Persónuvernd (Island) - 2021122345

From GDPRhub
Revision as of 07:36, 3 April 2024 by Nzm (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo= |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Island) |Case_Number_Name=2021122345 |ECLI= |Original_Source_Name_1=Persónuvernd |Original_Source_Link_1=https://www.personuvernd.is/urlausnir/afgreidsla-samtaka-a-adgangsbeidni |Original_Source_Language_1=Icelandic |Original_Source_Language__Code_1=IS |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_S...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Persónuvernd - 2021122345
[[File:|center|250px]]
Authority: Persónuvernd (Island)
Jurisdiction: Iceland
Relevant Law: Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started: 26.03.2024
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 2021122345
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: nzm

The DPA considered that a data subject may access the minutes of a meeting where he is discussed, precisely the elements concerning them, as well as the names of the participants who attended said meeting.

English Summary

Facts

An association (“controller”) held a meeting during which the data subject’s complaint regarding bullying and violence in the workplace environment was discussed. The data subject requested access to the minutes of the meeting. The controller denied this request by email.

The data subject therefore lodged a complaint with the Icelandic DPA. The controller considered that it’s interests were much stronger than those of the data subject’s right of access. It also argued that the entries of minutes of a meeting fell under working documents and were therefore exempted under Icelandic national law.

Holding

The Icelandic DPA held that under Article 15 GDPR, the data subject has the right to access information in the meeting items where he is discussed, as well as the names of the participants who attended said meeting. The DPA explained that the interests of others must be protected, therefore the data subject cannot access the minutes of the meetings in their entirety.

Therefore, the Icelandic DPA ordered the controller to provide the data subject with the name of the attendees and the information concerning him contained in the minutes of the meeting.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Organization's processing of access requests

Case no. 2021122345

26.3.2024

Individuals have the right to receive information about whether a company or government, or another party, processes their personal data. Individuals also have the right to request a copy of the personal information processed about them. However, the rights of an individual do not apply if the urgent interests of individuals related to the information outweigh it.

In this case, the complainant was considered to have the right to access part of the data to which he requested access.

----

Personal data protection ruled in a case where a complaint was made about the processing of a request for access to personal information. More specifically, it was complained that the association had refused the complainant's request for access to the minutes of the association's board, but the complainant had requested access to the minutes with reference to the fact that matters related to him had been discussed at the meetings. The conclusion of the Personal Protection Agency was that the interests of others had to be protected, both those who spoke at the meetings in question but also those who were discussed, and the complainant was therefore not considered to have the right to access the minutes of the meeting as a whole.

The conclusion of the Personal Protection Agency was that the complainant did, however, have the right to access the information that appeared in the specified meeting points where he was discussed. It was suggested that the organization provide the complainant with the specified information from the meeting minutes of the organization's board and send the Data Protection Authority confirmation that this had been done by April 3, 2024 at the latest.

Ruling

on a complaint about the refusal of [organization X]'s request for access to data in case no. 2021122345:

i

Procedure

On 8 December 2021, Personal Protection received a complaint from [A] (hereinafter the complainant) about the refusal of [the organization X] (hereinafter [X]) to his request for access to the minutes of the board of directors [X] from the beginning of the year 2019-2020 to July 2020, with reference to the fact that issues related to him were discussed at said meetings.

Personal protection invited [X] to comment on the complaint by letter, dated August 15, 2022, and the organization's answers were received by letter, dated 7 September s.á. The complainant was then given the opportunity to submit comments to [X]'s answers by letter, dated 8 a.m., and they were received by e-mail on 1 November s.á. [X] was given the opportunity to provide comments on the complainant's answers and they were received by the organization's letter dated March 17, 2023. By letter, dated On May 4th, the complainant was informed that the matter regarding his complaint had been put on hold at the Personal Protection Agency until the proceedings regarding his case against [X] were completed at the National Court, as in the opinion of the Personal Protection Authority, the content of the dispute was the same as the complaint his belongs to be processed by the court. By e-mail on 25 July s.á. the complainant demanded that the proceedings be held at the Personal Protection Agency and also sent the agency a copy of the judgment of the National Court from [date.] s.á. [X] informed the Personal Protection Authority that the complainant had requested permission to appeal the judgment of the National Court to the Supreme Court, and the resolution of the case was therefore still pending with the Personal Protection Authority. When it became clear that the Supreme Court had refused the complaints' request for leave to appeal, the Data Protection Authority requested a copy of the minutes of the board of directors [X] from the beginning of the year 2019-2020 to July 2020 and the requested data was received by the organization's email on February 8, 2024.

When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.

The treatment of the case has been delayed due to the heavy workload at the Personal Protection Agency and the aforementioned court proceedings.

___________________

There is a dispute over [X]'s denial of the complainant's request for access to his personal information in the minutes of the association's board of meetings, from the beginning of the year 2019-2020 to July 2020. The complainant requested a copy of the minutes by email to [X] on June 12, 2020. [X] denied the complainant's request by e-mail on 13 July s.á.

The complainant refers to the fact that he was an employee of [X] and the personal information appearing in the minutes of the board of directors of [X] is related to his formal complaint regarding bullying and violence in the workplace. Refusal of his request for access to the minutes constituted a violation of his express right under paragraph 2. Article 17 Act no. 90/2018 on personal protection and processing of personal information and violation of paragraph 4. Article 7 regulation no. 1009/2015 on actions against bullying, sexual harassment, gender-based harassment and violence in the workplace. According to the regulatory provision, the employer must record everything related to the handling of a case and keep the employees concerned as well as the occupational health and safety representative of the workplace informed during the handling, among other things by giving them access to all information and data in the case, taking into account the law on personal protection and handling personal information. No restrictions on his rights according to Article 17. Act no. 90/2018 is applicable in the case.

[X]'s answers refer to the fact that the right of a registered person to access their personal information is not without limitations. Based [X] on the fact that provisions 6. and 7. no. Paragraph 4 and paragraph 5 Article 17 Act no. 90/2018, on personal protection and processing of personal information, prevented the complainant from being granted access to the minutes of the board's meetings [X]. The interests of [X] in not handing over copies of the minutes regarding the complainant's case were much stronger than the interests of the complainant in order to have them handed over. In order for [X] to be able to protect its legitimate interests and fundamental rights, the organization needs to be able to make decisions that protect the organization's affairs. The complainant was dismissed from [X] [date] 2020 and it was immediately assumed that the complainant intends to seek redress if an agreement with him on a severance agreement is not reached. [X] therefore had an obvious interest in not providing information about the minutes of the board meeting where the complainant's case was discussed, as they were part of safeguarding the interests of [X] and safeguarding the association's obligations. The interests of the association would be put in serious and irreversible danger if they were obliged to hand over the minutes of the board's meetings, which discuss the preparation or individual measures and decisions taken in preparation for a case, which could later be litigated. [X] also believe that the entries in the minutes of the board meeting that defended the complainant's case, incl. personal data, fall under work documents and that it has been permitted to exempt them from access, cf. Paragraph 5 Article 17 Act no. 90/2018.

[X] also reiterates that the association's authorization to limit the complainant's access to the minutes of the board of directors [X] protects the fundamental rights of legal entities and the only main assumption that the association can operate according to its purpose at all, cf. Paragraph 1 74 of the Constitution of the Republic of Iceland, no. 33/1944.

II.

Conclusion

1.

Lawfulness of processing and outcome

This case concerns whether [X] processed the complainant's request for access to his personal information in accordance with the provisions of Act no. 90/2018 on personal protection and processing of personal data and regulation (EU) 2016/679. [X] are considered to be the responsible party for said processing according to the law and the regulation.

One of the principles of the privacy legislation prescribes transparency in the processing of personal information, cf. Number 1. Paragraph 1 Article 8 Act no. 90/2018 and point a of paragraph 1. Article 5 of regulation (EU) 2016/679. Right of access according to Article 17 Act no. 90/2018 and Article 15 of the regulation is a factor in ensuring transparency in the processing of personal information and is a prerequisite for the data subject to be able to exercise his various rights according to the legislation. The right of access must be viewed in that light. According to paragraph 1 Article 15 of the regulation, cf. Paragraph 2 Article 17 of the Act, the registered person shall have the right to receive confirmation from the responsible party as to whether personal information is being processed about him and, if so, the right to access the personal information. According to paragraph 3 of the same articles of the regulation, the responsible party must provide the data subject with a copy of the personal information that is being processed. According to paragraph 4 of the article, the right to receive a copy, referred to in paragraph 3, shall not impair the rights and freedoms of others.

Furthermore, it is prescribed in paragraph 3. Article 17 Act no. 90/2018, cf. Paragraph 1 Article 23 Regulation (EU) 2016/679, that the provisions of Article 15 of the regulation, on the rights of the data subject, does not apply if the urgent interests of individuals related to the information, including the data subject himself, outweigh.

In the case it is clear that [X]'s decision to deny the complainant's request for access to his personal information in the minutes of the association's board of meetings, from the beginning of the year 2019-2020 to July 2020, was based on the fact that it was necessary to limit the complainant's right to protect the association's legitimate interests and fundamental rights and ensure their interests in connection with a private legal dispute with the complainant in court, cf. 6. and. Number 7. Paragraph 4 Article 17 Act no. 90/2018. [X] has also referred to the fact that it was allowed to refuse the complainant's access request since the minutes in the meeting minutes of the association's board that defended the complainant's case are working documents and thus fall under the exemption of paragraph 5. Article 17 of the law. Since the proceedings regarding the complainant's case against [X] have now been completed in court, it is the opinion of the Personal Protection Agency that the above exemption provisions can no longer apply.

During the inspection by the Personal Protection staff of the data that was excluded from the complainant's access, i.e. four meeting minutes of the board [X] for the board meetings that took place in January, February, May and June 2020, it was found that they mainly contained discussions, reflections and arguments of the board members regarding matters related to issues [X]. The inspection also revealed that the minutes refer to the complainant in one place, but do not discuss specific issues related to him. As the interests of others must be protected, both those who spoke at the said meetings and also those who were discussed, the complainant is not considered to have the right to access the minutes of the meeting in their entirety, cf. Paragraph 3 Article 17 Act no. 90/2018, paragraph 4 Article 15 and paragraph 1 Article 23 of regulation (EU) 2016/679.

On the other hand, it is the opinion of the Data Protection Authority that the data subject now has the right to access the information that appears in the meeting items where he is discussed, more specifically the information that appears in [certain meeting items at the meetings of the board in] 2020 [... ]. It is also the opinion of the Personal Protection Authority that the complainant has the right to access information about the names of the participants who attended the aforementioned board meetings [during the year].

In view of the above, the Personal Protection Agency directs [X] to provide the complainant with the above information, cf. Number 3. Article 42 Act no. 90/2018. Confirmation that it has been done must be sent to Personal Protection by April 3, 2024 at the latest.

Ruling:

[X] shall provide [A] with the following information from the minutes of [X]'s board meetings concerning him:

Names of attendees and information from [certain agenda items at meetings held in 2020].

Confirmation that it has been done must be sent to Personal Protection by April 3, 2024 at the latest.

Privacy, March 6, 2024

Valborg Steingrímsdóttir Edda Úríður Hauksdóttir