IP (Slovenia) - 0609-6/2024/7: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Slovenia |DPA-BG-Color= |DPAlogo=LogoSI.png |DPA_Abbrevation=IP |DPA_With_Country=IP (Slovenia) |Case_Number_Name=0609-6/2024/7 |ECLI= |Original_Source_Name_1=IP website |Original_Source_Link_1=https://gdprhub.eu/images/8/89/SI_0609-6-2024-7.pdf |Original_Source_Language_1=Slovenian |Original_Source_Language__Code_1=SL |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Type...")
 
mNo edit summary
Line 70: Line 70:


=== Facts ===
=== Facts ===
The DPA decided that both responsible person of a legal entity and the legal entity are held liable for processing of personal data of former employees without their consent.
A responsible person, while employed at a certain company, unlawfully processed the personal data of two individuals. This included their e-mail addresses and the traffic data of the e-mails sent to those addresses during a specified period. Despite the termination of the individuals' employment, the responsible person continued to process their personal data, directing e-mails sent to their addresses to her own e-mail address without proper legal basis or individual consent.


=== Holding ===
=== Holding ===
The DPA held that the responsible person is found in violation of Article 8(1) of the Slovenian Data Protection Law according to which the personal data may only be processed if so provided by law or if the processing is subject to the consent of the data subject.  
The DPA held that the responsible person is found in violation of [https://zakonodaja.com/zakon/zvop-1/8-clen-splosna-opredelitev Article 8(1) of the Slovenian Data Protection Law] according to which the personal data may only be processed if so provided by law or if the processing is subject to the consent of the data subject.
Importantly, these offenses were committed within the scope of the responsible person's business activities and on behalf of the legal entity she represented. According Article 91(2) of the Slovenian Data Protection Law, such responsible personal must also be held liable for offences committed.  
 
The DPA decided that the legal entity is also held liable for the same breach of Article 8(1) of the Slovenian Data Protection Law as the offence was committed within the scope of its business activities and on its behalf.  
Importantly, these offenses were committed within the scope of the responsible person's business activities and on behalf of the legal entity she represented. According [https://zakonodaja.com/zakon/zvop-1/91-clen-splosne-krsitve-dolocb-tega-zakona Article 91(2) of the Slovenian Data Protection Law], such responsible personal must also be held liable for offences committed.
 
The DPA decided that the legal entity is also held liable for the same breach of [https://zakonodaja.com/zakon/zvop-1/8-clen-splosna-opredelitev Article 8(1) of the Slovenian Data Protection Law] as the offence was committed within the scope of its business activities and on its behalf.  
 
As a result, the DPA imposed a fine of €300 to the responsible person of the legal entity and another fine of €6,255 to the legal entity.
As a result, the DPA imposed a fine of €300 to the responsible person of the legal entity and another fine of €6,255 to the legal entity.



Revision as of 08:31, 25 April 2024

IP - 0609-6/2024/7
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6(1)(a) GDPR
Article 8(1) ZVOP-1
Article 91(1)(1) ZVOP-1
Article 91(2) ZVOP-1
Type: Complaint
Outcome: Upheld
Started:
Decided: 07.03.2024
Published: 15.04.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 0609-6/2024/7
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: IP website (in SL)
Initial Contributor: im

The DPA decided that both responsible person of a legal entity and the legal entity are held liable for processing of personal data of former employees without their consent.

English Summary

Facts

A responsible person, while employed at a certain company, unlawfully processed the personal data of two individuals. This included their e-mail addresses and the traffic data of the e-mails sent to those addresses during a specified period. Despite the termination of the individuals' employment, the responsible person continued to process their personal data, directing e-mails sent to their addresses to her own e-mail address without proper legal basis or individual consent.

Holding

The DPA held that the responsible person is found in violation of Article 8(1) of the Slovenian Data Protection Law according to which the personal data may only be processed if so provided by law or if the processing is subject to the consent of the data subject.

Importantly, these offenses were committed within the scope of the responsible person's business activities and on behalf of the legal entity she represented. According Article 91(2) of the Slovenian Data Protection Law, such responsible personal must also be held liable for offences committed.

The DPA decided that the legal entity is also held liable for the same breach of Article 8(1) of the Slovenian Data Protection Law as the offence was committed within the scope of its business activities and on its behalf.

As a result, the DPA imposed a fine of €300 to the responsible person of the legal entity and another fine of €6,255 to the legal entity.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Date: 7.3.2024


The Information Commissioner (hereinafter referred to as the offence authority), acting ex officio on the basis of
Article 51, paragraph 2 and Article 46 of the Act on Offences (Official Gazette of the RS, No. 29/11 - official
consolidated text, 21/13, 111/13, 74/14 - US Decree, 92/14 - US Decree, 32/16, 15/17 - US Decree, 73/19 - US
Decree, 175/20 - ZIUOPDVE and 5/21 - Decree No. 21/11 - official consolidated text, 21/13, 111/13, 74/14 - US

Decree, 92/14 - US Decree, 32/16, 15/17 - US Decree, 73/19 - US Decree, 175/20 - ZIUOPDVE and 5/21 -
ZIUOPDVE), shall, upon the request of the authorised official...- the state data protection officer, . 113/05 and
51/07 - ZUstS-A), in the infringement proceedings against the legal entity ... (registration number: ..., hereinafter:

...), and Articles 2 and 8 of the Information Commissioner Act (Official Journal of the RS, No. 113/05 and 51/07 -
ZUstS-A), in the infringement proceedings against the legal entity ... (registration number: ..., hereinafter: ...) and
its responsible person ..., for offences under Article 91(1)(1) and Article 91(2) of the Personal Data Protection Act
(Official Journal of the RS, No 94/07-UPB1 and 177/20, hereinafter: ZVOP-1), as follows



                                          AN INFRINGEMENT DECISION



To the offender:


   I.    responsible person: ..., ID number: ..., citizen of ..., employed at the time of the offence by ...,

                                                       is responsible


                                                     for two (2) offences
                         under Article 91(2) ZVOP-1 in conjunction with Article 91(1)(1) ZVOP-1,


by unlawfully processing, as the responsible person of the legal person ...., for which she was authorised to work, ...,
in ..., from ..., the personal data of ... and, from ..., the personal data of ..., namely their e-mail addresses ... and
... and the traffic data of the e-mails sent to those addresses during the period referred to below, by unlawfully
processing the e-mail addresses of ... and ... and by unlawfully processing the e-mail traffic data of ... and ..., after

termination of their employment, to those individuals in ......, but gave explicit instructions to the company ...
(registration number: ...), which provided the services of ... to ...., including the provision of mailbox services to ...,
to the effect that all e-mails sent to ... were:


 1.) between ... and ..., to the e-mail address ..., which belonged to ... and
 2.) during the period from ... to ... arrived at the address of ..., which belonged to ...


redirected to her email address (...), even though it had no basis in law or in the individual's personal consent for
such use, transmission, communication or processing of personal data ... and ..., thereby infringing Article 8(1)
of the GDPR-1 on two (2) occasions during the above-mentioned periods, i.e. on a case-by-case basis.


The offences described above were committed by ... in the course of her business and on behalf of and with the
funds of the legal person ..., to which she was authorised to carry out the works and tasks of ..., which makes her
liable for the said offence as the responsible person of the legal person ... on the basis of Article 15(1) of the Law

on the Protection of Human Rights and Fundamental Freedoms and Article 15a(1) of the Law on the Protection
of the Protection of Human Rights and Fundamental Freedoms.


  II.responsible legal entity: ..., ..., ..., ...

                                                    is responsible


                                                 for two (2) offences
                                           under Article 91(1)(1) ZVOP-1,


                                                                                                                      1committed by its responsible person ... by acting as the responsible person of a legal person ...who was authorised

to work for ..., in ..., from ... to ..., unlawfully processed the personal data of ... and, from ... to ..., unlawfully
processed the personal data of ..., namely their e-mail addresses ... and ... and the traffic data of the e-mails sent
to those addresses during the period referred to below, by giving those e-mail addresses to those individuals in
..., after the termination of their employment, in ...., ..., ... (registration number: ...), which is the parent company

of ..., ..., ..., ..., ..., ..., ..., ..., ..., ..., ..., .... ..., which included the provision of a mailbox service to ..., gave explicit
instructions under which all emails sent to ... were :


  1.)  between ... and ..., to the e-mail address ..., which belonged to ... and
  2.)  during the period from ... to ... arrived at the address of ..., which belonged to ...

 redirected to her email address (...), even though it had no basis in law or in the individual's personal consent for

 such use, transmission, communication or processing of personal data ... and ..., thereby infringing Article 8(1)
 of the GDPR-1 on two (2) occasions during the above-mentioned periods, i.e. on a case-by-case basis.


... committed the offences of unlawful processing of personal data of female employees in the course of its
business and on behalf of and with the funds of the legal person ..., to which it was authorised to carry out the
works and tasks of ..., which makes the legal person ... liable for the offences in accordance with Article 14(1) of
the Law on the Protection of Personal Data of Female Employees.


For the offence under Article 91(2) ZVOP-1 in conjunction with Article 91(1)(1) ZVOP-1, for which a fine of EUR
830.00 is prescribed, taking into account Article 91(2) ZP-1 and Article 119(1) ZVOP-2 on the application of a less
restrictive provision, the offender shall be fined EUR 830.00 on the basis of Article 91(2) ZVOP-1 and Article

119(1) ZVOP-2 on the application of a less restrictive provision, in accordance with Article 91(1) ZVOP-1. Article
97, paragraph 1, subparagraph 1, and applying Article 52, paragraph 3, and Article 26, paragraphs 1, 2 and 3,
and Article 27 of the PDL-1, and to the offending legal person on the basis of Article91,paragraph 1, subparagraph

1, subparagraph 1, of the ZVOP-1 and applying the same provisions of the PDL-1,
                                                       P a g e

1.  the responsible person of the legal person ...:


        for the offence of unlawful processing of personal data ... under point I.1.) of the present Sentence:
         GLOBA in the amount of EUR 200,00,

        for the offence of unlawful processing of personal data ... under point I.2.) of the present Sentence:
         GLOBA in the amount of EUR 200,00,

2. a legal person ...:


        for the offence of unlawful processing of personal data ... under point II.1.) of this judgment: GLOBA in
         the amount of EUR 4 170,00,

        for the offence of unlawful processing of personal data ... under point II.2.) of this judgment: GLOBA in
         the amount of EUR 4 170,00.

Then, in accordance with Article 27(2) of the Law on the Prohibition of Torts in conjunction with Article 26(1), (2),

(3) and (5) of the Law on the Prohibition of Torts, and taking into account Article 17(2)(3) and (4) of the Law on
the Prohibition of Torts, the offenders shall be sent a fine of EUR 400.00 for all the same offences in the bundle
instead of the single sanction of EUR 8 340.00 for the responsible person and EUR 8 340.00 for the responsible

legal person...,

                                                 A s s e s s m e n t


                                                 a single sanction:



                                                                                                                    21. to the person responsible for ...: GLOBA, the sum of EUR 300,00;
2. the responsible legal person ...: GLOBA for an amount of EUR 6 255,00.



The offender, the responsible person ... shall pay the fine of EUR 300,00 to the account of the recipient: the

Information Commissioner, IBAN of the recipient: SI56 0110 0845 0051 825, BIC code of the bank of the
recipient: BSLJSI2X, purpose code: GOVT, purpose of payment: 0609-6/2024/7 fine, reference: SI11 12157-
7120010-202426.


The offender, the responsible legal person ... shall pay the fine of EUR 6 255,00 to the account of the
recipient: the Information Commissioner, IBAN of the recipient: SI56 0110 0845 0051 825, BIC code of the
bank of the recipient: BSLJSI2X, purpose code: GOVT, purpose of payment: 0609-6/2024/7 fine, reference: SI11

12157-7120010-202424.

The offender, the person responsible ... shall pay a court fee of EUR 40.00 pursuant to Article 143(1) in

conjunction with Article 144(1) and Article 58(2) of the CP-1. The court fee, which is levied on the offender in
respect of the fine imposed on him under tariff No 8111 of the Court Fees Act (Official Journal of the RS, No
37/08, as amended), shall be..., hereinafter: ZST-1) in the amount of EUR 40,00 shall be paid by the infringer
as the responsible person to the account of the recipient: the Information Commissioner, IBAN of the

recipient: SI56 0110 0845 0162 502, BIC code of the bank of the recipient: BSLJSI2X, purpose code: GOVT,
purpose of payment: 0609-6/2024/7 court fee, reference: SI11 12157-7120010-202427.


The offender, the responsible legal person ... shall, pursuant to Article 143(1) in conjunction with Article 144(1)
and Article 58(2) of the Civil Code, pay a court fee of EUR 625,50. The court fee, which is assessed to the
offender for the fine imposed under tariff number 8111 ZST-1 in the amount of EUR 625,50, shall be paid by the

offender as a responsible legal person to the account of the recipient: Information Commissioner, IBAN
of the recipient: SI56 0110 0845 0162 502, BIC code of the bank of the recipient: BSLJSI2X, purpose code:
GOVT, purpose of payment: 0609-6/2024/7 court fee, reference: SI11 12157-7120010-202425.


The offenders shall pay the full amount of the fine and the court fee within fifteen (15) days of the final
decision on the offence. After the expiry of the time limit for payment, the offenders may apply to the authority
responsible for enforcement (the Financial Administration of the Republic of Slovenia) for payment of the fine and

the costs of the proceedings (court fee) in instalments.

If the fines and court costs (court fees) are not paid by the offending legal entity and the responsible person within

the time limit set, the unpaid fines and court costs (court fees) will be recovered by enforcement action.

If the person responsible for the offence, who would be entitled to regular free legal aid according to the material
criterion laid down in the law governing free legal aid on account of his/her financial situation or ability to pay, is

unable to pay the fine and the costs of the proceedings (court fees) in the amount of at least EUR 300.00, he/she
may, not later than the expiry of the time-limit for payment, submit a request to the authority which issued the
decision that the payment of the fine and the costs of the proceedings (court fees) be replaced by work for the

common good.

The court grants the applicant, who would be entitled to regular free legal aid under the substantive criteria of the
law governing free legal aid, the compensation of the fine and the costs of the proceedings by means of a work

of general interest.

LAW LESSON: You can apply for judicial protection against an offence decision. The request must be notified

     in writing within eight (8) days of receipt of this decision to the Information Commissioner, Dunajska cesta
     22, 1000 Ljubljana, otherwise the beneficiary of the request (the infringer, legal representative or defence
     counsel) shall be deemed to have waived the right to request judicial protection. The statement of claim shall

     be sent by post or delivered directly in duplicate and shall be deemed to be in time if it is lodged on the last
     day of the period for lodging the statement of claim by registered post or directly with the authority which


                                                                                                                  3     issued the decision. An application for judicial protection which has been lodged may be withdrawn until the
     expiry of the time-limit for lodging the notice of application.


If the person entitled to a request for judicial protection does not announce or make an announcement within the
     statutory time limit for lodging the request

withdraws the application, he or she shall be deemed to have waived his or her right to applyfor judicial protection.

If none of the persons entitled to apply for judicial protection announces such an application, the offending
authority shall not issue a reasoned decision on the offence, but shall be deemed to have served a final decision

without reasons on the date of service of the decision, which shall become final on the expiry of the time-limit for
announcing the application for judicial protection.


Where at least one of the beneficiaries of the request for judicial protection announces the lodging of such a
     request, a written decision on the offence, stating the reasons for the decision, shall be drawn up and
     dispatched not later than thirty (30) days after receipt of the announcement of the request for judicial

     protection. The reasoned decision shall in that case be served on all persons entitled to apply for judicial
     protection.

The offender who fails to notify an application for judicial protection against the decision on the offence shall

pay half of the fine imposed within eight (8) days of the expiry of the time limit for notification of the
application for judicial protection (half of the fine is EUR 150.00 for ... and EUR 3 127.50 for ...), otherwise
he shall pay the full amount of the fine imposed within the time limit set out in the operative part of this Decision.

The infringer who announces an application for judicial protection against the decision and subsequently fails to
lodge a reasoned application against the decision shall also be required to pay the full amount of the fine within
the time limit laid down in the operative part of the decision.


If the offender pays half of the fine before the expiry of the time limit for the notification of the request for judicial
protection, the request for judicial protection against the decision shall not be admissible, unless the offender was
required to pay the fine before the expiry of the time limit for the notification of the request in accordance with the

provisions of the CP-1.

Under the conditions and in accordance with the rules governing the financial management of the offending

authority, the offender may also pay the fine and the costs of the proceedings by means of a non-cash means of
payment.




                                                               ...







To be served:















                                                                                                                     4