IP (Slovenia) - 0612-23/2019/19: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 61: Line 61:
}}
}}


The DPA found that a controller-processor relationship does not sufficiently describe the responsibilities between the parties, as they both could determine the purpose and means of the processing, and ordered them to establish a joint-controller relationship.
The DPA found that a controller-processor relationship did not sufficiently describe the responsibilities between the parties, as they both could determine the purpose and means of the processing, and ordered them to establish a joint-controller relationship.


== English Summary ==
== English Summary ==

Revision as of 10:48, 20 July 2022

IP - 0612-23/2019/19
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 24 GDPR
Article 26 GDPR
Type: Investigation
Outcome: Other Outcome
Started:
Decided: 01.06.2022
Published: 26.06.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 0612-23/2019/19
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: Primož Govekar

The DPA found that a controller-processor relationship did not sufficiently describe the responsibilities between the parties, as they both could determine the purpose and means of the processing, and ordered them to establish a joint-controller relationship.

English Summary

Facts

The cloud solution provider deemed itself the processor.[1] It deemed the users of the cloud solutions the controllers.

The 'processor' offered cloud solution to combine personal data from different sources (controllers) providing information processing and combination in order to allow users to effectively combine the data from various sources.

The computer cloud, the establishment of which provided the 'processor' on the basis of the law, represents the computer infrastructure for direct users and offers them storage, development, business and other capacities in the form of services and the possibility to quickly achieve their business goals by using the concept of cloud computing.

The infrastructure was owned and managed by the 'processor'. It runs services that use sensitive, personal and other data and information that it does not want to store outside of its environment.

Holding

The DPA found that the processor acted as a technical intermediary between its users (the controllers) on the one hand, and the data source on the other hand. Both parties determine the purpose and means of the processing. The DPA therefore held that a simple controller-processor relationship does not sufficiently describe the responsibilities between the parties.

The DPA held that:

I. the 'processor' must regulate relations with users (controllers) by mutual agreement in accordance with Article 26 GDPR (joint controllers).

II. the measure referred to in point I of the pronouncement of this decision must be carried out by the 'processor' within 60 (sixty) days from the receipt of this decision.

III. the 'processor' must inform the DPA in writing about the implemented measure from point I of the pronouncement of this decision within 5 (five) days after execution and submit supporting documents.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.



Number: 0612-23/2019/19
Date: 1 June 2022


The Information Commissioner (hereafter IP) issues according to the State Supervisor for the Protection of Personal Data... on the basis of Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, no. 113/05 and 51/07 – ZustS-A, in hereinafter: ZInfP), Articles 37 and 54 of the Personal Data Protection Act (Official Gazette of the RS, no. 94/07-UPB1 and 177/20, hereinafter: ZVOP-1), fifth paragraph 29 and first paragraph 32. Article 58(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27 2016 on the protection of individuals in the processing of personal data and on the free flow of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation, hereinafter: General Regulation), in the matter of inspection control over the implementation of the provisions of the General Regulation and ZVOP-1 at to the obligee ... (hereinafter: the obligee), ex officio the following


THE DECISION


I. Due to identified irregularities in connection with the implementation of the provisions of the General Regulation with users (controllers), the taxpayer must...regulate relations by mutual agreement in accordance with Article 26 of the General Regulation (joint controllers).

II. The measure referred to in point I of the pronouncement of this decision must be carried out by the liable party within 60 (sixty) days from the receipt of this decision.

III. The obligee must inform the IP in writing about the implemented measure from point I of the pronouncement of this decision within 5 (five) days after execution and submit supporting documents.

IV. No special costs were incurred in this procedure.


Explanation


1. Procedural actions, findings of the IP and statements of the liable party

The IP conducts an inspection procedure against the taxpayer, during which it verifies the processing of personal data in the context of...

In the context of the subject procedure, the IP is:

- on February 5, 2019, he asked the taxpayer to submit a written explanation, documentation and statement (doc. no. 0612-23/2019/1), to which the taxpayer replied with letters no. 071-7/2017/4 on 22.3.2019 and no. 071-7/2017/5 on 27/03/2019, which attached relevant documentation regarding the system..., namely: answers to questions regarding the provision of information security in connection with the implementation of the service..., Act on the organization of operations. .., Plan of ... data ..., Act on procedures and measures for securing personal data in ..., Instructions on the use of ... resources, Instructions for the use of ... ..., the overall picture of the implementation of the service, infrastructural the service implementation aspect and information related to the provision of an audit trail in the system...;

- on September 18, 2019, he conducted an inspection of the taxpayer's premises, which was recorded in minutes no. 0612-234/2018/3, from which it follows (in summary) that ... it serves as a central point for conducting electronic inquiries to data sources - a technical intermediary between the inquiry system or clients on the one hand and data sources on the other. Communication ... with data sources is carried out on the basis of queries initiated by the query system for connecting to data sources and obtaining data, with ... a built-in mechanism that can dynamically direct the data retrieval process for a specific purpose of querying data. ... contains only technical aspects of obtaining data from individual sources and does not carry out substantive decisions, interpretations and transformations of data. In relation to the traceability of personal data processing at ..., it was found that ...for the purposes of maintaining an audit trail of accesses to personal data via individual transactions, a separate scheme is established in the same database, namely in such a way that the client system .. .presents with a certificate and calls with pre-agreed parameters that are bound to the certificate. ... on the basis of the received request, builds queries according to the procedure that the client system called. Sends the ... transaction process ID and parameters requested by the source itself to the data source. The transaction number of the client system, the beginning of the transaction, the end of the transaction, the client system, the time stamp, information about the archiving of meta data and the type of transaction are recorded in the data tables, which are intended for managing the audit trail. Also, metadata of resource calls and responses is stored in audit trail management tables. The transaction process number that connects the client call to the resource call, process number, start, end, client system, and timestamp. All xml files (which contain information about the client call and resource responses) are kept on ... only until the client system confirms a successful takeover and initiates the deletion of the xml files. Only exchange meta data remains in the audit trail tables. In data exchange agreements, it is agreed that each system takes care of its part of the audit trail. The client system takes care of storing data on who and when initiated an individual request on .... The moment the request is received by ..., it runs an audit trail according to the described procedure. Also, the data sources keep an audit trail about the call.... A complete audit trail for a single transaction can thus be constructed by combining the audit trails of the client system... and the source. With regard to external contractors who maintain..., the liable party explained that this service... and that he has a contract with them on the processing of personal data (the contract he has with the company... is attached to the minutes), a contract with ... and the obligee submitted subsequently, on 7 October 2019. In relation to the contractual relationship between the taxpayer who provides the service... and the clients, the taxpayer explained that there are 10 clients and 50 sources. Contracts should be concluded with all of them or agreements, but from the point of view of personal data protection, they are variously detailed. In the past, three-party contracts were concluded, but later the obligee took the position that, as ... he acts as a contract processor for resources (controllers), so he started concluding personal data processing contracts only with them. In this case, clients act as users, while the obligee is merely an intermediary in the transfer of data from sources to clients. On October 7, 2019, based on the request in the minutes, the obligee submitted the following documentation: Contract ..., Agreement and technical annex - ... (with annex), Technical specifications for the Agreement on the implementation of data transmission ... (tripartite), Application for the registration of a system user .... – production environment (tripartite), Agreement on the processing of personal data – ...(with an annex), Agreement on the use of services provided by ... and contractual processing of personal data (new agreement), Annex no. . 1 to the agreement on the delimitation of responsibilities and on the methods of coordination in management... (with an annex),... - explanation of the new way of signing agreements;

- in order to further clarify the actual situation, on 19 August 2020, the taxpayer was asked to provide an additional written explanation, documentation and statement (doc. no. 0612-23/2019/13), to which the taxpayer responded by letter no. 071-7/2020/13 answered on 16/09/2020 and in which the taxpayer provided additional explanations regarding the new way of signing agreements. The taxpayer originally planned to sign bilateral agreements only between him and the users (so-called data clients), but practice has shown that he needs bilateral agreements with both the data client and the data manager (so-called data source). The taxpayer added that he is currently preparing a single draft of the agreement, where the taxpayer will conclude one agreement with each institution for which he provides services, and the agreement will also include the use of .... The taxpayer will therefore conclude an agreement with the institution that is the source of data and the institution that is the client of the data. The obligor attached to the letter a list of institutions and the types of agreements he has concluded with them (Appendix 2 to the letter), a signed agreement with ... as a client for the needs of data exchange for ... (Appendix 3 to the letter) and the information that currently is also preparing an agreement with the source, which will mean a more transparent system. The taxpayer also added that the data about the user (natural person) of individual applications is stored in the framework of .., which are either listed on their certificates or entered by users who use .. themselves. The owners of the data (of users/natural persons) are therefore the organizations that are the administrators of the individual application and are considered by the taxpayer to be the managers of this data. In this context, the obligee acts as a processor of this data, and mutual relations are governed by mutual agreements;

- the IP met with representatives of the taxpayer regarding his role in relation to ... in the provision of services ... (either as an administrator, contractual processor or joint administrator), namely on 21.20.2020, 11.3.2021 and 25.3. .2021. The conclusion of the aforementioned meetings is an agreement in principle between the IP and the taxpayer (e-mail dated 8/4/2021 and 9/4/2021 - doc. no. 0612-23/2019/18) that the taxpayer's relationship to other authorities will be established within the scope of the inspection procedure in question, used as a model example of regulating relations with users of all other components, according to the analysis of the service provided by each individual component.


2. Provisions of regulations on which the decision is based
 
As a starting premise when assessing the legality of personal data processing in the context of ..., the supervisor states the fact that the development of technology and the increasing interconnection and connectivity of various information systems and services require a departure from mostly the so-called a linear view of the roles of various institutions that process personal data in such an interconnected ecosystem, i.e. considers that, when more than one institution is involved in a certain processing of personal data, only these institutions act in the relationship between controller and processor, and the obligations from the General Regulation that depend on this relationship, which accrue to the controller or processor.

With the development and expansion of software tools from "stand alone" implementations to "software as a service", all kinds of cloud services, mobile internet and agile development of software tools, linear, i.e. controller – processor model of personal data protection, no longer offers sufficient protection of the rights of individuals.

In the direction of moving away from a linear view, it is thus necessary to understand the provisions of the General Regulation, the guidelines of the European Data Protection Board (EDPB), and especially the latest case law of the Court of Justice of the European Union, as will be explained in more detail below. The above is also substantiated by the relevant provisions of the State Administration Act (Official Gazette of the Republic of Slovenia, No. 113/05 – official consolidated text, 89/07 – odl. US, 126/07 – ZUP-E, 48/09, 8/10 – ZUP- G, 8/12 – ZVRS-F, 21/12, 47/13, 12/14, 90/14, 51/16, 36/21, 82/21 and 189/21; hereinafter: ZDU).

2.1. Provisions of the General Regulation

The General Regulation provides individuals with the protection of their rights in relation to personal data relating to them, and in achieving this goal, it is based on the principle of responsibility, to which personal data managers are primarily committed. The principle of responsibility is defined in Article 5(2) of the General Regulation, namely that the controller is responsible for compliance with paragraph 1 and is also able to prove this compliance. Paragraph 1 of Article 5 of the General Regulation defines the remaining principles on which the system of personal data protection rules is based and which are derived in individual provisions of the General Regulation, therefore the principle of responsibility should be considered as an overarching principle.

The concretization of the principle of responsibility is determined by Article 24 of the General Regulation, namely that the controller, taking into account the nature, scope, circumstances and purposes of the processing, as well as the risks to the rights and freedoms of individuals, which differ in probability and severity, implements appropriate technical and organizational measures to ensures and is able to prove that the processing is carried out in accordance with this regulation. These measures are reviewed and supplemented where necessary. When this is proportionate to the processing activities, the measures from the previous paragraph include the implementation of appropriate data protection policies by the controller.

The seventh paragraph of Article 4 of the General Regulation defines the concept of controller and states that "controller" means a natural or legal person, public authority, agency or other body that alone or together with others determines the purposes and means of processing; where the purposes and means of processing are determined by Union law or Member State law, the controller or specific criteria for its appointment may be determined by Union law or Member State law. The eighth paragraph of the same article stipulates that "processor" means that natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

The general regulation is therefore based on the fact that the effective protection of the rights of individuals in relation to personal data is granted through the principle of responsibility to the (primary) manager, who, by determining the purposes and means of personal data processing, has control and decision-making power over the processing of personal data - therefore, in this sphere, he is responsible for compliance with all principles of personal data protection (the principle of legality, fairness and transparency, the principle of purpose limitation, the principle of minimum volume of data, the principle of data accuracy, the principle of storage limitations and the principle of integrity and confidentiality) and this is compliance also able to prove.

The content of the concepts "controller" and "processor" are explained in more detail in the EDPB Guidelines 07/2020 on the concepts of controller and processor based on the General Data Protection Regulation (ver. 2.0, 7/7/2021; hereinafter: EDPB Guidelines). As stated, the control and decision-making power regarding the processing of personal data comes from the definition in Article 4(7) of the General Regulation, that the controller is the person who "determines" the purposes and means of processing, i.e. the key elements of individual processing: why certain processing takes place and who is determined that this processing will take place for this purpose. A functional point of view (which person actually has decision-making power) and not primarily a formal point of view (e.g. which person is designated as manager in a legal act or contract) is essential for assessing these issues. Another key moment in assessing whether it is the controller is that this person determines the "purposes and means of processing", i.e. determines the content of the processing as a key element of the processing itself: it determines why or what goal does the processing want to achieve (purpose) and how will this goal be achieved (means - which personal data will be processed, to whom this data relates, how long the processing will take place, who can be the recipient of personal data, in which software tool, data will be processed, what measures will be taken to secure personal data, etc.). The controller can only be the person who determines both the purpose and the means of processing. Thus, the controller cannot be the person who determines only the purpose of the processing. And on the contrary, the processor, by definition, can never determine the purpose of the processing, but can to a certain extent decide on the so-called non-essential means of the processing, e.g. can make the selection of appropriate software or the selection of concrete security measures, while the controller must still have influence over which security measures are appropriate and which are not, must supervise the implementation of security measures at the processor, etc. (Article 28(3) of the General Regulation). Regardless of the help of the processor, the controller remains responsible for the implementation of appropriate technical and organizational measures (Article 24(1) of the General Regulation). Namely, the processor processes personal data "on behalf of the controller", which means that with its processing it only pursues the interest (or goal) of the controller to whom it has delegated the execution of this task, and with the processing, the processor implements the controller's instructions. When implementing the controller's instructions, he is allowed as much freedom in decision-making as far as decisions about non-essential means of processing are concerned.

On the other hand, the purpose and means of processing may also be determined in national and EU legislation, whereby the key to an appropriate assessment is who actually exercises influence over the processing of personal data.


If more than one actor is involved in the processing of personal data, the concept of joint management may arise, where the obligations that would otherwise be imposed on one controller are appropriately distributed to two or more controllers. The concept of joint managers is not new, as it was already defined by Directive 95/46/EC. The General Regulation is more specific in this context (Article 26 of the General Regulation), and the clarification of this concept was set mainly by the case law of the Court of Justice of the European Union (hereinafter: CJEU) in cases C-131/12 (Google Spain, 13.5.2014), C- 25/17 (Jehovan todishijat, 10/07/2018), C-210/16 (Wirtschaftsakademie Schleswig-Holstein GmbH, 5/06/2018) and C-40/17 (Fashion ID GmbH & Co. KG, 29/07/2019).
 
Article 26 of the General Regulation stipulates that two or more controllers who jointly determine the purposes and methods of processing are joint controllers. In a transparent manner, by mutual agreement, the joint controllers determine the duties of each of them in order to fulfill the obligations in accordance with this regulation, in particular in relation to the exercise of the rights of the individual to whom personal data refer, and the tasks of each of them regarding the provision of information referred to in Articles 13 and 14, unless and to the extent that the duties of each of the controllers are determined by Union law or the law of the Member State applicable to the controllers. By agreement, a point of contact for the individuals to whom the personal data relates may be determined. The agreement adequately reflects the role of each of the joint controllers and its relationship to the individuals to whom the personal data relate. The content of the agreement is made available to the data subject. Article 26 of the General Regulation further stipulates that the individual to whom personal data relates may, regardless of the terms of the agreement, exercise his rights in accordance with this Regulation regarding each of the controllers and against each of them.

The supervisor emphasizes that the determination of whether there are joint controllers in the context of certain processing of personal data will primarily result in the appropriate (correct) distribution of the obligations from the General Regulation and guaranteeing the rights of individuals to both controllers.

According to the provision of Article 26(1) of the General Regulation, in order to determine whether it is joint management, it is crucial that two (or more) controllers "jointly" determine the purposes and means of processing. The EDPB guidelines state that the term "together" should be interpreted as "together with" or as "not alone" ("not alone"), whereby it is necessary to follow (the same as in the case of an independent manager) a functional point of view - the assessment of the existence of joint management must be based on an analysis of the actual circumstances and not only on the basis of the legal-formal grounds that define the relationships between individual actors (e.g. mutual contracts, legal acts).

The guidelines state that the content of the term "together" can be different in practice, i.e. or in the form of a joint decision made by two (or more) actors (e.g. an airline and a hotel chain decide to use a joint information platform to offer tourist arrangements), but it may be the result of the so-called converging decisions regarding purposes and means of processing. Clarification of the concept of the simultaneous decision of two controllers is based on the above-mentioned decisions of the CJEU. "Decisions can be considered to coincide with respect to purposes and means if they complement each other and are necessary for processing in such a way that they have a tangible impact on the determination of the purposes and means of processing. It should be emphasized that the concept of concurrent decisions must be considered in relation to the purposes and means of processing, but not to other aspects of the business relationship between the parties. As such, an important criterion for determining a concurrent decision in this context is whether the processing would not be possible without the participation of both parties in purposes and means in the sense that the processing is by each party.” The EDPB Guidelines further explain that a concurrent decision regarding purposes is established, "when, on the basis of certain processing of personal data, two actors pursue interconnected or a complementary purpose." A coincident decision regarding means exists when "one of the entities involved provides the means for processing and makes them available to other entities for the processing of personal data. An entity that decides to use these means so that personal data can be processed for a specific purpose also participates in determining the methods of processing."

2.2. Case law of the Court of Justice of the EU

A decisive step in the direction of the concept of joint controllers (and in the light of which the EDPB Guidelines refer to the assessment of joint controllers) was made with the decision in the Wirtschaftsakademie Schleswig-Holstein GmbH case, where the Court of Justice of the EU, instead of assessing the content of the purposes and means of personal data processing by company Facebook in general, judged only concretely or the individual act of processing personal data - i.e. the act of setting criteria for the creation of statistics within the Facebook fan page of the Wirtschaftakademie educational institution - carried out by the administrator of this page. When the administrator on the Facebook fan page set the criteria that should be included in the visitation statistics of this page, he influenced the processing of personal data, which is also carried out by Facebook, since Facebook's servers processed the data in the way that they would otherwise be processed. it wouldn't if the fan page admin didn't cause it with his request.

With the mentioned shift from the so-called "macroscopic view" against the so-called to the "microscopic view", i.e. assessment of who determines the means and purposes of processing in the context of an individual act of processing personal data in a series of several consecutive actions, the SEU expanded the limits of the interpretation of the term "...determines the purposes and means of processing..." and enabled a broader interpretation of the term "controller" and with it ensured the implementation of the principle of "effective and complete" protection of the rights of individuals, the content of which was defined in the Google Spain case.

In connection with the decision in the Google Spain case, the Court of Justice of the EU also ruled in the Fashion ID case regarding the interpretation of the term "controller", in which it concluded that "it is a natural or legal person who, due to its goals, influences the processing of personal data and therefore participates in the determination of the purpose and means of processing', where the processing of personal data comprises one or more processes, each of which relates to one of the different phases that the processing of personal data may cover'. A natural or legal person can be a controller, together with others, "only with regard to personal data processing procedures, for which they determine the purposes and means". In relation to determining the means, the Court of Justice of the EU decided that "by inserting such a social plug-in on its website, the Fashion ID company has a decisive influence on the collection and transmission of personal data of visitors to the said website for the benefit of the provider of the said plug-in, in this case the company Facebook Ireland, until which would not have occurred if the specified plugin had not been inserted". Regarding the purposes of the processing, the court said "that by inserting such a button on its website, Fashion ID appears to have at least implicitly consented to the collection and transmission by transfer of personal data of visitors to its website, with the aim of would benefit from this commercial advantage, which is such an increase in the advertising of its products, where these processing operations are carried out in the economic interest of both Fashion ID and Facebook Ireland".

2.3. ...

3. Definition of the roles "controller", "processor" or "shared controllers" in the context of cloud computing

Cloud computing consists of a set of technologies and service models that focus on Internet usage and delivery of IT applications, powerful processing, storage and memory space. Cloud computing can generate significant economic benefits because on-demand resources can be easily configured, expanded, and accessed over the Internet. In addition to economic benefits, it can also bring security benefits; businesses, especially small to mid-sized ones, can acquire cutting-edge technologies at marginal cost that would otherwise be beyond their budget range. Cloud providers offer a wide range of services, from virtual processing (systems that replace and/or work together with conventional servers under the direct control of a controller) to services that support application development and advanced hosting, to web-based software solutions that can replace applications, which are usually installed on the PC of the end users.

The concept of cloud computing defines 5 essential characteristics (on-demand self-service, wide network access, resource pooling, high elasticity and pay-as-you-go), 3 service models (infrastructure as a service - IaaS, platform as a service - PaaS and software as a service - PaaS) and 4 implementation models (public cloud, private cloud, community cloud and hybrid cloud).

The listed essential features, service and implementation models are mainly related to specific risks in the field of personal data protection, which are not typical for other forms of information and communication technology services. If these risks are not properly addressed, they can significantly reduce the right of individuals to the protection of personal data, and they can only be addressed and reduced by properly defining the role of the user and provider of cloud services as manager, processor or of joint managers.

In the past, the opinion was that the user of cloud services acts in the role of manager, and the provider of cloud services in the role of processor. However, the complexity of cloud services and the related risk in the form of insufficient control (risk of control) and lack of transparency (lack of transparency) require a departure from the so-called binary distribution of roles, which does not provide or it even makes it impossible to ensure the obligations imposed on controllers by the General Regulation (e.g. if the controller has no influence on the choice of sub-processors, he is prevented from implementing Article 28 of the General Regulation, but because he acts in the role of controller, he is as such responsible for its implementation and consequently also for violation if he does not or cannot perform it). Such risks in the use of cloud services have already been pointed out by the Working Group from Article 29 in its opinion on cloud services (Opinion 05/2012 on Cloud Computing, 1.7.2021), in which it already indicated that not all cloud services are of such a nature that when using them, the user and the provider could act in the role of manager and processor and thereby ensure effective protection of personal data, but that in certain cases the provider of cloud services should also act in the role of manager, thereby assuming the obligations that the manager imposed by the General Regulation, which would ensure effective protection.

The literature and guidelines of individual supervisory bodies of other countries also indicate that the binary view of controller-processor in the context of offering cloud services does not ensure effective protection of the right to privacy, e.g. Commission Nationale de l'Informatique et des Libertés (CNIL) .

4. ...

..., for the establishment of which provides the taxpayer with the basis ..., represents a computer infrastructure for direct ... users and offers them storage, development, business and other facilities in the form of services and the possibility to quickly achieve their goals using the concept of cloud computing business goals. The infrastructure is owned and managed by ..., it runs services that use sensitive, personal and other data and information that ... does not want to store outside of its environment.

...is a logical whole of supporting infrastructure and hardware and computer software. It includes e.g. UPS systems, server blades, various disk systems, access terminals, various virtualization platforms, operating systems, proprietary and open source software, control systems, management systems, hardware and software defined network components, etc. The basis of the DRO computing cloud is the virtualization of hardware resources, which are distributed in three logical groups (data centers) in two locations (...): ....
 
In .. services for various areas are ready or under preparation. For internal needs, infrastructure services IaaS (Infrastructure as a Service) were created, partially also entire computer environments PaaS (Platform as a Service), and the latter together with software for end users SaaS (Software as a Service) are also included in the general part of the service catalog. ... so it offers e.g. service ..., electronic document storage service, service ..., service ... (documents, cases, multimedia files), ... (...), hosting of information systems and online presentation sites, etc. including services in the field of information security.

...is like ..., and the description of its operation can be seen from the document ..., dated May 8, 2019. It follows from the document that ... is a horizontal information system for the implementation of electronic inquiries, which, based on the most modern concepts of service-oriented architecture (SOA), enables the dynamic construction of procedures for obtaining logically connected data from various data sources in real time. The system also enables safe and reliable storage of acquired data, either in a transactional or archival collection. Requests for obtaining data are mapped in real time to BPM (Business Process Management) processes, which ... unambiguously determine the data sources and related queries and retrieve all the expected data to the users ... (client application). The basic idea of the system is to simplify the technical complexity of obtaining data from various data sources for the client application as much as possible, thus enabling the application to focus on the interpretation of the data content and not on the process of obtaining this data. A reduction in the technical complexity of data acquisition is achieved by establishing a central web point, which receives data requests from clients and, according to certain rules, transforms them into a set of atomic queries to specific data sources, collects answers from these data sources and reliably delivers them to the client for further processing .

... provides flexibility and administration of procedures, which define the method of obtaining data from different windows. The administrative module enables easy addition of new data sources and their inclusion in various composite procedures. It enables complete parameterization of resource web method calls via XML templates and defines different ways of executing queries, which ensure greater responsiveness and throughput of the system. The administration also enables the construction of interdependent queries (eg the output data of one query can be the input data of another query, etc.) and consequently the construction of very complex data retrieval procedures. Key content features ... are as follows:

- provides a high level of abstraction of access to the data of data sources. The client does not deal with the technological and system characteristics of each individual source (location, method of integration, transport protocol, compatibility of software and hardware, etc.), but focuses on the interpretation of the contents of the obtained data and the control of requests or procedures. ...is built on the concept of Pattern Separation of Concern and its concern is to obtain data in a uniform, reliable, secure and fast way. Clients are concerned with business logic and decision-making algorithms based on the obtained data. The concern of data sources is the preparation of quality data in the form and content as needed by clients;

- provides a single entry point based on SOAP web service and a single entry data XSD schema for all clients. Clients do not need direct logical and physical connections to n data sources, as it ...in the role of an intelligent service bus, adapted and optimized for the needs of obtaining data from several data sources at the same time;

- provides a uniform response format according to the XSD scheme;

- enables the logical combination of data acquisition from sources in the process. Procedures are defined through administrative masks. The execution of procedures is mapped to dynamic BPM processes in real time. It is also possible to combine procedures so that Traynj makes a union of queries from different procedures;

- ensures the correctness of the order of data acquisition. It enables the construction of data sources so that the answers of one data source are input parameters for another data source;

- in the process, it is possible to specify the parallel acquisition of data from several sources. This significantly improves the speed of retrieving data from slow sources;

- the data is stored only until it is taken over by the inquiry system, after which it is deleted;

- for each data source it is possible to determine the query speed or number of concurrent queries. In this way, it is possible to perform fine-tuning and tuning of system throughput and resources;

- supports 4 different ways of communicating with resources:

o synchronous mode (waiting for a response from the source during a call),
o asynchronous mode (a request is sent, a web call to the resource initiates the continuation of the process),
o packet mode (multiple requests are collected into a packet and initiate asynchronous communication mode) and
o pooling (a request is sent and the status of the response from the source is continuously checked);

- ensures the client that the obtained data is verified according to the XSD scheme of each data source;

- all answers are encoded with the client's key so that the data is completely protected against reading by unauthorized clients;

- an audit trail is maintained for each query. The meta data of the responses is stored in the archive collection;

- includes the real possibility that occasional disturbances may also occur during the operation of the data source, so it includes the so-called self-resuming functionality (auto-resume), which enables multiple repetitions of queries to the data source at predetermined intervals and forwarding the response to the user after the query is successfully executed;

- the process restart scenario (RESUME action) is enabled in the event that the process
ends with an error, as well as canceling the process (CANCEL action) in case the client decides
terminate the procedure prematurely. The basic usage scenarios are the START and STOP actions or request for obtaining data and completing the transaction;

- the procedure implementation process is built on the basis of dynamic grouping of BPM micro-processes.
Each micro-process represents a specific functionality for retrieving data from a specific
data source;

- provides administrative masks to edit the information needed to complete
parameterization of data on institutions, sources, queries, procedures and security scheme;

- includes a graphical interface for searching the meta data of queries in the archive database;

- a special Monitor functionality is also built in, which enables constant monitoring of reachability
data sources and immediate notification and action in the event of a data source failure.

From a technological point of view... it uses standard, open source Javanese SOA technology, which means it uses SOAP, REST, HTTPS protocol and XML/XSD schemas to provide connectivity to different data sources, BPM (Business Process Management) concept to orchestrate a large number of processes in real time, etc. During the development, the most modern programming techniques of server Java components were used (EJB 3 entities, session beans, JMS, JAAS security, OR mappings, etc.) and established integration standards (XML, SOAP, JAX-WS) were used with a focus on system parallelism, high throughput and responsiveness. The system ensures linear growth and high availability, as well as offloading the database and can be easily installed in the "cloud".

Communication between the client, ...n data source is two-way and consists of a data call protocol and a data acquisition protocol:

- within the framework of the data call protocol, the client initiates a request to start data acquisition by entering basic parameters (request code, client code and request time) and essential parameters (code of the procedure for which data acquisition is carried out, which basically represents the purpose for which the inquiry is being made, information on the EMŠO or tax number for which the data acquisition process is being carried out, the reference date for which the inquiry is being made and other parameters of the inquiry, e.g. MŠ, etc.). Therefore, the client does not explicitly specify the data sources when calling, but only the procedure or the purpose for which it ... performs the acquisition of data on the basis of a certain legal basis. In this way, the client does not have to worry about the list of data sources because this list is already defined in the procedure type. As part of the data call protocol, ... then checks the input parameters and authorization and returns a status about the success of the input parameters check;

- then... it starts the BPM process within the framework of the data acquisition protocol from various data sources and stores the answers in coded form in the transaction database. ... informs the client about the status of the acquired data, and the client returns the status of successful reception of the web call. The client then calls a method that receives the XML file from the data sources and meta data. When the client confirms the success of the data acquisition, ... it saves the meta data in the archive database and deletes all data from the transaction database.

It follows from the document ... (version 1.0 dated 11/10/2017) that on the infrastructure of the taxpayer, ... in the role of client, they can use for their information systems ... which are connected in ..., but they can also via VPN. For use ... the client, the obligor and the data source sign a formal inter-organizational agreement, which defines the obligations of all parties, the administrators of all parties, mutual information procedures, the agreed levels of availability and responsiveness that the client wants and which the obligor will provide and data source.

For clients who meet the connectivity requirements in ...or VPN, use of ...is free. If the client determines that an upgrade would be necessary to fully meet the requirements..., it prepares detailed requests for additional functionality and forwards them to the administrator... and the obligee. The taxpayer then assesses the suitability of the upgrade requests and gives the client an answer about the upgrade option. If the upgrade is possible based on the general usability of the upgrade and other criteria, the administrator ...with the taxpayer decides whether he will cover the upgrade costs ...or whether the upgrade costs will have to be covered by the client. In the event that the upgrade... for the client's needs would exceed the taxpayer's available funds for such interventions, the taxpayer can propose joint financing of the upgrades to the client. Before deciding on the inclusion of the client, the client and the administrator must also make an estimate of how much additional load on the infrastructure this would cause. Client integration must not significantly degrade performance for existing clients.

The basic idea ...is that the technical complexity of obtaining data from various data sources is simplified as much as possible for the client's web application and in this way enables the application to focus on the interpretation of the data content and not on the process of obtaining this data. This reduction in the technical complexity of data acquisition is achieved by establishing ... which accepts data requests from clients and transforms them according to certain rules into a set of atomic queries to specific data sources, collects answers from these data sources and reliably delivers them to the client for further processing processing.

5. Explanation of inspection measures

I. and II. point of the theorem

An adequate definition of whether, in the context of the specific processing of personal data, it is a relationship between a manager and a processor or a relationship between two managers is crucial, as it depends on this definition whether the obligations as set out in the General Regulation can be guaranteed, thereby the processing of personal data is legal.

The supervisor emphasizes that the provision of obligations under the General Regulation is not and cannot be the subject of an agreement between two parties, but arises from the ability of one and the other party to be able to provide them, and this ability depends on the actual impact on the specific processing of personal data. The party that exercises influence over the processing of personal data is also responsible for the implementation of the obligations under the General Regulation. To the extent that two parties can influence specific processing with their decisions, they are joint controllers in this part.

It follows from the findings of the subject inspection procedure that the taxpayer sees his role in the provision of services as that of a processor (Article 28 of the General Regulation) in relation to the data source or. in relation to the client.

In the following, the supervisor assessed, based on the facts and circumstances established in the procedure, whether the taxpayer is acting in the role of a processor or in the role of a joint administrator or independent operator.

5.1 "Processing"

Article 4(2) of the General Regulation states that "processing" means any act or set of acts carried out in relation to personal data or sets of personal data with or without automated means, such as collection, recording, editing, structuring, storage , adapting or changing, recalling,
viewing, using, disclosing through mediation, disseminating or otherwise making accessible, adapting or combining, limiting, erasing or destroying;

In the subject procedure, it was established that ... is an information system, built in ..., and serves as a central point for conducting electronic inquiries to data sources. It acts as a technical intermediary between the client on the one hand (e.g. ...) and the data source on the other (e.g. ...). Communication ... with data sources is carried out on the basis of queries (data call protocol) initiated by the query system for connecting to data sources and retrieving data (data retrieval protocol).

Based on the provision of Article 4(2) of the General Regulation that "processing" means any act or set of acts carried out in relation to personal data or sets of personal data and in connection with the decision of the CJEU in the Wirtschaftsakademie case, processing is key to the assessment, which, within the framework of the building block... is carried out by the act of "inquiring the client for data and forwarding this data by the data source" (and not the processing that the client and the data source each carry out for their own primary purpose specified in the substantive (regional) law ).

In connection with the content of the Agreement on the delimitation of responsibility for the transmission and use of data within the project ... as data users (clients), ... as data transmitters (data source) and liable parties as technical intermediaries or. to the controller ... (the taxpayer attached the above agreement as an example of regulating relations when using the building block ...), is ... based on the Act on ...) data controller from the field of ... and maintains ... data in its own information to the system for the purpose of recording .... ... is also a data controller based on the Act on ... and processes data for the purpose of enforcing .... Both ... and ... are both controllers of the personal data they process for the purpose specified in the material regulation.

5.2 "...alone or together with others determines the purposes and means of processing..."

In accordance with the provision of Article 4(7) of the General Regulation, "controller" means "a public authority... which alone or jointly with others determines the purposes and means of processing; when the purposes and means of processing are determined by Union law or Member State law, the controller or the specific criteria for its appointment may be determined by Union law or Member State law.".

That in the case of personal data processing through the building block ... for ... is not in dispute in this procedure. The subject of assessment is primarily the question of whether ... the purposes and means of processing with the help of a technical intermediary ... are determined by themselves or jointly.
Tasks and powers... are determined by legislation, which explicitly or implicitly also determines the processing of personal data.
The already mentioned ... stipulates that for the purposes of deciding on .... The database from the previous article is processed ...as the manager of the central database on rights ... (...). ... and ... obtain data for persons under this Act free of charge from the existing databases of the following managers: ....
... it also specifies the types of data that individual managers are obliged to provide free of charge ... for the purpose of processing defined in the law.

... can connect the central data collection from Article 49 of the Act with the data collections from the second paragraph of this article. ... personal data kept in the central database referred to in Article 49 of this Act, and data obtained from the managers of personal data collections referred to in the previous article, may be processed only for the purposes of the decision-making process and the management of databases according to to this law, ...as well as for the needs of implementation .... Data and documents from the central database referred to in Article 49 of this law are kept for five years after the date of termination of entitlement to ....

...so it determines that for the purposes of the decision-making process and the management of databases according to this law (purpose), ... as the manager of this data, obtains specific data from the existing databases of other managers (means), while the law does not specify the method itself obtaining this data. Managers are left with the decision regarding the choice of information solution, with the help of which ...data will be forwarded - the method of data transmission. Managers have the option of developing their own information solution or use ready-made information solutions developed by...
As stated above, ... determines that ... is the management of the information and communication infrastructure, the development of common information solutions and their technological, process and organizational compliance with the central information and communication system, the implementation of a unified information security policy and the planning and management of all budgetary resources on these fields (except for information and communication systems intended for the field of defense, protection against natural and other disasters, police, intelligence and security activities, foreign affairs, prevention and detection of money laundering and financing of terrorism, and payment transactions for budget users). ...
On the basis of ..., the liable party is therefore an authority that is in .... ...thus instructing the liable party to assess which information solutions in ... need to be established (means), for the purpose of achieving a higher level of services ... with aspects of quality, rationalization of operations... and more efficient spending...(purpose). The taxpayer does not perform this assessment completely independently, but also on the basis of guidelines.... In accordance with... directs activities related to the development of the management of information and communication systems of the state administration, prepares non-binding opinions and proposals for the Government of the Republic of Slovenia and other state bodies administration, directs activities related to the management of budgetary resources for the management of information and communication systems of the state administration, issues preliminary opinions for projects, procurement, investment maintenance and upgrades, which include any solution in the field of management of information and communication systems of the state administration (hereinafter : preliminary opinions), reports on its work to the Government of the Republic of Slovenia once a year, directs the work of the operational working group and, if necessary, organizes the work within the working groups of the council.
In light of the above, the supervisor notes that ... has granted decision-making authority over which information resources will be used to ensure the goal he was assigned to achieve by ..., i.e. efficiency and rationalization.... Otherwise, it does not explicitly follow which obligations within the scope of the given authorization the taxpayer should carry out, but from the findings of the actual situation in the context of the subject procedure, the supervisor can conclude that personal data managers as service users have .. .very limited or zero possibility of influencing the technical specifications of the information solutions and the procedures and data security measures that are processed with the help of these technical solutions. They also do not have the possibility to decide which processors the taxpayer will engage for the maintenance and development of such information solutions. Managers are bound by material legislation regarding the types of personal data that they can pass on to a user specified by law. In this part, as managers, they are obliged to ensure the accuracy of the data they provide, for the purpose determined by the material regulation. ... does not oblige operators to transmit data with the help of the building block ..., operators make this decision independently, but the purpose of ... is certainly that the services ... benefit as many as possible and thereby participate in achieving the goal ( purpose) of the obligee, i.e. ensuring a high level of service and streamlining operations.
When assessing the role of the taxpayer, the supervisory authority followed the EDPB Guidelines also in the part where only stakeholders (controllers, processors, joint managers and supervisory authorities) are offered a questionnaire (as a tool for assessing the role played by the actors participating in the processing of personal data, in the appendix guidelines), with the help of which they can adequately define the role in which they act, and thus also a clear definition of the obligations that they are obliged to provide on the basis of the General Regulation. With the help of the questionnaire, the supervisor also assessed that the taxpayer definitely influences the processing of personal data or service users do not have any influence on the data processing that takes place ..., namely: the purpose and means of personal data processing in the context of ... are implicitly determined ..., the obligee does not process personal data based on the user's documented instructions, users have no influence to the provision of personal data security measures and procedures or the selection of processors, they do not have the possibility of exercising control over the implementation of instructions or security measures, the obligee also determines the storage time of personal data in the system...).
Based on the above, the supervisor can conclude that the liable party and the users..., which enables the processing of personal data in the way of triggering inquiries and forwarding data based only on these, act as joint controllers in the context of this specific processing, since each of the participants determines the purpose and means processing, thereby affecting the processing of personal data.

The joint determination of intentions is based on the so-called converging decision, as the obligee and the users of the service pursue interconnected or complementary purpose - quick and efficient execution of inquiries by clients and transmission of data by data sources, without being burdened by the technical specifics of individual data sources on the one hand, and the establishment and provision of such building blocks of the state administration information system, which will be for institutions ( clients, data sources) enabled the efficient performance of their tasks.

The joint determination of means is based on the finding that users... make the decision to transmit the data for which this is specified in the material regulation through a technical intermediary (...), which enables clients and data sources to be relieved of the technical specificities of various information systems on the one hand, thereby affecting or enable data processing in the manner specified by the obligee.

In view of everything found at this point, the Supervisory Board emphasizes that it is not possible to confirm the point of view of the taxpayer, that in providing... he acts in the role of a processor. As a processor, you should process personal data only "on behalf of the controller", i.e. with its processing, pursue solely the interest (or goal) of the controller, who has entrusted the performance of this task to him and transferred it to him, and with the processing, implement the instructions of the controller. When implementing the controller's instructions, he is allowed as much freedom in decision-making as far as decisions about non-essential means of processing are concerned. The established facts unequivocally point to the fact that the obligee has a significantly greater power to influence the processing of personal data in the context of ... than would belong to him in the role of processor. In the part in which the liable party influences the processing of personal data, the influence of users (controllers) is prevented and in this part it is impossible for them to exercise the principle of responsibility. If the supervisory authority were to follow the point of view of the taxpayer, that it acts only in the role of a processor, this would mean a departure from the purpose pursued by the General Regulation - effective and complete protection of the rights of individuals.

Article 26 of the General Regulation stipulates that, in a transparent manner, by mutual agreement, joint controllers determine the duties of each of them in order to fulfill the obligations in accordance with this Regulation, in particular in relation to the exercise of the rights of the individual to whom personal data refer, and the tasks of each of them regarding the provision of information referred to in Articles 13 and 14, unless and to the extent that the duties of each of the controllers are determined by Union law or the law of the Member State applicable to the controllers. By agreement, a point of contact for the individuals to whom the personal data relates may be determined. The agreement adequately reflects the role of each of the joint controllers and its relationship to the individuals to whom the personal data relate. The content of the agreement is made available to the data subject. Article 26 of the General Regulation further stipulates that the individual to whom personal data relates may, regardless of the terms of the agreement, exercise his rights in accordance with this Regulation regarding each of the controllers and against each of them.

It follows from the above that the obligee should enter into a mutual agreement with ... by which the joint administrators agree on the appropriate mutual division of the implementation of obligations, as specified in the General Regulation, especially in relation to the exercise of the rights of the individual to whom personal data refer , and the tasks of each of them regarding the provision of information referred to in Articles 13 and 14. The distribution of obligations should be based on the ability (depending on the actual impact on the processing of personal data) to perform the obligations.

Due to the identified irregularities, the taxpayer had to be ordered to eliminate the identified irregularities and to harmonize the actions of personal data processing with the provisions of Article 26 of the General Regulation, namely within the period specified in III. point of this order.
 
III. point of the theorem

The order in point V. that the obligee, after the execution of the measures from I. and II. points of the pronouncement of this decision, obliged to notify the IP in writing within 5 (five) days after their execution, is based on the provision of the fifth paragraph of Article 29 of the ZIN, which stipulates that the taxpayer must immediately notify the inspector of corrected irregularities.

***

On the basis of Article 118 of the ZUP, the decision decides on the costs of the procedure; since no special costs were incurred in this procedure, it was decided in IV. points of the theorem.

This decision is issued ex officio and based on Article 22 of the Administrative Fees Act (Official Gazette of the RS, No. 106/10 - UPB5, 14/15 - ZUUJFO, 84/15 - ZZelP-J and 32/16) free


Lessons on the legal remedy:
This decision is final in the administrative procedure. According to the provision of Article 55 ZVOP-1, no appeal is allowed against it, but an administrative dispute is possible by filing a lawsuit at the Administrative Court of the Republic of Slovenia, Fajfarjeva 33, 1000 Ljubljana, within 30 days of receiving this decision. The claim is filed with the competent court directly in writing or sent to it by post. This decision in the original or an uncertified copy must be attached to the lawsuit in duplicate.





  1. Even though the DPA held that the cloud solutions provider was in fact a co-controller, I will refer to the cloud solutions provider as 'processor' to prevent confusion with the other co-controllers.