AZOP (Croatia) - Decision 24-01-2022

From GDPRhub
AZOP - Decision 24-01-2022
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6 GDPR
Postal Service Act
Type: Complaint
Outcome: Rejected
Started:
Decided: 24.01.2022
Published: 24.01.2022
Fine: n/a
Parties: Center for Social Welfare
National Case Number/Name: Decision 24-01-2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: Karlo

The DPA rejected complaint of the data subject who had stated that his rights were violated because data controller sent compensation via postal service.

English Summary

Facts

The DPA received a request for determination of violation of the right in which data subject states that the Center for Social Welfare brought Decision by which the data subject is recognized with a guaranteed minimum of compensation. In this regard, the data subject points out how his compensation for the September was not paid through a current account, but the employee of the Croatian Post has brought him compensation. On that occasion employee asked him for his ID card. Therefore, the data subject considers that data controller disclosed his personal data about him as a user of the social benefit without his authorization.

Holding

The DPA rejected the complaint.

It emphasized that the right to protection of personal data is not absolute right, and it should be considered in relation to its function in society and harmonized with other fundamental rights in accordance with the principle of proportionality. Also, DPA noted that Postal Service Act prescribe the conditions for performance of its services. In connection, GTC of Croatian Post prescribe in article 47 that the sender, receiver or other authorized person proves his identity, between among other things, with an identity card, and the type and number of the identification document that established the identity it is entered in the corresponding place of the postal document.

Namely, in the specific case there was a legitimate purpose and legal basis from Articles 5 and 6 of the GDPR for forwarding certain personal data to Croatian Post.

DPA pointed out that the method of delivery/payment of the user's minimum fee is not in jurisdiction of this Agency, but it is the decision of the data controller himself in accordance with the special regulation.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

REPUBLIC OF CROATIA
PROTECTION AGENCY
PERSONAL DATA
CLASS:
NUMBER:
Zagreb, January 24, 2022.
Personal Data Protection Agency, OIB: 28454963989 based on Article 57 paragraph
1 and Article 58 paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27
2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data
data and repealing Directive 95/46/EC (hereinafter referred to as the General Protection Regulation
data) SL EU 119, Article 34 of the Law on the Implementation of the General Regulation on Data Protection ("People's
novine" no. 42/18) and Article 96 of the Act on General Administrative Procedure ("Narodne novine" no.
47/09 and 110/21), and regarding the request to determine the violation of the right to the protection of personal data
x yields the following
SOLUTION
Request x to establish a violation of the right to personal data protection is rejected as
ungrounded.
Form layout
The Agency for the Protection of Personal Data (hereinafter: the Agency) received a request for
determination of violation of the right to protection of personal data x (hereinafter: the applicant)
in which he states that the Center for Social Welfare y (hereinafter referred to as the processing manager) brought
Decision, CLASS..., NUMBER: ... by which the applicant is recognized with a guaranteed minimum
compensation and in which it is determined that the same will be paid to the applicant as a beneficiary on a monthly basis,
through the competent center for social welfare to a current account. In this regard, the applicant points out how
his compensation for the month of September was not paid through a current account, but through the company of Croatia
pošte d.d. and points out that an employee of the said company visited him when he arrived at his home
address, asked for an identity card and the signing of the receipt. Therefore, the applicant considers it as it is
the processing manager disclosed personal data about him as a user of the Social Center without authorization
care and society Hrvatska pošta d.d.
2
Along with his request, the applicant submitted the Decision of the Center for Social Welfare y, CLASS:
.., NUMBER: ... from ... year; Decision of the Center for Social Welfare y, CLASS: .., NUMBER: .. of
... years; Complaint sent to the Center for Social Welfare y and the response from the Center for Social Welfare y,
CLASS: .., NUMBER: .... years.
The request is not founded.
First of all, it should be noted that from May 25, 2018, in the Republic of
In Croatia, Regulation (EU) 2016/679 of the European Parliament is directly and bindingly applied
of the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and on
free movement of such data and repealing Directive 95/46/EC (General
data protection regulation) SL EU L119.
The General Data Protection Regulation in Article 4, Paragraph 1, Point 1 stipulates that they are personal
data all data relating to an individual whose identity has been determined or can be determined, a
an individual whose identity can be established is a person who can be identified directly or
indirectly, especially with the help of identifiers such as name, identification number, information about
location, network identifier or with the help of one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that individual.
Pursuant to Article 5 of the General Data Protection Regulation, personal data must be: (a)
lawfully, fairly and transparently processed with respect to the data subject ("lawfulness, fairness,
transparency"); (b) collected for specific, express and lawful purposes and may not be further
process in a way that is inconsistent with those purposes ("purpose limitation"); (c) appropriate,
relevant and limited to what is necessary in relation to the purposes for which they are processed ("reduction
amount of data"); (d) accurate and as necessary up-to-date; every reasonable measure must be taken
in order to ensure that personal data that are not accurate, taking into account the purposes for which
process, delete or correct without delay ("accuracy"); (e) stored in a form that enables
identification of the respondent only for as long as is necessary for the purposes for which it is personal
data processing ("storage limitation"); (f) processed in the manner in which it is secured
adequate security of personal data, including protection against unauthorized or illegal access
processing and from accidental loss, destruction or damage by applying appropriate technical or
organizational measures ("integrity and confidentiality").
Furthermore, in accordance with Article 6 of the General Data Protection Regulation, processing is only lawful
if and to the extent that at least one of the following is met: (a) the subject has given consent
to process your personal data for one or more specific purposes; (b) processing is necessary for
execution of a contract to which the respondent is a party or to take action upon request
of the respondent before the conclusion of the contract; (c) processing is necessary to comply with the controller's legal obligations
processing; (d) processing is necessary to protect the key interests of the data subject or other natural person;
(e) processing is necessary for the performance of a task of public interest or in the exercise of official authority
processing manager; (f) the processing is necessary for the legitimate interests of the controller or a third party
parties, except when those interests are stronger than the interests or fundamental rights and freedoms of the respondents who
require the protection of personal data.
3
Also, it should be emphasized that the right to protection of personal data is not absolute
the law itself must be considered in relation to its function in society and it should be harmonized
with other fundamental rights in accordance with the principle of proportionality.
As a separate law, we cite the Postal Services Act ("Narodne novine", number:
144/12, 153/13, 78/15 and 110/19) regulating postal services, prescribe the conditions for
performance of these services and for the provision and financing of universal service, govern the rights,
obligations and responsibilities of providers and users of postal services, conditions of access to the postal network,
issuance of postage stamps of the Republic of Croatia and surcharge stamps is determined by jobs
Croatian regulatory agencies for network activities in the part related to regulatory
tasks in the field of postal services, performing inspection supervision in the field of postal services
services, and regulate other issues related to the performance of postal services.
Also, Article 44 of the aforementioned Act stipulates that the provider of postal services
obliged to adopt general conditions for the performance of postal services in domestic and/or international
traffic. Based on the quoted article, Hrvatska pošta d.d. is on July 1, 2021.
passed the General Terms and Conditions for the provision of universal services, which regulate the manner and conditions
performance of the universal service provided by HP-Hrvatska pošta d.d., delivery deadlines,
method and conditions of payment for postal services, method of marking payment for postal services on
to the postal shipment, the responsibility of HP d.d. and compensation for damage and the submission and settlement procedure
complaints of users of postal services.
In this connection, it is necessary to point out article 47 of the aforementioned General Terms and Conditions, in which
stipulated that the sender, receiver or other authorized person proves his identity, between
among other things, with an identity card, and the type and number of the identification document that established the identity
it is entered in the corresponding place of the postal document.
Furthermore, by looking at the Answer, CLASS: .., CODE: .. from ... which is the Center for
social care y as a processing manager delivered to the applicant, it is clear that the manager
processing, informed the applicant that he had sent the amounts through the mail.
As a result of the above, on the basis of the submitted evidence in this administrative matter it was established
that the Center for Social Welfare, as the processing manager, did not provide personal data for use
of the applicant for this to an unauthorized recipient/third party and in this sense the request
rejects the applicant as unfounded.
Namely, in the specific case there was a legitimate purpose and legal basis from Article 5 i
6. General regulations on data protection for forwarding certain personal data to a third party
(company Hrvatska pošta d.d.), and all so that the applicant could realize the right that belongs to him
in accordance with the adopted Decision, CLASS: .., NUMBER: .. from the year ... or the right to
guaranteed minimum compensation.
4
In this regard, it should be emphasized that in the conducted procedure it was not determined that
personal data of the applicant were forwarded by the processing manager to the company
Hrvatska pošta d.d. to a greater extent than is necessary for the specific purpose of guaranteed delivery
minimum fees and that the applicant has not proven in any way that the information about him is as
to the user of the Center for Social Care, disclosed to a third party without authorization.
Likewise, in the specific case it was established that the company Hrvatska pošta d.d.
during the delivery/payment of the guaranteed minimum compensation, it complied with the prescribed procedures and
in accordance with Article 47 of the General Terms and Conditions for the provision of universal services, identity verification
of the applicant as the payee.
Additionally, and further to the applicant's statement that he is guaranteed a minimum compensation
should have been paid to the current account as determined by the Decision, CLASS: .., NUMBER: ...
from ... year, we point out that the method of delivery/payment of the user's minimum fee is not in
jurisdiction of this Agency, but it is the decision of the processing manager himself in accordance with the special
regulation.
In conclusion, and taking into account all the circumstances of the specific case, there is no evidence that
indicate that the applicant's personal data were processed contrary to the General provisions
regulations on data protection.
Due to the aforementioned circumstances, it was decided as in the Proclamation of the Decision.
LEGAL REMEDY
No appeal is allowed against this decision, but an administrative dispute can be initiated before the Administrative Court
by the court in Zagreb within 30 days from the date of delivery of the decision.
DEPUTY DIRECTOR
Igor Vulje
Deliver:
1.
2.
3. Stationery, here.