AZOP (Croatia) - Decision 23-03-2023
|AZOP - Decision 23-03-2023
|Article 11 GDPR
Article 12(2) GDPR
Article 15 GDPR
Article 17 GDPR
Article 17(3)(e) GDPR
|National Case Number/Name:
|European Case Law Identifier:
|AZOP (in HR)
The Croatian DPA held that a controller had lawfully rejected an access request on the basis of Article 12(2) GDPR, as it was unable to identify the data subject.
English Summary[edit | edit source]
Facts[edit | edit source]
The office of a municipality of a city in Croatia received an anonymous letter containing intimate photos of a person. A data subject claimed that those photos were concerning her, thus made an access request under Article 15 GDPR to the office and also requested her personal data to be deleted under Article 17 GDPR. The data subject also claimed that such data constituted biometric data.
The office, as a controller, responded stating that it did have knowledge about the events which might possibly be related to the data subject but that it was not possible for it to determine the identity of the person in the pictures. Hence the processor refused to comply with the data subject’s access request.
Following this, the data subject filed a complaint with the Croatian DPA (AZOP) claiming that the controller violated her GDPR rights by not responding to her access request and she also stated that the controller further processed her personal data by making it available to various unauthorized persons as well as to the public through media articles.
In its submissions to the AZOP, the controller clarified that it did not unlawfully transmit or use personal data of the applicant, pointing out that it has learned about events that may have been related to the applicant, but from the information provided it was not possible to determine with certainty the identity of the person and its connection with other contents that were provided to the controller. Further, the controller underlined that it took all necessary measures to prevent the possibility of misuse or any other illegal and unauthorized actions related to the deletion of personal data. In conclusion, the controller stated that, upon request of the State Attorney, it sent the disputed letter to the employees of the Police Department of the city, as authorized officials, which was declared to be a confiscated object. Further, it was submitted that the two news articles mentioned by the data subject do not contain any personal data allowing data subjects to be identified.
Holding[edit | edit source]
The AZOP, first of all clarified that the photos in question may constitute personal data, but not biometric data as they do not fulfil the requirements of Article 4(14) GDPR.
Secondly, the AZOP ascertained whether the controller had rightfully responded to the data subject’s access request. Making reference to Recital 63 and Article 12(1) GDPR, the AZOP underlined that controllers should provide data subjects with all the information requested in Article 15 GDPR. However, the AZOP underlined that under Article 12(2) GDPR, a controller may refuse to comply with an access request if it proves that it is unable to determine the identity of the data subject. In this case, the controller did prove its inability to identify with certainty the data subject
Thirdly, since the disputed letter and pictures were confiscated by the police, the controller was also justified for not complying with the data subject’s request of deletion of her personal data under Article 17(3)(e) GDPR.
Last, the AZOP also found that the newspaper articles mentioned by the data subject did not contain any personal data relating to her, this none of her data was published unlawfully.
For all of the above reasons, the AZOP dismissed the complaint as unfounded.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
1 REPUBLIC OF CROATIA PROTECTION AGENCY PERSONAL DATA CLASS: NUMBER: Zagreb, March 23, 2023. Personal Data Protection Agency based on Article 57, paragraph 1 and Article 58, paragraph 1. Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and the free movement of such data and the placement out of force of Directive 95/46/EC (hereinafter referred to as the General Data Protection Regulation) SL EU 119, Article 34 of the Act on the Implementation of the General Regulation on Data Protection ("Official Gazette" No. 42/18) and Articles 41 and 96 of the Law on General Administrative Procedure ("Official Gazette" No. 47/09 and 110/21), and regarding the request to determine the violation of the right to the protection of personal data X brings the following SOLUTION X's request to establish a violation of the right to personal data protection is rejected as ungrounded. Form layout The Agency for the Protection of Personal Data (hereinafter: the Agency) received a request for determination of violation of the right to personal protection of X, represented by lawyer Y (hereinafter: the applicant) in which the applicant states that City X, City Office X u received a letter from an anonymous person in March 2021, which, among other things, contains intimate photographs of the applicant (which the applicant states in her application as biometric data) and continued with the further processing of her personal data, in the manner that they were available to various unauthorized persons, as well as to the public through media captions. Furthermore, the applicant states that she addressed the City with a submission dated May 3, 2021 X, City Office X and requested access to her personal data in accordance with the provisions of the General regulations on data protection, as well as deleting your personal data. In this regard, the applicant points out that City X, City Office X by letter dated May 5, 2021, KLASAX, UR NO: X refused to deliver what was requested and stated that he had acquired certain knowledge about the events 2 which, possibly, are related to her, without specifying what it is about, therefore she states what she thinks that there was a violation of her rights to the protection of personal data. The request for determining the violation of the right to the protection of personal data is attached power of attorney from June 2, 2021, a copy of an anonymous letter, the applicant's submission from On May 3, 2021, sent to City X, City Office X requesting the acquisition of data and secondly, the response of the City X, City Office X, CLASS: X, ID NO: X dated May 5, 2021. of the year, a copy of the newspaper article published in the weekly "X" from April 25, 2021 under with the title "X?" and a copy of the newspaper article published in the daily newspaper "X" from April 27 2021 under the title "X", subtitle "X". The request is not founded. Acting on the received request, the Agency filed (CLASS: X, CODE: X) requested a statement from City X, City Office X regarding the circumstances of the specific case. As requested, City X, City Office X expressed its opinion with a submission, CLASS: X NUMBER: X stating in detail how it was sent on the received request of the applicant through a lawyer (received on May 4, 2021) in his official statement from May 5, 2021 to the applicant (CLASS: X, CODE: X) stated the same that in accordance with the powers of his action he did not distribute it, nor in any way transferred or used the personal data of the applicant without authorization. In this regard, City X, City Office X points out that it gained knowledge about events that were possibly related to the applicant, but it was not possible to determine with certainty from the submitted notifications the identity of the person and his connection with other content that was delivered to City X, City office X. In this connection, it should be noted that City office X is not authorized to determine identity natural persons, nor does it have the necessary possibilities and instruments for determination above, and especially not on the basis of knowledge from the content of the specific case received. Despite this, City Office X has taken all the necessary and possible actions for which it is authorized to prevent the slightest possibility of misuse or any other illegal and unauthorized actions related to the disposal of personal data. In conclusion, the City X, City Office X states that it was given on May 20, 2021 to employees of the Ministry of internal affairs of the Police Administration X handed over a letter which, possibly, was related to the applicant, since they are authorized persons ex officio, and upon request Municipal State Attorney's Office, from the City Office X stated and requested. In this connection City X, City Office X emphasizes that on the same occasion an official certificate of confiscation of objects or written documents. In this regard, and considering that City X, City Office X, with its statement, is not provided evidence that employees of the Ministry of Internal Affairs, Police Administration X submitted a letter which, possibly, was related to the applicant, the Agency is by submission, CLASS: X, CODE: X requested the delivery of a copy of the official certificate of confiscation of objects or written documents. 3 As requested, City X, City Office X, CLASS: X, CODE: X delivered To the Agency, a copy of the Certificate of Temporary Confiscation of Items issued by the Ministry of Internal Affairs, Police Department X, General Crime Service, number: X dated May 20 in 2021. Also, by looking at the delivered copy of the newspaper article published in the weekly "X" from April 25, 2021 under the title "X?" and a copy of the newspaper article published in to the daily press "X" from April 27, 2021 under the title "X", subtitle "X", clearly is that they do not contain any personal data, that is, it cannot be determined from them identity of a natural person. First of all, it should be noted that from May 25, 2018, in the Republic of In Croatia, Regulation (EU) 2016/679 of the European Parliament and the Council of 27 of April 2016 on the protection of individuals in connection with the processing of personal data and on free movement such data and on the repeal of Directive 95/46/EC (General Protection Regulation data) SL EU L119. The General Data Protection Regulation in Article 4, Paragraph 1, Point 1 stipulates that they are personal data all data relating to an individual whose identity has been determined or can be determined, a an individual whose identity can be established is a person who can be identified directly or indirectly, especially with the help of identifiers such as name, identification number, information about location, network identifier or with the help of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Therefore, we state that the photo belongs to personal data as defined by the subject article, however, it does not constitute biometric data. In this regard, we point out that Article 4, Paragraph 1, Point 14 stipulates that "biometric data" means personal data obtained through special technical processing in connection with physical characteristics, physiological characteristics or behavioral characteristics of an individual which enable or confirm the unique identification of that individual, such as facial photographs or dactyloscopic data. Therefore, biometric processing of personal data would be considered as processing in which, by means of mathematical algorithms, biometric data is connected with an exact one person, i.e. that processing in which the computer system automatically through, for example, physiological characteristics determine the identity of a certain person, and what is it about in the specific case at all it wouldn't work. Pursuant to Article 5 of the General Data Protection Regulation, personal data must be: (a) lawfully, fairly and transparently processed with respect to the data subject ("lawfulness, fairness, transparency"); (b) collected for special, explicit and legal purposes and may not be used further process in a way that is inconsistent with those purposes ("purpose limitation"); (c) appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("reduction 4 amount of data"); (d) accurate and as necessary up-to-date; every reasonable measure must be taken in order to ensure that personal data that are not accurate, taking into account the purposes for which process, delete or correct without delay ("accuracy"); (e) stored in a form that enables identification of the respondent only for as long as is necessary for the purposes for which it is personal data processing ("storage limitation"); (f) processed in the manner in which it is secured adequate security of personal data, including protection against unauthorized or illegal access processing and from accidental loss, destruction or damage by applying appropriate technical or organizational measures ("integrity and confidentiality"). Furthermore, in accordance with Article 6 of the General Data Protection Regulation, processing is only lawful if and to the extent that at least one of the following is met: (a) the subject has given consent to process your personal data for one or more specific purposes; (b) processing is necessary for execution of a contract to which the respondent is a party or to take action upon request of the respondent before the conclusion of the contract; (c) processing is necessary to comply with the controller's legal obligations processing; (d) processing is necessary to protect the key interests of the data subject or other natural person; (e) processing is necessary for the performance of a task of public interest or in the exercise of official authority processing manager; (f) the processing is necessary for the legitimate interests of the controller or a third party parties, except when those interests are stronger than the interests or fundamental rights and freedoms of the respondents who require the protection of personal data. We emphasize that in relation to a specific case, the introductory statement (63) should be taken into account General Data Protection Regulation, according to which the data subject should have the right of access collected personal data relating to him and exercise that right easily and in at reasonable intervals in order to be aware of the processing and verify its legality. As it follows from Article 12, paragraph 1 of the General Data Protection Regulation, the data controller undertakes appropriate measures to provide the respondent with all the information referred to in Articles 13 and 14. and all communications from Articles 15 to 22 and Article 34 in connection with processing in summary, transparent, comprehensible and easily accessible form, with the use of clear and simple language. The information is provided in writing or by other means, inter alia, if it is conveniently, electronically. If requested by the respondent, information may be provided verbally through, provided that the identity of the respondent has been established by other means. The processing manager facilitates the exercise of the data subject's rights from Articles 15 to 22 of the U in the cases referred to in Article 11, paragraph 1, the processing manager may not refuse to act on the request of the respondent for the purpose of exercising his rights from articles 15 to 22, unless the manager processing proves that it is not able to determine the identity of the respondent (Article 12. paragraph 2. General regulations on data protection). Article 12, paragraph 3 of the General Data Protection Regulation stipulates that the data controller upon request, provides the respondent with information on the actions taken from Articles 15 to 22. General data protection regulations without undue delay and in any case within one month from the receipt of the request. This deadline can be extended by an additional two months if necessary, taking into account the complexity and number of requests. The data controller informs the respondent about each 5 such extension within one month from the receipt of the request, together with the reasons delays. Article 15, paragraph 1 of the General Regulation on Data Protection stipulates that the respondent has the right to receive confirmation from the data controller as to whether personal data relating to him are being processed and if such personal data is processed, access to personal data and the following information: (a) processing purposes; (b) categories of personal data in question; (c) recipients or categories of recipients to whom personal data has been disclosed or will be disclosed to them, in particular recipients in third countries or international organizations; (d) if possible, the intended period in which the personal data will be stored or, if this is not possible, the criteria used to determine that period; (e) the existence of the right to be from the manager request correction or deletion of personal data or restriction of processing of personal data relating to data subjects or rights to object to such processing; (f) the right to submit complaints to the supervisory body; (g) if personal data is not collected from the data subject, to each available information about their source; (h) the existence of automated decision-making, which includes the creation of profiles from Article 22 paragraphs 1 and 4 and, at least in these cases, meaningful information about the logic in question, as well as the importance and anticipated consequences of such logic processing for the respondent. Furthermore, Article 17 of the General Regulation on Data Protection stipulates the "right to be forgotten" according to which the respondent has the right to obtain from the controller the deletion of personal data which are related to him without unnecessary delay and the data controller is obliged to delete personal data data without undue delay if the personal data is no longer necessary in relation to the purposes for which have been collected or otherwise processed; the subject withdraws the consent that is being processed bases in accordance with Article 6, paragraph 1, point (a) or Article 9, paragraph 2, point (a) and if there is no other legal basis for processing and in other categorically stated cases in the subject article. However, paragraph 3 of the same article of the General Data Protection Regulation exceptions to the deletion of personal data are prescribed. In this administrative matter, it follows from the submitted/collected documentation that the City X, City Office X received a letter from an anonymous person in March 2021, which, among other things, it contained intimate photos of the applicant. Furthermore, it was established that the applicant addressed the City X, City Office with a submission dated May 3, 2021 X and requested access to her personal data in accordance with the provisions of the General Regulation on Protection data, as well as deleting your personal data. In this regard, it was determined that City X is City office X, as processing manager, responded to the applicant's request with a letter dated May 5 in 2021, stating how he gained knowledge about events that were possibly related to the applicant, but it was not possible to determine with certainty from the submitted notifications the identity of the person and its connection with other content. In conclusion, it was established that the City X, City Office X on May 20, 2021, at the request of the Municipal State Attorney's Office, employees of the Ministry of Internal Affairs, Police Administration X handed over the disputed letter and on that occasion, an official certificate of confiscation of the object, i.e. a written one, was issued. 6 Therefore, in this administrative matter, it was determined that City X, City Office X as the processing manager responding back to the applicant's request, with a submission dated May 5 2021 acted in accordance with Article 12, paragraph 2 of the General Data Protection Regulation, considering to the fact that he explained to the applicant that in the specific case he could not determine the identity of the person whose photos he received through an anonymous submission. So, even though the applicant is in compliance with Article 15 of the General Regulation on the Protection of Personal Data requested access to their personal data data, in this particular case the controller acted correctly when taking into account the provisions of Article 12, paragraph 2 of the General Regulation, refused to comply with the applicant's request for the purpose exercising her rights, for the reason that he could not determine with certainty the identity of the person whose received the photos. Likewise, given that the dispute is in writing with accompanying photographs of the applicant was taken from the processing manager by the Ministry of Internal Affairs, Police Administration X at the request of the Municipal State Attorney's Office, deletion of personal data of the applicant in the specific case is not applicable, taking into account Article 17. paragraph 3 point e) of the General Data Protection Regulation. Therefore, the applicant's request is in the part in which she claims that she was not provided access to her personal data, i.e. how the manager refused to delete her personal data data, should have been rejected as unfounded. Also, related to the applicant's allegations about the forwarding of her personal data to other unauthorized recipients, it should be pointed out that the same applicant is nothing proved, nor was it established in the proceedings that such an unauthorized act occurred in the specific case forwarding. Finally, regarding the applicant's allegations about the availability of her personal data in the public, more precisely by their publication in the media, we state that it has been established that the newspaper articles referred to by the applicant ("X?" published in the weekly "X" from April 25, 2021. and "X", subtitled "X", published in the daily newspaper "X" from April 27, 2021.) do not contain personal data of the applicant, therefore that part of the request should have been rejected as ungrounded. As a result of the above, in the entire procedure it was determined that there was no violation of the applicant's right to protection of personal data. Due to the aforementioned circumstances, it was decided as in the Proclamation of the Decision. 7 LEGAL REMEDY No appeal is allowed against this decision, but an administrative dispute can be initiated before the Administrative Court by the court in X within 30 days from the date of delivery of the decision. DEPUTY DIRECTOR Igor Vulje Deliver: 1. Y 2. X 3. Stationery, here.