IP (Slovenia) - 0609-20/2024/6

From GDPRhub
Revision as of 08:34, 25 April 2024 by Im (talk | contribs)
IP - 0609-20/2024/6
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6(1)(a) GDPR
Article 32 GDPR
Article 96(1)(1) ZVOP-2
Type: Complaint
Outcome: Upheld
Started:
Decided: 28.03.2024
Published: 15.04.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 0609-20/2024/6
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: IP website (in SL)
Initial Contributor: im

The DPA issued a reprimand to a company as one of its employees neglected to update payment reminders to borrowers, leading to the disclosure of financial information to the borrowers' employers.

English Summary

Facts

Data subject filed a complaint against a legal entity for forwarding and disclosure of personal data of borrowers (‘data subjects’) to their employers. The personal data containing borrowers’ identification, financial and economic data was processed in the context of payment recovery under credit agreements.

The incident occurred due to the failure of responsible person of the legal entity to update written working instructions and application which supports the reminder process of the payment recovery. The responsible person of the legal entity was a director of risk management with citizens (‘controller’).

Holding

The DPA held that the controller did not meet conditions for the lawfulness of the processing set out in Article 6(1) GDPR. As the data subjects did no consent to sharing of their personal data with their employers, the responsible person of the employer violated Article 96(1)(1) ZVOP-2.

Additionally, the director failed to update written instructions for sending payment reminders to the data subjects. This led to sharing of their data with their employers. Such failure to implement appropriate technical and organizational measures to ensure the security of borrowers' personal data constitutes an infringement of the controller's obligation under Article 32 GDPR.

As a result, the DPA issued a warning to the controller and a reprimand to the controller’s employer. Both, the controller and his employer were ordered to pay a court fee of €30.

Comment

Article 96(1)(1) ZVOP 2

(infringements of the provisions of Article 83(4) GDPR) (1) A fine of between EUR 100 and EUR 5 000 shall be imposed on the person responsible for the offence, whether a legal person, a sole proprietor or an individual carrying out an activity independently: 1. if it infringes the obligations of the controller or processor as set out in Articles 8, 11, 25 to 39 and 42 and 43 of the General Regulation;

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Number: 0609-20/2024/6
Date: 28 March 2024

The Information Commissioner (hereinafter: the misdemeanor authority) issues through an authorized official..., the State Supervisor for the Protection of Personal Data, ex officio on the basis of the second paragraph of Article 51 and Article 46 of the Act on Misdemeanors (Official Gazette of the RS, No. 29/11) -UPB8, 111/14 – dec. US, 32/16 – dec. US, 175/20 – ZIUOPDVE and 5/21 – section US; hereinafter: ZP-1), articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, no. 113/07 – ZUstS-A, hereinafter : ZInfP) and Article 95 of the Personal Data Protection Act (Official Gazette of the RS, No. 163/22; hereinafter referred to as ZVOP-2), in proceedings on a misdemeanor against a legal entity... and its responsible person..., due to a misdemeanor under the first paragraph of 95 . of Article ZVOP-2 in connection with point a) of the fourth paragraph of Article 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in the processing of personal data and on the free flow of such data and the repeal of Directive 95/ 46/EC (General Data Protection Regulation, hereinafter: General Regulation) and an offense under point 1 of the first paragraph of Article 96 of the ZVOP-2 in connection with point a) of the fourth paragraph of Article 83 of the General Regulation, as follows


DECISION ON OFFENSE

Violator:

1. responsible person:

..., ... citizen, EMŠO: ..., at the time of commission of the offense employed by ..., as ..., is

responsible for the offence
 according to point 1 of the first paragraph of Article 96 ZVOP-2
in connection with point (a) of the fourth paragraph of Article 83 of the General Regulation,

which he did by failing, as a responsible person of a legal entity ..., in the period from ... to ..., in ..., to carry out procedures for regular testing, evaluation and evaluation of the effectiveness of technical and organizational measures to ensure the security of the processing of borrowers' personal data in the process of collecting payments of obligations until ... according to concluded credit agreements and did not ensure the updating of written work instructions and application support for the implementation of the reminder process in such a way that written reminders with the contained (identification, financial and economic) personal data of borrowers would not be forwarded and disclosed to their to employers, since none of the conditions for the legality of personal data processing from the first paragraph of Article 6 of the General Regulation in connection with Article 6 of ZVOP-2 were met for such intervention and disclosure, which resulted in... when implementing the warning process of borrowers during the defined period by sending written reminders to employers unauthorized disclosure of the above-mentioned types of personal data ... of borrowers ... to employers,

whereby he violated the operator's obligation to ensure the security of processing, as specified in Article 32 of the General Regulation, as he did not implement appropriate technical and organizational measures to ensure an adequate level of security of borrowers' personal data...
 
... committed the above-mentioned offense by his act (omission) in the performance of activities and in the name and with the means of a legal entity..., in which at the time of the offense he was authorized to perform the work of director of risk management with citizens, as a result of which, on the basis of the first paragraph Article 15 of ZP-1 and the first paragraph of Article 15a of ZP-1, he is responsible for the offense as a responsible person of a legal entity... .


2. responsible legal entity:

…, registration number: … , is

responsible for the offence
according to the first paragraph of Article 95 of ZVOP-2
in connection with point a) of the fourth paragraph of Article 83 of the General Regulation,

which was committed by ... in that, as a responsible person of a legal entity ..., in the period from ... to ..., in ..., he did not ensure the implementation of procedures for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the security of personal data processing of borrowers in the process of collecting payments of obligations up to ... under concluded credit agreements, and did not ensure the updating of written work instructions and application support for the implementation of the reminder process in such a way that written reminders with the contained (identification, financial and economic) personal data of borrowers would not be forwarded and disclosed to their employers, since none of the conditions for the legality of personal data processing from the first paragraph of Article 6 of the General Regulation in conjunction with Article 6 of the ZVOP-2 were met for such mediation and disclosure, which resulted in... during the implementation of the process of reminding borrowers during the defined period by sending written reminders to employers, unauthorized disclosure of the above-mentioned types of personal data ... of borrowers ... to employers,

whereby he violated the controller's obligation to ensure the security of processing, as set out in Article 32 of the General Regulation, as he did not implement appropriate technical and organizational measures to ensure an adequate level of security of borrowers' personal data... .

... committed the offense charged above by his act (omission) in the performance of activities and in the name and with the means of a legal entity ..., where at the time of committing the offense he was authorized to perform the work of director of risk management with citizens, as a result of which the legal entity ... for In accordance with the first paragraph of Article 14 of the ZP-1, the said offense is liable as a responsible legal entity.


The person responsible for the infringer shall therefore be liable on the basis of point 1 of the first paragraph of Article 96 of the ZVOP-2 in connection with point (a) of the fourth paragraph of Article 83 of the General Regulation, and the legal person responsible for the infringer on the basis of the first paragraph of Article 95 of the ZVOP-2 in connection with a) point of the fourth paragraph of Article 83 of the General Regulation and when applying Article 114 of ZVOP-2, the second paragraph of Article 26 and the first paragraph of Article 21 of ZP-1

for a misdemeanor
and with words

1. Violator to responsible person...: REMINDER;

2. to the legal entity responsible for the infringer... : REMINDER.

Based on the first paragraph of Article 143, in relation to the first paragraph of Article 144 and the second paragraph of Article 58 of the ZP-1, the violator, the responsible person... must pay a court fee in the amount of EUR 30.00. The court fee, which is assessed to the violator for the reprimand according to tariff number 8112 of the Court Fees Act (Official Gazette of the RS, No. 37/08, with spr., hereinafter ZST-1), must be paid by the violator to the recipient's account by the responsible person: Information authorized representative, IBAN of the recipient: SI56 0110 0845 0162 502, BIC code of the recipient bank: BSLJSI2X, purpose code: GOVT, purpose of payment: 0609-20/2024/6 court fee, reference: SI11 12157-7120087- ….

Based on the first paragraph of Article 143, in relation to the first paragraph of Article 144 and the second paragraph of Article 58 of the ZP-1, the violator, the responsible legal entity, must pay a court fee in the amount of EUR 30.00. The court fee, which is assessed to the violator for the issued warning under tariff number 8112 ZST-1, must be paid by the violator by the responsible legal entity to the account of the recipient: Information Commissioner, IBAN of the recipient: SI56 0110 0845 0162 502, BIC code of the recipient bank: BSLJSI2X, purpose code: GOVT, purpose of payment: 0609-20/2024/6 court fee, reference: SI11 12157-7120087-….
Violators must pay the court fee within fifteen (15) days after the decision on the offense becomes final. If the infringer does not pay the court fee within the specified period, the unpaid court fee will be recovered compulsorily.


LEGAL LESSON: A request for judicial protection is allowed against a decision on a misdemeanor. The request must be announced in writing within eight (8) days of receipt of this decision to the Information Commissioner, Dunajska cesta 22, 1000 Ljubljana, otherwise it is considered that the beneficiary of the request (infringer, legal representative or defender) has waived the right to request judicial protection. The notice of request is sent by mail or delivered directly in two copies and is considered timely if submitted on the last day of the deadline for filing the notice of request by registered mail or directly to the authority that issued the decision. The announced filing of a request for judicial protection can be withdrawn until the deadline for filing the announcement of this request expires.

If the beneficiary of the request for judicial protection does not announce or withdraws the announcement within the legal deadline for filing this request, it is considered that he has waived the right to request for judicial protection.

If none of the beneficiaries of the request for judicial protection announces this request, the misdemeanor authority does not make a decision on the offense with reasons, but it is considered that a final decision has been served on the date of service of the decision without reasons, which with the expiration of the deadline for announcing the request for judicial protection becomes final.

When at least one of the beneficiaries of the request for judicial protection announces the filing of this request, a written decision on the offense with reasons is drawn up and sent no later than thirty (30) days after the announcement of the filing of the request for judicial protection is received. In this case, the decision with reasons is served on all beneficiaries of the request for judicial protection.

Under the conditions and in accordance with the regulations governing the financial operations of the offense authority, the offender can pay the costs of the procedure (court fee) also with a non-cash means of payment.