AKI (Estonia) - 2.1-3/22/2542

From GDPRhub
AKI - 2.1-3/22/2542
LogoEE.png
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law:
§ 45 (1)(3) AvTS
§ 51 (1)(3)
§ 51 (1)(7)
§ 75ˇ1(4) VVS
§ 85(2) HMS
Type: Other
Outcome: n/a
Started: 25.10.2022
Decided: 08.12.2023
Published: 06.02.2023
Fine: n/a
Parties: Eesti Ehitusinseneride Liit MTÜ
OÜ Advokaadibüroo Tehver & Partnerid
National Case Number/Name: 2.1-3/22/2542
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Estonian
Original Source: Estonian Data Protection Inspectorate (in ET)
Initial Contributor: Norman Aasma

The Estonian DPA held that, when responding requests for access to information, professional entities must carry out a thorough balancing exercise to assess whether the personal data they hold are of public interest or are covered by the inviolability of private life, justifying any restriction to the access to information.

English Summary

Facts

An attorney-at-law submitted a request for access to information to the Estonian Association of Civil Engineers, the data controller. The association refused to provide information about applicants for qualification as engineers based on the access restriction provided for by 12(1)(35) AvTS.

The attorney filed a complaint with the Estonian claiming that this restriction applies only to data that could significantly damage the integrity of the data subject's private life and not to those related to their professional activities. The DPA issued a decision ordering the disclosure of the requested data to the extent that it does not contain restricted information and the justification of any refusal. Subsequently, the data controller provided some information to the attorney, but the attorney submitted an objection arguing that the decision was not fully complied with because data such where and how long the applicants attended school, what additional training they completed and the assessments of their level of knowledge and abilities had not been included without any justification.

On one hand, the complainant argued that the refusal to provide the information was only possible when its disclosure would lead to a significant harm to the data subject’s private sphere.  They claimed that the Estonian Association of Civil Engineers was violating their right to access public information.

On the other hand, the Estonian Association of Civil Engineers, sustained that these data concern the applicants’ private life and that the disclosure would substantially interfere on their right. It referred to the case law of the European Court of Human Rights, which highlighted that data relating to professional/commercial activities can also fall under the notion of private life information. It also alleged that there was no legal basis for making these data available for an unlimited number of persons.

Holding

While recognizing that, in general, information provided to professional organizations should be regarded as public, the DPA emphasized that this is not true to all kinds of data. It recalled that the Estonian Constitution guarantees the inviolability of private life and grants protection to personal data, including those related to a person's education and skills.

According to the DPA, there must be a balancing exercise between the right to privacy and the right to access public information. It held that the disclosure of information by Estonian Association of Civil Engineers was appropriate to the extent that it did not contain protected data. However, the DPA ordered the controller to reassess the request and to provide all the relevant information concerning works, studies and projects carried out by the applicants, except for those relating to third parties. In case the controller refuses to disclose the aforementioned data, it must explain how the disclosure would affect the inviolability of the individuals’ private life.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.

PRIVACY PROTECTION AGAINST STATE TRANSPARENCY







                                      DECISION ON APPEAL
                                             and
                               PRESCRIPTION WARNING
                           in public information case no. 2.1-3/22/2542




 ElveAdamson, lawyer of the Data Protection Inspectorate for the appeal decision and injunction
 maker

 Appeal decision and injunction
 time and place of execution 08.12.2022 in Tallinn

 Time of submission of objection 25.10.2022 (registered in the inspection on 26.10.2022)

 The owner of the information is the Estonian Construction Engineers Union, NGO
                                 address: A.H. Tammsaare tee 47, 11316 Tallinn

                                 e-mail address: info@ehitusinsener.ee

 Member of the management board of the person in charge of the whistleblower


                                 OÜVokaadibüro Tehver & Partners
 Complainant (information requester) Attorney-at-law Jaanus Tehver

                                 e-mail address: jaanus@tehver.ee


RESOLUTION:
§ 45 (1) point 1 of the Public Information Act (AvTS), § 51 (1) points 3 and 7, administrative procedure
                                                               1
(HMS) § 85 point 2 and § 75 subsection 4 of the Government of the Republic Act.
on the basis of

1) I make an appeal decision to partially satisfy the appeal;
2) I make a mandatory prescription for the holder of the information to comply with:
       Re-examine the applicant for the invitation requested by the objector in the request for information
the part of the application/request, where the most important works/projects/expertise are reflected and

issue the aforementioned part of the document to the extent that it does not include third parties
data. In the opinion of the inspectorate, the disclosure of such information does not harm those who requested the invitation
the inviolability of a person's private life, as it is not related to private life, but to professional activities. In addition, there is
corresponding data also in the building register. However, if the Union of Civil Engineers finds that their
the disclosure of data significantly infringes on the integrity of a person's private life, then justify why
the important catch is.

3) to reject the objection in the full scope of the remaining documents requested in the request for information
in terms of issuance, as the Union of Civil Engineers has duly complied with the injunction and
issued documents in the part that does not contain restricted information
4) I set December 22, 2022 as the deadline for fulfilling the injunction

Pursuant to AvTS § 52, the holder of the information must within five working days of receiving the injunction

Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee
Registration code 70004235 to take measures to comply with the order and report it to Data Protection
For inspection.


DISPUTE REFERENCE:
The complainant can only appeal to the administrative court against the information holder within 30 days
in the unsatisfied part of the appeal decision (point 3 above). The complainant will receive within 30 days
apply to the administrative court against the Data Protection Inspectorate, as the Data Protection Inspectorate
violated the complainant's rights in another way during the proceedings.


The whistleblower can challenge the injunction (point 2 above) within 30 days by submitting
either:
- a complaint under the Administrative Procedure Act to the Director General of the Data Protection Inspectorate or
-appeal to the administrative court in accordance with the Code of Administrative Court Procedures (in the case of the case in question
to review the dispute in the matter).

Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment
implementation.


WARNING:
If the information holder fails to comply with the Data Protection Inspectorate's order, the Data Protection may
The inspection should contact the information holder's superior institution, person or entire party

to organize supervision or initiate disciplinary proceedings against the official. (AvTS §
10 subsections 1 and 4, § 53 subsection 1).

EXTORTION ALERT:
If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine
to the addressee of the injunction on the basis of § 51 (3) of the Public Information Act:
                                   Extortion money 2000 euros.


A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay
extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added
bailiff's fee and other enforcement costs for the enforcement money.


FACTUAL DISTRIBUTIONS:

    1. On 20.07.2022, Jaanus Tehver submitted a complaint to the Data Protection Inspectorate against the Civil Engineers
       Objection by the Union to the refusal to comply with his 01.06.2022 request for information.

    2. On 12.09.2022, the Data Protection Inspectorate issued an injunction-warning of the appeal decision, in which
       obliged the information holder to re-examine the claimant's request for information and issue the information
       to the extent restrictions do not apply. The inspection ordered compliance with the injunction
       by the deadline of 26.09.2022.

    3. 26.09.2022. as a fulfillment of the prescription, the Union of Construction Engineers issued the desired
       documents to the extent that no restriction was established on the basis of § 35 (1) p. 12 of the Act
    4. On 25.10.2022, Jaanus Tehver submitted an objection to the improper execution of the injunction,

       finding that the documents requested by him cannot contain information that would have
       justified to establish an access restriction on the basis of § 35 subsection 1 paragraph 12 of the AvTS.


CLAIMS AND GROUNDS OF THE COMPLAINT:

01.06.2022 I submitted an information request to the Estonian Association of Civil Engineers (EEL) (Appendix 1).



2 (9) EEL responded to the request for information on 27.06.2022. by letter (appendix 2). The answer showed that EEL refused
on the issuance of the meaningful part of the requested information with a reference on the basis of § 35 subsection 1 paragraph 12 of the AvTS
to the established access restriction.

I filed a complaint with the Data Protection Inspectorate (AKI) against the refusal to comply with the request for information.


AKI made 12.09.2022. appeal decision and injunction-warning to the EEL (public information matter no. 2.1-
3/22/1766). The content of AKI's decision (Appendix 3) was as follows: 1) I satisfy the objection 2) I make the information holder
to comply with the mandatory injunction: a) re-examine the claimant's 01.06.2022 information request
b) issue the requested information to the objector to the extent that it does not contain restricted information. Information
in case of non-issue, the refusal must be justified (AvTS § 23 paragraph 3). 3) I set a prescription
by the deadline of 26.09.2022


26.09.2022 EEL sent a letter to the objector with attached material (Appendix 4).

I find that EEL's 26.09.2022 the action qualifies as a refusal to comply with a request for information or
at least for improper fulfillment of the request for information.

I hereby submit an objection to the action of the EEL in accordance with § 46 (1) of the AvTS.


Anyone who observes EEL on 26.09.2022. copies of the documents attached to the letter, you can make sure
in that EEL has not issued (covered up or removed) practically all the information
of the relevant documents. Responding to a request for information in this way - I dare you
to call mockery -- in my opinion, clearly shows disrespect on the part of EEL
the attitude towards the complainant as well as the fact that he is being asked for the information in question.


I consider that the refusal to comply with the request for information is unlawful. To the requested information
imposing an access restriction is also illegal. I will justify my position
next. The EEL has justified the failure to issue the requested information on the basis of § 35 (1) p. 12 of the AvTS
with an established access restriction. Data can be accessed according to the referenced standard
limit if allowing access to the information would significantly harm the privacy of the data subject
immunity.


 I claim that the data to which EEL in its 26.09.2022.a. according to the letter of access restriction
established - i.e. data on where and how long the applicant attended school, which ones
through advanced training, which job applicant's character traits, health status, evaluations
to the level of his knowledge and abilities - cannot, in principle, be accessible
enabling would significantly harm the data subject's privacy (as the only exception, I can here
admit that the health status data belongs to the relevant category and if
only such data would have been removed from the documents, then I will not the actions of the information holder

would dispute). The whistleblower has not bothered to provide any justification as to how it could
in this case, the release of data removed from the documents will significantly harm
privacy of the data subject. At the same time, it is noteworthy that the documents have
access restriction established only on 09.08.2022. i.e. after EEL for the first time
refused to comply with my request for information (EEL established an access restriction AKI dispute procedure
during - therefore included EEL on 27.06.2022. a letter with false information about imposing an access restriction
about). Therefore, the establishment of the access restriction shows the EEL's desire not so much to protect

the inviolability of the data subject's private life (in which case access restrictions would have to be established
when receiving the data) but simply not to issue the information in question to me. Such behavior
qualifies as classic arbitrariness in public duty.

EEL's activity in concealing data under the label of protecting the privacy of the data subject is special
cynical given the fact that a specific data subject - a Private Person - has deemed it possible

publish the data of their educational progress to the public aimed at offering their services

3 (9) on the website

I would like to emphasize that personality characterizes one's own education, knowledge and experiences
provided the data to the professional organization for the purpose of obtaining an invitation and the person in his public
in the activity relies on the invitation attributed to him based on the same data, then it is not possible
reasonably claim that the disclosure of the data that was the basis for receiving the invitation as a response

to the request for information would significantly damage the integrity of the person's private life.
Separately, I consider it necessary to emphasize that the mere invasion of privacy (which can be
in the case of data publication, concede) does not justify imposing a data access restriction
or refusal to issue data. Failure to issue data could be legitimate
only in the event that the release would lead to a significant loss of privacy of the data subject
damage. I believe that issuing the requested data in this case will lead to such a consequence
basically cannot be brought.


Refusal to comply with information requests violates my right to receive public information from EEL. Please
AKI should satisfy this complaint and issue a mandatory order to EEL to issue me an EEL-
i 26.09.2022 documents attached to the letter in full (without removing the information contained therein
or undisguised).


 Also, I ask AKI to apply 12.09.2022 to EEL. prescribed in the injunction-warning
measures due to failure to comply with the injunction.

INFORMATION HOLDER REASONS:

Referring to your inquiry of 11.11.2022, we will answer your questions and submit them
in order:


1. Requests
We explain by category of personal data why the relevant data pertains to the Private Person
is restricted information based on AvTS § 35 (1) p. 12:
According to the information holder's explanations, 2018 and 2019 are the year of wishes of the Private Person
his jobs vary. In addition, job applicants can be in several at the same time
in employment relations. What choice does the job applicant make when entering job data

to receive an invitation to the request, can be considered as private information, as it shows the latter
the conviction of which workplace information is the most important to add in the job applicant's opinion
more relevant when submitting the relevant request.

1.2. The most important works, projects, expertises

 – to the extent that more important works, projects, expertises directly show the work experience of the applicant for the invitation,

then the level of a person's knowledge and abilities can also be deduced from this list, the disclosure of which
in its personalized form, the invitation violates the privacy of the applicant. Please note that privacy includes
The EIK also considered activities of a professional and commercial nature (EIKo 13710/88, Niemietz vs.
Germany, 16.12.1992),

In addition, according to the General Regulation on the Protection of Personal Data EU 2016/679, personal data is any kind
information about an identified or identifiable natural person ("data subject"). In this case, it works

relevant information about the person's experiences, thus also knowledge. This is personal data,
allowing access to which may significantly damage the privacy of the data subject,
e.g. allow conclusions to be drawn based on the professional applicant's (data subject's) knowledge of specific fields or
regarding their absence.

As stated in the previous answer to the Data Protection Inspectorate, the invitation applicant

to assess competence, an assessment committee has been formed by the professional committee (KutS §

4 (9)19 paragraph 1), who assesses the competence of the applicant based on the data provided by the applicant. Given
the disclosure of data to an unlimited circle of persons is not lawful, because there is no way to do so
purpose as well as legal basis.

2. Information disclosed by the person


 In order for EEL to obtain restrictions on the requested documents from the data that has already become public
to remove and issue them to the information requester, must be checked by the Data Protection Inspectorate
the content of the information on the websites referred to by the applicant and then compare them
with what was provided in the request (to avoid a situation where information is issued that was not previously available
made public). In connection with this, we ask the Data Protection Inspectorate to clarify and
specify on which legal basis EEL processes personal data in such a case? In addition, as
EEL may come into contact with the invitation applicant's data, which EEL previously had about the invitation applicant

was not, then EEL is of the opinion that the invitation to the applicant comes from the corresponding processing of personal data
to inform (Articles 12 and 14 of the General Regulation on Personal Data Protection). We ask for Data protection
Confirm the information at the inspection. EEL is ready to remove restrictions from the given data if possible
answers to the above questions, which allow the personal data of the invitation applicant in such a way
processing by EEL.


3. Minutes of the evaluation commission

The requested professional level is fully covered in the protocols of the evaluation commission, because as well
mentioned earlier, it also contains a list of areas for which it was decided not to invite the applicant
give. The information on which professional levels were given to the person has been published (p. 10), as it is public information
with data available in the register of professional activities: www.kutseregister.ee. To clarify,
Under the minutes of the 2018 evaluation committee, the explanation part is covered because it contains

only the basis of the negative decision. Explanation section under the minutes of the 2019 evaluation committee
mostly contains references to the previous negative decision and bold text which
follows the previous description of the negative decision and which in its wording suggests that
previously, a negative decision has been made regarding the invitation applicant. Also, if you cover up the explanation part,
that precedes the text in bold, it further allows for the conclusion that the invitation is on the part of the applicant
a negative decision made in some respect, which may then lead to negative decisions regarding the invitation applicant
assessments.


The data protection inspection has clarified, however, that part of the information is not covered
(words, sentences), the disclosure of which would violate the integrity of a person's private life, not the entire explanation
part. Otherwise, it should be clear on what basis the commission made a positive decision.

We explain that point 10 of the protocol of the evaluation committee contains the proposal of the evaluation committee,
in which part the invitation applicant must be given an invitation - so it is clear from the given point in which

the evaluation committee has made a positive decision. Explain the part that does not contain direct words
the description of the negative decision, giving the possibility to conclude, that the persons who were previously present
negative assessment given in terms of knowledge. At the same time, the year 2019 does not include the evaluation committee
the positive part of the explanation of the protocol, the evaluation committee's additional explanation of why the corresponding decision
is done. Therefore, if we consider the risks involved in the thickness of the 2019 evaluation committee
by publishing the explanatory part of the letter and at the same time taking into account that the evaluation committee
the proposal in which part to issue an invitation (p. 10) has been published to the information requester, the EEL finds that the invitation

based on the interests of the applicant, the corresponding text must be covered, i.e. it is restricted information.

 We refer here to the general guidelines of the Public Information Act of the Data Protection Inspectorate, where
explained that if possible, access is provided only to the requested part
of the document/information that is not affected by the restriction (§ 38, paragraph 2 of AvTS) (see instructions § 38, p. 18). Maybe
then the EEL is left with the right to decide whether it is necessary to disclose any specific information to the information requester

possible or not.

5 (9) Pursuant to § 12 (1) p. 8 of KuTS, the party giving the invitation guarantees the publication received during the invitation
not belonging to information protection. Due to this provision and considering the information requester and invitation applicant
interests, the EEL has taken the position that the interests of the applicant for the invitation to privacy prevail in this case
up the interest of the information requester. The latter is interested in relevant information, like a sworn lawyer
Jaanus Tehver also brought it up in his first argument, in order to make sure that the invitation was issued

in justification and in the actual correspondence of the qualifications of the person (data subject) with the profession,
to which the person with the invitation claims to comply.

Pursuant to Section 18(2)(6) of KutS, the vocational committee decides whether to grant a vocational qualification to a person applying for a vocational qualification or
failure to provide. The invitation to assess the applicant's competence is issued by the professional committee
formed evaluation committee (KutS § 19 subsection 1). Therefore, the competence of the applicant is still assessed
evaluation committee, not every information requester who wants information about the person with the invitation

to get acquainted with the documents.

The public can consult the professional certificate data of a person with a profession in the professional register, which
proves the compliance of the person's competence with the requirements established in the professional standard. Professional certificate
the professional who issued the professional certificate is responsible for its correctness (KutS § 21 (1)). It will also come
to take into account that according to § 21 subsection 2 of KutS, a person with a profession has the right to use a professional certificate

the professional title or its abbreviation indicated on the professional certificate during its validity and present yourself
as competent according to the professional level given to him. Therefore, as long as the professional certificate is valid,
the person with the invitation has the right to rely on it as well.

EEL notes that it is possible to revoke a professional certificate in accordance with the procedure specified in KutS.
In case of successful invalidation of the professional certificate, the person with the professional certificate has no right from earlier
use the professional name or its abbreviation indicated on the valid professional certificate and present yourself

as competent according to the given professional level.

In addition, if the information requester doubts the legality of the actions of the party giving the invitation, it is possible to initiate
supervision procedure over the activities of the person giving the invitation in accordance with the procedure provided by law

4. Reviews of the professional suitability of the applicant for the engineering profession


Requests for an invitation, content of evaluation committee protocols and reviews
parts deal with information about the level of knowledge and abilities of the applicant for the profession, the disclosure of which
an unlimited circle of persons is not allowed based on AvTS § 35 (1) p. 12, as it violates
strongly inviolability of a person's private life, promising to give certain information about the person when it becomes public
evaluations, including negative ones, which may directly affect the position of the applicant for the invitation
when providing the service. There is also no legal basis for publishing such data
purpose. The competence of a person with a profession according to the given professional level is certified by the certificate issued

professional certificate, which can be viewed by all interested parties in the professional register. If
if the information requester has doubts about the competence of the applicant for the invitation, then there is a separate provision for this in the KuTS
the possibility of revoking the professional certificate. Based on the above, EEL is of the opinion that
partial refusal to fulfill the request for information and restriction of access to the requested information
the imposition has not been unlawful.



GROUNDS FOR DATA PROTECTION INSPECTION:

Information obtained and created during the process of requesting and issuing an invitation
Acquired education and further education

The complainant has taken the position that the data to which EEL in its 26.09.2022.a. letter
according to the access restriction was established - i.e. information about where and for how long the invitation applicant
went to school, what additional training did he complete, what are the character traits of the applicant for the profession,

6 (9) health condition, assessments of the level of his knowledge and abilities - cannot be, in principle
those, to which the provision of access significantly affects the privacy of the data subject
would damage).

EEL's activity in concealing data under the label of protecting the privacy of the data subject is special
cynical given the fact that a specific data subject - a Private Person - has deemed it possible

publish the data of their educational progress to the public aimed at offering their services
on the website

If the person has submitted data characterizing his educational background and knowledge and experience
to a professional organization for the purpose of receiving an invitation, and the person relies on it in his public activities
to the invitation attributed to him on the basis of the same data, then it is not possible to reasonably claim that
disclosure of the data that was the basis for receiving the invitation in response to a request for information would be harmful

substantially inviolability of a person's private life.

The Data Protection Inspectorate does not agree with the above. To receive an invitation to a professional organization
as a rule, the data provided is not a special type of personal data, which does not mean that it cannot be received
to impose an access restriction. In the previous objection decision, the inspection indicated that it agreed
cannot, however, argue with the claimant's claim that they cannot in principle contain personal data to which

allowing access would significantly harm the privacy of the data subject.
Personal data is not only the name of the person (which is known to the information requester and which cannot be hidden
reason), however, for example, where and for how long is his private information that needs to be protected
did he go to school, what advanced training did he take, what are his character traits, healthy
condition, assessments of the level of his knowledge and abilities, etc. So you can also get a public task
the information collected during the execution must have access restrictions and must not be available to everyone.
Regarding the above, the inspection has not changed its position.


PS § 26 provides for the protection of a person's private life. The protection of personal data must also be included in this, including such
data protection regarding a person's education and skills. Paragraph 2 of § 44 of the PS states that persons have
the right to receive information from state authorities about their activities, which also includes public tasks
documents created and received during execution. This right may also be limited by the rights of other people
for protection, including the protection of privacy and personal data. This position has also been adopted
Tallinn District Court in case 3-17-458. In addition, the court has noted that even if the information no

to be recognized as information for internal use is not disclosure of personal information
allowed unconditionally.

Since two fundamental rights collide here - the right to privacy and the right to receive public information, then
here, the institution has to weigh between two fundamental rights, whether the right of the individual is greater in a specific case
privacy or the objector's right to receive public information. In borderline cases, however
to prefer an interpretation that more strongly protects privacy, rather than prioritizing it

interests of third parties.

In this case, there is no dispute that every processing of personal data affects the individual to some extent
privacy, but the question is whether it is a significant intrusion that allows
to impose an access restriction on the data contained in the document. Object of dispute
the application does not only contain the level of education, but also contains information about when in which
in the educational institution and which curriculum and at what time the person studied, which professional skills he acquired

and in the scope of which subject points
the place of participation in studies and further training over the course of approx. 20 years, including which ones
additional trainings have been completed abroad and, to the extent, disclosure of such information
to third parties already significantly infringes on the integrity of a person's private life. To add here more
the 17 years of work and internships reflected in the application, then it already enables the person as well
to profile. In the opinion of the inspectorate, disclosing information to this extent is a significant violation

inviolability of a person's private life. Therefore, the last one reflected in the kasovia statement is not subject to disclosure

7 (9) 17 years of work and internships.

It should also be taken into account that a person applying for an invitation must submit the invitation documents
to request an invitation to the provider, which does not mean that the institution can disclose this information
to an unlimited circle of persons. Here, without a doubt, the individual's right to privacy is more important than

right of third parties to receive information.

However, what concerns the claimant's remark that EEL's actions in concealing the data of the data subject
under the guise of privacy protection is particularly cynical given the fact that a specific
the data subject - Private person - has considered it possible to publish the data of his educational background
on the website aimed at offering its services to the public and relies on its public

in the activity to the invitation assigned to him on the basis of the same data. At this point I consider it necessary
explain that the person himself always has the right to access his data anywhere and to anyone
to disclose. However, institutions that have to act on the basis of the law do not have this right. Nor is it
the institution has the obligation to check whether the person has previously mentioned himself somewhere when receiving the documents
disclosed the data. The institution can only be based on the documents submitted to it and there
of the contained data. At this point, the information of the complainant remains incomprehensible to the inspection

the need to obtain, if the complainant has already received the requested information. Request for information
the purpose of the submission is primarily to request information that is not known to the person submitting the objection.

The complainant has also stated in the complaint that it is noteworthy that the documents have
the access restriction was established only on 09.08.2022, i.e. after EEL first my
refused to comply with the request for information (EEL imposed an access restriction during the AKI dispute procedure-

consequently, EEL's letter of 27.06.2022 contained the introduction of an access restriction.

The fact that the physical limitation has not been noted in the document in time does not mean that
that such a document can no longer be marked with a restriction. I agree with the objector that
if the EEL already found at the time of refusal to comply with the primary information request that the document contains
restricted information and the document did not have a restriction, it should have been done immediately.

However, the foregoing does not invalidate the restriction. I also agree with the objector that if
the request for information is refused on the grounds that it infringes on the integrity of the person's private life, then
also explain to the information requester in a comprehensible way what this important interference consists of (AvTS § 23 paragraph 3).
Here, it is not enough to merely refer to the basis of the restriction.

Most important works/projects/expertises

 In response to the inspection's inquiry, EEL has justified the request for that part which
concerns the establishment of a restriction on the work done as follows. How much more important work, projects,
examinations directly show the work experience of the job applicant, then you can also use the given list

to conclude the level of the person's knowledge and abilities, the disclosure of which in a personalized form violates the invitation
privacy of the applicant. We would like to point out that private life also includes the concept of the Court of Justice
activities of a professional and commercial nature (EIKo 13710/88, Niemietz v. Germany,
16.12.1992).

The Data Protection Inspectorate does not agree with the above. First of all, I think it is necessary to note that
the cited judgment is not relevant in this case, as it concerned the lawyer's office

searching. As the makers of building design, owner supervision and construction expertise
according to § 25 of the Construction Code, must register themselves in the register of economic activities, where there is
data of public and competent persons, then this is limited information. Building register basic regulation
In accordance with §5lg1p9, additional transactions of the building are entered in the building register with the construction of the building or construction
data of related persons. According to § 10 of the same regulation, the construction project is also entered in the building register
first and last name of the compiler (p. 5), first and last name of the person supervising the owner (p. 6),

data of the construction project expert and the building audit (p. 10 and 11). So it is

1 See also RKHKo 3-20-1265, p 24.

8 (9) in the construction register, in addition to the data of the building, also the data of the aforementioned persons involved in construction activities,
which is not restricted information, therefore the disclosure of such data cannot in any way infringe either
privacy of a person, as it is work-related information that can be carried out by a person who is
registered in the economic activity register.

Publicity of reviews

The Data Protection Inspectorate agrees with EEL that the reviewer's assessment, which also includes
gives reasons why the reviewer considers that the applicant meets/does not meet the requested professional level
assessment of the applicant's skills and knowledge. Thus, the reviews contain such positive ones

and negative reviews. Although the reviewers are certainly very competent
with individuals, however, all such assessments are somewhat subjective. Neither does the commission
decision based only on the opinion of one reviewer. If such opinions are issued to third parties
to persons, then everyone can draw their own conclusion from them, which may be adequate and may bring
negative consequences for the applicant, affecting his professional position. You can't here either
the complainant should not evaluate what decision should have been made instead of the reviewer or the committee
commission to do. The Data Protection Inspectorate finds that just as there are no teaching staff at the university

feedback to the student is public, so the review given to the professional applicant cannot be public either
in terms of knowledge and skills.

The statement of the objector, as if the disclosure of the documents requested by him could not be done in any way
to significantly infringe on a person's privacy is not appropriate. This is the invitation to give
the documents submitted and prepared during the process also contain restricted data, as already follows from the KuTS
§ 12 (1) p. 8, according to which the person giving the invitation guarantees the publication obtained in the course of giving the invitation

protection of non-proprietary information. Here, the Inspectorate fully agrees with EEL that by invitation
the competence of the person according to the given professional level is proven by the issued professional certificate, with which
it is possible for all interested parties to familiarize themselves with the professional register. In case the information requester has doubts, call
in terms of the applicant's competence, the KuTS provides a separate option for a professional certificate
for annulment.

The Data Protection Inspectorate also already explained to the complainant in the previous appeal decision that the invitation

the qualification checks the compliance of education, skills and knowledge with the requirements for granting the qualification
the giver, not every seeker. Pursuant to § 23 of the Professions Act, supervision is carried out by the person giving the profession and
on the activities of professional councils by the Ministry of Education and Research or on the basis of an administrative contract
authorized foundation. If an administrative contract has been concluded for the performance of the tasks of a professional institution, it performs
administrative supervision over the professional institution Ministry of Education and Research.


Based on the above, the Data Protection Inspectorate finds that the EEL has been issued by the complainant
requested documents to the extent that they do not contain restricted data, except in the statement
more important works, projects, expertises, which, according to the inspection, cannot be
with a limitation.

Therefore, the EEL must re-examine the part of the invitation requester's request
performed works, expertise and projects and issue the desired information to the extent that does not include

data of third parties or, in case of continued refusal, justify how such information
disclosure would significantly damage the integrity of the person's private life, if there are corresponding ones in the building register
data public. In other respects, the complaint remains unsatisfied.

/signed digitally/
ElveAdamson
lawyer

on the authority of the Director General




9 (9)