IP (Slovenia) - 06111-1/2023/8

From GDPRhub
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 32 GDPR; Article 4(1) GDPR; Article 2(1) GDPR; Article 33(2) ZVOP-2
Type: Complaint
Outcome: Rejected
Started: 27.02.2023
Decided: 06.06.2023
Published: 06.06.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 06111-1/2023/8
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: Informacijski pooblaščenec (in SL)
Initial Contributor: spela

The Slovenian DPA ruled out a breach of Article 32 GDPR because the data concerned, a phone number used by a company, was not "personal data" under Article 4(1) GDPR.

English Summary

Facts

On 17 January 2023, the complainant received an SMS message from the controller containing certain shipping information. Fifteen minutes after this first SMS message, the complainant received a spam SMS message from an unknown sender.

Because of this, on 26 January 2023, the complainant lodged a complaint with the Slovenian DPA. He claimed that the controller had not adequately secured his phone number, which was personal data, and had not taken all measures to prevent its unauthorized use, as a result of which he had received a spam SMS message.

The Slovenian DPA initiated proceedings against the controller and, on 10 March 2023, the DPA sent a request for clarification to the controller regarding the allegations.

The controller explained that the disputed telephone number had been provided by another company, which had to deliver an item to the complainant. It further stated that it protects the shipment data it receives and monitors its systems carefully, but that in this instance the phone number was publicly posted on several websites of different companies engaged in logistics activities.

Holding

Following the information provided, the DPA reiterated that the telephone number of a natural person is generally considered personal data, but not when it belongs to a legal entity.

In order to be "personal" in accordance with Article 4(1) GDPR, data must meet two conditions cumulatively: (i) the information must relate to an individual (a natural person) who (ii) is identified or identifiable. In the present instance, since the controller processed the phone number in relation to a legal person and the telephone number in question belonged to a company, the DPA concluded that the telephone number did not constitute personal data within the meaning of Article 4(1) GDPR.

As a consequence, the processing of the contested data did not fall within the scope of Article 2(1) GDPR, and the controller did not violate Article 32 GDPR, since the security of processing obligations did not apply.


English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Number: 06111-1/2023/8
Date: 6/6/2023

The Information Commissioner (hereinafter: IP), acting through the State Supervisor for the Protection of Personal Data, on the basis of Articles 2 and 8 of the Information Commissioner Act (hereinafter: ZInfP), point 2 of the first paragraph of Article 55 of the Personal Data Protection Act (hereinafter: ZVOP-2), and Articles 55 and 57(1)(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter: General Regulation), in the procedure conducted on the basis of the request of an individual: ... (hereinafter: individual), dated 17 February 2023 (hereinafter: complaint), for control of the legality of the processing of his personal data carried out by: ... (hereinafter: controlled entity), issues the following
THE DECISION
1. It is established that, at the time of the filing of the individual's complaint dated 17/02/2023, when processing data in the context of the delivery of the shipment with the receipt number ..., the controlled entity did not violate Article 32 of the General Regulation or other laws governing the processing and protection of personal data in a way that failed to ensure the security of the individual's personal data.
2. The controlled entity is not ordered to take any measures regarding the processing of personal data relating to the individual.
3. The individual is not subject to any restrictions regarding the review of the case file, which is kept under no. 06111-1/2023.
4. In this procedure, the authority did not incur any special costs, and each party covers its own costs of the procedure.
Explanation
I. Current course of the procedure and relevant statements
1. The IP initiated the control procedure against the controlled entity on the basis of the request for control of the legality of personal data processing dated 26/01/2023 and its amendment of 17/02/2023 (hereinafter: the complaint) filed by the individual. It follows from the complaint that the individual believes that the controlled entity did not adequately secure his personal data and does not implement all measures to prevent their malicious use, which is why, when the SMS message about the shipment was sent on 17/01/2023 at 17:15 (hereinafter: genuine SMS message) to the individual's telephone number ... (hereinafter: the disputed telephone number), the individual's personal data was misused; as a result, on the same day at 17:30, the same telephone number received an SMS message containing an attempted fraud (hereinafter: fake SMS message) from an unknown sender using the alphanumeric sender ID "...".
2. On 10 March 2023, the IP sent the controlled entity a request for clarification regarding the individual's statements in the complaint. In its response, received by the IP on 24/03/2023, the controlled entity explained that it carefully protects shipment data and carefully controls its systems, while the disputed telephone number is publicly published on several websites, including as contact information for several business entities. It also stated that the disputed telephone number had been provided to it by the company ... (hereinafter: ...), which was the sender of the shipment with the receipt number ... (hereinafter: specific shipment). The specific shipment was addressed to the company ... (hereinafter: ...) and not to an individual. Given that the sender is the operator of an online store, there is a possibility that the data leak occurred on the sender's side, since in the past the controlled entity has already detected cases in which an online store was operating normally while, in the background on the same web server, a fake website designed for scams was running. In its response, the controlled entity also pointed out that the individual accuses it of inadequate security solely on the basis of the closeness in time between the fake and genuine SMS messages, the disputed phone number being the only piece of information the individual cites as the subject of abuse, even though the genuine SMS message also contained other information about the specific shipment. If the sender of the fake SMS message had obtained the information from the controlled entity, it would also have used the information about the addressee, sender and shipment number in the fake SMS message, which would have increased the success of the fraud, and as a result the controlled entity would have received a greater number of messages from customers and the police.
It explained that in the past it had already dealt with accusations based on the closeness in time of fake and genuine messages, in which there was likewise a match only in the contact information and not in the other shipment data; each time it additionally checked its systems for possible traces that would indicate unauthorized access, but in no case was unauthorized access detected. A time match happens rarely, but its probability is not negligible considering the number of shipments delivered daily by the controlled entity (more than ...) and the usual number of fake messages sent in individual campaigns (up to several tens of thousands).
3. The IP established the relevant facts in this case on the basis of documentary evidence, namely the letter of the Agency for Communication Networks and Services of the Republic of Slovenia no. 06106-10/2023/2 dated 25/01/2023, a screenshot of the genuine SMS message, a screenshot of the fake SMS message, a summary of the relevant search engine results ... (hereinafter: summary of results ...) and an extract from the Business Register of Slovenia (hereinafter: PRS) for the company ...
4. In letter no. 06111-1/2023/7 of 17 May 2023, in accordance with the second paragraph of Article 32 and the second paragraph of Article 33 of ZVOP-2, the findings essential for the decision in this matter were presented to the parties, who were at the same time invited to comment on them within 10 days of service of the letter. Neither the individual nor the controlled entity commented on the presented findings in the procedure.
I. Indication of the provisions of the regulations on which the decision is based
5. Pursuant to Article 32(1) of the General Regulation, the controller must, taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of processing and the risks of varying likelihood and severity to the rights and freedoms of individuals, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. When determining the appropriate level of security, on the basis of Article 32(2) of the General Regulation, account must be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
6. On the basis of Article 2(1), the General Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
7. In Article 4(1) of the General Regulation, "personal data" is defined as any information relating to an identified or identifiable individual; an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
I. The established factual situation and the reasons that dictate the finding of non-existence of the alleged violations
8. It is not in dispute between the parties that the controlled entity sent the genuine SMS message to the disputed telephone number on 17/01/2023 at 17:15. In addition to the disputed phone number to which it was sent, the genuine SMS message also contained information about the specific shipment, namely the shipment number (...) and the sender (...), as can be seen from the screenshot of the genuine SMS message.
9. From the consistent statements of both parties and the screenshot of the fake SMS message, it follows that the only information subject to abuse was the disputed telephone number. The IP notes that the summary of results ... confirms the statements of the controlled entity that the disputed telephone number is listed on several websites as the contact information of several companies engaged in logistics activity. From the statements of the controlled entity, to which the individual did not object, it follows that the controlled entity received the disputed telephone number from the sender ..., namely as contact information in connection with the specific shipment addressed to the company ... (and not to an individual). The individual also stated that he had forwarded the disputed phone number to the sender for the purpose of delivery. Based on the data published in the PRS for ..., the IP found that the disputed phone number is listed among the contacts of the company .... On this basis, the IP determined that the disputed telephone number is the contact telephone number of a legal entity ...
10. It follows from the consistent statements of both parties that the controlled entity processed the disputed telephone number in connection with the specific shipment with the receipt number ..., which also follows from the screenshot of the genuine SMS message. In the complaint, the individual did not indicate to whom the specific shipment was addressed, but from the statements of the controlled entity it follows that it was addressed to a legal entity ... In the absence of different statements (and evidence) from the individual about the addressee of the specific shipment, the IP followed the statements of the controlled entity that it processed the disputed telephone number in connection with the specific shipment, namely as the contact information of the addressee of the shipment, a legal entity ...
11. According to the definition of personal data presented in point 7 of this explanation, the telephone number of a natural person is (from the point of view of personal data protection regulations) undoubtedly personal data, but the same does not apply to the contact telephone number of a legal entity. In order for information to qualify as personal data in accordance with Article 4(1) of the General Regulation, two conditions must be met cumulatively: the information must relate to an individual (natural person), and that individual must be identified or identifiable.
12. Since the controlled entity processed the disputed telephone number in connection with a legal entity ... and the disputed telephone number actually relates to a legal entity, the IP concludes that, in the specific case, the disputed telephone number does not constitute personal data under Article 4(1) of the General Regulation, and consequently, in accordance with Article 2(1) of the General Regulation, the General Regulation, including the obligations under Article 32, does not apply to the processing of the disputed telephone number.
13. Taking into account all of the above, the IP finds that the controlled entity did not violate Article 32 of the General Regulation when processing the disputed telephone number in the context of the delivery of the shipment with the receipt number ..., as there is no evidence that it processed the personal data of an individual. As a result, the IP finds that, at the time of the filing of the complaint dated 17/02/2023, the controlled entity did not violate Article 32 of the General Regulation when processing data in the context of the delivery of the shipment with the receipt number ..., as stated in point 1 of the operative part of this decision.
14. Since the IP established that the controlled entity did not act in violation of Article 32 of the General Regulation in the case in question, because it did not process personal data relating to the individual, it did not order it to take any measures regarding their processing.
15. On the basis of point 3 of the first paragraph of Article 34 of ZVOP-2, a decision in a control procedure under the provisions of that section contains, in addition to the components required by the law governing the general administrative procedure, the permissible scope of review of the case file by an applicant with special status (i.e. the individual). Taking into account the provisions of Articles 15 and 18 of ZVOP-2, the IP decided not to impose any restrictions on the individual regarding the review of the file in this case.
I. Costs
16. Pursuant to the first and third paragraphs of Article 118 of the ZUP, the authority, in the decision or resolution with which the procedure ends, decides on the costs of the procedure: who bears them, how much they amount to, and to whom and within what period they must be paid. In this control procedure, the authority did not incur any special costs, and on the basis of the second paragraph of Article 30 of ZVOP-2 in relation to the fourth paragraph of Article 114 of the ZUP, each party in this procedure bears its own costs.
17. This decision is exempt from fees on the basis of Article 57(3) of the General Regulation and the second paragraph of Article 55 of ZVOP-2 in relation to the fourth paragraph of Article 3 of the Administrative Fees Act (hereinafter: ZUT).
II. INSTRUCTION ON LEGAL REMEDY:
There is no appeal against this decision, but an administrative dispute may be initiated. An administrative dispute is initiated by filing a lawsuit with the Administrative Court, Fajfarjeva 33, 1000 Ljubljana. The lawsuit must be filed within thirty (30) days of service of this decision. The lawsuit is filed directly in writing with the said court or sent to it by post. A lawsuit sent by registered mail is deemed to have been filed with the court on the day it was sent. In addition to the original, transcript or copy of this decision, the lawsuit must be accompanied by one transcript or copy of the lawsuit and its attachments for the defendant and, if someone else is affected by the decision, also for that person.

...,
the State Inspectorate for the Protection of Personal Data


To be served on:
1. the individual, personally in accordance with the ZUP;
2. the controlled entity, personally in accordance with the ZUP.