personal Data Protection Act or the meaning of the personal data protection legislation. In such In this case, it is not possible to carry out a proper interim or ex-post check to see if it has not taken place to unauthorized access to the database. [17] The complainant's reference to the commentary on the law cannot change anything in the above on the protection of personal data. The conclusion of the municipal court does not contradict the commentary. If the comment admits the fulfillment of the obligation enshrined in § 13 par. 4 let. c) of the Protection Act personal data also "in combination with appropriate organizational measures", the complainant no such does not mention an appropriate organizational measure that would be eligible to be met. Subsequent an interview with the person who looked at the database is not such a measure. Certainly you have to agree with the complainant that the legitimacy of the reason for processing personal data must be verified the administrator himself, in principle on the basis of data provided by the person who personally accessed the data. However, this person must state the reason for looking at the database immediately before or shortly before access to personal data. You can't agree to do that the reason shall be stated only during the subsequent inspection, which may be carried out many months after such approach. First of all, he may no longer remember the specific reason at all (especially in situations where he views into the information system often, as is certainly the case for the complainant's staff), in addition the above-mentioned preventive effect is not fulfilled here. In this case, it was not inadmissible expanding interpretation of § 13 par. 4 let. c) of the Personal Data Protection Act. III. 3. Application of incorrect legislation AND) [18] The complainant disagrees with the City Court's assessment of which legislation was for him more favorable. First of all, he considers that the defendant should have applied the regulation and not the law of protection personal data., 10 As 190/2020 - 41 continuation [19] The Municipal Court ruled in favor of the complainant that in assessing which legislation is more favorable to offenders, it is not possible to limit oneself to comparing criminal rates, but it is necessary assess the specific case in advance in accordance with all the provisions of the old and new legislation and then with regard to all the provisions on the conditions of criminal (here misdemeanor) liability (also to the reasons for its termination) and punishment (also to the possibility of conditional sentence, waiver from punishment, etc.) to consider which is more favorable (judgment of the Supreme Court of 5 June 2018, Ref. 4 As 96/2018 - 45). Thus, even if the municipal court found the defendant's approach, which he considered only penalty rates, defective in this respect, agreed with the conclusion on the application of the law on protection personal data. [20] According to the Municipal Court, although the regulation contained in the Regulation does not explicitly which would correspond to § 13 par. 4 let. c) of the Personal Data Protection Act, however this obligation can be deduced from Article 32 of the Regulation. This provision regulates the obligation of administrators and processors to secure personal data by means of appropriate technical and organizational measures, among which, according to the municipal court, the obligation to ensure due diligence could also be included protection of personal data so that they cannot be accessed without giving a reason. Municipal Court to this he also referred to the judgment of the Supreme Court of 27 June 2019, ref. 4 As 140/2019 - 27, which he assessed the relationship between Section 13 (1) of the Personal Data Protection Act and Article 32 of the Regulation. [21] According to Article 32 of the Regulation, taking into account the state of the art, implementation costs, nature, scope, context and purposes of the processing, as well as risks of rights and freedoms of varying probability and severity natural persons, the controller and the processor shall take appropriate technical and organizational measures to ensure the level security corresponding to the given risk, then there is an illustrative list of security methods and the provision that, in assessing the appropriate level of safety, particular account shall be taken of the risks it poses processing, in particular accidental or unlawful destruction, loss, alteration, unauthorized disclosure personal data transmitted, stored or otherwise processed, or unauthorized access to them. [22] In the present case, the complainant was found guilty of a misdemeanor according to § 45 par. 1 let. h) of the Personal Data Protection Act, according to which the offense is committed one who, as controller, does not take or implement measures to ensure the security of the processing of personal data (§ 13). According to the statement of the contested decision of the defendant, the complainant violated § 13 par. 1 of the Act on the protection of personal data (the obligation to take measures to prevent unauthorized or accidental access to personal data, to their alteration, destruction or loss, to unauthorized transfers, to their other unauthorized processing as well as other misuse of personal data) by: (a) audit trails (logs) in the hospital information system did not make it possible to identify and verify why it was and (b) the complainant did not carry out regular inspections access to electronic medical records. [23] In the present case, the complainant was therefore found guilty of violating Section 13 (1) of the Act on the protection of personal data, which it committed in two separate negotiations. It doesn't matter of them (missing reasons for inspection in audit records) can also be subordinated to § 13 par. 4 letter c) of the Personal Data Protection Act, the defendant with regard to the conduct of the other (failure to implement regular inspections) found that by both acts the complainant had violated the more general § 13 para. 1 of the Personal Data Protection Act. It does not change the fact that the defendant's reasoning in the decision he also mentioned the violation of § 13 par. 4 let. c) of the Personal Data Protection Act (which, moreover, directly refers to § 13 par. 1), because the statement of the decision, which is binding and enforceable, found only a violation of § 13 paragraph 1 of this Act. Just in relation to the last one quoted the provision which the complainant is found to be in breach of must then be determined whether it is later legal regulation more favorable for the complainants., 10 As 190/2020 [24] As the Municipal Court rightly stated in the judgment under appeal, the SAC has already considered this issue and in the judgment no. 4 As 140/2019 - 27 concluded that Article 32 of the Regulation is not relevant to § 13 par. 1 of the Personal Data Protection Act by a more favorable regulation (paragraphs 25 et seq. of the judgment). It is therefore not decisive that Article 32 of the Regulation does not contain such specific requirements as Paragraph 13 (4) letter c) of the Personal Data Protection Act, but whether the adjustment of obligations under Article 32 of the Regulation corresponds to the regulation stipulated in § 13 par. 1 of the Personal Data Protection Act. That's right according to the NSS it is also. Both provisions regulate the obligation of the controller and the processor of personal data ensure adequate personal security through appropriate technical and organizational measures data against unauthorized disclosure or access. Being doing so in different words can't be minor interpret the differences of wording in such a way that the regulation places in contrast to the Personal Data Protection Act lower requirements for the controller or processor of personal data and that this is a legal regulation more favorable, as the complainant considers. [25] The SAC therefore agrees with the Municipal Court that the defendant did not err in concluding that that the Regulation was not more favorable to the complainant. B) [26] The complainant also argues that the municipal court should have applied the law when assessing the sanction on the processing of personal data, as it did not allow for the imposition of a sanction for an administrative public penalty entity (Section 62 (5) of the Personal Data Processing Act in conjunction with Article 83 (7) of the Regulation). [27] As stated by the Enlarged Senate of the SAC in the resolution of 16 November 2016, ref. 5 As 104/2013 - 46, if the regional court decides in the administrative judiciary on an action against the decision of the administrative body, which was guilt and punishment for an administrative offense in a situation where the law that was applied was final administrative decision is amended or repealed, it shall take into account the principle expressed in the second sentence of Article 40 (6). The Charter of Fundamental Rights and Freedoms, according to which the criminality of an act is assessed and the sentence is imposed in accordance with the law, which came into force only after the crime has been committed, if it is more favorable for the offender. [28] In this case, the judgment of the municipal court was issued on 20 May 2020. Protection Act personal data was abolished with effect from 24 April 2019 by the Personal Data Processing Act which entered into force on the same day. If only the law on personal data processing more favorable to the applicant, the municipal court had a duty to assess the legality of the sentence follow this law. [29] Pursuant to Section 62 (5) of the Personal Data Processing Act, the defendant waives storage administrative penalty also in the case of controllers and processors referred to in Article 83 (7) of the Regulation. [30] Pursuant to Article 83 (7) of the Regulation, each Member State may lay down rules concerning whether and to what extent administrative fines can be imposed on public authorities and public bodies established in that Member State. [31] In the present case, the complainant committed an offense under § 45 para. h) of the Personal Data Protection Act, which consisted of failing to take or implement security measures security of personal data processing (§ 13). It corresponds to this offense in the new legislation offense according to § 62 par. 1 let. a) of the Act on the processing of personal data in connection with Article 32 of the Regulation. [32] Pursuant to Section 62 (5) of the Personal Data Processing Act, in conjunction with Article 83 (7) the regulation, the defendant waives the imposition of an administrative penalty in the case of controllers and processors, which is a public authority and a public body. The SAC has reached the same conclusion in its judgment, 10 As 190/2020 - 42 continuation of 11 February 2020, Ref. 4 As 376/2019 - 31, as well as a commentary on the Personal Data Processing Act: "If a public authority or public body commits an offense, the Office shall waive the imposition of an administrative penalty. (see Vlachová, B., Maisner, M. Personal Data Processing Act. Comment. C. H. Beck, Prague, 2019, p. 131). [33] However, who means a public body within the meaning of this provision is the law on the processing of personal data or the regulation. It is clear from the nature of the matter that such The body will normally be established by law and be designated to perform tasks in the public interest (otherwise has not been described as public) and at the same time will not dispose of its own property, but will financed from public budgets (similarly cf. the above-cited judgment of the Supreme Court) Ref. 4 As 376/2019 - 31). On the contrary, it will be fundamentally undecided whether it is a public institution within the meaning of of the Act on Free Access to Information or by the contracting authority pursuant to the Procurement Act public procurement, or whether it keeps medical records. [34] Without the NSS now having the notion of a public entity within the meaning of § 62 para. 5 of the Act on the processing of personal data, it can be clearly concluded that the complainant such is not a public body. [35] The complainant is a public limited company with its own assets and management. It is possible agree that it is "mainly financed by public health insurance funds". However, such financing cannot be considered as financing from public budgets. Complainant as a hospital (joint stock company) it does not receive funding for its operation and functioning directly from public budgets, but receives them in return for specific actions and patients, which it "reports" to health insurance companies. After all, any other is financed in the same way entity providing medical care (private hospital or private doctor). So to be a complainant Provides health care that is certainly in the public interest, is a joint stock company that is not financed from public budgets. It is thus not a public body with which the defendant would have according to § 62 par. 5 of the Personal Data Processing Act to decide on the waiver of punishment. Thus, the Municipal Court did not err if it did not apply the law on personal data processing, as this is not more favorable to the complainant. IV. Conclusion and costs of the proceedings [36] The complainant's objections were unfounded, so the SAC rejected the cassation complaint. [37] The complainant was unsuccessful in this case and is therefore not entitled to compensation costs of the appeal proceedings. The defendant shall not incur any costs in excess of his normal official duties activities did not arise. Instruction: Appeals against this judgment are inadmissible. Done at Brno, 25 February 2022 Ondřej Mrákota President of the Senate