IP (Slovenia) - 07100-17-2023-7

From GDPRhub
Revision as of 16:40, 19 December 2023 by Ar (talk | contribs)
IP - 07100-17-2023-7
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law:
Article 12 ZVOP-2
Article 14 ZVOP-2
Article 15 ZVOP-2
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 25.10.2023
Published: 18.12.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 07100-17-2023-7
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Informacijski pooblaščenec (in SL)
Initial Contributor: ar

The Slovenian DPA decided that while the controller did not comply with the access request when the complaint was filed, it later remedied the violation by providing the complainant information regarding his application process for a public tender.

English Summary

Facts

On 14 July 2023, the Slovenian DPA received a complaint from a data subject alleging a violation of his right to access by the controller. The complainant declared that the controller had refused to grant him access to his data relating to the application process for a public tender. The controller had explained that it could not comply on the basis of professional secrecy.

The DPA noted that the controller had not yet provided the applicant with all the personal data requested. Nonetheless, given that during the proceedings an individual has the right to be informed of the controller's response, the DPA asked the controller whether it could provide the complainant the full response to the complaint, which would implicitly make the controller comply with the initial request. On 25 August 2023, the controller provided an affirmative reply.

Thus, on 20 September 2023, the DPA invited the complainant to inform it within ten days whether he wanted to withdraw the complaint or maintain it since he received the requested personal data. The complainant did not respond to the DPA’s query.

Holding

From the access request made by the complainant on 1 May 2023 and subsequent correspondence with the data controller, the DPA noted that the complainant requested from the controller several data: information about the score obtained and the assessment process, information on what his ranking was, and the number of points compared to the highest number of points in the written test.

On the basis of the information, the DPA concluded that the controller did not comply with the complainant's access request at the time of the submission of the request, on 14 July 2023, thus breaching Article 15 of the National Data Protection Act 2022 (ZVOP-2) in conjunction with Articles 12 and 14 ZVOP-2. However, the DPA acknowledged that the controller had subsequently fulfilled its obligations under Articles 12, 14 and 15 ZVOP-2 since it had given the complainant access to all the personal data requested: it had communicated the total number of points and the ranking to the complainant, with further explanations.

As the complainant did not respond to the request for declaration within the deadline and the controller did not send any comments, the DPA considered that the controller, following the DPA's inquiry, had remedied its breach of the right of access.

Comment

It must be noted that the GDPR does envisage the possibility of remedying a breach of the right to access. However, pursuant to the GDPR, such a remedy does not preclude a controller from being held accountable and liable. This interpretation is, however, seemingly present in the Slovenian National Data Protection Act, transposing the GDPR - making the compatibility of the national law with the GDPR dubious.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.