AZOP (Croatia) - Decision of 28 August 2019

From GDPRhub
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 4(1) GDPR
Article 5(1) GDPR
Article 6(1) GDPR
Article 17(1)(d) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Article 100 Budget Act
Article 12(5) Budget Act
Article 27 Ordinance on Financial Reporting in Budget Accounting
Article 7(2) Ordinance on Financial Reporting in Budget Accounting
Article 13 Ordinance on Financial Reporting in Budget Accounting
Article 14 Ordinance on Financial Reporting in Budget Accounting
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 28.08.2019
Fine: None
Parties: Health Center
National Case Number/Name: Decision of 28 August 2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: tom_vranovic

The Croatian DPA ordered the controller to comply with the data subject's erasure request, because it unlawfully published the data subject's personal data on their website, in violation of Article 5 and Article 6 GDPR.

English Summary

Facts

The controller is a health clinic that has been in an ongoing legal dispute with the data subject (for reasons not stated in the decision). The data subject requested that the controller erase her personal data, because her name and surname had been published in a document called "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018", which was publicly available on the controller's website. The controller refused to comply with the request, so the data subject filed a complaint with the DPA.

The Croatian DPA (AZOP) asked the controller to state the legal basis and purpose of the processing, and why it had refused to comply with the data subject's request. The controller stated that it had a legal obligation to publish the personal data: according to national law, it was obliged to publish its annual financial statements on its website and, as part of this obligation, to publish notes giving further explanation of the financial data. These notes were the above-mentioned document. Since the controller and the data subject were in a legal dispute, and ongoing disputes must be listed in these notes, the controller claimed that it had to publish the data subject's personal data.

Holding

The DPA upheld the data subject's complaint.

The DPA considered that, under national law, the controller is obliged to publish an annual financial statement with supplementary notes that explain, inter alia, the controller's ongoing legal disputes. However, the national legislation does not require these notes to contain the names and surnames of the parties to a dispute; a description of the dispute suffices. Hence, the DPA concluded that the controller had no legal basis to publish the data subject's personal data, in violation of Articles 5, 6 and 25 GDPR. It ordered the controller to comply with the data subject's erasure request pursuant to Article 17(1)(d) GDPR, and to take appropriate measures to protect personal data so that the document is not searchable via Google search.

Comment

The DPA stated that the controller (also) violated Article 25 GDPR because it published the data subject's personal data on its website without a legal basis. Unfortunately, the legal reasoning is unclear. One can assume that the controller neglected to implement appropriate technical and organisational measures to ensure adherence to data protection principles, such as the principle of data minimisation. However, a violation of (one of) these principles does not necessarily lead to a violation of Article 25 GDPR, and it thus remains unclear which measures the controller had neglected to implement.

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

REPUBLIC OF CROATIA
PERSONAL DATA PROTECTION AGENCY
CLASS: 
REGISTRATION NUMBER: 
Zagreb, 28 August 2019 
The Personal Data Protection Agency, pursuant to Articles 57(1) and 58(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119 (hereinafter: the General Regulation), Art. of the Act Implementing the General Data Protection Regulation (Official Gazette, No. 42/18), and Article 42, paragraphs 1 and 2 and Article 96, paragraph 1 of the General Administrative Procedure Act (Official Gazette 47/09), upon the request of xy for protection of rights 
RESOLUTION 
1. The request of xy concerning a violation of the right to protection of personal data is founded. 
2. It is established that the publication of the name and surname of xy in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018", published on the website of the Health Center, constituted processing of personal data contrary to Articles 5 and 6 of the General Data Protection Regulation. 
3. The Health Center is ordered to delete the personal data of xy, and of all other natural persons listed in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018" published on the website of the Health Center, all in accordance with Article 17, paragraph 1 (d) of the General Data Protection Regulation. 
Statement of reasons 
The Agency for Personal Data Protection (hereinafter: the Agency) received a request from xy (hereinafter: the applicant) stating that, through the publication of her personal data in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018", published on the website of the Health Center, her right to the protection of personal data was violated. 
The request is founded. 
Acting upon the received request, the Agency requested a statement from the Health Center on the availability of the applicant's personal data, more precisely on the legal basis and purpose of publishing the applicant's personal data. 
The Health Center stated that, as a budget obligor, it is obliged in accordance with Article 12, paragraph 5 of the Budget Act and Article 27 of the Ordinance on Financial Reporting in Budget Accounting to publish its annual financial statements on its website no later than 8 days from the date of their submission. It further stated that, in accordance with Article 7, paragraph 2 of the said Ordinance, the financial report of budget users of the state budget for the financial year consists of the Balance Sheet, the Statement of Income and Expenditure, Receipts and Expenditures, the Statement of Expenditures by Functional Classification, the Statement of Changes in the Value and Volume of Assets and Liabilities, and the Notes. It also stated that, in accordance with Article 13 of the same Ordinance, the Notes supplement the data in the financial report, and that, in accordance with Article 14, the mandatory notes to the Balance Sheet are a list of contractual relationships and the like that meet certain conditions, and a list of ongoing litigation. As the Health Center had brought proceedings against the applicant, it was obliged to state this in the Notes. 
The General Data Protection Regulation stipulates in Article 4(1) that personal data means any information relating to an identified or identifiable natural person, and that an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
Pursuant to Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation), personal data must be: processed lawfully, fairly and in a transparent manner in relation to the data subject (principle of lawfulness, fairness and transparency); collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle); adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation principle); accurate and, where necessary, kept up to date (accuracy principle); kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation principle); and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (principle of integrity and confidentiality). 
Article 6 of the General Data Protection Regulation stipulates that processing is lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes; processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for compliance with a legal obligation to which the controller is subject; processing is necessary in order to protect the vital interests of the data subject or of another natural person; processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. 
Article 17 of the General Data Protection Regulation stipulates that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the listed grounds applies, inter alia, that the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. 
Article 25 of the General Data Protection Regulation stipulates that, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible, without the individual's intervention, to an indefinite number of natural persons. 
The Budget Act (Official Gazette, Nos. 87/08 and 136/12, 15/15), more precisely Article 12, paragraph 5, stipulates that local and regional self-government units, budgetary and extra-budgetary users publish annual financial reports on their website no later than eight days from the date of their submission. 
The Ordinance on Financial Reporting in Budget Accounting (Official Gazette, Nos. 03/15, 93/15, 135/15, 2/17, 28/17, 112/18), adopted pursuant to Article 100 of the Budget Act, stipulates that the Notes supplement the data in the financial statements. Notes can be descriptive, numerical or combined. They are marked with ordinal numbers with reference to the AOP code of the report item to which they refer. The mandatory Notes to the Balance Sheet are: 1. a list of contractual relations and the like which, subject to the fulfilment of certain conditions, may become liabilities or assets (letters of credit, mortgages, etc.), and 2. a list of ongoing litigation. The list of ongoing litigation referred to in paragraph 1 of this Article must contain a summary description of the nature of the dispute, an assessment of the financial impact that may arise from the litigation as a liability or asset, and the estimated time of outflow or inflow of funds. Units of local and regional self-government, budgetary and extra-budgetary users publish annual financial reports on their websites no later than eight days from the day of their submission (Articles 13 and 14). 
Following the above, in this administrative matter it was determined that the personal data of the applicant, namely her name and surname, are publicly available on the official website of the Health Center in the document "Notes to the financial statements for the period from 1.1.2018 to 31.12.2018", and that the said document was published in accordance with Article 12 of the Budget Act and Article 27 of the Ordinance on Financial Reporting in Budget Accounting. Pursuant to Articles 13 and 14 of the aforementioned Ordinance, the Notes are a supplement to the financial report, and part of the mandatory Notes is a list of ongoing litigation. However, the mentioned special Act and the Ordinance adopted on the basis thereof do not state that the list of disputes must contain the name and surname of the person or persons against whom the budget user is conducting a dispute, but stipulate that the list should contain a concise description of the nature of the dispute, an assessment of the financial impact that may arise from the dispute as a liability or asset, and the estimated time of outflow or inflow of assets.
Therefore, the Health Center had a legal basis for publishing this document on its website, but there is no legal basis and no legal purpose for publishing the personal data of the applicant or of the other natural persons with whom the Health Center is litigating. Publishing personal data without a legal basis is contrary to Articles 5, 6 and 25 of the General Data Protection Regulation. Therefore, the Health Center, as the controller, is ordered to act in accordance with the provisions of the General Data Protection Regulation when processing personal data that are processed and published in documents, to delete the personal data of the applicant and of all other persons listed in the document in accordance with Article 17, paragraph 1 (d), and to take appropriate measures to protect personal data so that the document is not searchable via Google search. 
Following the above, it was decided as in the operative part of the Decision. 
INSTRUCTIONS ON LEGAL REMEDY 
No appeal is allowed against this decision, but an administrative dispute may be initiated before the Administrative Court within 30 days from the day of delivery of the decision. 
DIRECTOR 
Anto Rajkovača