IP (Slovenia) - 07101-37/2023/30

From GDPRhub
IP - 07101-37/2023/30
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 12(3) GDPR
Article 15 GDPR
20. člen ZVOP-2
Type: Complaint
Outcome: Partly Upheld
Started: 20.12.2023
Decided: 13.06.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 07101-37/2023/30
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: fb

The DPA found that a school can partially refuse to act on an access request filed by the parent of a data subject, if the disclosure of certain data can impair the best interest of the minor.

English Summary

Facts

On 9 October 2023, one of the data subject’s parents filed an access request for the data subject with the school attended by the data subject (the controller). The parent requesting access for the data subject did not live with the data subject at the time. Since the controller did not reply, on 20 December 2023 the parent filed a complaint with the DPA.

After a follow-up request by the DPA, on 4 January 2024 the controller partially granted access to the data. However, it redacted the data concerning the name and the address of the people authorised to pick up the data subject from school. The controller argued that it needed to do so according to Article 15(4) GDPR, since their disclosure would impact the rights of these people.

The DPA believed that, if a controller wants to redact some data, it cannot only refer to Article 15(4) GDPR but must provide a more specific explanation on why the requirements set by this paragraph are met in the specific case. Therefore, on 4 March 2024 the DPA asked the controller to provide a more detailed written reply.

On 13 March 2024, the controller explained that it had removed those data because a court had issued a restraining order against the applicant.

Holding

First of all, the DPA highlighted that, in general, parents can exercise the right of access on behalf of their children and, therefore, access their data.

However, the DPA pointed out that the children are on themselves holder of their right of access. Therefore, an access request concerning a child’s data must be answered in light of the principle of the best interest of the child.

Secondly, the DPA noted that Article 23 GDPR allows, under certain conditions, Member State law to restrict the scope of the obligations and rights provided for in Article 15 GDPR. In Slovenian law, one of these restrictions is provided for by Article 20 of the Personal Data Protection Act (Zakon o varstvu osebnih podatkov - ZVOP-2): a controller can exceptionally refuse to act on an access request if there are specific and objective circumstances which lead to the reasonable conclusion that the disclosure of certain personal data would directly or indirectly prejudice the best interests, rights or legitimate interests of minors.

In this case, the DPA held that the controller rightly redacted the address of the person authorised to pick them up, since this person is living at the same address of the child themselves. According to the DPA, the same reason applies to the names of the people authorised to pick the minor up from school.

Thirdly, the DPA pointed out that, however, the controller failed to act on the access request and provide a complete reply to the data subject's parent within the time limit stipulated in Article 12 GDPR. Therefore, it found a violation of Article 15 GDPR in combination with Article 12 GDPR.

Finally, since the controller later (partially) answered to the access request and explained which was the reason to redact some data, the DPA did not find necessary to issue any order to the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Number: 07101-37/2023/30
Date: 13 June 2024


The Information Commissioner (hereafter IP) issues, on the basis of Article 77 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in the processing of personal data and on the free flow of such data and on the repeal of the Directive 95/46/EC (hereafter General Regulation) and Article 34 in relation to point 2 of the first paragraph of Article 55 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 163/22; hereafter ZVOP-2) and in in relation to the General Administrative Procedure Act (Official Gazette of the Republic of Slovenia, No. 24/06 – UPB, with amendments and additions; hereinafter ZUP), in the application procedure of the applicant with a special position: ..., who is represented by ..., against the controller: ..., in the matter of the right to access personal data


O D L O C B O

1. It is established that the operator... at the time of filing the applicant's application... on 20 December 2023, violated Article 15 of the General Regulation in relation to Article 12 of the General Regulation and Article 14 of ZVOP-2 by failing to make a timely decision on requests for access to personal data relating to his child. 

2. It is established that the administrator... at the time of filing the applicant's application... on 04/05/2024 with the decision of 03/13/2024 regarding the request for access to personal data relating to his child, did not violate Article 15 of the General regulations.

3. The controller... shall not be ordered to take measures regarding the processing of personal data.

4. The applicant... is partially restricted from reviewing the case file, which is kept under no. 07101-35/2023, namely for the lower part of the second page of document no. 07101-37/2023/12, i.e. for the text under the indication of the name v. d. of the principal, which begins with "Explanation: In additional justification of the reason..." and ends with "...provided an explanation".

5. In this procedure, the authority did not incur any special costs, and each party covers its own costs of the procedure.

 P r a s i o n s

1. Current course of the procedure and relevant information

On 12/20/2023, the IP received a report... due to a violation of the right to access personal data relating to his child. It follows from the application that it was filed due to the controller's silence, as he did not respond to the applicant's request for access to personal data dated 10/9/2023 within the prescribed period. 

After a telephone conversation with the IP on 4 January 2024, the manager sent the applicant the documentation relating to his child. He explained, however, that due to the sensitivity of some data, it is hidden, as according to the fourth paragraph of Article 15 of the General Regulation, it may not be disclosed. In an email dated 01/04/2024, the applicant then additionally asked the manager to explain the reason for concealing some data (who is authorized to come or bring the child, and address of residence), and on 01/05/2024 the manager answered again: "Due to the sensitivity of some data, only these are hidden, since, according to paragraph 4 of Article 15 of the General Data Protection Regulation, we must not disclose them", as this would unapologetically reveal the personal data of others. Despite this, the applicant insisted on obtaining all the requested personal data.

The IP found that the controller had already provided the applicant with the requested copies of personal data, covering certain personal data due to sensitivity and referring to the fourth paragraph of Article 15 of the General Regulation. However, the manager did not sufficiently explain this decision, since a blanket reference to the legal provision does not allow for the implementation of an effective legal remedy, nor does the contested decision be tested by the supervisory authority. Therefore, the IP considered that the manager had not yet fully decided on the applicant's request for access to personal data relating to his child and called on him on 03/04/2024 to make a written decision on the applicant's request in accordance with Articles 12 and 15 Article of the General Regulation in relation to Article 14 of ZVOP-2.

On 13/03/2024, the administrator informed the IP that on the same day he replied to the applicant's request for the provision of personal data relating to his child. In his reply, he stated that he had already sent the applicant the documentation related to his child's personal data, which they have at the school, on January 4, 2024. He explained, however, that the data on the residence address of the child, who lives at the same address as his mother, is hidden in accordance with Article 20 of ZVOP-2 and in accordance with the fourth paragraph of Article 15 of the General Regulation. He explained that he concealed this information in accordance with the decision of the District Court in ..., opr. no. ... dated ..., from which it follows that from 9 April 2023 he has a restraining order against his mother, who lives at the same address as the child, for a period of 12 months, and in accordance with the principle of minimization of personal data, because it is the personal data of other persons and not for personal information of the applicant's child. This answer was served to the applicant with a fiction on 28/03/2024, but he himself stated that he received it in the mailbox on 2/04/2024.

In the notice, the operator also separately stated more specific reasons for the refusal, which are not accessible to the applicant in accordance with Article 20 of the ZVOP-2, so the IP does not summarize them here.  

On April 5, 2024, the applicant stated in his objection, which he submitted within the deadline from the second paragraph of Article 14 of the ZVOP-2, against the controller's decision, that any limitation of the child's data to the parents can only be determined by the court and that he wants the child's data as a caring parent and is for the benefit of the child. On 10 April 2024, he supplemented these statements and explained that he constantly asks the controller and presents himself to them as the child's father, who wants the child's data as a caring parent and is in the child's best interest, that they always treat him discriminatingly, and provided some information , which should indicate deception on the part of the operator. The IP took these statements into account as a report against the administrator's decision of March 13, 2024.

On 17 May 2024, the IP issued a record of findings essential for the decision in this procedure and a call for a statement before the decision.

The administrator did not respond to this request within the set 10-day period from service. On June 3, 2024, the applicant gave an oral statement to the record of the IP's findings, essentially stating: that he does not agree with the IP's decision and that he insists on obtaining all personal data relating to his child; that communication with the operator is poor or non-existent, so he cannot explain his side of the story to him; that the manager prevents him from being a good father, which is undoubtedly not in the best interests of the child; that the manager acts as if he wants to nag them for filing a report with the IP; that the manager describes him negatively throughout, e.g. in the opinion of the CSD for the court, that he is a bad father, violent, disrespectful, that he neglects the child, that they do not do their homework, because it is not true; that unilateral action is not in the child's favor and that they unfairly distance him from him; that the manager unfoundedly believes that the CSD is above them and therefore they listen to him uncritically, and his rights could only be limited by the court; that the operator discriminates against him and that he feels threatened; that he only wants to communicate properly with the manager and have a correct attitude so that he can normally exercise his parental rights. The applicant also forwarded to the IP the report of the controller for the CSD and the opinion of the CSD to the court in the non-litigation case on the proposed change of contacts and the counter-proposal. 

Since the IP assessed that the factual situation for the decision in this case was fully established, it did not perform other procedural actions.

2. Control procedure 

The applicant submitted a request to the controller for access to personal data relating to his child. Pursuant to Article 14 of ZVOP-2, administrators who are not state bodies or self-governing local communities generally decide on the request by means of a written notice. The decision must contain reasons and information about the right to appeal to the supervisory authority within 15 days of being informed of the decision in accordance with the provisions of point f) of the first paragraph of Article 15 of the General Regulation. The decision can take the form of an official note, which is sent to the individual in a way that enables them to become familiar with the decision and prove its receipt. Against the controller's silence (i.e. if he does not respond to the individual within a one-month or exceptionally extended period) or against the controller's negative response, a complaint is admissible, for which the IP is competent.

The first paragraph of Article 30 ZVOP-2 provides that an individual who believes that the processing of his personal data by the controller or processor violates the provisions of the General Regulation, this Act or other laws governing the processing or protection of personal data, or violates the provisions of related by-laws or general acts for the exercise of public powers, submits a request to the supervisory authority in accordance with the law governing the general administrative procedure, with which he requests control of the legality of the processing of his personal data, and may also propose the necessary action in accordance with to the previous article in case of established violations, so that the establishment of a legal situation is achieved. The second paragraph of the same article ZVOP-2 stipulates that each party shall bear its own costs of the procedure.

Therefore, the IP considered the application in a procedure conducted at the request of the applicant with a special position, which guarantees the right to appeal under Article 77 of the General Regulation. In this supervisory procedure, he acted according to the provisions of Articles 30 to 35 of ZVOP-2 (procedure based on the application of an applicant with a special status). Among other things, this procedure is characterized by the fact that the IP acts in accordance with the investigative and regulatory powers from Article 58 of the General Regulation and Articles 28 and 29 of ZVOP-2 and in accordance with the general rules of the ZUP.

IP, as a supervisory authority, after the supervision procedure has been carried out, in accordance with the first paragraph of Article 34, issues a decision which, in addition to the components specified by the law governing the general administrative procedure, contains:
1) determination of the existence or non-existence of the alleged violation of the processing of personal data of the applicant with a special position at the time of filing the application;
2) measures ordered to the manager or processor regarding the processing of personal data relating to the applicant with a special status, and the deadline for their implementation;
3) permitted scope of review of the case file for an applicant with a special status.

3. General information on the right of access of the individual to whom personal data refer

The individual's right to access his or her personal data is a fundamental human right, defined in the third paragraph of Article 38 of the Constitution of the Republic of Slovenia (Official Gazette of the Republic of Slovenia, No. 33/91-I, as amended), which stipulates that everyone has the right to be informed of the collected personal data relating to him. This right, called the right of access of the data subject, is specified in Article 15 of the General Regulation, which stipulates that the data subject has the right to obtain (1) confirmation from the controller as to whether they process personal data in connection with it, and when this is the case, (2) access to personal data and (3) certain information listed in the General Regulation. Pursuant to the third paragraph of Article 15 of the General Regulation, the controller is also obliged to provide the individual with a free copy of the personal data that is being processed, which, according to the fourth paragraph of the same article, must not negatively affect the rights and freedoms of others.

As legal representatives, parents are generally entitled to access personal data relating to their children. At the same time, IP emphasizes that children are individuals who themselves have the right to access their own personal data and that the benefit of the child must always be the guiding principle in decisions made regarding the exercise of this right, especially when it is exercised on behalf of the child by the holder of parental authority. worries.

The IP also points out that the right to the protection of personal data is not absolute, which means that it must be balanced with other important rights. The general regulation determines the reasons and conditions under which the controller can limit the rights of an individual in the field of personal data protection. Article 23 of the General Regulation stipulates that the right of access referred to in Article 15 may be limited if such limitation respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to ensure certain interests, such as national security, defense, interests , related in the field of criminal law, independence of the judiciary, protection of the individual to whom personal data refer, or the rights and freedoms of others, and the enforcement of civil law claims. Also, the right to obtain a copy of personal data must not negatively affect the rights and freedoms of others (fourth paragraph of Article 15 of the General Regulation). This can also be the right to the protection of personal data of other individuals. However, the controller must be able to prove that the rights or freedoms of others would actually be affected in a specific situation. 

One of the limitations of the right of access is also explicitly defined in Article 20 of the ZVOP-2. Pursuant to this provision, the controller may exceptionally reject the request of an individual from Article 15 of the General Regulation, filed through a legal representative, if there are concrete and objective circumstances that would make it reasonable to conclude that the benefits would be directly or indirectly affected as a result of familiarization with certain personal data , the rights or legitimate interests of minors or persons placed under guardianship or other persons for whom the law so stipulates, and if these rights and interests outweigh the interests of the legal representative for information. In this case, the reasons for the refusal are accessible to the supervisory authority, the Ombudsman, the conflict administrator, when it comes to personal data from the medical records, and the representative of the patient's rights according to the law governing the patient's rights.

4. Assessment of the applicant's statements

In the specific case, the applicant, as a legal representative, requested access to personal data relating to his child from the controller on October 9, 2023. After the expiration of the one-month deadline for a response from Article 12 of the General Regulation and after filing the application with the IP on January 4, 2024, the controller sent him the required documents, while concealing the personal data of other persons and the address of the child's residence. He justified this in a reasoned manner only in the decision of 13/03/2024, namely with the exception based on Article 20 of ZVOP-2 and the limitation from the fourth paragraph of Article 15 of the General Regulation, mainly due to the existence of a decision prohibiting access to the child's mother, additional the IP also explained the reasons for this. Due to the nature of the content, the latter are not accessible to the applicant, but according to the IP, they additionally enable testing of the correctness of the contested decision. 

The IP explains that in the event of a conflict between two human rights, it is necessary to consider whether and to what extent the exercise of one right may be allowed at the expense of, or to the detriment of, another right. In the specific case, the elementary school as the administrator of personal data carried out an appropriate weighing between the rights and benefits of the child, which it must adequately protect, and the right of the applicant as a parent, and reasonably concluded that the concealment of some personal data was in the child's interest. Since a restraining order was issued against his mother, and the child lives at the same address, according to the IP, hiding the address information is also appropriate, namely to protect this location. Even covering up the personal data of other persons who come to pick up the child from school is, in IP's opinion, consistent with the fourth paragraph of Article 15 of the General Regulation, as such disclosure could have a negative impact on their rights and freedoms, and such disclosure could also be in light of the aforementioned restraining order against the child's best interests. Both reasons for concealing specific personal data were additionally convincingly explained by the administrator, and IP has no reason to doubt the correctness of the contested decision. In a specific case, given the decisions of the courts, it is also necessary to proceed from the provisions of the Act on Prevention of Domestic Violence (Official Gazette of the Republic of Slovenia, no. 16/08, 68/16, 54/17 – ZSV-H and 196/21 – ZDOsk; in continued ZPND), especially from Articles 4, 5 and 9a of this law, which prescribe special protection of children against violence (whereby a child is a victim of violence even if he is present when violence is committed against another family member), the duty of protection and respect for the integrity of the victim and the protection of information about the accommodation of the victim and her children or other measures for their protection by organizations.

The applicant cannot change the correctness of the contested decision by the statements he made during the procedure and on the record of findings. The IP understands that, depending on the family situation in the specific case, there are certain disagreements between the applicant who is the father of the child and the school as the administrator. However, it emphasizes that the IP is only responsible for the protection of personal data and that the controller has convincingly justified the reason for limiting access to the child's personal data in a specific case. At the same time, he points out that in such conflict situations one must be extremely careful not to act against the child's benefit. The IP cannot judge whether the operator's conduct outside the decision on the right under Article 15 of the General Regulation, described by the applicant, is appropriate. It concludes, however, that the administrator partially rejected the applicant's request for access to personal data relating to his child, although it was too late, but subsequently rejected it with reasons and reasons, taking into account Articles 14 and 20 of ZVOP-2 and the fourth paragraph of Article 15 of the General regulations. 

Therefore, in points 1 and 2 of the pronouncement of this decision, the IP found that the operator violated Article 15 of the General Regulation in relation to Article 12 of the General Regulation and Article 14 of the ZVOP-2 at the time of filing the application on 20 December 2023 that he did not make a timely decision on the applicant's request for access to personal data relating to his child, and that he did not violate Article 15 of the General Regulation at the time of filing the application on 04/05/2024 with the decision of 03/13/2024 .

Since, after filing the application, the controller completely eliminated the violation of the right to access personal data relating to the applicant's child, the IP did not order him to take special measures in relation to the processing of the personal data of the applicant (point 3 of the pronouncement of the decision), as it would have been this is pointless in the described circumstances. The use of the set of corrective measures from the second paragraph of Article 58 of the General Regulation is also conditioned by the fact that the measure in question is necessary to ensure compliance with this regulation (cf. point 48 of the reasoning of the final proposals of the Advocate General Priit Pikamäe dated 11/04/2024 in Case C 768/21, TR v. Land Hessen).

5. Permissible scope of file review

In point 3 of the first paragraph of Article 34 of ZVOP-2, it is stipulated that the decision in the control procedure according to the provisions of this section, in addition to the components determined by the law governing the general administrative procedure, also contains the permissible scope of the review of the case file for the applicant with a special situation . 

The IP notes that on 13/03/2024 the administrator informed him of the response he gave to the applicant to his request for access to personal data relating to his child, and at the same time the IP provided an additional explanation containing more specific reasons from Article 20 of ZVOP-2, which are not accessible to the applicant. Therefore, the IP partially limited the applicant's review of the file of this case no. 07101-35/2023, namely for the lower part of the second page of document no. 07101-37/2023/12, i.e. for the text under the indication of the name v. d. of the principal, which begins with "Explanation: In additional justification of the reason..." and ends with "...provided an explanation".

6. Costs of the procedure

Pursuant to the first paragraph of Article 118 of the ZUP, the authority decides in its decision on the costs of the procedure, who bears the costs of the procedure, how much they are, and to whom and within what period they must be paid. No special costs were incurred in this control procedure (point 5 of the pronouncement of the decision). The applicant and the controller shall each cover their own costs that may have been incurred by them as a result of the procedure (second paragraph of Article 30 of ZVOP-2).  

In accordance with the provisions of the Administrative Fees Act (Official Gazette of the Republic of Slovenia, No. 106/10 - official consolidated text, with amendments and additions), this decision is exempt from the payment of the administrative fee. 


Lessons on the legal remedy:
An appeal against this decision is not allowed, but it is permissible to initiate an administrative dispute. An administrative dispute is initiated by filing a lawsuit at the Administrative Court, Fajfarjeva 33, 1000 Ljubljana. The lawsuit must be filed within thirty days from the service of this decision, in writing directly to the said court or by registered mail or orally on the record. If the claim is sent by registered mail, it is considered to have arrived on time if it was sent to the post office on the last day of the deadline for filing the claim. In addition to the original, transcript or copy of this decision, the lawsuit must also be accompanied by one transcript or copy of the lawsuit and attachments for the defendant, if someone is affected by the decision, as well as for him.




						....,
  the State Inspectorate for the Protection of Personal Data