IP (Slovenia) - SI – 07101-5-2023-16

From GDPRhub
Revision as of 10:15, 5 December 2023
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 15(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 24.02.2023
Decided: 13.11.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: SI – 07101-5-2023-16
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: n/a

The Slovenian DPA held that a data subject was entitled to be informed of the purposes of the processing operations recorded in a controller's processing log under Article 15(1)(a) GDPR. However, the DPA noted that whether the data subject is entitled to the entire processing log under an access request must be decided on a case-by-case basis, depending on the contents of the log and on applicable limitations (including derogations).

English Summary

Facts

On 17 January 2023, the data subject made an access request to Slovenia’s General Police Directorate (the controller) and requested a copy of the record of processing activities and the controller's processing log, under Article 15 GDPR.

Because the controller is the Slovenian Police, the processing log extract concerns records relating to criminal offences, misdemeanours, photographed persons, fingerprint (dactyloscopic) data and DNA tests; the controller explained, however, that the extract also covers processing operations that are not related to criminal law.

On 20 February 2023, the controller issued a decision providing the data subject with printouts of his criminal record, offence record, photographic record, fingerprint data and DNA examination record. However, the controller refused to provide information relating to the record of processing activities and, in point 10 of its decision, also refused access to the processing log (internal traceability data), arguing that the log is kept only for demonstrating lawfulness, internal and external control, IT fault rectification and criminal proceedings, and that earlier IP opinions did not grant individuals access to it.

On 24 February 2023, the data subject lodged a complaint with the Slovenian DPA against the controller's refusal to provide information from the processing log and the record of processing activities. The complaint was limited to the purposes and the date/time of processing recorded in the log; the data subject no longer sought the names of the internal users who had carried out the processing.

Holding

The Slovenian DPA held that the controller was in violation of Article 15(1)(a) GDPR, as the purposes of processing of the logs fell within the scope of Article 15(1)(a) GDPR.

The Slovenian DPA considered that information on the time of processing is necessary to understand the information about the purpose of the processing and to achieve the objectives of the right of access. It noted that the right of access does not explicitly include information on the time (date and time) of processing, but that this should nonetheless be considered an essential part of the information about the processing of personal data where the data subject requests it.

In addition, following paragraph 114 of the EDPB Guidelines 01/2022 on the right of access (version 2.0, 2023) and the CJEU judgment in Case C-579/21 (Pankki S), the DPA interpreted Article 15(1)(a) GDPR as requiring not only information on the general purpose of the processing of all personal data or of individual groups of data or data sets, but also specific information, processing operation by processing operation, for individual data.

Following from this interpretation of Article 15(1)(a) GDPR, the DPA held that the data and information contained in processing logs are not automatically excluded from the scope of Article 15 GDPR. However, access to information contained in a controller's processing log must be assessed on a case-by-case basis, taking into account any applicable exceptions and exclusions based on compelling legitimate grounds (including, inter alia, those relating to the prevention and investigation of criminal offences).

The DPA did not itself decide which rows could be withheld. It found a partial infringement of Article 15(1) GDPR (and of the corresponding right of access under the Slovenian act on data protection in the criminal law area) in respect of the purposes and the date and time of processing in the log, and ordered the controller to re-decide the request within 20 days: first establish the specific purpose of each of the 366 logged processing operations (by internal enquiry where the log itself does not record it), then assess row by row whether a ground for restriction (such as the prevention or investigation of criminal offences) applies, and disclose the date, time, data field and specific purpose for every row for which no such ground exists. Rows for which the controller cannot establish a purpose must still be answered by telling the data subject that the purpose is unknown.

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Number: 07101-5/2023/16
Date: 3.11.2023
The Information Commissioner, acting through the supervisory person (hereinafter referred to as "the IP"), pursuant to Article 77 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "the General Regulation") and Articles 30 to 34 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 163/22; hereinafter referred to as "ZVOP-2"), on the application of the applicant: ....., dated 21.2.2023, against the decision of the controller: MNZ, Policija, Štefanova ul. 2, 1501 Ljubljana, No. ....., dated 20.2.2023, in the matter of access to his own personal data, hereby issues the following
DECISION:
1. It is established that the controller MNZ, Policija, Štefanova ul. 2, 1501 Ljubljana, with regard to the applicant's request of 17.1.2023, has infringed Article 15(1) of the General Regulation and Article 24(2) of the Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences (hereinafter "ZVOPOKD"), namely with regard to the information on the purposes and times (date and time) of the processing contained in the processing log (for the period from 5.5.2019 until the issuance of the decision), which the controller decided on in point 10 of decision No. ....., dated 20.2.2023;
2. The controller is ordered to decide anew on the applicant's request within 20 days at the latest, in accordance with Articles 18 to 25 of the ZVOPOKD, Articles 12 and 15 of the General Regulation and Articles 14 and 15 of ZVOP-2, by:
- making a full determination of the facts, i.e. first establishing the specific purposes, and assessing whether the individual processing operations (rows) and the data and information on their purposes give grounds for restricting the right of access under the General Regulation, the ZVOPOKD and other laws; and
- providing the applicant, in the light of the findings referred to in the previous indent and in so far as no grounds for restricting the right of access under the General Regulation, the ZVOPOKD and other laws exist, with an extract of the traceability log containing the date of processing (first column), the time of processing (second column) and the data (last column) and, in addition, the specific purpose of each individual processing operation, for all 366 rows;
3. It is established that, as regards the remaining part of the applicant's request and application, the controller has not infringed Article 15 of the General Regulation or Article 24(2) of the ZVOPOKD;
4. The applicant is granted access to the IP's administrative file No. 07101-5/2023 in respect of all documents except the processing log; after the controller's final decision in the repeated procedure, the permissible scope of inspection of the administrative file will depend on the content of that decision.
5. No specific costs were incurred by the IP. The applicant and the controller shall bear their own costs of the procedure.
Reasoning:
1. Relevant allegations and facts
On 17.1.2023, the applicant, relying on the General Regulation, submitted a request to the controller for a copy of his personal data and for the information on the processing of his personal data referred to in points (a) to (d), (g) and (h) of Article 15(1) of the General Regulation. He explained that he wished to receive a copy of all personal data collected about him since 2015, and also a copy of the accesses to his personal data, the purpose of the accesses, the dates of the accesses and the identity of the persons who carried out the accesses.
On 20.2.2023, following the applicant's request, the controller issued decision No. ....., by which, on the basis of the General Regulation and the ZVOPOKD, it granted the applicant all the information requested (points 1 to 9 and 11 of the operative part of the decision) and provided him with a printout of the data in the criminal record, the offence record, the photographic record, the dactyloscopic record and the DNA examination record. Only in point 10 of the operative part did the controller refuse the applicant's request for access to data on the internal processing of personal data (internal traceability data, i.e. data from the processing log). As regards the refusal, the controller explained that the requested data are kept for the purpose of demonstrating the lawfulness of the processing, for internal control, for supervision by the IP and other bodies, for ensuring the integrity and security of the personal data, for rectifying malfunctions of the IT system, and for pre-trial and criminal proceedings (citing the third paragraph of Article 22 of the relevant act). The individual is not entitled to these data, as follows from IP Opinions No. 0712-1/2014/2773, No. 0712-1/2014/3051 and No. 0710-92/2018/4, among others. If the individual suspects unlawful processing of personal data, he or she may report the suspected breach to the IP or through the internal security procedure.
On 24.2.2023, the applicant lodged an application with the IP against the refusing part of the decision. In the application, the applicant stated that he insisted only on the purpose and date of the processing in the processing log, and not on the personal names of internal users, for the period from 1 January 2021 onwards. The IP forwarded the application to the controller for comments and requested clarification on the keeping of the processing log.
On 13.4.2023, the IP received the controller's reply with detailed explanations on the keeping of the processing log.
On 15.5.2023, the IP sent the controller's explanations to the applicant and asked him to specify his claim. The applicant replied on 17.5.2023 with a more specific and narrowed claim.
On 22.5.2023, the IP requested the controller to provide it with a complete extract of the traceability log for the period from 1.1.2021 to 20.2.2023 for the records referred to in point 1 of the operative part of the controller's decision. The IP received the requested extract on 1 June 2023.
In accordance with Article 32(2) of ZVOP-2, on 10.10.2023 the IP forwarded the record of its findings to the applicant and the controller and invited them to comment on its preliminary findings. In its response, the applicant stated that he wished to continue the procedure. The controller explained that it had no objections and that it accepted the limitation of inspection of the administrative file in view of the possible restrictions under Article 25 of the ZVOPOKD and Article 127 of the ZNPPol.
2. The competence of the IP and the subject matter and limits of the supervisory procedure
Article 30(1) of ZVOP-2 provides that an individual who considers that the processing of his or her personal data by a controller infringes the provisions of the General Regulation, ZVOP-2 or other laws governing the protection of personal data (an applicant with special status) may lodge an application with the supervisory authority requesting supervision of the lawfulness of the processing of his or her personal data, and may also propose the measures necessary to remedy the breaches identified and restore a lawful state of affairs. A possible breach of the General Regulation includes a breach of the right of access to one's personal data under Article 15(1) of the General Regulation. The IP, as supervisory authority, issues a decision after the supervisory procedure in accordance with Article 34(1) of ZVOP-2.
For personal data falling under Article 1(1) of the ZVOPOKD, an appeal procedure is provided for in the ZVOPOKD. Article 1(1) provides that the ZVOPOKD "regulates the protection of personal data processed for the purposes of exercising their competences by the police, public prosecutors' offices, the Probation Administration of the Republic of Slovenia, the Penal Sanctions Enforcement Administration of the Republic of Slovenia and other state bodies of the Republic of Slovenia which are legally designated as competent in the fields of prevention, investigation, detection or prosecution of criminal offences or the enforcement of criminal sanctions". Article 27(1) of the ZVOPOKD provides that the supervisory authority, as the second-instance authority, decides on an appeal by the data subject against a decision of a competent authority.
In the present supervisory procedure, the IP determined whether and to what extent, i.e. with regard to which individual records, the conditions for disclosure of the extract of the traceability log submitted by the controller on 1 June 2023 were fulfilled. As regards the remainder of the request, the controller has not infringed the right of access, since it provided the applicant with all the information requested concerning the processing of his personal data. Moreover, the application does not relate to the remainder of the request or to points 1 to 9, 11 and 12 of the operative part of the controller's decision.
The IP also did not assess the entitlement to the personal names and identification numbers of internal users in the context of the application against point 10 of the operative part of the decision, as the applicant had narrowed his request (his application no longer relates to internal users, but only to the purposes and dates of the processing), and since, under Article 15 of the General Regulation and Article 24 of the ZVOPOKD, as well as the IP's previous practice, an individual is not in principle entitled to be informed of the identity of internal users, except in exceptional circumstances in accordance with the conditions set out in the CJEU judgment in Case C-579/21 (Pankki S).
In the decision, the controller refers to the General Regulation and the ZVOPOKD as the substantive legal basis for the decision. The extract of the traceability log concerns the records relating to criminal offences, misdemeanours, photographed persons, dactyloscopy and DNA tests, and the controller explains that the extract relates not only to processing connected with criminal offences but also to processing which does not fall within the scope of the ZVOPOKD. The IP therefore decided on the application on both legal bases and in a single "supervisory procedure on the application of an applicant with special status" under Articles 30 to 34 of ZVOP-2. This supervisory procedure subsumes, or also includes, the appeal procedure under Article 27 of the ZVOPOKD: because the supervisory procedure gives the participants even more procedural rights; because the provisions of the General Administrative Procedure Act (ZUP) also apply in this supervisory procedure; because uniform treatment is in line with the principle of economy and the principle of protection of the rights of the parties, without undermining the right to appeal; and because, last but not least, the ZVOPOKD itself also provides, in Article 33, for a supervisory procedure based on the application of an applicant with special status.
The processing log extract in question, for the period from 5.5.2019, has 366 rows with the following headings: date and time, terminal address/IP, application/node, group, user ID, user's surname, user's first name, function 1, area 1, case/document 1, function 2, area 2, case/document 2, cr of person, person's surname, person's first name, user's parameters, data.
3. Findings in the supervisory procedure
1. Pursuant to Article 15(1)(a) of the General Regulation, the controller is obliged to provide the data subject with information on the purposes for which his or her personal data are processed. This means not only generalised information on the general purpose of the processing of all personal data or of individual groups of data or data sets, but also specific information, processing operation by processing operation, for individual data (by way of illustration only, e.g. 'for the resolution of case No. (...)', 'for the provision of data to user (...)', 'for the rectification of data due to an error', 'for use in an internal complaint procedure', 'for the implementation of internal controls', 'for the verification of the alleged facts/compliance with the conditions'). It does not matter where, in how many places and in what form the controller holds this information, nor whether it has to be obtained through an internal 'analysis' and 'synthesis' of existing data, i.e. through some broader enquiry. The General Regulation requires the controller to provide information on purposes, but does not deal with how the controller should provide it or how much effort it should make to do so. In order to demonstrate the lawfulness of the processing, the controller must itself know the purposes for which it has processed the individual data in each specific processing operation and provide this information to the data subject. This means that it must find this information itself or produce it by means of objectively feasible enquiries on the basis of the available sources of information, where the processing log is such that it does not itself disclose the specific purposes.
The IP notes that the extract in question does not contain the specific purposes for which the personal data were processed, but that the purposes of use can be partially and indirectly inferred, in particular from the headings 'data', 'case/document' and 'area', though not without proper interpretation by the controller. It is clear from the controller's explanations that information on the specific purposes would have to be obtained orally from the employees on the basis of the selected processing operations. This means that the requested information on specific purposes does not yet exist in documented form, i.e. the condition of a materialised form is not yet met. However, this does not mean that the purposes are unknown, do not exist or cannot be obtained; only in that case could the controller refuse to provide information on the specific purposes. In order to comply with the data subject's request, the controller is obliged to produce the information on the specific purposes of the processing by means of internal enquiries, as these do not necessarily have to be set out in the processing log; the specific purposes may be stated in, or derived from, other documents.
2. Paragraph 114 of the European Data Protection Board's Guidelines 01/2022 on the right of access (version 2.0, 2023) indicates that information on purposes must be specific. It is not sufficient to list general purposes without clearly explaining which purposes are relevant in the specific case. If processing is carried out for several purposes, the controller must clearly explain which data are processed for which purpose.
It follows from paragraph 83 of the judgment of the Court of Justice of the EU in Case C-579/21 (Pankki S, 2023) that information relating to consultation operations carried out on a data subject's personal data, concerning the dates and purposes of those operations, constitutes information which that data subject has the right to obtain from the controller under Article 15(1) of the General Regulation. The CJEU also stated in that judgment that, in relation to the controller's log files, providing a copy of the information contained in those files may prove necessary in order to comply with the obligation to give the data subject access to all the information referred to in Article 15(1) of the General Regulation. The Court further stated that processing logs disclose the existence of processing, which is information to which the data subject must have access under Article 15 of the General Regulation; moreover, they show the frequency and intensity of the consultation operations, which enables the data subject to ascertain whether the processing carried out is in fact justified by the purposes stated by the controller.
3. The IP takes the view that the time of processing is necessary in order to understand the information on the purpose of the processing and to achieve the objectives of the right of access. The right to information on the processing of personal data does not explicitly include information on the time of processing, but it should be regarded as an essential element of the information on the processing of personal data, depending on the circumstances of the individual case and where the applicant requests this information. The IP notes that the identification (specification) of a processing operation by its time is inextricably linked to the provision of the other information on the processing to which the individual is entitled in the specific case. It follows from recital 63 of the General Regulation that if the individual could not obtain information on the date of processing, he or she would not be able to exercise the right of access for the purpose of being aware of the processing and verifying its lawfulness; every data subject should have the right to know, in particular, the purposes for which the personal data are processed and, where possible, the period for which the personal data are processed.
4. The other fields of the specific processing log do not fall under any of the information referred to in points (a) to (h) of Article 15(1) of the General Regulation or Article 24(2) of the ZVOPOKD and are not the applicant's personal data. They are data about data (data relating to the applicant's personal data) and not data relating directly to the applicant as a person. The applicant is therefore not entitled to these parts of the processing log and the controller has not been in breach with regard to them. An exception may apply to headings (for example 'case/document' and 'area') which, by virtue of their content, may supplement the information on the purposes of the processing; the controller itself will have to identify such headings or information as possibly forming part of the information on purposes and, consequently, disclose them to the applicant.
5. The IP agrees with the controller's view that the individual is not, as a general rule, entitled to the entire processing log (depending on its specific content, since controllers differ significantly in this respect), that the purpose of keeping a processing log is mainly to enable internal and external control of the lawfulness of the processing and the correction of errors in the information system, and that the individual cannot exercise such control over the lawfulness of the processing of personal data. This position is indeed in line with the IP opinions cited by the controller (Nos. 0712-1/2014/2773, 0712-1/2014/3051 and 0710-92/2018/4), but those opinions do not expressly state that the data subject is not entitled to information on the purposes and the dates or times of the processing that may be contained in the processing log; they refer to the processing log in general and focus on the non-disclosure of the identity of employees. In addition, more recent case law, in particular the CJEU judgment cited above, must be taken into account in the specific case.
The above position does not mean that all the data and information contained in processing logs will be available to the individual in every case and at all times. It means only that the data and information contained in processing logs are not automatically excluded from the scope of Article 15 of the General Regulation, but remain subject to the assessment of exceptions and exclusions on the basis of compelling legitimate grounds (including, inter alia, the prevention and investigation of criminal offences and any other legitimate grounds).
6. The same reasoning as set out in the preceding paragraphs with reference to Article 15 of the General Regulation applies to information on the time and purposes of processing under Article 24 of the ZVOPOKD, since the substantive regulation of this right is the same as under the General Regulation. Under Article 24(2) of the ZVOPOKD, in addition to the right to a copy of the data themselves (their content), the data subject has the right to obtain specific information on the purposes of the processing and their legal basis.
7. The IP did not need the specific information on the purposes of the individual processing operations contained in the processing log in question in order to decide on the application:
- because the IP cannot formulate them concretely in the final decision on the controller's behalf; only the controller itself can do so, as the specific wording of purposes is not prescribed by the General Regulation or the ZVOPOKD (both refer only to 'purposes'), so it is a 'free' or 'open' category of information;
- because the IP also may not set them out in the final decision, so that legal protection against the controller's decision remains available;
- because the present case does not raise a question of fact as to whether the purposes already communicated are genuine, existent and substantively relevant, but a question of law as to whether the applicant is entitled to them;
- because the controller must in any event establish the specific purposes of the individual processing operations, unless it finds that it does not have them (even in that case it must inform the applicant that it has no information on the purposes or that they are unknown to it).
The IP therefore did not ask the controller to communicate the specific purposes of the processing to it but, by this decision, ordered the controller to search for, identify and formulate (word) the purposes of the processing and to communicate this information to the applicant. The applicant may lodge a separate application against that decision of the controller.
4. Conclusion
In the light of the foregoing considerations, the IP decided as set out in points 1, 2 and 3 of the operative part of this decision, namely:
- the IP found a partial infringement of Article 15 of the General Regulation and Article 24 of the ZVOPOKD as a result of the partial refusal of the access request and, in this respect, ordered the controller to provide the applicant, after a prior procedure establishing the facts, with the information from the processing log to which he is entitled;
- the IP found that, as regards the remainder of the request and the application, the controller had not infringed the data protection rules governing the right of access to one's own personal data.
Article 34(3)(1) of ZVOP-2 provides that the decision in the supervisory procedure under the provisions of that section shall, in addition to the elements laid down by the law governing the general administrative procedure, also state the permissible scope of inspection of the case file for an applicant with special status. This is decided irrespective of whether the individual has requested it, for the event that the individual requests inspection of the supervisory or administrative file from the IP on the basis of Article 82 of the ZUP. In this respect, in point 4 of the operative part of this decision, the IP allowed the applicant to inspect the file of supervisory case No. 07101-5/2023, as there are no specific obstacles to inspection, with the exception of the processing log in question, which will be accessible to the applicant in the light of the controller's final decision.
Pursuant to Article 118(1) of the ZUP, the IP decides on the costs of the procedure in its decision. The IP has not incurred any specific costs in the present supervisory procedure; the applicant and the controller bear their own costs (point 5 of the operative part of the decision). This decision is exempt from administrative fees under the Administrative Fees Act.
Notice of legal remedy:
No appeal lies against this decision, but an administrative dispute may be initiated. An administrative dispute is initiated by bringing an action before the Administrative Court, Fajfarjeva 33, 1000 Ljubljana, within thirty days of service of this decision. The action is lodged in writing directly with that court, sent by registered post, or made orally on the record. If the action is sent by registered post, it is deemed to have been lodged in time if it is posted on the last day of the time limit. The original or a copy of this decision must be attached to the action, together with as many copies of the action and its annexes as are needed for the defendant and for anyone else affected by the decision. A court fee is payable on the action.
Dr. Urban Brulc, Univ. Dipl,
State Supervisor for Personal Data Protection