IP (Slovenia) - 0600-3/2024/7
From GDPRhub
| IP - 0600-3/2024/7 | |
|---|---|
 | |
| Authority: | IP (Slovenia) |
| Jurisdiction: | Slovenia |
| Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(d) GDPR 11(3). člen ZVOP-2 |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | 06.05.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 0600-3/2024/7 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Slovenian |
| Original Source: | IP (in SL) |
| Initial Contributor: | fb |
The DPA found that a controller violated the principles of accuracy and data minimization by characterising a document as a “duplicate” and submitting it to a court even though the document contained a modified and inaccurate address of a data subject.
English Summary
Facts
In 2022, the controller transmitted some personal data of the data subject to the Court of Maribor in order to start a credit recovery proceeding. More specifically, the controller provided the Court with duplicates of payment reminders sent to the data subject.
After that, the data subject sent an access request to the controller. They wanted to know, among others, the source of the address stated in the documents provided to the Court.
The controller informed the data subject that their access request had been answered by post. The data subject argued they have not received the letter and asked for the receipt of the registered mail.
On 9 October 2023, the controller sent the information requested by the data subject by email. The controller argued that the source of the address was a termination letter for a supplementary health insurance contract signed by the data subject.
On 16 January 2024, the data subject filed a complaint with the DPA. First of all, the data subject complained their access request had not been replied properly as it was incomplete and was sent by post.
Secondly, the data subject argued they had never given that address to the controller. They pointed out that they had never lived at that address and that a landfill could be found at this address.
Moreover, the data subject believed the controller had counterfeited the documents it provided to the Court of Maribor as the date stated in the documents is prior to the day in which the controller received the alleged update about their address.
The controller noted that the contested address was registered it their Central Register of Clients (CRS) system. It reiterated that the address was modified according to the information contained in a letter the data subject sent to their insurance company to terminate their supplementary health insurance contract.
As for the falsification allegations, the controller justified the discrepancy in the date of the document transmitted to the court and the data subject's address with the fact that the document submitted to the court was a recreation of the original document labeled with the date of the original but created at a later time using the address that was collected and inserted in the controller's system in the meantime.
Holding
The DPA found that the documents contained an address that was not corresponding to the original one and that, therefore, this document cannot be considered as a “duplicate” of the original one. The DPA recalled that, according to the data minimisation principle provided for by Article 5(1)(c) GDPR, personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
According to the DPA, the controller did not use the relevant data to print the duplicate, because in order to do so it should have used the original address. Therefore, the DPA found a violation of Article Article 5(1)(c) GDPR.
Moreover, the DPA noted that the document provided to the Court of Maribor contained the wrong address and, therefore, inaccurate data. As a consequence, the DPA found a violation of the accuracy principle set by Article 5(1)(d) GDPR.
As for the allegations of the data subject that the controller had violated Article 12(3) GDPR in combination with Article 15 GDPR by not replying to their access request, the DPA held that it is not competent to ascertain this violation. It recalled that, according to Article 11(3) of the Personal Data Protection Act (Zakon o varstvu osebnih podatkov - ZVOP-2), the administrative court, and not the DPA is competent to ascertain violations that happened in the past and are not existing anymore.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
Number: 0600-3/2024/7
Date: 6/5/2024
The Information Commissioner (hereinafter: IP) issues according to the State Supervisor for the Protection of Personal Data..., on the basis of Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, no. 113/05 and 51/07 – ZustS-A, in hereinafter: ZInfP), Articles 57, 58 and 77 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in the processing of personal data and on the free flow of such data and on the repeal of Directive 95/ 46/EC (General Data Protection Regulation, hereinafter: General Regulation) and Articles 34 and 55 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 163/22; hereinafter: ZVOP-2), in the process, which was managed by the IP as a supervisory authority based on the application of the applicant with a special position, ... (hereinafter: the applicant) dated 16.1.2024 and 19.1.2024 against ... (hereinafter: the supervised operator) the following
DECISION:
1. It is established that the supervised operator... at the time of filing the applicant's application... on 19.1.2024:
a. violated the principle of accuracy in the processing of the applicant's personal data on duplicates of reminders 72430-2022, dated 12 May 2022 and no. 98094-2022 dated 8/6/2022 and interest calculations from 1/5/2022 to 8/9/2022 dated 16/1/2023 and interest calculations from 9/9/2022 to 11/10/2022 dated 16 1. 2023;
b. did not violate the applicant's right of access under Article 15 of the General Regulation.
2. Measures for the elimination of irregularities shall not be ordered to the supervised manager.
3. The applicant... shall not be restricted in reviewing the file of the case, which is kept at the IP under no. 0600-3/2024.
4. IP special costs were not incurred in this procedure, the applicant and the supervised operator bear their own costs of the procedure.
JUSTIFICATION
I. Actual situation
1. On January 16, 2024 and January 19, 2024, the IP received the application of the applicant with a special status in accordance with the provisions of Section 2, Chapter 4, PART I of the ZVOP-2 (in the above application). It follows from the application that on September 12, 2023, the applicant requested information from the controlled controller via e-mail regarding the processing of personal data that the controlled controller keeps about him on documents no. 72430-2022, dated 12 May 2022 and no. 98094-2022 of June 8, 2022, which the controlled administrator forwarded to the District Court in Maribor in connection with the recovery procedure. The applicant requested the following information: the reason for the inspection, the legal basis for the inspection, the source, date and type of personal data, to whom the supervised controller provided the inspected personal data.
2. On 9/10/2023, the supervised operator informed the applicant by e-mail that the response to his request of 12/9/2023 for information should be sent by (ordinary) mail. The applicant claims that he did not receive this reply by post, so on 6 December 2023 he sent a new request for a reply via e-mail, in which he also requested a copy of the delivery receipt. On the same day (December 6), the supervised operator sent the applicant a response by e-mail dated October 9, 2023, which in terms of content responds to the applicant's request for information.
3. On December 22, 2023, the applicant again sent an application to the controlled operator, in which he stated that the controlled operator did not submit a copy of the certificate of sent registered shipment. In this application, he also blamed the supervised administrator for not responding to his request regarding the source of obtaining his addresses on the documents, namely the address ..., which is located on the duplicate of reminder no. 98094-2022 and the duplicate reminder 72430-2022 and the address ..., which is located on the calculation of interest from 1/5/2022 to 8/9/2022 dated 16/01/2023 and on the calculation of interest from 9/9/2022 to 11/10 2022 dated 16.1.2023 (in addition to the calculation of interest).
4. On January 16, 2024, the applicant filed a report with the IP, in which he contested the statement from the supervised administrator's reply dated October 9, 2023, that he received the applicant's data on the basis of concluding a contract for supplementary insurance, because the documents state three different addresses. The applicant claims that he did not provide the address ... to the supervised administrator, which should justify the accusation that the supervised administrator edited or falsified the documents he submitted to the court. He also stated that he has never lived at the address ..., which is located on the interest calculations, and that there is a landfill at this location (according to Google maps).
5. On 19/01/2024, the applicant supplemented his application and submitted the response of the controlled operator, which he received on 18/01/2024. In this response, the controlled operator explained that the confirmation of the shipment dated 9/10/2023 cannot forward because he sent the answer by regular mail and not by registered mail. Regarding the source for obtaining the address of residence, he explained that in his CRS (Central Register of Customers) system, under the history of changes to the applicant's address of residence, he records two changes, namely:
• address: ...; date of entry: 29/11/2018 and
• address: ...; date of entry: 2/8/2022.
6. In this reply to the applicant, the supervised administrator also explained that a change was made to their CRS on August 2, 2022 based on the information received from the Letter on the usual withdrawal from supplementary health insurance (DZZ). The letter in which the applicant resigns from the DZZ at the insurance company Vzajemna was submitted by the supervised manager to the applicant in a response dated 18 January 2024 to the applicant's request for information.
7. In the reply dated 18/01/2024, the supervised operator also explained to the applicant why the new address of the applicant is found on both "duplicates" of reminders (Reminder No. 72430-2022, dated 12/05/2022 and Reminder No. 98094 -2022 of 06/08/2022), although the reminders are dated before the date when the data change is recorded in their CRS system (08/02/2022). The supervised manager explained that when preparing a printout of reminders from the insurance company's systems, the address that is recorded in the CRS at the time of the printout is printed. If the address is later changed and a copy of the reminder is created after the change, the valid address at the time of creation of the copy of the reminder is printed on the copy. If later this duplicate is printed again, the address does not change anymore, because the duplicate created for the first time is displayed. This is also confirmed by the fact that both original reminders were sent to the address..., which the controlled manager had at the time the reminders were issued, and not to the address.... The new address should be written on the reminder only when a duplicate is made (for the purposes of court proceedings). In response to the request for familiarization with his own personal data, the controlled manager also attached copies of the two original reminders to the applicant.
8. In relation to the address ..., which is indicated on the "Interest calculation" document, in the reply dated 1/18/2024, the supervised manager explained to the applicant that this address is not recorded under the name of the applicant in their systems. Regarding the document itself, he explained that it is an internal calculation that does not draw data from the CRS, but that the data was manually entered into this document. The fact that the internal calculation of interest was not sent by mail by the controlled manager, as it was an internal document, is said to confirm the statement.
9. In relation to the new statements of the controlled operator, the applicant stated in his application dated 1/19/2024 that these are not credible, that it was embezzlement of personal data and thus illegal processing, and that it is strange why mail from the controlled did not receive the manager.
10. The IP informed the applicant and the supervised manager of the essential findings in preliminary decision 0600-3/2024/3 dated 28/02/2024. to the duplicate notice 72430-2022") there is an address that does not correspond to the address on the original notice, and therefore such a document is not a "duplicate" in the usual sense of the word, which means a copy or duplicate of the original document. The IP also noted that the interest statement listed an address unrelated to the applicant. Therefore, in this part, the supervised operator violated the principle of punctuality. In the pre-decision, the IP asked the controlled operator to provide information regarding the operation of the system for printing out duplicates and if there is a valid reason that the system that allows printing out "duplicates" for printing uses data that is updated in the database in the background and therefore the printed document does not necessarily correspond to the original.
11. In relation to the issued preliminary decision, the applicant clarified in the reply dated 7/3/2024, in which he stated that the IP had incorrectly summarized the factual situation in item 2, that the reply to his request for information should have been sent by "(ordinary) mail" and that it is correct - "recommended". He also stated that the insurance company informed him of the source of the title a...
12. The supervised operator responded to the preliminary decision in a letter dated 11.3.2024, in which he stated:
- Regarding the printout of the "duplicate", he again explained the process of the printout and stated that so far he had not noticed that the solution to the preparation of the printouts was controversial, but that he had submitted a request to the information service to correct the irregularities. Regarding the elimination of irregularities, the supervised administrator proposed to replace the word "duplicate" with "Date of reprint" on the statements.
- According to the applicant's statements, the supervised manager rejected the allegation of illegal acquisition of the address..., since he obtained it on the letter of usual resignation from the DZZ on the form of Vzajemna zhodna zavarovalnica, d.d. and that he did not falsify the documents he submitted to the court.
- He also rejected the complaint of the applicant that the supervised operator did not respond to the applicant's request regarding the source and submitted electronic messages, which show how the supervised operator handled the individual's request.
- He also rejected the allegation that he did not send the answer dated 9/10/2023 and stated again that he sent it by regular mail.
- Regarding the finding that the supervised operator did not comply with the principle of accuracy when writing out data on the internal interest calculation, the supervised operator admitted that due to the human factor there was an inadequate recording of the address on this document and that he took measures to eliminate the possibility of such errors on the documents, so that from then on, only the first and last name are written on these documents.
- That he corrected the inaccuracy in the documents relating to the applicant (reprints of the warning notice and calculation of interest) and attached the corrected documents to his answer.
II. IP findings
13. The application is partially justified.
To the first a. points of the theorem
14. At the applicant's request filed on the basis of Article 30 of ZVOP-2, the IP in accordance with Article 34 of ZVOP-2 establishes a violation of regulations in the field of personal data protection, which is claimed by the applicant and which exists at the time of filing the application.
15. In the case under consideration, the applicant states that the supervised manager organized or falsified specific documents that he submitted to the court and in this way illegally processed the applicant's personal data. The complaint refers to the duplicate of reminder no. 98094-2022 and a duplicate reminder 72430-2022, on which the current address of the applicant was stated (…) and on the document the calculation of interest from 1/5/2022 to 8/9/2022 dated 16/01/2023 and on the calculation of interest from 9/9/2022 to 11/10/2022 from 16/01/2023, which contains an address that is not related to the residence of the applicant (…).
16. Regarding the record of the address on the document ..., which is on the duplicate of reminder no. 98094-2022 and the duplicate of the warning 72430-2022 (in the above of the duplicate of the warnings), the IP found that the "duplicate" of the warnings was prepared by the controlled operator by reprinting the original document from the system, while the system used information about name, surname and address, which were current at the time of the statement. The system used by the supervised operator to prepare the statement connects in the background to the Central Customer Register (CRS), where the applicant's information has changed from the time the reminder is issued to the time the "duplicate" statement is issued. Therefore, the data on the printed "duplicate" did not correspond to the data on the original document.
17. Given the factual situation established in this way, despite the applicant's assertion that it was a case of falsification of documents, the IP did not detect signs of the criminal act of falsification of documents according to Article 251 of the Criminal Code (Official Gazette of the Republic of Slovenia, No. 50/12 – official consolidated text, 54/ 15, 6/16 – cor., 38/16, 27/17, 91/20, 95/21, 105/22 – ZZNŠPP and 16/23) , therefore he did not report the matter to the police or the state prosecutor's office in accordance with Article 145 of the Criminal Procedure Act (Official Gazette of the RS, No. 176/21 – official consolidated text, 96/22 – section US, 2/23 – section US and 89/23 – dec. US; ZKP).
18. Based on the established factual situation, the IP concludes that the information written on the duplicates of the reminder do not mean a "duplicate" in the usual sense of the word, in the sense of a duplicate or a copy that is identical to the original document, therefore the processing did not correspond to the purpose (preparation of a duplicate), personal however, the data on the duplicate was not correct. In accordance with the principle of the minimum volume of data 5(1)(c) of the General Regulation, personal data must be adequate in relation to the purpose of processing. The controlled operator did not use the appropriate data for the purpose of printing out the duplicate, because in order to create the duplicate, he would have to prepare a duplicate of the original document, so such processing constitutes a violation of the principle of the minimum amount of data. The violation of the minimum amount of data was committed at the time of the creation of the duplicate and is therefore not permanent and the IP in this process cannot establish it in a sentence. As a result of this violation, the data on the duplicate is not accurate. In accordance with Article 5(1)(d) of the General Regulation, personal data must be accurate and, where necessary, updated; all reasonable steps must be taken to ensure that inaccurate personal data is deleted or corrected without delay, taking into account the purposes for which it is processed ('accuracy'). Violation of the applicant's right to the protection of personal data, which existed at the time of filing the application, is therefore a violation of the principle of accuracy of personal data on duplicates of reminders, as follows from 1.a. points of the pronouncement of this decision.
19. With regard to the title ..., which is found on the calculation of interest from 1/5/2022 to 8/9/2022 dated 16/1/2023 and on the calculation of interest from 9/9/2022 to 11/10/2022 dated 16 1. 2023 (hereinafter: the statement of interest), based on the statements of the supervised administrator, the IP concluded that there was an inadequate indication of the address due to the human factor, where the data was entered manually. The controlled operator did not state the reason for such an entry. Since there is an incorrect address on the interest statements, the supervised operator also in this regard violated the principle of accuracy of the General Regulation, which existed at the time of filing the application, as well as arising from 1.a. points of the pronouncement of this decision.
20. In this procedure, the IP did not find any other violations that existed at the time of filing the application.
To the first b. points of the theorem
21. Among other things, the applicant blames the supervised operator for not sending a response to his request on 9 October 2023. With this, the applicant asserts a violation of the deadline from Article 12(3) of the General Regulation, according to which the controller must respond to the individual no later than one month after receiving the request, unless he is informed of the extension of the deadline and the reasons for it. Since the applicant asserted the right of access to the controlled controller in accordance with Article 15 of the General Regulation, the alleged violation of the deadline in the case under consideration constitutes a violation of the right of access.
22. The applicant's claims that the supervised operator did not send the applicant a reply by post on 9 October 2023 are disputed between the parties, but the IP did not establish it in this supervision procedure, because this fact in the circumstances of the case at hand indicates a (possible) past violation , which did not (no longer) exist at the time of filing the application. The IP is not competent to determine past violations that do not exist at the time of filing the application, as the administrative court is competent to determine past violations (paragraph three of Article 11 ZVOP-2). Namely, to the applicant's repeated request of December 6, 2023, the controlled operator sent the applicant a response dated October 9, 2023 by e-mail, with which he had already familiarized himself with the applicant, and with this the consequences of a possible violation of the deadline were eliminated before submitting the application. Violation of the deadline referred to in Article 12(3) of the General Regulation was not proven in the case under consideration, therefore the IP will not initiate misdemeanor proceedings in connection with this violation (2nd indent of the fourth paragraph of Article 51 of the Act on Misdemeanors (Official Gazette of the Republic of Slovenia, No. 29 /11 – official text, 21/13, 74/14 – dec. US, 32/16 – dec. US , 175/20 – ZIUOPDVE and 5/21 – od. USZP-1).
23. In the application, the applicant also blames the supervised manager for not informing him of the source of obtaining addresses ..., which is found on the duplicate of the reminders and ..., which is found on the interest statement.
24. Pursuant to Article 15(1)(g), the individual to whom personal data relates has the right to obtain confirmation from the controller as to whether personal data is being processed in relation to him and, if this is the case, access to personal data and information, including when personal data is not collected from the individual to whom it relates, all available information regarding its source.
25. Regarding the applicant's assertion that the supervised administrator did not explain to him the source of obtaining the address indicated on the duplicate reminders and interest statements, the IP notes that the supervised administrator clearly explained the source of the individual address statements on the relevant documents in the reply dated 18.1.2024. Regarding the address ... on the duplicate notices, the supervised administrator convincingly explained and proved that he obtained the information on these documents from the usual resignation from the DZZ on the Vzajemna zavarovalnica form and also submitted his completed form to the applicant. Regarding the address ..., the supervised operator also convincingly explained that it was a manual entry and a human error, and in this regard the IP also found a violation of the principle of accuracy, as stated above. With this answer, the supervised operator fulfilled his obligation regarding the right of access, therefore the allegation of violation of Article 15(1)(g) of the General Regulation in the case under consideration is unfounded. The IP subsequently decided, as follows from 1.b. points of the pronouncement of this decision.
To the second point of the theorem
26. Even before the issuance of this decision, the controlled operator took appropriate measures to correct inaccurate data on the relevant documents. He submitted the corrected documents in the attachment of the answer dated 11/03/2024. Additional measures to ensure the protection of the applicant's personal data are not necessary, therefore the IP did not order additional measures to eliminate the consequences of the accuracy violation (point 2 of the decision).
27. The controlled operator has also taken measures to ensure the accuracy of personal data on future reprints, so that instead of "duplicate" on the document printout, "Date of reprint: XX" is printed. As explained by the supervised operator, it is clear in this way that it is not a duplicate of the original document, but a reprint of the document from the system. Since this is a different conception of the nature of the document, the purpose of processing personal data is also different, and data that is current at the time of printing (and which does not necessarily correspond to the original) may also be suitable for this purpose. The IP concludes that this also ensures the principle of accuracy, so no additional regulatory measures are necessary.
28. Regarding the recording of data on the interest statements, the supervised manager explained that he had taken the measure that from then on, only the first and last name and/or the file number are indicated on the interest statement. This reduces the possibility of wrongly specifying the address, and at the same time the solution follows the principle of the smallest volume of data. IP considers that such a measure is appropriate, provided that it is still possible to ensure the identification of the debtor in the internal documents. Otherwise, the accuracy principle may be violated. Since it is an internal arrangement of the documentation, the IP will not order further regulatory measures in this decision, which primarily relates to ensuring the right to the protection of the applicant's personal data, due to expediency and the principle of economy.
To the third point of the theorem
29. The content of the file documentation does not contain protected personal data of third parties, confidential information or other protected data, which would make it reasonable to restrict the applicant's access to the file documentation, therefore it is not ordered, as follows from point 3 of the sentence of this decision.
III. Costs and fees
30. No special costs were incurred in this control procedure (point 4 of the pronouncement of the decision). The applicant and the operator shall bear their own costs, which may have been incurred by them as a result of the procedure (second paragraph of Article 30 of ZVOP-2).
31. Since in accordance with the provisions of Article 57(3) of the General Regulation, the performance of the tasks of each supervisory authority (including the consideration of applications submitted by the applicant to whom personal data refer under point (f) of Article 57(1) of the General Regulation) for of the individual to whom the personal data relates, free of charge and because, on the basis of the second paragraph of Article 55 of ZVOP 2, the supervisory authority carries out the powers and tasks from the first paragraph of Article 55 of ZVOP 2, which also include decision-making in the application procedures of applicants with special status, free of charge , is regardless of the provisions of the Act on Administrative Fees (Official Gazette of the RS, No. 106/10 – official consolidated text, 14/15 – ZUUJFO, 84/15 – ZZelP-J, 32/16, 30/18 – ZKZaš and 189 /20 – ZFRO; ZUT) tax is also exempt from this decision.
IV. Lessons on the legal remedy:
No appeal is allowed against this decision, but a lawsuit is admissible, which is filed within 30 days of receiving this decision at the Administrative Court in Ljubljana, Fajfarjeva 33, Ljubljana, in writing directly to the said court or by registered mail or orally on the record. If the claim is sent by registered mail, it is considered to have arrived on time if it was sent to the post on the last day of the deadline for filing the claim. The lawsuit with any attachments shall be submitted in at least three copies. This decision in the original or a copy must also be attached to the lawsuit and the court fee must be paid.
...
State supervisor for the protection of personal data
