AZOP (Croatia) - Decision of 31 May 2022
|Relevant Law:||Article 25 GDPR, Article 32 GDPR|
|National Case Number/Name:||Decision of 31 May 2022|
|European Case Law Identifier:||n/a|
|Original Source:||AZOP (in HR)|
The Croatian DPA determined that a school violated Articles 25 and 32 GDPR by losing the master diploma and exam certificate of a former student.
English Summary
Facts
The data subject asked their former school (the controller) for a certified copy of their master diploma and of the certificate of the passed master exam. Although the controller was obliged to keep records of former students, it informed the data subject that their file was missing and that the request could not be fulfilled. The data subject therefore filed a complaint with the Croatian DPA, claiming a breach of their right to personal data protection. While establishing the facts of the case, the DPA found that the controller had lost the documentation in 2019, when, because of weather damage (leaks and flooding), the school had to relocate to other buildings.
Holding
First, the DPA recalled that, under Articles 25 and 32 GDPR, controllers must implement appropriate technical and organisational measures to ensure the security of personal data processing and to prevent accidental loss or destruction of the data.
In the present case, the controller lost the requested documents while renovating and relocating equipment and furniture to another building. The DPA therefore found that the controller had failed to respect the principle of integrity and confidentiality of personal data processing.
The DPA held that appropriate measures should have been adopted, such as keeping files containing personal data separate from other documents. It added that, especially in the education sector, it is important to continuously maintain and update the security of personal data processing and to ensure the safe disposal of any personal data that is no longer needed.
In conclusion, the DPA found that the controller violated Articles 25 and 32 GDPR by not adopting appropriate measures to prevent the loss of documentation containing the data subject's personal data.
Comment
In this case, the Croatian DPA did not explain which specific corrective powers under Article 58(2) GDPR it used.
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
REPUBLIC OF CROATIA
PERSONAL DATA PROTECTION AGENCY
CLASS: NUMBER:
Zagreb, 31 May 2022

The Personal Data Protection Agency, OIB: 28454963989, on the basis of Article 57(1) and Article 58(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the General Data Protection Regulation), OJ EU 119, Article 34 of the Act on the Implementation of the General Data Protection Regulation (Official Gazette No. 42/18), and Articles 41 and 96 of the General Administrative Procedure Act (Official Gazette No. 47/09 and 110/21), regarding the request of xy to determine a violation of the right to personal data protection, issues the following

DECISION

1. The request of xy to establish a violation of the right to personal data protection is well founded.
2. It is established that, by the loss/disappearance of documentation, more specifically the Diploma of the passed master's exam No.: ... of ... and the Certificate of the title of master butler NUMBER: ..., registry book No.: ..., of ... 2005, from the file of the Secondary Vocational School xx, which contains the personal data of xy, the Secondary Vocational School xx, as controller of personal data processing, violated Article 25 and Article 32 of the General Data Protection Regulation.
3. The Secondary Vocational School xx, as controller of personal data processing, is ordered to take appropriate technical and organisational measures to protect personal data in its daily business, with the aim of protecting the personal data of data subjects from loss, in accordance with Article 25 and Article 32 of the General Data Protection Regulation.

REASONING

The Personal Data Protection Agency (hereinafter: the Agency) received a request from xy (hereinafter: the applicant) to determine a violation of the right to personal data protection, in which the applicant essentially states that he learned that his file at the xx school (hereinafter: the School) is missing his certified copy of the Diploma of the passed master's exam, as well as the Certificate of the title of master butler, which the applicant submitted to the School in 2005.

The request is well founded.

Acting on the above request, the Agency, for the purpose of accurately and completely establishing the factual situation in this administrative matter, requested from the School a statement as to whether the applicant's file contains a copy of the certified Diploma of the passed master's exam and the Certificate that the applicant claims to have submitted to the School in 2005. The School was also asked to state what personal data protection measures it takes, in accordance with Articles 25 and 32 of the General Data Protection Regulation, with regard to the protection of the personal data of its employees.

The Agency received a statement from the School in which it states that the director, as the person authorised to represent the School, is familiar with the applicant's petitions. The School also states that, as a result of supervision by the educational inspectorate at the beginning of the year, it found that the employee's file lacks a certified copy of the Diploma of the passed master's exam No.: ... of ... 2005, as well as the Certificate of the master butler qualification NUMBER: ..., registry book No.: ..., of ... 2005.

In this regard, the statement says that the applicant was contacted and then submitted the original Diploma and Certificate to the School, which were copied and placed in the file in the presence of the employee, with the note "09.02.2022 - the copy is identical to the original" and the seal of the School and the signature of the person standing in for the secretary until the secretary's return from maternity/parental leave. Furthermore, the School states that it stores the personal data of employees in folders (personal files) in an iron cabinet with a key held only by the director and the secretary. The remaining documentation of former employees, as well as tender documentation and School documentation from previous years, is kept in wooden cabinets with a key. The School also states that this is the first case of missing documentation in a personnel file. The School further states that in 2019, due to weather conditions, there were leaks and flooding in all rooms of the School building and that it was distributed among several neighbouring schools, so it is possible that the documentation was lost during the renovation and relocation of equipment and furniture.

Following on from the above, we point out that since 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ EU 119, applies directly in all Member States of the European Union, including the Republic of Croatia, in the area of personal data protection, and the Personal Data Protection Agency is responsible for its application and implementation.

Article 4(1) of the General Data Protection Regulation stipulates that personal data means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Pursuant to Article 4(2) of the General Data Protection Regulation, processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Article 5 of the General Data Protection Regulation stipulates that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject, collected for specified, explicit and legitimate purposes, adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimisation), accurate and, where necessary, kept up to date, and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (principle of integrity and confidentiality).

Reference must also be made to Article 6(1) of the General Data Protection Regulation, which stipulates that processing of personal data is lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes; processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for compliance with a legal obligation to which the controller is subject; processing is necessary in order to protect the vital interests of the data subject or of another natural person; processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Article 25(2) of the General Data Protection Regulation prescribes that the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

Article 32(2) of the General Data Protection Regulation stipulates that, in assessing the appropriate level of security, the controller and processor shall take into account in particular the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

In this administrative matter, it was established that the applicant's file is missing certain documentation containing the applicant's personal data, more precisely a certified copy of the Diploma of the passed master's exam Number: ... of ... 2005, as well as the Certificate of the acquired title of master butler URNUMBER: ..., registry book No.: ..., of ... 2005. This follows from the submitted statement of the School, as controller, in which it states that the relevant documentation is missing from the applicant's file. From the established factual situation, it is clear that documents containing the applicant's personal data were lost. In this regard, the School, as controller, states in its submitted statement that it is possible that the documentation was lost during the renovation and relocation of equipment and furniture due to weather conditions. Also, on the basis of the documentation collected in the procedure, it was established that the School, as controller, did not respect the principle of integrity and confidentiality of personal data processing, on the basis of which it was obliged to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organisational measures.

Also, the School, as controller, is obliged, in accordance with the rules on the security of personal data processing, to take appropriate technical and organisational measures to prevent unauthorised interference in data processing procedures, and from the specific case it can be concluded that it did not act in accordance with the above.

As a result of these findings, we point out the need to undertake and continuously implement appropriate organisational and technical measures for the protection of personal data under Article 25 and Article 32 of the General Data Protection Regulation. In the specific case, we point above all to the need for continuous training of persons employed in the processing of personal data, primarily regarding the obligation to safely dispose of and process personal data in such a way that every possibility of loss/disappearance of documentation containing employees' personal data is reduced to the minimum possible measure. Also, the School, as controller, is obliged to introduce organisational measures to protect personal data, for example by separating documentation containing the personal data of data subjects, as natural persons, from documentation that does not contain such data. It would also be advisable to keep records when issuing certain documents at the request of data subjects, as natural persons. In addition, the School, as controller, is obliged, in the course of work activities in which certain documents containing the personal data of data subjects are transferred, to act with increased attention, so that there is no risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Precisely for the above reasons, it was determined in the administrative procedure conducted that the School, as controller, did not take appropriate measures to protect the applicant's personal data, which resulted in the loss/disappearance of the applicant's documentation, thereby violating the provisions of Articles 25 and 32 of the General Data Protection Regulation. Due to the above circumstances, it was decided as stated in the operative part of the Decision.

LEGAL REMEDY: An appeal against this Decision is not permitted, but an administrative dispute may be initiated by filing a lawsuit before the Administrative Court in Osijek within 30 days of the date of delivery of this Decision.

DEPUTY DIRECTOR
Igor Vulje