IP (Slovenia) - 07101-22-2023-7 34

From GDPRhub
IP - 07101-22-2023-7_34
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 12 GDPR
Article 12(3) GDPR
Article 15 GDPR
Article 15(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.01.2024
Published: 31.01.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 07101-22-2023-7_34
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Informacijski pooblaščenec (in SL)
Initial Contributor: ar

The DPA found that a controller who fails to reply to an access request within the one-month limit violates Article 15 GDPR. However, corrective measures may be unnecessary if the controller eventually replies.

English Summary

Facts

On 31 August 2023, the controller sent marketing communications to a data subject. On the same day, the data subject submitted a request for access and deletion, to which the controller did not reply.

Thus, on 16 October 2023, the data subject lodged a complaint with the DPA.

On 18 October 2023, the DPA requested the controller to comply with the data subject’s access request. The controller replied on 3 November 2023, indicating that it had sent the data subject a reply to his request on the same day and that it had deleted the data subject’s data already on 31 August 2023.

Subsequently, on 6 November 2023, the DPA informed the data subject that the controller had complied with his request and had fulfilled its obligations under Articles 12 and 15 GDPR and asked whether he wanted to proceed with the complaint. The data subject replied that the controller did apologise for the late reply but that the apology did not change the fact that it had missed the legal deadline. Moreover, the data subject noted that the controller stated in its reply that the data subject had signed up for the notification himself on 19 June 2015. In this respect, the data subject pointed out that, over the years, there had been a change in data protection legislation and that the controller should have obtained his consent again. Therefore, the data subject wanted to continue with the complaint.

Holding

Noting that the data subject’s access request fell within the scope of Article 15 GDPR, the DPA acknowledged that the deadline for the controller to reply is one month after receipt of the request. This time limit may be extended by up to two additional months if necessary after informing the data subject, as provided by Article 12(3) GDPR.

Thus, the DPA noted that at the time of the complaint submission on 16 October 2023, the controller had not yet decided on the data subject's request of 31 August 2023 for access to personal data. As the one-month time limit had already expired by that time, the DPA affirmed that the controller breached Article 15(1) GDPR at the time of the complaint submission. However, the DPA also acknowledged that following the DPA’s contact, the controller remedied this breach on 18 October 2023, fulfilling the access request. The DPA further recognised that the controller had already deleted the data subject's data on 31 August 2023.

With regard to the allegations concerning the validity of the consent, the DPA added that the entry into force of the GDPR did not automatically render invalid the previously given consents for data processing and that controllers are only obliged to obtain consent again in cases where all the conditions for the validity of the consent laid down in the GDPR were not fulfilled.

In conclusion, the controller was found to have infringed Article 15 GDPR in conjunction with Article 12 GDPR at the time of the complaint submission by the data subject. However, since the controller complied with the access request during the procedure and no other infringements were found at the time of the submission of the complaint, the DPA did not impose any measure on the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Number: 07101-22/2023/7
Date: 8 January 2024


The Information Commissioner (hereinafter referred to as IP), acting through the supervisory person, issues, on the basis of Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, no. 113/05 and 51/07; hereinafter ZInfP), Article 77 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in the processing of personal data and on the free flow of such data and on the repeal of Directive 95/46/EC (hereinafter the General Regulation) and Article 34 in relation to point 2 of the first paragraph of Article 55 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 163/22; hereinafter ZVOP-2), in the procedure on the application of the applicant with a special status: ..., dated 16 October 2023, against the controller: ..., in the matter of the right of access to personal data, the following


DECISION:

1. It is established that the controller, ..., at the time of filing of the applicant's report ... on 16 October 2023, violated Article 15 in relation to Article 12 of the General Regulation and Article 14 of the ZVOP-2, but did not at that time violate Article 6 of the General Regulation through illegal storage.

2. The controller, ..., shall not be ordered to take measures regarding the processing of personal data relating to the applicant.

3. The applicant... is allowed to review the case file in its entirety, which is kept under no. 07101-22/2023.

4. In this procedure, the authority did not incur any special costs, and each party covers its own costs of the procedure.


Current course of the procedure and relevant information

The applicant filed a report with the IP on October 16, 2023, due to a violation of personal data protection. He stated that the controller sent him a message of a marketing nature on October 31, 2023 (the attached SMS shows that it was August 31, 2023). As he was interested in how the controller obtained his data, he sent the controller a request for access to his own personal data on 31 August 2023, to which the controller did not reply.

Therefore, on 18 October 2023, the IP asked the controller to make a written decision on the applicant's request in accordance with Articles 12 and 15 of the General Regulation in relation to Article 14 of ZVOP-2. On November 3, 2023, the IP received, for information, an electronic message from the controller, from which it appears that the controller sent the applicant a response to his request for access to his personal data and informed him that it had removed him from the customer base and that no further notifications would be sent to him.

Then, on November 6, 2023, the IP informed the applicant that the controller had decided on his request for access to his own personal data, from which it follows that the controller subsequently fulfilled its obligations under Articles 12 and 15 of the General Regulation and Article 14 of ZVOP-2 by ruling on his request. At the same time, the IP asked the applicant to let it know whether he had received the controller's decision and whether, and why, he was insisting on the application lodged due to silence.

On November 8, 2023, the applicant informed the IP that he had received a response from the controller, in which the controller apologized for the late response, but that the apology does not change the fact that the controller missed the deadline specified in the law, i.e. violated the law, thereby committing a misdemeanor for which a fine is prescribed. In addition, the controller stated in the reply that the applicant signed up for the notification himself, namely at 10:58:51 on 19 June 2015. The applicant noted in this regard that in previous years there had been a change in the legislation in the field of personal data protection, and that controllers had to obtain consent for further use or delete the data, but definitely not keep the data for eight years and after eight years start using the same data for illegal unsolicited communication for marketing purposes. Therefore, in reporting the violation, he insists that his data was stored and used by the controller without a legal basis.

Control procedure

The IP considered the application received on 16 October 2023 in a procedure conducted at the request of the applicant with a special status, which guarantees the right to appeal under Article 77 of the General Regulation. In this supervisory procedure, the IP acted in accordance with the provisions of Articles 30 to 35 of ZVOP-2 (procedure based on the application of an applicant with a special status). Among other things, this procedure is characterized by the fact that the IP acts in accordance with the investigative and regulatory powers from Article 58 of the General Regulation and Articles 28 and 29 of ZVOP-2 and in accordance with the general rules of the General Administrative Procedure Act (Official Gazette of the Republic of Slovenia, No. 24/06 – UPB, with amendments and additions; hereinafter ZUP).

The first paragraph of Article 30 of ZVOP-2 provides that an individual who believes that the processing of his personal data by the controller or processor violates the provisions of the General Regulation, this Act or other laws governing the processing or protection of personal data, or violates the provisions of by-laws or general acts for the exercise of public powers related to these laws (hereinafter: the applicant with a special status), submits a request to the supervisory authority in accordance with the law governing the general administrative procedure, with which he requests control of the legality of the processing of his personal data (hereinafter: the report), and may also propose the necessary action in accordance with the previous article in case of identified violations, so that a lawful situation is established. The second paragraph of the same article of ZVOP-2 stipulates that each party shall bear its own costs of the procedure.

The IP, as a supervisory authority, issues a decision in accordance with the first paragraph of Article 34, which, in addition to the components specified by the law governing the general administrative procedure, contains:
1. determination of the existence or non-existence of an alleged violation of the processing of personal data of the applicant with a special position at the time of filing the application;
2. measures ordered to the controller or processor regarding the processing of personal data relating to the applicant with a special status, and the deadline for their implementation;
3. permitted scope of review of the case file for an applicant with a special status.

In general, the right of access of the individual to whom personal data relates

The right of an individual to be informed of their own personal data is a fundamental human right, defined in the third paragraph of Article 38 of the Constitution of the Republic of Slovenia, which stipulates that everyone has the right to be informed of the collected personal data relating to him. This right, named as the right of access of the individual to whom personal data relates, is specified in Article 15 of the General Regulation, which stipulates that the individual to whom personal data relates has the right to obtain from the controller 1) confirmation as to whether personal data are processed in connection with it, and when this is the case, 2) access to personal data and a copy thereof, and 3) certain information related to processing and rights, which are then listed in the General Regulation. Procedural rules are regulated in Articles 11 and 12 of this regulation, and procedural provisions are also contained in ZVOP-2 in Articles 12 to 21.

The prescribed deadline for the controller's response is one month after receiving the request. If necessary, this deadline can be extended by a maximum of two additional months, taking into account the complexity and number of requests, and the controller is obliged to inform the data subject of any such extension within one month of receiving the request together with the reasons for the delay (third paragraph of Article 12 of the General Regulation).

The form of the decision on the request for access and its components for the controller in a specific case is determined by Article 14 of ZVOP-2. Pursuant to this provision, a controller that is not a state authority or a self-governing local community shall, with regard to requests by individuals under Articles 15 to 22 of the General Regulation and other requests by individuals in the field of personal data protection, access to personal data, and their acquisition and processing under this or another law, inform the individual of its decision and, if this is the subject of the request, of the personal data relating to him, within the time limit set by the General Regulation. If the individual so requests, he can also be informed of personal data orally. The decision must contain reasons and information about the right to appeal to the supervisory authority within 15 days of being informed of the decision in accordance with the provisions of point f) of the first paragraph of Article 15 of the General Regulation. The decision can take the form of an official note, which is sent to the individual in a way that enables them to become familiar with the decision and prove its receipt.

Assessment of the applicant's statements

The IP notes that the controller, at the time of submission of the application, i.e. 16/10/2023, had not yet decided on the applicant's request of 31/8/2023 for access to personal data. As the one-month deadline for a decision on the access request had already expired at that time, the IP judged that the controller at the time of submission of the application violated Article 15 in relation to Article 12 of the General Regulation and Article 14 of ZVOP-2 (the first part of point 1 of the operative part of this decision). This violation was remedied by the controller after the application and the request of the IP with a reply dated 18 October 2023, thereby fulfilling the obligation to decide on the request according to the aforementioned provisions.

The IP stated these essential findings for the decision in notification no. 07101-22/2023/4 and, in accordance with the second paragraph of Article 32 of ZVOP-2, asked the applicant to decide whether he insists on the application, and in accordance with the second paragraph of Article 33 of ZVOP-2, it also served this notice and invitation on the controller. The controller did not respond to the record of essential findings. The applicant stated in the reply dated 8 November 2023 that he insists on the application because 1) the controller missed the deadline for a decision on his request and 2) the controller illegally stored and used his data for the purpose of direct marketing.

Regarding the imposition of a fine, the IP explains that this can only be the subject of a separate misdemeanor proceeding and not this supervisory proceeding, which is conducted on the basis of the provisions of Section 2 of the ZVOP-2.

Further, the IP emphasizes that it assesses the existence of a violation at the time of filing the application, in this case on 16/10/2023. As follows from the controller's reply of 18/10/2023, to which the applicant did not object, the controller deleted the applicant's personal data already on 31 August 2023. Therefore, the IP established the non-existence of the alleged violation of illegal storage according to Article 6 of the General Regulation, which regulates the conditions for the legality of processing or the legal basis, at the time of filing the application (second part of point 1 of the operative part of this decision). Otherwise, regarding the statements about the validity of the consent, it merely adds that with the entry into force of the General Regulation, the previously given consent for data processing did not automatically become invalid. Namely, controllers are obliged to obtain new consents only in cases where all the conditions for the validity of the consent from the General Regulation and ZVOP-2 are not met.

Regarding the applicant's allegations about the illegal use of his personal data, IP points out that the field of unsolicited communication is specifically regulated by the Electronic Communications Act (Official Gazette of the RS, No. 130/22, hereinafter ZEKom-2) in Article 226, the control over the implementation of which is under the jurisdiction of the Agency for Communication Networks and Services of the Republic of Slovenia (AKOS). Therefore, the IP is not competent to act in the part that refers to the use of the applicant's personal data for the purposes of direct marketing by SMS. An individual who is sure that he has not given the sender prior consent for the use of electronic communications for direct marketing purposes can send his application directly to AKOS.

Since, during this procedure, the controller followed the measure imposed by the IP to decide on the applicant's request for access to his own personal data, and since the IP did not find any other violations at the time of filing the application, the IP did not order the controller to take special measures in relation to the processing of the applicant's personal data (point 2 of the operative part of this decision).

Permissible scope of file review

In point 3 of the first paragraph of Article 34 of ZVOP-2, it is stipulated that the decision in the control procedure according to the provisions of this section, in addition to the components specified by the law governing the general administrative procedure, also contains the permissible scope of the review of the case file for the applicant with a special status. In this regard, the IP decided to allow the applicant to fully review the case file, which is kept under no. 07101-22/2023.

Costs

Pursuant to the first paragraph of Article 118 of the ZUP, the authority decides in its decision on the costs of the procedure, who bears the costs of the procedure, how much they are, and to whom and within what period they must be paid. The authority did not incur any special costs in this control procedure. The applicant and the controller bear their own costs (point 4 of the operative part of this decision).

In accordance with the provisions of the Administrative Fees Act (Official Gazette of the RS, No. 106/10 - official consolidated text, with amendments and additions), this decision is exempt from the payment of the administrative fee.


Instruction on the legal remedy:
An appeal against this decision is not allowed, but it is permissible to initiate an administrative dispute. An administrative dispute is initiated by filing a lawsuit at the Administrative Court, Fajfarjeva 33, 1000 Ljubljana. The lawsuit must be filed within thirty days of service of this decision, in writing directly to the said court or by registered mail or orally on the record. If the claim is sent by registered mail, it is considered to have arrived on time if it was sent to the post on the last day of the deadline for filing the claim. In addition to the original, transcript or copy of this decision, the lawsuit must also be accompanied by one transcript or copy of the lawsuit and attachments for the defendant and, if someone else is affected by the decision, for that person as well.

....,
  the State Inspectorate for the Protection of Personal Data

Serve:
- ... (in person according to ZUP),
- ... (in person according to ZUP).