AZOP (Croatia) - Decision 29-11-2021

From GDPRhub
AZOP - Decision 29-11-2021
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(c) GDPR
Article 15 ZSPNIFT
Article 79 ZSPNIFT
Type: Complaint
Outcome: Rejected
Started:
Decided: 29.11.2021
Published: 19.10.2023
Fine: n/a
Parties: n/a
National Case Number/Name: Decision 29-11-2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: leeve

The DPA confirmed that the processing of personal data under the Prevention of Money Laundering and Financing of Terrorism Act is legally based on Article 6(1)(c) GDPR, which allows processing necessary for compliance with a legal obligation.

English Summary

Facts

The DPA received a complaint regarding a violation of the protection of personal data of X (the data subject). In this regard, the data subject stated that the company in question (the data controller) asked her for a copy of her personal document - identity card when updating her personal data in accordance with special regulations.

As evidence of her allegations, the data subject submitted to the DPA the controller's response, information on the processing of personal data, and the email correspondence between the data subject and the data controller.

In this specific case, the "Prevention of Money Laundering and Financing of Terrorism Act (Zakon o sprečavanju pranja novca i financiranja terorizma - ZSPNIFT)" applies, which prescribes measures, actions, and procedures that oblige entities and competent state bodies to prevent and detect money laundering and terrorist financing.

Article 15 ZSPNIFT mandates customer due diligence, including identity verification via reliable sources, collecting data on the purpose and nature of business relationships, ongoing transaction monitoring to ensure consistency with the customer's profile and risk assessment, verifying the source of funds if needed, and maintaining up-to-date documentation.

Furthermore, Article 79 ZSPNIFT requires that collected documentation include records used to verify the customer’s identity, such as copies of official personal documents or extracts from relevant registers.

The data subject was contacted via letter and telephone to update her personal data and submit a copy of her ID card, as required by ZSPNIFT. The data controller provided the applicant with the choice of how to submit the ID card copy, as evidenced by a letter dated 16 July 2021. The data controller justified the collection and processing of personal data, including the ID card copy, as necessary to fulfill its legal obligation to verify customer identity under the Act.

Holding

The DPA held that the collection and processing of personal data, including an ID card copy, by the controller is lawful under Article 6(1)(c) GDPR when performed to fulfill legal obligations prescribed by ZSPNIFT.

The DPA stated that the controller had a justified reason based on the ZSPNIFT for which it is obliged to unequivocally establish the identity of the client by collecting a copy of the applicant's identity card, as well as a certain amount of personal data.

Furthermore, the DPA held that personal data must be processed lawfully under one of the legal bases set out in Article 6 of the GDPR, and the principles of lawfulness, fairness, and transparency require the data subject to be informed about the processing procedure and its purposes. In this case, the DPA found that the controller fulfilled its obligation under Article 13 of the GDPR by informing the data subject about the processing of her personal data, as evidenced by the correspondence and the document detailing the information on the processing.

In this administrative procedure, it was determined that the conditions for fair and lawful processing of personal data, as per Articles 5 and 6 of the GDPR, were met. The data controller demonstrated a lawful legal basis for processing the data subject's personal data, including the collection of a copy of her ID card. As a result, the data subject's personal data was processed in a fair, lawful, and transparent manner in accordance with GDPR requirements.

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

REPUBLIC OF CROATIA
PERSONAL DATA PROTECTION AGENCY
CLASS:
NUMBER:
Zagreb, 29 November 2021

Personal Data Protection Agency pursuant to Article 57(1) and 58(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L119 (hereinafter: the General Data Protection Regulation), Article 34 of the Act on the Implementation of the General Data Protection Regulation (Official Gazette, No. 42/2018) and Article 96 of the Act on General Administrative Procedure (Official Gazette, No. 47/09), in connection with a request for the determination of a violation of the right to personal data protection X issues the following

DECISION

The request of X for establishing a violation of the right to personal data protection is rejected as unfounded.

Reasoning

The Personal Data Protection Agency (hereinafter referred to as: the Agency) has received a request for establishing a violation of the right to personal data protection X (hereinafter referred to as: the applicant) in which the applicant essentially states that she believes that her right to personal data protection has been violated by the company Y (hereinafter referred to as: the company).

In this regard, the applicant states that the company in question asked her for a copy of her personal document-identity card when updating her personal data in accordance with special regulations.

As evidence of her allegations, the applicant submits to the Agency the company's response dated 27 August 2021 to the applicant, information on the processing of personal data, a letter sent to the company in question by the applicant dated 23 March 2021, the company's response dated 16 July 2021, the applicant's objection to the response, and e-mail correspondence between the company in question and the applicant.

The request is not well-founded.

In addition to the above, we would like to point out that since 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ EU 119, has been directly applicable in all Member States of the European Union, including the Republic of Croatia.

Article 4.1 of the General Data Protection Regulation defines personal data as any data relating to an identified or identifiable individual (the “data subject”); an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

According to Article 4.2. of the General Data Protection Regulation, processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

According to Article 5 of the General Data Protection Regulation, personal data must be processed lawfully, fairly and transparently in relation to the data subject, collected for specified, explicit and legitimate purposes, adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The same Article also stipulates that personal data must be accurate and, where necessary, kept up to date, and that every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (principle of accuracy of personal data). Furthermore, according to Article 6 of the General Data Protection Regulation, processing is lawful only if and to the extent that at least one of the following is met: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary to protect the vital interests of the data subject or another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

In addition, Article 13 of the General Data Protection Regulation stipulates what information the controller must provide to the data subject, as a natural person, if personal data are collected from the data subject himself (the name of the company or organisation processing your data (including the contact details of the data protection officer, if any); the purposes for which the company/organisation will use your data; the categories of personal data concerned; the legal basis for the processing of your personal data; the period for which your data will be stored; other companies/organisations that will receive your data; whether the data will be transferred outside the EU; your fundamental rights in the field of data protection). In this specific case, the Law on the Prevention of Money Laundering and Financing of Terrorism (Official Gazette, No. 108/17, 39/19) is applicable, which prescribes measures, actions and procedures that obliged entities and competent state bodies undertake to prevent and detect money laundering and financing of terrorism and other preventive measures aimed at preventing the use of the financial system for money laundering and financing of terrorism.

Article 9 of the aforementioned Law prescribes the parties obliged to apply the aforementioned Law, which includes activities carried out by an electronic money institution. The measures, actions and procedures for the prevention and detection of money laundering and financing of terrorism specified in this Law are implemented before and/or during each transaction, as well as when concluding legal transactions through which assets are acquired or used, and in other forms of disposal of funds, rights and other assets that can be used for money laundering and financing of terrorism.

Article 15 of the Anti-Money Laundering and Terrorist Financing Act stipulates that customer due diligence includes, among other things, measures to establish the customer's identity and verify their identity on the basis of documents, data or information obtained from a credible, reliable and independent source, including, if the customer has one, a qualified certificate for an electronic signature or electronic seal. It also includes collecting data on the purpose and intended nature of the business relationship and other data in accordance with this Act and the by-laws adopted on its basis, and continuous monitoring of the business relationship, including the control of transactions carried out by the customer during the business relationship in order to ensure that the transactions carried out are in accordance with the knowledge of the obligor about the customer, business profile, risk profile, including, where appropriate, data on the source of funds, whereby the documentation and data at the obligor's disposal must be up-to-date (Article 15 of the Act). Article 20, paragraph 3 of the aforementioned Act stipulates that, in addition to the data referred to in paragraph 1 of this Article, the obliged entity shall also obtain other data to the extent necessary for assessing the risks of money laundering and terrorist financing in accordance with the provisions of this Act and on the basis of the subordinate legislation adopted thereunder.

Similarly, Article 37, paragraph 2, item 4 of the same Act stipulates that the obliged entity is obliged to regularly check and update the collected documents and data on the party, the beneficial owner of the party and the risk profile of the party, and to check whether the party or the beneficial owner of the party has become or ceased to be a politically exposed person.

Furthermore, Article 79 of the Act on the Prevention of Money Laundering and Financing of Terrorism states that the documentation collected during the application of this Act and the subordinate legislation adopted on its basis must include, among other things, documentation on the basis of which the identity of the party was established (copy of an official personal document, copy of an extract from a court or other register, etc.).

In this administrative matter, from the submitted documentation, it was undoubtedly established that the applicant is a user of the services of company Y. It was also established in the proceedings that the company in question invited the applicant to update her personal data and submit a copy of her personal document - identity card, by sending a letter to her home address and contacting her by telephone. Likewise, the applicant was given the opportunity to freely decide how she would submit a copy of her identity card, which is evident from the letter sent to the applicant on 16 July 2021.

Accordingly, taking into account the provisions of the General Data Protection Regulation and the provisions of the Act on the Prevention of Money Laundering and Financing of Terrorism, as a separate law, in this administrative procedure it has been determined that in this specific case the collection and processing of personal data of the company in question as the controller is permitted for the purpose of fulfilling the legal obligations, i.e. the legal obligations of the controller of personal data, as prescribed by the Act on the Prevention of Money Laundering and Financing of Terrorism.

Therefore, having in mind the legal provisions of the Act on the Prevention of Money Laundering and Financing of Terrorism, and in relation to the collection of a copy of a personal document - an ID card, we state that the company in question as the controller has a justified reason based on the aforementioned Act for which it is obliged to unequivocally establish the identity of the client (applicant) by collecting a copy of the ID card, and thus a certain scope of the personal data of the applicant.

Furthermore, we state that at the time of determining the means of processing and at the time of the processing itself, it is the obligation of each controller to determine, depending on the nature, scope and purpose of the processing of personal data, protection measures that guarantee the secure, fair and lawful processing of personal data and the effective application of the principles of data protection (in particular, taking into account the necessity of data processing for each specific purpose, reducing the amount of data collected as well as the scope of data during processing, determining data retention periods, their availability, etc.).

Likewise, from the aspect of the regulations regulating the protection of personal data, we point out the obligation to respect the principles of lawfulness, fairness and transparency of the processing of personal data of the data subject, which means that personal data must be processed lawfully - with the existence of one of the legal bases established by Article 6 of the General Data Protection Regulation. We also state that the principles of fair and transparent processing require that the data subject be informed of the processing procedure and its purposes. Therefore, the company in question was obliged to inform the requester of the purpose of processing her personal data and the legal basis for processing personal data.

In accordance with the above, taking into account the principles and actions of the controller, we state that the company in question in this specific case informed the applicant about the processing of her personal data in accordance with Article 13 of the General Data Protection Regulation, which is evident from the correspondence between the applicant and the company in question and from the document Information on the processing of personal data.

Therefore, following all of the above, in this administrative procedure it was determined that in this specific case the conditions for fair and lawful processing of personal data from Articles 5 and 6 of the General Data Protection Regulation were met, all because the company in question proved the existence of a lawful legal basis for the processing of the applicant's personal data in the specified scope of collecting personal data and collecting a copy of the personal document - identity card. Therefore, the applicant's personal data were processed in a fair, lawful and transparent manner as required by the provisions of the General Data Protection Regulation. 

In accordance with the above, it was decided as in the Disposition of the decision.

INSTRUCTION ON LEGAL REMEDY

No appeal is allowed against this decision, but an administrative dispute may be initiated before the Administrative Court in X within 30 days from the date of delivery of the decision.

DEPUTY DIRECTOR

Igor Vulje

Submit:
1. X
2. Y
3. Filing, here
