AZOP (Croatia) - Decision 29-06-2022 (Center for Social Welfare)

From GDPRhub
Revision as of 12:46, 16 September 2022 by Ea (talk | contribs)
AZOP - Decision of 29 June 2022 - Center for Social Welfare
LogoHR.png
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 5 GDPR
Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 29.06.2022
Published: 15.09.2022
Fine: n/a
Parties: Centre for Social Welfare
National Case Number/Name: Decision of 29 June 2022 - Center for Social Welfare
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: n/a

The Croatian DPA reprimanded the Center for Social Welfare for violating Articles 5 and 6 GDPR by publishing its employees' personal data on its bulletin board.

English Summary

Facts

In March 2022, the Center for Social Welfare (the controller) published a decision on using remaining annual leave for 2021 on its bulletin board. It included the first and last names and the number of used and remaining holidays of the data subject and other of the controller's employees.

The data subject alleged that they did not give consent to this publication. Therefore, the data subject filed a complaint at the Croatian DPA.

Holding

The DPA held that the controller did not prove the existence of a valid legal basis for the publication of employees' personal data on the bulletin board.

First, in holding that the controller could not have used its legitimate interests as a legal basis, the DPA pointed out that the controller failed to carry out a proportionality test which should consider a number of factors to ensure that the interests and fundamental rights of data subjects are taken into account.

Second, the DPA held that the controller was not under a legal obligation to process these data. Despite reference being made to Article 29 of the Croatian Labour Act, the DPA found that this Article does not, in fact, prescribe the publication of this data.

Consequently, the DPA held that the controller violated Articles 5 and 6 GDPR. It ordered the controller to stop further processing of any personal data of the data subject or other employees on its bulletin board without a valid legal basis.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.


1
REPUBLIC OF CROATIA
PROTECTION AGENCY
PERSONAL DATA
CLASS:
NUMBER:
Zagreb, June 29, 2022.
Personal Data Protection Agency OIB: 28454963989 based on Article 57 paragraph
1 and 58 paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on
the protection of individuals in connection with the processing of personal data and the free movement of such data
and repealing Directive 95/46/EC (General Data Protection Regulation) SLEU L119
(hereinafter: General Regulation), Articles 34 of the Act on the Implementation of the General Regulation on Protection
data ("Official Gazette", number: 42/2018), Article 41 and Article 96 of the Law on General
administrative procedure ("Official Gazette", number: 47/09 I 110/21), ex officio and
in connection with the request to determine the violation of the right to the protection of personal data, xy makes the following
SOLUTION
1. Request xy to establish a violation of the right to personal data protection is founded.
2. It is established that by processing the personal data of the applicant xy in such a way that
was announced by the Center for Social Welfare as an employer on the Center's bulletin board
Decision on the schedule of using the remaining annual leave for 2021
CLASS: ..., NUMBER: ... from March 2022 with personal data xy, u
scope of their first and last name/initials, number of remaining days of the year
holidays and periods of use, all without a legitimate (justified) purpose and legal
basis, i.e. contrary to the provisions of Articles 5 and 6 of the General Regulation on Data Protection.
3. The Center for Social Welfare is prohibited from any further processing of personal data,
that is, the publication of personal data of the applicant, as well as other employees
of the Center for Social Welfare on the notice board of the Center without the existence of a legal basis i
legitimate (justified) purposes in the sense of Articles 5 and 6 of the General Data Protection Regulation.
Form layout
The Agency for the Protection of Personal Data (hereinafter: the Agency) received a request for
determination of violation of the right to protection of personal data xy (hereinafter: the applicant)
in which the applicant essentially states that she is the director of the Center for Social Welfare
2
(hereinafter referred to as: Center) on ... March 2022 posted the Decision on the notice board
using his annual leave with his personal data without having given his own as described
consent/consent.
With the request for establishing a violation of the right to the protection of personal data, the applicant
of the request submitted a photo of the Schedule Decision to the Personal Data Protection Agency
of using the remaining annual leave for 2021, which contains his personal data,
as well as the data of other employees of the Center.
The request is founded.
Bearing in mind the allegations from the received request for determining the violation of the right to protection
personal data, in accordance with its powers, the Agency requested from the Center for Social Welfare
statement on the legal basis and legal purpose of the public announcement, i.e. the availability of the Decision on
the use of annual leave, which contains the personal data of the applicant, as well as others
employees of the Center in the scope of their first and last name, the number of remaining days of the year
rest and periods of use of the same.
Further to the above, the Center for Social Welfare in the statement submitted to this
She states to the Agency that on ... March 2022, the director of the Center for Social Welfare
passed the Decision on the schedule of use of the remaining annual leave for the year 2021 CLASS:
..., URBROJ: ... from ... March 2022. Furthermore, in the statement, they state that the Decision contains
first and last name of the employee, without specifying the OIB, address or other personal data of the employee, a
in particular, it does not contain any special categories of employee personal data. It's everyone's decision
delivered to the employees of the Center in such a way that it was published on the notice board. In this regard, in
statement, they state that the Decision was originally published on the Center's bulletin board in its entirety
form, but it was removed from the bulletin board and an anonymized version of it was created, which is
then posted on the bulletin board. Furthermore, in the statement, they state that the legal basis is
on the basis of which the Decision was published in an anonymized form on the notice board of the Center
the legitimate interest of the employer, who is obliged to inform all employees in a legally secure manner
schedule of using annual leave, and which obligation of the employer also constitutes the purpose of this
processing of personal data.
First of all, it should be noted that from May 25, 2018, in the Republic of
In Croatia, Regulation (EU) 2016/679 of the European Parliament is directly and bindingly applied
of the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and on
free movement of such data and repealing Directive 95/46/EC (General
data protection regulation) SL EU L119.
The General Data Protection Regulation in Article 4, Paragraph 1, Point 1 stipulates that they are personal
data all data relating to an individual whose identity has been determined or can be determined, a
an individual whose identity can be established is a person who can be identified directly or
indirectly, especially with the help of identifiers such as name, identification number, information about
location, network identifier or with the help of one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that individual.
3
Pursuant to Article 5 of the General Data Protection Regulation, personal data must be: (a)
lawfully, fairly and transparently processed with respect to the data subject ("lawfulness, fairness,
transparency"); (b) collected for specific, express and lawful purposes and may not be further
process in a way that is inconsistent with those purposes ("purpose limitation"); (c) appropriate,
relevant and limited to what is necessary in relation to the purposes for which they are processed ("reduction
amount of data"); (d) accurate and as necessary up-to-date; every reasonable measure must be taken
in order to ensure that personal data that are not accurate, taking into account the purposes for which
process, delete or correct without delay ("accuracy"); (e) stored in a form that enables
identification of the respondent only for as long as is necessary for the purposes for which it is personal
data processing ("storage limitation"); (f) processed in the manner in which it is secured
adequate security of personal data, including protection against unauthorized or illegal access
processing and from accidental loss, destruction or damage by applying appropriate technical or
organizational measures ("integrity and confidentiality").
Furthermore, in accordance with Article 6 of the General Data Protection Regulation, processing is only lawful
if and to the extent that at least one of the following is met: (a) the subject has given consent
to process your personal data for one or more specific purposes; (b) processing is necessary for
execution of a contract to which the respondent is a party or to take action upon request
of the respondent before the conclusion of the contract; (c) processing is necessary to comply with the controller's legal obligations
processing; (d) processing is necessary to protect the key interests of the data subject or other natural person;
(e) processing is necessary for the performance of a task of public interest or in the exercise of official authority
processing manager; (f) the processing is necessary for the legitimate interests of the controller or a third party
parties, except when those interests are stronger than the interests or fundamental rights and freedoms of the respondents who
require the protection of personal data.
The Labor Law ("Official Gazette", number: 93/14, 127/17, 98/19) regulates working
relations in the Republic of Croatia, if by another law or international agreement, which is
concluded and confirmed in accordance with the Constitution of the Republic of Croatia, and published, which is in force,
not otherwise specified.
In addition, in accordance with Article 29 of the Labor Act, the personal data of workers is permitted
collect, process, use and deliver to third parties only if this is determined by this or
by another law or if it is necessary to exercise rights and obligations from the employment relationship,
that is, in connection with the employment relationship. If personal data from paragraph 1 of this article is necessary
collect, process, use or deliver to third parties in order to exercise rights and obligations
from the employment relationship, i.e. in connection with the employment relationship, the employer must in advance by regulation
about work to determine which data will be collected, processed, used or delivered to third parties for this purpose
persons.
On the basis of Article 5, paragraph 4 of the Labor Law, the Rulebook on content and method was adopted
on keeping records on workers (Official Gazette, no. 73/17), which prescribes the content of the records
on workers and working hours that the employer is obliged to manage, the way of management and time management
the period of keeping the relevant records. Article 5 paragraph 3 of the cited Ordinance stipulates
4
is how records of workers can be kept in written or electronic form, while in
Article 8 of the cited Ordinance stipulates that the record of working hours contains between
among other things, data on hours of vacation (daily, weekly and annual).
As a result of the above, in this administrative matter it was determined that the Center for Social Welfare
made a Decision on the schedule of using the remaining vacation for 2021 CLASS:
..., URBROJ: ... from ... March 2022, which contains the personal data of xy, as well as the others
employees in the scope of their first and last name, number of remaining vacation days and
of the period of use of the same which was originally published on the notice board of the Center in above
in the described form, after which it was removed and published again in an anonymized form
(instead of the first and last names, the initials of the employees of the Center are given).
In this regard, we indicate how to publish the above-mentioned personal data of the applicant
requests and other employees of the Center, we do not find a foothold in the provisions of special regulations that
regulate the field of labor relations (Labour Act, Rulebook on content and management
employee records). Namely, the mentioned Labor Law, which represents as a separate regulation
the legal basis for the processing of the employee's personal data in the sense of Article 6.1. c) General regulations on
data protection, does not prescribe the publication of the said personal data. Also, the Ordinance on
content and method of keeping records on workers does not prescribe the publication/making available
records of working hours, but only in the provisions of Article 5, paragraph 3, it is prescribed that the same
records can be kept in written or electronic form.
Regarding the subsequent publication of the Center's Decision in anonymized form on the bulletin board,
in this regard, we state that the Center, as a data controller, has not proven the existence of a legitimate purpose
and the legal basis for its publication, i.e. the same refers to a legitimate interest as a legal basis,
while ignoring that it is first of all when we talk about legitimate/legal interest
it is necessary to carry out a proportionality test in which a number of factors need to be taken into account
to ensure that the interests and fundamental rights of persons whose data are processed are taken into account.
Therefore, we hold that in this administrative matter the Center did not prove the existence of a legitimate/legal
interest in the processing of personal data of the applicant and other employees (as it is called
in the submitted statement) taking into account article 6.1. f) General regulations (he did not submit the test
proportionality). Likewise, it does not follow from the Center's statement that it was able to prove it
legality of processing based on legitimate/legal interest with regard to the exercise of rights
employees on annual leave, which derive from special regulations (Labor Act).
In this regard, from all of the above, i.e. respecting the special regulations mentioned above
which regulate the matter in question, we hold that the reasons given by the Center in the submitted
statement (that he is obliged to familiarize all employees with the schedule in a legally secure manner
of using annual leave, and which obligation of the employer also constitutes the purpose of such processing
personal data) there can be no justified reason for the publication of personal data/initials related
for the use of annual leave on the notice board of the Center, but on the contrary we hold that in concrete
case, as explained above, the provisions on transparency and fair and
lawful processing of personal data according to the General Data Protection Regulation (especially having in
see the availability of said personal data to a large number of uninterested persons).
5
Precisely for the above-mentioned reasons, this Agency established in this administrative procedure
as in the specific case for the processing of personal data of the applicant and others
employee there is no legal basis and legitimate (justified) purpose in the sense of Articles 6 and 5 of the General
regulations on data protection.
Due to the aforementioned circumstances, it was decided as in the Proclamation of the Decision.
LEGAL REMEDY:
An appeal against this decision is not allowed, but an administrative dispute can be initiated through a lawsuit
before the Administrative Court within 30 days from the date of delivery of this decision.
DEPUTY DIRECTOR
Igor Vulje