IP (Slovenia) - 0610-32/2021/7

From GDPRhub
IP (Slovenia) - 0610-32/2021/7
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 32 GDPR
Personal Data Protection Act
General Administrative Procedure Act
Type: Investigation
Outcome: Violation Found
Decided: 10.05.2021
Published: 15.06.2021
Fine: None
Parties: n/a
National Case Number/Name: 0610-32/2021/7
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: GDPR planet (in SL)
Initial Contributor: Klemen Kraigher Misic

The Slovenian DPA (IP) held that an eGovernment portal had violated Article 32 of the GDPR by failing to ensure that documents posted on its bulletin adequately secured personal data.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller, an eGovernment portal (eUprava), published multiple public documents on its digital bulletin board. These documents published more personal data than what is permitted by national law (Article 96 of the General Administrative Procedure Act. According to this national law, the controller can only publish the following kinds of data:

  • information on the reasons for public notification,
  • the authority which has issued the document,
  • the number, date and type of the document,
  • the personal name or business name of the addressee,
  • the address for service or other permanent or temporary residence if the addressee does not have an address for service,
  • the registered office of the legal person or natural person registered for the performance of activities,
  • an indication of the administrative case,
  • the date of publication of the notification with the warning that the addressee is to take delivery within 15 days,
  • the consequences referred to in paragraph five of this Article, and the place where the document is located.

Additionally, the controller published the following personal data (not explicitly permitted by the ZUP):

  • individuals’ date of birth,
  • decisions to suspend the procedure for granting international protection, in full.

Dispute[edit | edit source]

Holding[edit | edit source]

Slovenian DPA held, that the controller (public sector) violated Articles 24 and 25 of the ZVOP-1 and Article 32 of the GDPR. The controller failed to ensure an adequate level of personal data security in order to prevent illegal publication.

Author's note: in accordance with the practice of the IP, the controller should protect personal data, the publication of which is not explicitly permitted by law, with a password or in any other appropriate manner.

As the controller had already complied with the GDPR during the inspection procedure, the IP stopped further procedure. However, the IP announced that this violation will also be assessed in the context of misdemeanors (seperate procedure).

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Number: 0610-32 / 2021/7

Date: May 10, 2021



The Information Commissioner (hereinafter: IP) is issued by the State Supervisor for Personal Data Protection on the basis of the fourth paragraph of Article 135 of the General Administrative Procedure Act (Official Gazette of the Republic of Slovenia, No. 24/06-UPB2, as amended; hereinafter ZUP) , in connection with Article 50 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113) / 05 and 51/07 - ZUstS-A, hereinafter ZInfP), and Articles 57 and 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data data and repealing Directive 95/46 / EC (General Data Protection Regulation,hereinafter referred to as the General Regulation) in the matter of conducting inspections of the implementation of the provisions of ZVOP-1 and the General Regulation against the taxpayer… (Hereinafter: the liable party), ex officio the following


CONCLUSION


1.The procedure of inspection control over the implementation of the provisions of ZVOP-1 and the General Regulation, conducted by the IP against the liable party under no. 0610-32 / 2021, stop .

2.No specific costs were incurred in this proceeding.

Justification


IP initiated the inspection procedure against the taxpayer on suspicion of improper implementation of procedures and measures to ensure the security of personal data when publishing documents on the bulletin board of the eGovernment portal, which the taxpayer must carry out in accordance with Articles 24 and 25 ZVOP-1 and Article 32 regulations. The suspicion of the violation stems from the information in the news… on the Slo-Tech portal… and the results of the review of publications on the eGovernment notice board by the IP on 2 February 2021 (doc. No. 0610-32 / 2021/1).


A review of the website by IP shows that on 2.2. 2021 on the bulletin board of the eGovernment fifty-five (55) announcements of the liable party and that the liable party, in cases,…, in the title of the publication publicly publishes the name and surname and birth data of individuals (when available), ie the liable party on the bulletin board of the eGovernment portal with the public announcement provided for in Article 96 of the General Administrative Procedure Act (Official Gazette of the Republic of Slovenia, No. 24/06-UPB2, as amended; ZUP), publishes more personal data than permitted by Article 96 of the ZUP.


In a detailed review of the first twenty (20) publications and the contents of the attached files on 2 February 2021, the State Supervisor to whom the case in question was referred for resolution (hereinafter: the Supervisor) found that out of twenty (20) attached seventeen (17) Notices of service by public announcement, which contained only information in accordance with Article 96 of the ZUP, two (2) Decisions on termination of proceedings for… (contains date of birth) and one (1) Decision on rejection of the request for access to public information (contains the e-mail address of the applicant). Published documents are also of various formats.


Due to the need to clarify the matter and establish the facts, on the basis of the second paragraph of Article 29 of the ZIN and the powers under Article 19 of the ZIN, Articles 2 and 8 of the ZInfP, Articles 50, 51 and 53 of ZVOP-1 and Article 57 and 58 of the General Regulation, on 4 February 2021, the IP requested the liable party to provide a written explanation, documentation and a statement explaining: no later than eight (8) days from the service of the summons:

• which documents of the data subject define the adequacy of the procedures and measures by which the data subject ensures an adequate level of security of personal data ;
• what instructions were given to the taxpayer's employees who have permission to publish the documents on the eGovernment notice board, and who prepared them;
• on what legal basis does the liable party publish the date of birth of an individual who has failed to serve the document in the list of published documents on the eGovernment notice board;
• on which legal basis the taxpayer publishes decisions on oglas in full text on the eGovernment notice board;
• whether the taxpayer detected information on alleged violations of personal data protection in the media and the IP call of 17 December 2020 and consequently reviewed its publications on the eGovernment notice board;
• if the review of publications was carried out, who carried it out, when and what were the findings of the review;
• if irregularities or breaches of personal data protection have been identified in the framework of the internal review, what measures has the taxpayer taken to establish the legal situation, reduce the consequences of the identified irregularities and to reduce the possibility of such breaches in the future;
• if the data subject has detected breaches of personal data protection in publications on the eGovernment notice board, on the basis of which he has assessed that it is unlikely that the breaches of personal data protection would endanger the rights and freedoms of individuals and therefore did not notify the IP;
• if the person liable for the violation of personal data protection during the publication on the eGovernment notice board has not yet detected what measures he intends to take to establish the legal situation and reduce the possibility of such violations in the future and by when;
• any additional clarifications and documentation to help clarify the facts.

On 12 February 2021, the taxpayer submitted a request for an extension of the deadline for responding to the IP's request, arguing that these were extensive questions, and that it was necessary to collect answers from several internal organizational units or a constituent body. The supervisor granted the taxpayer's request.


The IP received the respondent's response to the invitation on 19 February 2021. In the reply, the obligor explains that the procedures and measures to ensure an adequate level of personal data security are set out in the Rules on Personal Data Protection of 11 February 2009, which he also attached it. Given the fact that the rules were adopted before the application of the General Regulation, the taxpayer explains that he will prepare new rules as soon as the new law in the field of personal data protection is adopted.


Employees of the taxpayer who have permission to publish documents on the eGovernment notice board did not receive any special instructions, as they are expected to act in accordance with the applicable legislation and the aforementioned rules.


Regarding the publication of birth data in the list of published documents on the eGovernment notice board, the taxpayer explains that the indication of the date of birth of an individual in the list of failed service of documents was due to marking the case in accordance with the Decree on Administrative Operations (Official Gazette RS no. 9/18, 14 / 20 and 167/20), which requires, inter alia, a summary of the case. As persons with the same names and surnames often appear in proceedings,, and it is also useful to see from the title of the case whether it is a minor, the liable party shall state the date of birth and nationality in the summary of the case. In the case of publication on the bulletin board of the eGovernment, the short content of the case was automatically transferred to the title of the published document on the bulletin board, which consequently led to the date or year of birth of the person being published, who was unable to serve the document. In the notice of service by public announcement, the liable party does not state the date of birth of the individual.


Regarding the established publication of decisions on the termination of the procedure for the recognition of international protection in full text, the liable party explains that he really does not have an appropriate legal basis for such publication and that the publication of these decisions was made by mistake or the publication was wrong file.


In order to eliminate the consequences of the established violation and reduce the possibility of such violations in the future, the taxpayer called on all internal organizational units to review all their publications on the eGovernment notice board and eliminate any identified irregularities immediately. A uniform form (Notice of service by public announcement) was also prepared for publication on the eGovernment notice board. In response to the IP call, the taxpayer also states that the data transfer in the information system has been changed so that the case address, which also contains birth data, is no longer automatically transferred, but the title of the document is automatically transferred but does not contain the date of birth.

In order to verify the truthfulness of the taxpayer's statements in response to the IP call and the success of the implemented measures, on 7 May 2021 the supervisor checked the status of the taxpayer's announcements on the eGovernment notice board (doc. No. 0610-32 / 2021/6). During 59 publications of the obligor (…) in the period from 22 April 2021 to 6 May 2021, no violations in the field of personal data protection were established.


The taxpayer called on the internal organizational units to examine whether the violations are of such a nature as to pose a significant risk to the rights and freedoms of individuals and to inform the affected individuals in the event of such violations.


After reviewing the taxpayer's explanations and the bulletin board of the eGovernment portal on 7 May 2021, the Supervisor found that the taxpayer had answered all IP questions and attached the relevant evidence for the statements in the answers. It follows from the taxpayer's explanations that the taxpayer has a procedure for serving documents with public announcement, that by changing the system transfer of data from the case he ensured that there is no automatic transfer of the case title, which also contains birth data, and that in other established In cases of breaches, breaches and excessive publication of personal data occurred due to human error or negligence of employees, who were again warned to be careful when processing personal data and sent to use the prepared standard notice of service with a public announcement.


The Supervisor concluded that during the proceedings the liable party voluntarily eliminated illegalities, irregularities and deficiencies and established the legal situation and took appropriate measures to reduce the consequences of the identified violation and the possibility of recurrence of such violations in the future. As the need to continue conducting the subject procedure has ceased, it is necessary to stop the inspection procedure and decide, as stated in the disposition of this resolution, on the basis of the fourth paragraph of Article 135 of the ZUP.


By failing to ensure an adequate level of security of personal data in order to prevent illegal publication and thus illegal processing of personal data of individuals, the taxpayer violated the provisions of Articles 24 and 25 of ZVOP-1 and Article 32 of the General regulations. IP will treat the established violation within its competence as a misdemeanour authority.


Pursuant to the second paragraph of Article 118 of the ZUP, the decision terminating the procedure decides on the costs of the procedure and since they were not incurred in this procedure, it is thus established and stated in point 2 of the operative part.


This resolution is issued ex officio and is free of fees on the basis of Article 22 of the Administrative Fees Act (Official Gazette of the Republic of Slovenia, No. 106/2010-UPB5 with amendments).



Instruction on legal remedy : There is no appeal against this decision, but an administrative dispute is allowed. An administrative dispute is initiated by a lawsuit, which is filed within 30 days of service of the decision with the Administrative Court of the Republic of Slovenia, Fajfarjeva 33, 1000 Ljubljana. The action shall be sent by registered post to that court. The application, with any annexes, shall be filed in at least three copies. The application must also be accompanied by this decision in the original or in a transcript.