IP (Slovenia) - 0603-98/2022/6: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 63: Line 63:
}}
}}


Slovenian DPA considered that sending emails containing personal data to unauthorized recipients lacked legal basis but found mitigating circumstance since most of the addressees belonged to people bound by professional secrecy
According to the Slovenian DPA, sending emails containing personal data to unauthorized recipients constitutes unlawful processing under [[Article 6 GDPR|Article 6(1) GDPR]]. However the authority found a mitigating circumstance since most of the recipients were bound by professional secrecy.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A person (controller) forwarded an e-mail containing the residential address and date of birth of some individuals to 46 unauthorized recipients. The DPA therefore opened an investigation.
An individual (controller) forwarded an e-mail containing the residential address and date of birth of some individuals to 46 unauthorized recipients. Therefore, the DPA opened an investigation.


=== Holding ===
=== Holding ===
The DPA considered that the controller could not rely on any legal basis for this processing, in breach of [[Article 6 GDPR|Article 6(1) GDPR]]. Taking into account that the 46 recipients included mainly state authorities and lawyers, who, in accordance with the national law are bound by professional secrecy, the DPA considered that there were mitigating circumstances and decided to not impose a fine. It issued a warning for the lack of legal basis.   
The DPA considered that the controller could not rely on any legal basis for this processing, in breach of [[Article 6 GDPR|Article 6(1) GDPR]]. However, the DPA took into account that the 46 recipients included mainly state authorities and lawyers, who, in accordance with the national law are bound by professional secrecy. The DPA considered this as mitigating circumstances and decided to not impose a fine. It issued a reprimand for the lack of legal basis.   


== Comment ==
== Comment ==

Latest revision as of 13:16, 26 July 2023

IP - 0603-98/2022/6
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 5(2) GDPR
Article 6(1) GDPR
article 8 ZVOP-1
Type: Investigation
Outcome: Violation Found
Started: 13.10.2022
Decided: 14.11.2022
Published: 14.07.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 0603-98/2022/6
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: spela

According to the Slovenian DPA, sending emails containing personal data to unauthorized recipients constitutes unlawful processing under Article 6(1) GDPR. However the authority found a mitigating circumstance since most of the recipients were bound by professional secrecy.

English Summary

Facts

An individual (controller) forwarded an e-mail containing the residential address and date of birth of some individuals to 46 unauthorized recipients. Therefore, the DPA opened an investigation.

Holding

The DPA considered that the controller could not rely on any legal basis for this processing, in breach of Article 6(1) GDPR. However, the DPA took into account that the 46 recipients included mainly state authorities and lawyers, who, in accordance with the national law are bound by professional secrecy. The DPA considered this as mitigating circumstances and decided to not impose a fine. It issued a reprimand for the lack of legal basis.

Comment

In this case national law that was used was ZVOP-1 which is no longer in force, because it was changed and now ZVOP-2 is in force and applicable. Link to the ZVOP-2 https://www.uradni-list.si/glasilo-uradni-list-rs/vsebina/2022-01-4187?sop=2022-01-4187.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Number: 0603-98/2022/6
Date: 14 November 2022


Information Commissioner (hereinafter: misdemeanor authority) by authorized official..., on the basis of the second paragraph of Article 51 and the first paragraph of Article 46 of the Act on Misdemeanors (Official Gazette of the Republic of Slovenia, No. 29/11 – UPB8, 21/13, 111/ 13, 74/14 dec. US, 92/14 dec. US, 32/16, 15/17 dec. US, 73/19 dec. US, 175/20 ZIUOPDVE and 5/21 dec. US; hereinafter: ZP 1) and the second paragraph of Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, no. 113/05 and 51/07; hereinafter referred to as the ZInfP), in the procedure for a misdemeanor against the violator..., for two misdemeanors under the fourth paragraph of 91 of Article 1 of the Personal Data Protection Act (Official Gazette of the RS, No. 94/07 UPB1 and 177/20; hereinafter ZVOP 1) in relation to point 1 of the first paragraph of Article 91 of ZVOP 1, ex officio issues the following


DECISION ON OFFENSE


Violator...,

is liable for two (2) misdemeanors

according to the fourth paragraph of Article 91 of ZVOP 1 in relation to point 1 of the first paragraph of Article 91 of ZVOP 1,

which he did with the fact that on ... in ... an electronic message with the subject ..., in which, in addition to the text of the supplement to the lawsuit and the proposal for exemption from payment of court fees in the process for an apology and the publication of the judgment, which was conducted before ... under no. ..., as part of the identification data of the defendants, also provided personal data:

1. ... (address of residence and date of birth) and
2. ... (address of residence and date of birth),

forwarded from the email address ... to the email addresses of 46 addressees, although not all addressees of the email message (among them in particular ...) were not entitled to be informed of the residence address and date of birth of the individuals ... and ... and for such processing of their specified personal data (disclosure with mediation) had no basis in law or in their personal consent, thereby violating the provision of Article 8 of ZVOP 1 twice (by processing the personal data of each individual once).

On the basis of the fourth paragraph of Article 91 of ZVOP 1 in relation to point 1 of the first paragraph of Article 91 of ZVOP 1 and when applying the second paragraph of Article 26 of ZP 1, the first paragraph of Article 21 of ZP 1 and the first and second paragraphs of Article 27 ZP-1 for both offenses committed

utters

REMINDER.

On the basis of the first paragraph of Article 144 in relation to point 8 of the first paragraph of Article 143 and the second paragraph of Article 58 of the Criminal Code 1, the violator must pay a court fee to transaction account SI56 0110 0845 0162 502 within fifteen (15) days after the finality of the decision on the offense according to tariff number 8112 of the Court Fees Act (Official Gazette of the Republic of Slovenia, no. 37/08, 97/10, 63/13, 58/14 odl. US, 19/15 odl. US, 30/16, 10/17 – ZPP E, 11/18 – ZIZ L, 35/18 odl. US and 204/21) in the amount of EUR 30.00 (according to the attached UPN - universal payment order).

After the expiry of the deadline for the payment of costs, the violator may apply to the authority responsible for forced recovery (FURS) for the payment of costs in installments. If the violator does not pay the costs of the procedure within the specified period, the costs of the procedure will be recovered compulsorily.

JUSTIFICATION

I.
(Course of the procedure and statement of the violator)

On ..., the offense authority received an e-mail from the e-mail address ... with the subject ..., the signatory of which is the offender (hereinafter: e-mail from ...). In connection with the electronic message dated ..., the criminal authority has ex officio launched an inspection procedure, which it conducts under the op. no. 06110-418/2022, and against the violator, ex officio, he initiated a misdemeanor procedure for violation of the provisions of Article 8 of ZVOP 1.

On October 13, 2022, the offense authority sent the offender a written notice to declare the facts or circumstances of the offense. Written notification in accordance with the fourth paragraph of 87 of the Act on General Administrative Procedure (Official Gazette of the RS, No. 24/06 – UPB2, 105/06 – ZUS 1, 126/07, 65/08, 8/10, 82/13, 175 /20 ZIUOPDVE and 3/22 – Zdeb; hereinafter: ZUP) in relation to the first paragraph of Article 58 ZP 1 is considered to have been served on the infringer on 29 October 2022, while it was left in the infringer's home mailbox on 2 November. 2022. On 11/10/2022, the offender submitted a statement of the offense to the misdemeanor authority along with a request for reinstatement, in which he stated that he was abroad from 10/29/2022 to 11/6/2022 inclusive and he was actually notified of the offense only on 7 November 2022, as proof of which he attached plane tickets in his name. Taking into account the above and the fact that the violator submitted the proposal for the return to the previous state before the expiration of eight days from the day when the cause that caused the delay ceased (paragraph one of Article 105 of the ZUP) and together with the proposal also submitted a written statement (paragraph three Article 104 of the ZUP), the misdemeanor authority considered the offender's statement as timely based on the first paragraph of Article 103 of the ZUP.

In a written statement, the infringer stated that he obtained the personal data (address of residence and date of birth) of the individuals ... and ... legally, namely, without being asked, one of the employees told him years ago at the bar of the restaurant.... Furthermore, the infringer explained that he needs this personal data for the legal exercise of personal interests arising from the draft text of the supplement to the lawsuit and the proposal for exemption from payment of court fees in the procedure for an apology and the publication of the judgment, which was conducted before ... under opr. no. ... (hereinafter: draft supplement to the lawsuit). In addition, the offender pointed out that "an honest person has no problem publicly stating where he lives and/or when does he celebrate his birthday" and that numerous decisions of the Supreme Court of the Republic of Slovenia (hereafter: VSRS) and the European Court of Human Rights (hereafter: ECtHR) result in violations of the fundamental human rights of members of the offender's family. In the statement, the violator also provided the misdemeanor authority with online links to the decisions of the Supreme Court and the ECtHR, and...

The misdemeanor authority, with the relevant decision on misdemeanor no. 0603-98/2022/6 of 14 November 2022 decided that the offender has fulfilled the statutory signs of a misdemeanor under the fourth paragraph of Article 91 of ZVOP 1 in relation to point 1 of the first paragraph of Article 91 of ZVOP 1 and that on the basis of the fourth paragraph Article 91 of ZVOP 1 in relation to point 1 of the first paragraph of Article 91 of ZVOP 1 and when applying the second paragraph of Article 26 of ZP 1, the first paragraph of Article 21 of ZP 1 and the first and second paragraphs of Article 27 of ZP-1 for both committed issued a warning for the misdemeanor and, on the basis of the first paragraph of Article 144 in relation to point 8 of the first paragraph of Article 143 and the second paragraph of Article 58 of ZP 1, payment of a court fee according to tariff number 8112 of the Court Fees Act (Official Gazette of the Republic of Slovenia, No. 37/ 08, 97/10, 63/13, 58/14 dec US, 19/15 dec US, 30/16, 10/17 – ZPP E, 11/18 – ZIZ L, 35/18 dec US and 204 /21, hereinafter: ZST 1).

On 21 November 2022, the misdemeanor authority received a notification of a request for judicial protection against the decision on misdemeanor no. 0603-98/2022/6 of 14 November 2022, filed by the infringer.

The fifth paragraph 59.a of Article ZP-1 stipulates that in the event that at least one of the beneficiaries of the request for judicial protection has announced the filing of this request, a written decision on the offense with reasons must be prepared and sent no later than 30 days after receiving the announcement of the filing requests for judicial protection. The decision with reasons is served on all beneficiaries of the request for judicial protection.

II.
(Provisions of regulations on which the decision is based)

Not all personal data in itself enjoys protection under ZVOP-1 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46 /EC (General Data Protection Regulation; hereinafter: General Regulation), but they enjoy this protection only in the event that personal data is processed in whole or in part by automated means and for processing other than by automated means, if it concerns personal data that are part of the collection of personal data or are intended to form part of the collection of personal data (Article 2(1) of the General Regulation).

The General Regulation in Article 4(1) defines personal data as any information relating to a specific or identifiable individual; an identifiable individual is one who can be identified directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier, or by reference to one or more factors that characterize the physical, physiological, genetic , mental, economic, cultural or social identity of that individual.

According to Article 4(2) of the General Regulation, processing means any act or set of acts carried out in relation to personal data or sets of personal data with or without automated means, such as collection, recording, editing, structuring, storage, adaptation or modifying, retrieving, viewing, using, disclosing by means of, disseminating or otherwise making accessible, adapting or combining, restricting, erasing or destroying.

Point (a) of Article 5(1) of the General Regulation stipulates that personal data must be processed lawfully, fairly and in a transparent manner in relation to the individual to whom the personal data relate ('lawfulness, fairness and transparency'). Based on Article 5(2) of the General Regulation, the operator is responsible for compliance with paragraph 1 and is also able to demonstrate this compliance ("responsibility").

Pursuant to Article 6(1) of the General Regulation, the processing of personal data is legal only and to the extent that at least one of the following conditions is met:
(a) the data subject has consented to the processing of his personal data for one or more specified purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a contracting party, or for the performance of measures at the request of such an individual prior to the conclusion of the contract;
(c) the processing is necessary to fulfill a legal obligation applicable to the controller;
(d) processing is necessary to protect the vital interests of the data subject or other natural person;
(e) processing is necessary for the performance of a task in the public interest or in the exercise of public authority assigned to the controller;
(f) processing is necessary due to the legitimate interests pursued by the controller or a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the individual to whom the personal data relate, which require the protection of personal data, in particular when the individual , to whom personal data refer, a child.

Point (f) of the first subparagraph does not apply to processing by public authorities in the performance of their tasks.

Having regard to Article 6(2), which states that Member States may maintain or introduce more detailed provisions to adapt the application of the rules of this Regulation regarding the processing of personal data to ensure compliance with points (c) and (e) of paragraph 1, so that define in more detail the special requirements related to processing and other measures to ensure legal and fair processing, also for other special cases of processing from Chapter IX, it is also necessary to take into account Article 8 of ZVOP 1. The first paragraph of Article 8 of ZVOP 1 stipulates that personal data can only be processed if the processing of personal data and the personal data being processed is determined by law or if the personal consent of the individual is given for the processing of certain personal data. In the second paragraph of the same article, it is stipulated that the purpose of personal data processing must be determined by law, and in the case of processing based on the individual's personal consent, the individual must be informed in advance of the purpose of personal data processing in writing or in another appropriate way.

III.
(Establishment of the actual situation)

After reading the electronic message dated ..., the criminal authority found that the offender is the signatory of the electronic message dated ..., in which, in addition to the text of the draft amendment to the lawsuit, he also provided personal data (address of residence and date of birth) within the framework of the identification data of the defendants ... and ..., and forwarded it to the e-mail addresses of 46 recipients. Even otherwise, the violator in the relevant misdemeanor procedure communicated with the misdemeanor authority precisely via the email address... After reviewing the written statement that the violator gave in the misdemeanor proceeding, the misdemeanor authority concluded that the violator, due to the fact that he was the sender of the electronic message dated ..., also he did not dispute.

Furthermore, the misdemeanor authority notes that all addressees of the electronic message dated ... (among them in particular ...) were not entitled to be informed of the residential address and date of birth of the individuals ... and ..., since the offender is not eligible for such processing (disclosure through mediation) of personal data had grounds in law or in the personal consent of the individuals concerned. Taking into account Article 5(2) of the General Regulation, the above is additionally confirmed by the fact that the violator did not state in the written statement that the processing of personal data (disclosure through mediation) had a basis in law or that the processing would be based on any of the possible legal bases , specified in Article 6(1) of the General Regulation, did not even submit the possible consent of the individuals concerned. In a written statement, the infringer stated that he obtained the personal data of the concerned individuals legally and is processing them for the purposes arising from the draft supplement to the lawsuit. The criminal authority points out that the processing of the residence address and date of birth of individuals ... and ... for the purpose of asserting legal claims, which can be understood from the draft supplement to the lawsuit, must be distinguished from the processing of these same personal data in the context of the electronic message for ..., which represents disclosure of personal data (address of residence and date of birth) of individuals ... and ... by intervening outside the court (or other) procedure, within the framework of which the violator would enforce any claims. The fact that the violator had no basis for disclosing the address and date of birth of ... and ... to the 46 recipients of the e-mail dated ... where he lives and/or when does he celebrate his birthday." In relation to this belief, the misdemeanor authority points out that even from the stated claim of the violator it is possible to discern an essential guideline of the law on the protection of personal data, which leaves the decision to disclose personal data primarily in the domain of the specific individuals to whom the personal data relate .

Despite the fact that the act of disclosing personal data by forwarding it to the e-mail addresses of 46 addressees who are not entitled to know the address and date of birth of the individuals ... and ... represents an intrusion into the information privacy of the individuals whose data was disclosed in this way, it is a misdemeanor at the same time, the authority found that in the case under consideration there are mitigating circumstances which, in accordance with the first paragraph of Article 21 ZP 1, justify the issuance of a warning. As a mitigating circumstance, the misdemeanor authority took into account the broader circumstances in which the offense was committed, which can be seen from the draft supplement to the lawsuit and the decisions of the Supreme Court of Appeal and the ECtHR, which the offender highlighted in his written statement and which, among other things, indicate the offender's tendencies, from which committed the offence. From the above documents, it can be seen that the violator has been asserting various legal claims against the Republic of Slovenia and specific civil servants (also against ... and ...) for several years, which primarily stem from the demolition of the building of the violator and his family members in 2010 based on the decision on enforcement , which was declared null and void. Also, as a mitigating circumstance, the misdemeanor authority took into account that among the 46 addressees, in addition to journalists and media editors, there are mainly state authorities and lawyers, which are in accordance with the provisions of the first paragraph of Article 6 of the Law on Advocacy (Official Gazette of the Republic of Slovenia, No. 18/93, 24/96 US Ord., 24/01, 54/08, 35/09, 97/14, 8/16 US Ord., 46/16, 36/19 and 130/22) bound to protect professional secrecy.

IV.
(Conclusive)

The offense authority made its decision based on an inspection of the following documents:
- an electronic message with the subject ... received by the misdemeanor authority on ... from the email address ... (0603-98/2022/1);
- statement of the infringer (with attachments) dated 11/10/2022 (0603-98/2022/5);
- the verdict of the Supreme Court of Appeal ... dated ..., which is accessible via the online link ...;
- the verdict of the Supreme Court of Appeal ... dated ..., which is accessible via the online link ...;
- the verdict of the Supreme Court of Appeal ... dated ..., which is accessible via the online link ...;
- ECtHR decision on appeal no. ... dated ..., which is accessible via the web link ...

According to the facts established in this way, the misdemeanor authority concluded that the violator, with the behavior described in the sentence of the decision, fulfilled the legal signs of an offense according to the fourth paragraph of Article 91 of ZVOP 1 in relation to point 1 of the first paragraph of 91 twice (by processing the personal data of each individual once). Article 1 of ZVOP, for which the individual is fined from 200 to 830 euros.

When assessing the sanction, the criminal authority took into account the provisions of the first and second paragraphs of Article 27 of the ZP-1 and when applying the second paragraph of Article 26 of the ZP 1, which stipulates that when assessing the sanction, all circumstances that affect whether the sanction should be taken into account minor or major (mitigating and aggravating circumstances), in particular: the degree of the offender's responsibility for the offence, the inclinations from which he committed the offence, the degree of endangerment or violation of the protected property, the circumstances in which the offense was committed, the previous life of the offender, his personal circumstances , his behavior after the offense was committed, in particular, whether he settled the damage, and the provisions of the first paragraph of Article 21 of the Criminal Code 1, which stipulates that the offense authority may issue a warning for an offense committed under such mitigating circumstances, which make it particularly light, to the offender for both misdemeanors, taking into account the second and third paragraphs of Article 4 ZP-1, a warning was issued instead of a fine.

V.
(Costs of the procedure)

On the basis of the first paragraph of Article 144 in relation to point 8 of the first paragraph of Article 143 and the second paragraph of Article 58 ZP 1, within fifteen (15) days after the decision on the offense becomes final, the offender must pay to the transaction account specified in the sentence of this decision court fee. The court fee is assessed to the violator according to tariff number 8112 of the Court Fees Act (Official Gazette of the Republic of Slovenia, no. 37/08, 97/10, 63/13, 58/14 odl. US, 19/15 odl. US, 30/16, 10/17 – ZPP E, 11/18 – ZIZ L, 35/18 odl. US and 204/21), which prescribes a fee of EUR 30.00 for issuing a warning.


LEGAL LESSON: The violator, his legal representative or defense attorney may file a request for judicial protection against a decision on a misdemeanor, provided that the beneficiary has timely announced its filing in writing. A request for judicial protection may be filed within eight (8) days of the service of this decision on the offense. The request for judicial protection must be submitted in writing by post or in person in two copies to the Information Commissioner, Dunajska cesta 22, 1000 Ljubljana, and is considered timely if it is submitted on the last day of the deadline for submitting a request for judicial protection by registered mail or directly to the authority , who issued the decision. The request for judicial protection will first be decided by the misdemeanor authority in accordance with the fifth paragraph of Article 63 ZP 1. If the misdemeanor authority does not cancel the decision or stop the procedure for misdemeanors, or cancel it and replace it with a new decision, the request for judicial protection based on referred to the seventh paragraph of Article 63 of ZP 1 for a decision to the competent court of first instance.

Under the conditions and in accordance with the regulations governing the financial operations of the offense authority, the violator can also pay the costs of the procedure with a non-cash means of payment.


Authorized official:

…


Attachment:
1. UPN - completed universal payment order for the payment of the court fee, with the written amount of 30.00 euros (...).

Serve:
1. to the violator: ... - personally according to ZUP.