IP (Slovenia) - SI – 07101-5-2023-16
| IP - SI – 07101-5-2023-16 | |
|---|---|
| Authority: | IP (Slovenia) |
| Jurisdiction: | Slovenia |
| Relevant Law: | Article 15(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 24.02.2023 |
| Decided: | 13.11.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | SI – 07101-5-2023-16 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Slovenian |
| Original Source: | IP (in SL) |
| Initial Contributor: | n/a |
The Slovenian DPA held that a data subject was entitled to be informed of the purposes of a controller's processing log under Article 15(1)(a) GDPR. However, the DPA noted that whether the data subject is entitled to the entire processing log under an access request must be decided on a case-by-case basis, depending on the contents of the log and the applicable limitations (including derogations).
English Summary
Facts
On 17 January 2023, the data subject made an access request to Slovenia’s General Police Directorate (the controller) and requested a copy of the record of processing activities and the controller's processing log, under Article 15 GDPR.
Because the controller is the Slovenian Police, the processing log covers databases of criminal offences committed by data subjects, photographs, fingerprints and DNA tests, but it also records processing operations that are not related to criminal law.
On 2 February 2023, the controller responded providing the data subject with their criminal record, offence record, photographic records, fingerprint data and DNA examination record. However, the controller refused to provide information relating to the record of processing activities and also refused to provide information concerning their processing logs.
On 24 February 2023, the data subject lodged a complaint with the Slovenian DPA concerning the controller’s refusal to provide information for their processing logs and record of processing activities. The complaint was limited to the controller's refusal to provide information regarding the purposes and the date/time of processing from the logs, and not the names of internal users.
Holding
The Slovenian DPA held that the controller was in violation of Article 15(1)(a) GDPR, as the purposes of processing of the logs fell within the scope of Article 15(1)(a) GDPR.
The Slovenian DPA considered that the information regarding the time of processing was necessary to understand the information about the purpose of the processing and to achieve the objectives of the right of access. They noted that the right to be informed about the processing of personal data does not explicitly include information about the duration of the processing, but nonetheless, it should be considered an essential part of the information about the processing of personal data.
In addition, the DPA following the EDPB’s Guidelines (2023, para 114), interpreted Article 15(1)(a) GDPR as not only imposing an obligation to provide information on the general purpose of processing of all personal data or of individual groups of data or data sets, but also specific information on a processing-by-processing basis for individual data.
Following from this interpretation of Article 15(1)(a) GDPR, the DPA held that generally the data and information contained in the processing logs are not automatically excluded from the scope of Article 15 GDPR. However, the granting of access to information contained in a controller's processing logs must be assessed on a case-by-case basis, taking into account any applicable exceptions and exclusions on the basis of compelling legitimate grounds (including, inter alia, those relating to the prevention and investigation of criminal offences).
In this case, the DPA held that there were no compelling legitimate interests overriding the data subject's right of access. As such, the data subject was entitled to be informed of the purposes and the date/time of processing from the logs. As a result, the DPA found a partial infringement of Article 15(1) GDPR. Consequently, the DPA ordered the controller to disclose the requested information.
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
Number: 07101-5/2023/16
Date: 3.11.2023

The Information Commissioner, acting through the Supervisory Person (hereinafter referred to as the "SP"), pursuant to Article 77 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "General Data Protection Regulation") and Articles 30 to 34 of Regulation (EU) 2016/679 (hereinafter referred to as the "GDPR"). 163/22, hereinafter referred to as ZVOP-2), on the application of the applicant: ....., dated 21.2.2023, against the decision of the controller: MNZ, Policija, Štefanova ul. 2, 1501 Ljubljana, No. ....., dated 20.2.2023, in the matter of acquaintance with his own personal data, hereby issues the following decision in the matter of acquaintance with his own personal data

DECISION:

1. It is hereby established that the controller MNZ, Policija, Štefanova ul. 2, 1501 Ljubljana, with regard to the request of 17.1.2023 from the applicant ....., has infringed Article 15(1) of the General Regulation and Article 24(2) of the General Data Protection Regulation, Article 15(1) of the General Data Protection Regulation and Article 24(2) of the General Data Protection Regulation. Article 5 of the GDPR, namely with regard to the information on the purposes and times (date and time) of the processing contained in the processing log (for the period from 5.5.2019 until the issuance of the decision), which the controller decided on in point 10 of the decision No ....., dated 20.2.2023;

2. The Operator is ordered to re-determine the applicant's request within 20 days at the latest, in accordance with Articles 18 to 25 of the GDPR, Articles 12 and 15 of the General Regulation and Articles 14 and 15 of the GDPR-2, by: making a full factual determination, i.e. a preliminary determination of the specific purposes, and assessing whether the individual processing (lines) and the data and information on the purposes give grounds for restricting the right to information under the GDPR, the PDPA and other laws; and providing the notifier, in the light of the findings referred to in the previous indent, in so far as no grounds for restricting the right to information under the GDPR, the PDPA and other laws are provided, with an extract of the traceability log containing information on the dates of the processing (first column), the times of the processing (second column), the data (last column) and, in addition, information on the specific purposes of the individual processing, for all 366 rows, in accordance with the findings referred to in the previous indent;

3. It is concluded that, as regards the remaining part of the applicant's request and notification, the controller has not infringed Article 15 of the General Regulation and Article 24(2) of the GDPR;

4. The applicant is granted access to the administrative file No 07101-5/2023 with the IP, in respect of all documents except the processing log. However, following a final decision of the controller in a review procedure, the scope of the authorised inspection of the administrative file depends on the content of the decision.

No specific costs were incurred by the IP. The applicant and the controller shall bear their own costs of the procedure.

Reasoning:

Relevant allegations - factual situation

On 17.1.2023, the applicant, referring to the General Regulation, submitted a request for personal data to the controller, requesting a copy of the personal data and information on the processing of personal data under points (a) to (d) and (g) and (h) of the first paragraph of Article 15(1)(a) of Regulation (EC) No 1/2003. He explained that he would like to receive a copy of all personal data collected about him since 2015; he would also like to receive a copy of the accesses to his personal data, the purpose of the accesses, the dates of the accesses and the identification of the persons who carried out the accesses.

On 20.2.2023, following the applicant's request, the controller issued Decision No ....., by which, on the basis of the General Regulation and the GDPR, it provided the applicant with all the information requested (points 1 to 9 and 11 of the operative part of the judgment) and provided him with a printout of the data in the criminal record, the offence record, the photographic record, the dactyloscopic record and the DNA examination record. Only in paragraph 10 of the operative part of the decision did the controller refuse the applicant's request for access to data on the internal processing of personal data (internal traceability data or data from the processing log). With regard to the refusal, the controller explained that the data requested are kept for the purpose of demonstrating the lawfulness of the processing and for the purposes of internal control, for the purpose of carrying out controls by the IP and other bodies, for the purpose of ensuring the integrity and security of the personal data, for the purpose of rectifying malfunctions of the IT system, and for the purpose of pre-trial and criminal proceedings (third paragraph of recital 22 of Article 22(1)(b) of the ECHR Decision of 12 December 2004 on the protection of personal data in criminal proceedings). The individual is not entitled to this data, as is clear from IP Opinions No 0712-1/2014/2773, No 0712-1/2014/3051 and No 0710-92/2018/4, etc. If the individual suspects unlawful processing of personal data, he/she may report the suspected breach to the IP or in the internal security procedure.

On 24.2.2023, the whistleblower lodged a complaint with the IP against the rejection part of the decision. In the application, the notifier stated that it only insisted on the purpose and date of the processing in the processing log, but not on the personal names of internal users, for the period from 1 January 2021 onwards. The IP forwarded the notification to the controller for comments and requested clarification on the maintenance of the processing log. On 13.4.2023, the IP received a reply from the controller with detailed explanations on the maintenance of the processing log. On 15.5.2023, the IP sent the controller's explanations to the applicant for clarification and asked him to specify the claim. The applicant replied to the request on 17.5.2023 with a more specific and narrowed claim. On 22.5.2023, the CP requested the Controller to provide it with a complete extract of the traceability log for the period from 1.1.2021 to 20.2.2023 for the collections referred to in point 1 of the operative part of the Controller's decision. The requested extract was received by the HR on 1 June 2023. In accordance with Article 32(2) of the GDPR-2, on 10.10.2023 the IP forwarded the record of its findings to the notifier and the controller and invited them to comment on its preliminary findings. In its response, the notifier stated that it wished to continue the procedure. The operator explained that it had no objections and that it accepted the limitation of the inspection of the administrative file due to the possible restrictions under Article 25 of the ZVOPQD and Article 127 of the ZNPPol.

The competence of the IP and the object and limits of the supervisory procedure

Article 30(1) of the GDPR-2 provides that an individual who considers that the processing of his or her personal data by a controller infringes the provisions of the General Regulation, the GDPR-2 or other laws governing the protection of personal data (a whistleblower with a special situation) may lodge a request with the supervisory authority requesting supervision of the lawfulness of the processing of his or her personal data (a notification), and may also propose the necessary action to be taken in the event of the breaches identified, in order to achieve the restoration of the lawful state of affairs. A possible breach of the GDPR is also a breach of the right of access to one's personal data as defined in Article 15(1) of the GDPR. The IP, as supervisory authority, issues a decision after the supervision procedure in accordance with Article 34(1) of the GDPR-2. The appeal procedure is provided for in the GDPR for personal data falling under Article 1(1) of the GDPR. This provides that the ZVOPOKD "regulates the protection of the processing of personal data processed for the purposes of the exercise of these competences by the police, public prosecutors' offices, the Probation Administration of the Republic of Slovenia, the Penal Sanctions Enforcement Administration of the Republic of Slovenia and other state bodies of the Republic of Slovenia which are legally designated as competent in the fields of prevention, investigation, detection or prosecution of criminal offences or the enforcement of criminal sanctions". Article 27(1) of the GDPR provides that the supervisory authority, as the second instance authority, shall decide on an appeal by the data subject against a decision of a competent authority.

In the present supervisory procedure, the IP determined whether and to what extent, i.e. with regard to which individual records, the conditions for consultation of the extract of the traceability log submitted by the controller on 1 June 2023 were fulfilled. As regards the remainder of the request, the controller has not infringed the right to be informed of personal data, since it has provided the applicant with all the information requested concerning the processing of the applicant's personal data. Moreover, the application does not relate to the remainder of the request or to points 1 to 9 and 11 and 12 of the controller's operative part of the decision. The IP also did not assess the entitlement to the personal names and SSNs of internal users in the context of the application against point 10 of the operative part of the decision, as the applicant had narrowed the request (i.e. his application no longer relates to internal users, but only to the purpose and dates of the processing), since under Article 15 of the GDPR and Article 24 of the GDPR, as well as the IP's previous practice, an individual is not in principle entitled to be informed of the identity of internal users, except in exceptional circumstances in accordance with the conditions set out in CJEU Judgment No C 579/21 ECJ.

In the decision, the controller refers to the General Regulation and the GDPR as the substantive legal basis for the decision. The extraction of the traceability log would concern databases relating to criminal offences, misdemeanours, photographed persons, dactyloscopic persons and DNA tests, where the controller explains that the extraction does not only relate to processing relating to criminal offences but also to processing which does not fall within the scope of the GDPR. Therefore, the IP also decided on the whistleblower's notification on both legal bases and in a single "supervisory procedure based on a notification of a whistleblower with a special situation" under Articles 30 to 34 of the GDPR-2. This supervisory procedure consumes or also includes the appeal procedure under Article 27 of the ZVOPOKD: because the supervisory procedure gives even more procedural rights to the participants in the proceedings, because the provisions of the ZUP are also applicable in this supervisory procedure, because the uniform treatment is in line with the principle of economy and the principle of protection of the rights of the parties, without undermining the right to appeal, because, last but not least, the ZVOPOKD also provides for a supervisory procedure based on the notification of a whistle-blower with a special status in Article 33.

The processing log extract in question for the period from 5.5.2019 has 366 lines with the following headings: date and time, terminal address/ip, application/node, group, user ID, user's surname, user's first name, 1 function, 1 area, 1 case/document, 2 functions, 2 areas, 2 case/documents, cr of person, person's surname, person's first name, user's parameters, data.

3. Findings in the control process

1. Pursuant to Article 15(1)(a) of the GDPR, the controller is obliged to provide the data subject with information on the purposes for which his/her personal data are processed. This does not only mean generalised information on the general purpose of the processing of all personal data or of individual groups of data or data sets, but also specific information on a processing-by-processing basis for individual data (for information purposes only, e.g. 'for the resolution of case No (...)', 'for the provision of data to the user (...)', 'for the rectification of data due to an error', 'for use in an internal complaint procedure', 'for the implementation of internal controls', 'for the verification of the alleged facts/compliance with the terms and conditions'). It does not matter where and in how many places and in what form this information is held by the controller, nor does it matter whether it is to be accessed on the basis of an internal 'analysis' and 'synthesis' of existing data, i.e. some broader enquiry. The General Regulation requires the controller to provide purpose information, but does not deal with how the controller should provide it and how much effort it should make to do so. In order to demonstrate the lawfulness of the processing of personal data, the controller must itself know the purposes for which it has processed the individual data in the specific individual processing and provide this information to the data subject. This means that he or she must find this information for himself or herself or create it by means of objectively feasible enquiries on the basis of available sources of information, provided that the processing log is such that it does not itself disclose the specific purposes.

The IP notes that the extract in question does not contain the specific purposes for which personal data are processed, but that the purposes of use can be partially and indirectly inferred, in particular from the headings 'data', 'case/document' and 'field', but not without a proper interpretation by the controller. It is clear from the controller's explanations that information on the specific purposes should be obtained orally from the employees on the basis of the selected processing operations. This means that the requested information on specific purposes does not yet exist in a documented form or that the condition of a materialised form is not yet met. However, this does not mean that the purposes are not known, do not exist or cannot be obtained; only in this case could the controller refuse to provide information on the specific purposes. In order to comply with the request of the data subject, the controller is obliged to generate information on the specific purposes of the processing by means of internal enquiries, as these do not necessarily have to be set out in the processing log. It is possible to identify the specific purposes (which may be stated or derived from other documents).

2. Paragraph 114 of the European Data Protection Board Guidelines (2023) implies that information on purposes must be specific. It is not sufficient to list general purposes without clearly explaining which purposes are relevant in a specific case. If processing is carried out for several purposes, the controller must clearly explain which data are processed for which purpose. It follows from recital 83 of the judgment of the Court of Justice of the EU in Case C 579/21 (2023) that information relating to acts of access to the personal data of a data subject, concerning the dates and purposes of those acts, constitutes information which that data subject has a right to obtain from the controller pursuant to the first paragraph of Article 15(1)(b) of Directive 95/46/EC. The CJEU also stated in the aforementioned judgment that, in relation to the controller's log files, the provision of a copy of the information contained in those files may prove necessary in order to comply with the obligation to provide the data subject with access to all the information referred to in Article 15(1) of the General Regulation. The Court also stated that the processing logs disclose the existence of processing, which is information to which the data subject must have access under Article 15 of the General Regulation; moreover, they show the frequency and intensity of the acts of consultation, which thus enable the data subject to ascertain whether the processing carried out is in fact justified by the purposes stated by the controller.

The IP takes the view that the processing time is necessary to understand the information on the purpose of the processing and to achieve the purposes of the right to information. The right to information on the processing of personal data does not explicitly include information on the time of processing, but it should be considered as an essential element of information on the processing of personal data, depending on the circumstances of the individual case and if the applicant requests this information. The ED notes that the identification (specification) of the processing of personal data according to the time of processing is inextricably linked to the provision of other information on the processing of personal data to which the individual would be entitled in a specific case. It follows from recital 63 of the General Regulation that if the individual could not obtain information on the date of processing, he would not be able to exercise his right to information on processing for the purpose of knowing about the processing and verifying its lawfulness; every individual should have the right to be informed of the purposes of the processing of personal data, preferably the period for which the personal data are processed.

The other fields of the specific processing log do not fall under any of the information referred to in points (a) to (h) of Article 15(1) of the GDPR or Article 24(2) of the GDPR and are not the applicant's personal data. It is data about data (data relating to the applicant's otherwise personal data) and not data directly relating to the applicant as a person. Therefore, the notifier is not entitled to these parts of the processing log and the controller has not been in breach with regard to them. An exception may be made for headings (for example, 'case/document' and 'field') which, by virtue of their content, may supplement the information on the purposes of the processing, but these headings or information will have to be identified by the controller itself as possibly forming part of the information on purposes and, consequently, disclosed to the notifier.

5. The ED agrees with the controller's view that the individual is not, as a general rule, entitled to the entire processing log (depending on its specific content, as there is a significant difference between controllers in this respect) and that the purpose of keeping a processing log is mainly to allow internal and external control of the lawfulness of the processing and to correct errors in the information system, and that the individual cannot exercise such control over the lawfulness of the processing of personal data. This position is indeed in line with the IP Opinions listed by the controller (Nos 0712-1/2014/2773, 0712-1/2014/3051 and 0710-92/2018/4), but these opinions do not explicitly provide that the data subject is not entitled to information on the purposes and the dates or times of the processing that may be contained in the processing log, but refer to the processing log in general and focus on the non-disclosure of the identity of the employees. In addition, in the specific case, more recent case law, in particular based on the above-mentioned CJEU judgment, should be taken into account. The above position does not imply that all the data contained in the processing logs, nor the information contained therein, will be available to the individual in every case and at all times. It only means that the data and information contained in the processing logs are not automatically excluded from the scope of Article 15 of the GDPR, but are nevertheless subject to the assessment of exceptions and exclusions on the basis of compelling legitimate grounds (including, inter alia, on the grounds of the prevention and investigation of criminal offences and any other legitimate grounds).

6. The same reasoning as set out in the preceding paragraphs, with reference to Article 15 of the GDPR, applies to information on the time of processing and the purposes of processing under Article 24 of the GDPR, since the substantive legal regulation of this right is the same as under the GDPR. Under Article 24(2) of the GDPR, in addition to the right to a copy of the data themselves (their content), the data subject has the right to obtain specific information on the purposes of the processing and their legal basis.

7. The IP did not necessarily need the specific information on the purposes of the individual processing contained in the processing log in question in order to take a decision on the notification: because the IP cannot even formulate them concretely in the final decision on behalf of the controller; this can only be done by the controller itself, as the specific wording of the purposes is not specified in the GDPR or in the GDPRCPR (both provisions only refer to 'purposes'); it is a 'free' or 'open' category of information; because the IP is also not allowed to mention them in the final decision, in order to be able to invoke the legal protection of the controller; because in the present case, it is not a question of fact as to whether the purposes already communicated are genuine, existent and relevant in substance, but a question of law as to whether the notifier is entitled to them; because the controller must in any event obtain the specific purposes of the individual processing, unless he finds that he does not have them (even in this case, he must inform the notifier that he has no information about the purposes or that they are unknown to him). Therefore, the IP did not ask the controller to communicate to it the specific purposes of the processing, but, by the final decision, ordered the controller to search for, identify and formulate (formulate or word) the purposes of the processing and to communicate this information to the notifier. The notifier has the possibility to lodge a separate complaint against this decision of the controller.

4. Conclusion

In the light of the foregoing considerations, the decision of the Hearing Officer is as set out in paragraphs 1, 2 and 3 of the operative part of this Decision, namely: the IP found a partial infringement of Article 15 of the General Regulation and Article 24 of the GDPR as a result of the partial refusal of the request for information and, in this respect, ordered the controller to provide the notifier, after a prior ascertainment procedure, with the information from the processing log to which it is entitled; the IP found that, as regards the remainder of the request and the notification, the controller had not infringed the data protection rules with regard to the right to know one's own personal data.

Article 34(3)(1) of the GDPR-2 provides that the decision in the supervision procedure under the provisions of this Section shall, in addition to the elements laid down by the law governing the general administrative procedure, also contain the permissible scope of the examination of the file of the case for a whistleblower with a special situation. This is to be decided irrespective of the individual's request and in the event that the individual may request the IP to inspect the supervisory or administrative file on the basis of Article 82 of the C.P.A. In this respect, the IP decided in point 4 of the operative part of the present decision to allow the applicant to inspect the file of the supervisory case No 07101-5/2023, as there are no specific obstacles to the inspection, with the exception of the processing log in question, which will be accessible to the applicant in the light of the controller's final decision.

Pursuant to Article 118(1) of the CPA, the Authority shall decide on the costs of the proceedings in its decision. The Authority has not incurred any specific costs in the present supervisory procedure; the notifier and the controller shall bear their own costs (point 5 of the operative part of the decision). This decision is exempt from the payment of administrative charges in accordance with the provisions of the Administrative Charges Act (ACA).

Lessons on the remedy: This decision may not be appealed but may be the subject of an administrative dispute. An administrative dispute may be brought by lodging an action with the Administrative Court, Fajfarjeva 33, 1000 Ljubljana. The action must be brought within thirty days of notification of this Decision, either in writing directly before the said court or by registered post or orally on record. If the application is sent by registered post, it shall be deemed to have been received in time if it is deposited at the post office on the last day of the period for lodging the application. In addition to the original, a copy or a copy of this Decision, the application shall be accompanied by a copy or copies of the application and the annexes for the defendant and, if anyone is affected by the Decision, for him. The application shall be accompanied by a court fee.

Dr. Urban Brulc, Univ. Dipl, State Data Protection Supervisor