AZOP (Croatia) - Decision 28-08-2019: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Croatia |DPA-BG-Color= |DPAlogo=LogoHR.png |DPA_Abbrevation=AZOP (Croatia) |DPA_With_Country=AZOP (Croatia) |Case_Number_Name=Decision of 28 A...")
 
(→‎Facts: Restructured summary, and added some details and the comment)
}}


DPA held that data controller(s) must have a legal basis to process data subject personal information. If there is none, data controller(s) must comply with data subject's request to erase its personal data and delete them without undue delay.  
The Croatian DPA (AZOP) ordered the controller to comply with the data subject's erasure request, because it unlawfully published the data subject's personal data on their website, in violation of [[Article 5 GDPR#|Article 5]] and [[Article 6 GDPR]].  


== English Summary ==


=== Facts ===
Data subject requested from the Health Center erasure of its personal data published in a note of the official financial statement which was published on the Health Centre's web page. Health Center refused to erase the Data Subject's personal data justifying that it was its legal obligation to publish all judicial proceedings that are still pending a court decision.  
The controller is the Health Center (a health clinic) and had indicted the data subject (for unknown reasons). The data subject requested the Health Center to erase her personal data because her name and surname were published in a document called "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018". This document was publicly available on the controller's website. The controller refused to comply with the data subject's request, so the data subject filed a complaint with the DPA.  


Upon refusal to erase its personal data, Data Subject filled a complaint with the DPA.
The DPA requested the controller to stipulate the legal basis and purpose of the processing, and why they refused to comply with the data subject's request. The controller stated that it had a legal obligation to publish the personal data. They explained that, according to national law, they were obligated to publish annual financial statements on its website. Moreover, as part of this obligation, they must also publish details that provide further explanation to the financial data. These details were published in the above-mentioned document. Since the controller and the data subject were in a legal dispute, and information on disputes must be published in these financial notes, the controller claimed that it had to publish the data subject's personal data.


=== Holding ===
DPA reasoned that Health Center can lawfully process personal data only if one of the basis laid down in Article 6(1) is met. Considering the lawfulness, DPA concluded that the Budget Law and its By-laws do grant the right to Health Center to publish all judicial proceedings still pending a decision. However, they do not require nor impose that personal information of the parties has to be published as well. Therefore, the DPA concluded that Health Center did not have a legal basis to process the personal information of the Data Subject and has ordered the Health Center to comply with the Data Subject's request and erase its personal data.  
The DPA upheld the data subject's complaint.  
 
The DPA considered that it follows from national law that the controller is obligated to publish an annual financial statement, with supplementary notes that provide further explanation on, inter alia, the controller's ongoing legal disputes. However, the national legislation does not prescribe that these notes must contain the name and surname of the parties in the dispute, since a description of the dispute suffices. Hence, the DPA concluded that the controller had no legal basis to publish the data subject's personal data, in violation of [[Article 5 GDPR#|Article 5]], [[Article 6 GDPR|Article 6]], and [[Article 25 GDPR]]. It ordered the controller to comply with the data subject's erasure request pursuant to [[Article 17 GDPR#1|Article 17(1)(d) GDPR]], and to take appropriate measures to protect personal data to ensure that the document is not searchable via Google search.  


== Comment ==
''Share your comments here!''
The DPA stated that the controller (also) violated [[Article 25 GDPR]] because they published the data subject's personal data on their website, without a legal basis. Unfortunately, the legal reasoning is unclear. One can assume that the controller neglected to implement appropriate technical and organisational measures that ensure adherence to data protection principles, such as the principle of data minimisation. However, a violation of (one of) these principles does not necessarily lead to a violation of [[Article 25 GDPR]], and it is thus unclear what measures the controller had neglected to implement.


== Further Resources ==

Revision as of 10:25, 15 March 2022

AZOP (Croatia) - Decision of 28 August 2019
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 4(1) GDPR; Article 5(1) GDPR; Article 6(1) GDPR; Article 17(1) GDPR; Article 25(1) GDPR; Article 25(2) GDPR; Article 100 Budget Act By-law; Article 12(5) Budget Act
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 28.08.2019
Fine: None
Parties: Health Center
National Case Number/Name: Decision of 28 August 2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: tom_vranovic

The Croatian DPA (AZOP) ordered the controller to comply with the data subject's erasure request, because it had unlawfully published the data subject's personal data on its website, in violation of Article 5 and Article 6 GDPR.

English Summary

Facts

The controller is the Health Center (a health clinic), which had indicted the data subject (for unknown reasons). The data subject requested the Health Center to erase her personal data because her name and surname were published in a document called "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018". This document was publicly available on the controller's website. The controller refused to comply with the data subject's request, so the data subject filed a complaint with the DPA.

The DPA requested the controller to specify the legal basis and purpose of the processing, and why it had refused to comply with the data subject's request. The controller stated that it had a legal obligation to publish the personal data. It explained that, according to national law, it was obligated to publish its annual financial statements on its website. Moreover, as part of this obligation, it must also publish details that further explain the financial data. These details were published in the above-mentioned document. Since the controller and the data subject were in a legal dispute, and information on disputes must be published in these financial notes, the controller claimed that it had to publish the data subject's personal data.

Holding

The DPA upheld the data subject's complaint.

The DPA considered that it follows from national law that the controller is obligated to publish an annual financial statement, with supplementary notes that provide further explanation on, inter alia, the controller's ongoing legal disputes. However, the national legislation does not prescribe that these notes must contain the name and surname of the parties in the dispute, since a description of the dispute suffices. Hence, the DPA concluded that the controller had no legal basis to publish the data subject's personal data, in violation of Article 5, Article 6, and Article 25 GDPR. It ordered the controller to comply with the data subject's erasure request pursuant to Article 17(1)(d) GDPR, and to take appropriate measures to protect personal data to ensure that the document is not searchable via Google search.

Comment

The DPA stated that the controller (also) violated Article 25 GDPR because they published the data subject's personal data on their website, without a legal basis. Unfortunately, the legal reasoning is unclear. One can assume that the controller neglected to implement appropriate technical and organisational measures that ensure adherence to data protection principles, such as the principle of data minimisation. However, a violation of (one of) these principles does not necessarily lead to a violation of Article 25 GDPR, and it is thus unclear what measures the controller had neglected to implement.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

REPUBLIC OF CROATIA
PERSONAL DATA PROTECTION AGENCY
CLASS:
REGISTRATION NUMBER:
Zagreb, 28 August 2019
The Personal Data Protection Agency, pursuant to Article 57(1) and Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119 (hereinafter: General Regulation), Article 34 of the Act Implementing the General Data Protection Regulation (Official Gazette No. 42/18), and Article 42, paragraphs 1 and 2, and Article 96, paragraph 1 of the General Administrative Procedure Act (Official Gazette No. 47/09), acting upon the request of xy for protection of rights, issues the following
RESOLUTION
1. The request of xy concerning a violation of the right to the protection of personal data is well founded.
2. It is established that, by publishing the name and surname of xy in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018", which was published on the website of the Health Center, personal data was processed contrary to Articles 5 and 6 of the General Data Protection Regulation.
3. The Health Center is ordered to delete the personal data of xy, and of all other natural persons listed in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018" which was published on the website of the Health Center, all in accordance with Article 17(1)(d) of the General Data Protection Regulation.
Reasoning
The Personal Data Protection Agency (hereinafter: the Agency) received a request from xy (hereinafter: the applicant) stating that, by publishing her personal data in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018", which is published on the website of the Health Center, a violation of her personal data occurred.

The request is well founded.

Acting upon the received request, the Agency requested a statement from the Health Center on the availability of the applicant's personal data, in particular on the legal basis and purpose of the publication of the applicant's personal data.
The Health Center stated that, as a budget user, it is obligated in accordance with Article 12, paragraph 5 of the Budget Act and Article 27 of the Ordinance on Financial Accounting to publish its annual financial statements on its website no later than 8 days from the date of their submission. It further states that, in accordance with Article 7, paragraph 2 of the said Ordinance, the financial report of budget users of the state budget for the budget year consists of the Balance Sheet, the Statement of income and expenditure, receipts and expenditures, the Statement of expenditure according to functional classification, the report on changes in the value and volume of assets and liabilities, and the Notes. It also states that, in accordance with Article 13 of the same Ordinance, the Notes supplement the data in the financial report, and that, in accordance with Article 14, the mandatory notes to the Balance Sheet are a list of contractual relationships and the like which, subject to the fulfillment of certain conditions, may become a liability or an asset, and a list of ongoing litigation. Since the Health Center has filed an indictment against the applicant, it was obliged to state this in the Notes.
The General Data Protection Regulation stipulates in Article 4(1)(1) that personal data are all data relating to an individual whose identity has been or can be established, and that an individual whose identity can be established is a person who can be identified, directly or indirectly, in particular by means of identifiers such as a name, an identification number, location data, a network identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
In accordance with Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the General Data Protection Regulation), personal data must be: processed lawfully, fairly and transparently with respect to the data subject (principle of lawfulness, fairness and transparency); collected for specified, explicit and lawful purposes and not further processed in a way that is incompatible with those purposes (principle of purpose limitation); adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimisation); accurate and, where necessary, kept up to date (principle of accuracy); kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation principle); and processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures (principle of integrity and confidentiality).
Article 6 of the General Data Protection Regulation stipulates that processing is lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of their personal data for one or more specific purposes; processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for compliance with a legal obligation of the controller; processing is necessary in order to protect the vital interests of the data subject or of another natural person; processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
Article 17 of the General Data Protection Regulation stipulates that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and that the controller has the obligation to erase personal data without undue delay where one of the conditions is fulfilled, among other things, that the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
Article 25 of the General Data Protection Regulation stipulates that, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of individuals posed by the processing, the controller, both at the time of determining the means of processing and at the time of the processing itself, implements appropriate technical and organizational measures, such as pseudonymization, designed to enable the effective application of data protection principles, such as data minimisation, and to integrate safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. The controller implements appropriate technical and organizational measures to ensure that only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. More precisely, such measures ensure that personal data are not automatically, without the intervention of the individual, made accessible to an indefinite number of individuals.
The Budget Act (Official Gazette Nos. 87/08, 136/12 and 15/15), more precisely Article 12, paragraph 5, stipulates that local and regional self-government units and budgetary and extrabudgetary users publish their annual financial reports on their websites no later than eight days from the date of their submission.
The Ordinance on Financial Reporting in Budget Accounting (Official Gazette Nos. 03/15, 93/15, 135/15, 2/17, 28/17 and 112/18), adopted pursuant to Article 100 of the Budget Act, stipulates that the notes supplement the data in the financial statements. Notes can be descriptive, numerical or combined. They are marked with ordinal numbers with reference to the AOP code of the report item to which they refer. The mandatory Notes to the Balance Sheet are: 1. a list of contractual relationships and the like which, subject to the fulfillment of certain conditions, may become a liability or an asset (letters of credit given, mortgages, etc.), and 2. a list of pending litigation. The list of pending litigation referred to in paragraph 1 of this Article must contain a concise description of the nature of the dispute, an assessment of the financial effect that may result from the litigation as a liability or an asset, and the estimated time of the outflow or inflow of funds. Local and regional self-government units and budgetary and extrabudgetary users publish their annual financial reports on their websites no later than eight days from the date of their submission (Articles 13 and 14).
Following the above, in this administrative matter it was determined that the applicant's personal data, more precisely her name and surname, were publicly available on the official website of the Health Center in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018". It was further established that the said document was published in accordance with Article 12 of the Budget Act and Article 27 of the Ordinance on Financial Reporting in Budget Accounting. Pursuant to Articles 13 and 14 of the said Ordinance, the notes supplement the financial report, and part of the mandatory notes is a list of ongoing litigation. However, neither the above special Act nor the Ordinance adopted on its basis states that the list of disputes must contain the name and surname of the person or persons against whom the budget user is litigating; rather, it is prescribed that the list should contain a concise description of the nature of the dispute, an assessment of the financial impact that may result from the litigation as a liability or an asset, and the estimated time of the outflow or inflow of funds.

Therefore, the Health Center had a legal basis for publishing this document on its website; however, there is no legal basis or legitimate purpose for publishing the personal data of the applicant, or of all other natural persons with whom the Health Center in question is litigating, and by doing so it published personal data without a legal basis, contrary to Articles 5, 6 and 25 of the General Data Protection Regulation. Therefore, the Health Center, as the controller, is instructed to act in accordance with the provisions of the General Data Protection Regulation when processing the personal data that it processes and publishes in documents, to delete the personal data of the applicant and of all other persons listed in the document in question in accordance with Article 17, paragraph 1(d), and to take appropriate measures to protect personal data so that the document is not searchable via the Google search engine.

Following the above, it was decided as in the operative part of the Decision.
INSTRUCTIONS ON LEGAL REMEDY
No appeal is allowed against this decision, but an administrative dispute may be initiated before the Administrative Court within 30 days from the day of delivery of the decision.