IP - 0613-438/2019/16

From GDPRhub
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 25.03.2021
Published: 15.04.2021
Fine: None
Parties: n/a
National Case Number/Name: 0613-438/2019/16
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Slovenian
Original Source: GDPR+ (via IP’s zip) (in SL)
Initial Contributor: GDPR+

The Slovenian DPA held that a controller had breached Article 32 GDPR by not adequately protecting the personal data of individuals, including names, addresses and ID numbers, in a criminal complaint published online.

English Summary

Facts

A controller published online an article linking to a file - a criminal complaint that contained personal data of several individuals. In doing so, the controller did not ensure adequate security of personal data.

Holding

The DPA held that the controller must, in accordance with Article 32 GDPR:

(a) cover, delete or otherwise ensure an adequate level of security of the birth data of the persons to whom it relates;

(b) secure the ID data and the data on the residence of the persons to whom it relates in such a way that it cannot be accessed; and

(c) secure the remaining personal data in such a way as to prevent unauthorized disclosure of or access to such personal data.
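
The failure found in the decision (a black box drawn over text that can still be selected and copied) can be checked for before a file is published. The following is an added example, not part of the decision or of this page's source: a minimal Python scan of an uncompressed PDF content stream that reports text whose origin lies under a rectangle filled later on the page. The sample streams, the names `hidden_text`, `OVERLAID` and `REDACTED`, and the simplifications (no `cm` transforms, no annotation objects, no compressed streams) are assumptions made for the illustration.

```python
import re

# Constructed sample: text is drawn first, then a black rectangle is painted
# over the second line. The text operator is still in the stream.
OVERLAID = """
BT /F1 12 Tf 72 700 Td (Name: Jane Example) Tj ET
BT /F1 12 Tf 72 680 Td (ID number: 0000000000000) Tj ET
0 0 0 rg
70 676 260 16 re f
"""

# Constructed sample: the same page after real redaction. The text operator
# for the second line has been removed; only the box remains.
REDACTED = """
BT /F1 12 Tf 72 700 Td (Name: Jane Example) Tj ET
0 0 0 rg
70 676 260 16 re f
"""

TOKEN = re.compile(r"""
    \((?:\\.|[^\\()])*\)        # literal string (nested parentheses not handled)
  | /[^\s()<>\[\]/]*            # name, e.g. /F1
  | [-+]?(?:\d+\.?\d*|\.\d+)    # number
  | [\[\]]                      # array delimiters (operands of TJ)
  | [A-Za-z'"*]+                # operator
""", re.X)

FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}


def hidden_text(stream):
    """Return text runs whose origin lies inside a rectangle filled later."""
    stack, texts, boxes, path = [], [], [], []
    x = y = 0.0
    for seq, tok in enumerate(TOKEN.findall(stream)):
        if tok[0] in "(/[]+-.0123456789":
            stack.append(tok)              # operand: keep until its operator
            continue
        if tok == "BT":                    # new text object: origin resets
            x = y = 0.0
        elif tok in ("Td", "TD"):          # move text position by (tx, ty)
            tx, ty = map(float, stack[-2:])
            x, y = x + tx, y + ty
        elif tok == "Tm":                  # a b c d e f: (e, f) is the origin
            x, y = map(float, stack[-2:])
        elif tok in ("Tj", "TJ"):          # show text (string or array)
            parts = [re.sub(r"\\(.)", r"\1", t[1:-1])
                     for t in stack if t.startswith("(")]
            texts.append((seq, x, y, "".join(parts)))
        elif tok == "re":                  # rectangle appended to current path
            rx, ry, w, h = map(float, stack[-4:])
            path.append((min(rx, rx + w), min(ry, ry + h),
                         max(rx, rx + w), max(ry, ry + h)))
        elif tok in FILL_OPS:              # path is painted: boxes become opaque
            boxes += [(seq, *r) for r in path]
            path = []
        elif tok in ("S", "s", "n"):       # stroked or discarded, not filled
            path = []
        stack.clear()
    # Text painted before the box is covered on screen but still extractable.
    return [t for s, tx, ty, t in texts
            if any(bs > s and x0 <= tx <= x1 and y0 <= ty <= y1
                   for bs, x0, y0, x1, y1 in boxes)]


if __name__ == "__main__":
    for label, stream in (("overlaid", OVERLAID), ("redacted", REDACTED)):
        print(label, hidden_text(stream))
```

A non-empty result means the file must not be published as it is: the covered text has to be removed from the file itself, not only painted over.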

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Publication of a criminal complaint - decision according to ZIN
Number: 0613-438/2019/16
Date: March 25, 2021

The Information Commissioner (hereinafter IP), acting through the State Supervisor for Personal Data Protection…, issues, on the basis of Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05 et seq.; hereinafter ZInfP), Article 54 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07; hereinafter ZVOP-1), Article 58(2)(d) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter the General Regulation) and Articles 29 and 32 of the Inspection Supervision Act (Official Gazette of the Republic of Slovenia, No. 43/07 et seq.; hereinafter the ZIN), in the procedure of inspection supervision over the implementation of the provisions of ZVOP-1 and the General Regulation by the liable party… (hereinafter referred to as the taxpayer), represented by…, ex officio the following

DECISION 

1. The taxpayer… must, due to irregularities found in the implementation of the provisions of the General Regulation, in the file "…", which is a criminal complaint and which is publicly available on the website… for which the controller is liable, in accordance with Article 32 of the General Regulation, cover, delete or otherwise ensure an adequate level of security of:
a) the birth data of the individuals to whom it relates;
b) EMŠO data and data on the residence of the individuals to whom the… relates, in such a way that this data will not be accessible; and
c) the personal data of the remaining individuals mentioned in…, in a way that prevents unauthorized disclosure of or access to the said personal data.
2. The measure referred to in point 1 of the operative part of this decision must be executed within 5 (five) days of receipt of this decision.
3. The taxpayer must inform the IP in writing of the execution of the measure referred to in point 1 of the operative part of this decision within 3 (three) days after execution and submit evidence of execution.
4. The request of the controller for reimbursement of the notified costs is rejected.
5. The body in this procedure did not incur special costs.

IP findings and statements of the liable party

The subject procedure was initiated because the liable party allegedly published an article entitled "…" (hereinafter the relevant article) on… or on the website… (hereinafter the relevant website), which contains a hyperlink to the file - criminal complaint…, which is supposed to contain the personal data of several individuals.
On 19 January 2021, the IP inspected the relevant website, and a report on the inspection of the website, number 0613-438/2019/7 of 19 January 2021, was drawn up. During the inspection, screenshots of the website and the article in question were taken and a .pdf file "…" (hereinafter referred to as the file in question) was saved to the official computer of the State Data Protection Supervisor - the article contained a hyperlink to the web address… where the file in question was published. The minutes of the visit to the website, number 0613-438/2019/7 of 19 January 2021, were served on the taxpayer, and the taxpayer was invited to comment on them.
After reviewing the article in question and the file in question, the IP found that both the article (which contained, among other things, a larger number of images of the file in question) and the file in question contained a larger number of names, surnames and functions of individuals. The file in question, which represents… ('the criminal complaint in question'), which is…, also contained the birth data of the… of the individuals to whom the criminal complaint in question relates. For each of the individuals to whom the criminal complaint in question relates, there were two black boxes covering some of the data of those individuals. As noted during the review of the file in question, the data was overlaid with a black box in such a way that the text below the black box could be highlighted and copied as text. If the file in question was opened with a program for .pdf files, the black boxes that covered certain personal data of the individuals to whom the criminal complaint in question relates could also be removed. In this way, in addition to the names, surnames and dates of birth of the individuals to whom the criminal complaint in question relates, their EMŠO and address could also be deduced.
It is apparent from the website itself, as well as from the entry in the media register at the Ministry of Culture, that the operator of the said website or the publisher of the medium… is the liable party. The taxpayer is listed as the issuer… in the media record under the serial number…. The IP at this point explains that it is not clear who is the author of the article, because the article states only "…".
Based on the established facts, the IP assessed that the taxpayer, when it published on the website… the file "…" representing the criminal complaint in question, without first covering, deleting or otherwise anonymising a) the birth data of the individuals to whom the criminal complaint relates; b) EMŠO data and data on the residence of the individuals to whom the criminal complaint in question relates, in such a way that such data cannot be accessed; and c) the personal data of the remaining individuals mentioned in the criminal complaint, and by not covering the personal data of several different individuals in the images of the relevant criminal complaint contained in the article entitled "…" of… published on the website…, did not ensure the security of personal data, as provided for in Article 32 of the General Regulation, or did not provide protection of personal data, as provided for in Articles 24 and 25 of ZVOP-1.
By letter number 0613-438/2019/8 of 25 January 2021, the IP called on the taxpayer to comment on the findings of the IP set out in that letter. Insofar as the irregularities or violations of the provisions of the General Regulation or ZVOP-1 have been eliminated, which means that the data subject has ensured the security of personal data by taking measures to prevent unauthorized disclosure of or access to personal data contained in: 1) the file "…", which represents the criminal complaint in question and is available on the website…, and 2) the article entitled "…" dated…, published on the website…, the taxpayer was asked to inform the IP of the manner and date of rectification of the irregularity and to submit evidence supporting the truth of its statements.
In the application of…, which, inter alia, represents the statement of the taxpayer on the facts and circumstances of the minutes number 0613-438/2019/7 of 19 January 2021, the taxpayer states that the personal data of individuals against whom a criminal complaint has been filed can be disclosed only with a special computer program, which is not available to the average reader or web user. The average reader cannot become acquainted with such hidden personal data…. Only the use of special computer programs and advanced computer knowledge enables the disclosure of EMŠO numbers and addresses of individuals suspected of a crime.
In the application of…, which represents the statement regarding the IP letter number 0613-438/2019/8 of 25 January 2021, i.e. on becoming acquainted with the findings of the IP, the liable party agrees with the position of the IP that in the case of processing (publication) of names and surnames of individuals to whom the criminal complaint relates, the liable party's right to freedom of expression prevails. The liable party states that after receiving the IP letter dated 25 January 2021, he additionally ensured the security of the suspects' personal data by covering the data on the day, month and year of birth, EMŠO and address of residence in the criminal complaint. In the criminal complaint, it also covered the names and surnames of individuals not covered by the criminal complaint in question and of individuals who are not current or former highest representatives and thus not relatively public figures. The personal data in the article in question were also overlaid.
In both of these applications, the liable party also points out that the proceedings in question are not permitted because pre-trial proceedings are already pending against him due to the publication of the criminal complaint and article.
On 25 March 2021, the IP re-examined the website in question and the published article in question.
In doing so, the IP finds that all personal data except the names and surnames of the accused persons and the name and surname of the then Minister were deleted from the pictures of the relevant criminal complaint contained in the article in question. In this case, the IP considers that the media's right to freedom of expression prevails over the right of these individuals to the protection of personal data.
Furthermore, the IP notes that the text of the article in question now contains a hyperlink to a different web address, namely…, which, when clicked, opens the web page or the .pdf file "…" (hereinafter the new file in question). The new file in question also represents the criminal complaint in question, but in this file the birth data, EMŠO and residence addresses of the persons to whom the criminal complaint relates are deleted, as well as the personal data of the remaining individuals mentioned in the criminal complaint, given that their right to the protection of personal data prevailed over the debtor's right to freedom of expression.
Despite other allegations by the debtor, the IP further notes that on 25 March 2021 the file in question is still available on the website…, i.e. …, a file which represents the criminal complaint in question and which still contains the birth data of the… individuals to whom the criminal complaint relates. For each of the individuals to whom the criminal complaint in question relates, there are two black boxes covering some of the data of these individuals. The data is covered with a black box in such a way that the text below the black box can be marked and copied in the form of text. If the file in question is opened with a program for .pdf files (for example, Adobe Acrobat Reader, Foxit Reader), the black boxes that cover certain personal data of the individuals to whom the criminal complaint relates can also be removed.
In this way, in addition to the names, surnames and dates of birth of the individuals to whom the criminal complaint in question relates, their EMŠO and address could also be deduced. The file in question also contains a large amount of personal data of individuals to whom the criminal complaint does not relate. The condition of the file or in relation to the file… is therefore the same as at the time of the inspection on 19 January 2021, when the relevant website was visited.

The provisions of the regulations on which the decision is based, with an explanation of inspection measures

The terms "personal data" and "processing" are defined in Article 4 of the General Regulation. Personal data means any information relating to an identified or identifiable individual; an identifiable individual is one who can be identified directly or indirectly, in particular by indicating an identifier such as name, identification number, location data, web identifier, or by indicating one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual (point 1).
Processing means any act or set of acts carried out in relation to personal data or sets of personal data with or without automated means, such as collecting, recording, editing, structuring, storing, adapting or modifying, retrieving, inspecting, using, disclosing by forwarding, disseminating or otherwise making available, adapting or combining, restricting, deleting or destroying (point 2).
According to the above definitions, name, surname, function (in some cases merely an indication of the function, and in some in connection with the name and surname), EMŠO and address, together with the name and surname, constitute personal data because they are information relating to an identified or identifiable individual, and the publication of personal data of individuals on a website constitutes the processing of personal data.
Article 32 of the General Regulation provides that the controller and processor, taking into account the latest technological developments and implementation costs and the nature, extent and purposes of the processing, as well as the risks for the rights and freedoms of individuals, which differ in probability and severity, ensure an appropriate level of security in relation to the risk. According to Article 12 (12) of the General Regulation, 'breach of personal data security' means a breach of security which results in the unintentional or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. Articles 24 and 25 of ZVOP-1 contain a similar provision, which stipulates that personal data controllers and contractual processors are obliged to provide protection of personal data, which protects personal data and prevents accidental or intentional unauthorized destruction of data, their change or loss, and unauthorized processing of these data.
It should be noted that the rules of personal data protection set out in the General Regulation and ZVOP-1 constitute the concretization of one of the human rights and fundamental freedoms of the Constitution of the Republic of Slovenia (Official Gazette of the RS, No. 33/91-I et seq.; hereinafter referred to as the Constitution). In the first paragraph of Article 38, the Constitution guarantees the human right to the protection of personal data. The Constitutional Court has repeatedly emphasized that the Constituent Assembly thus specifically protected one of the aspects of an individual's privacy, t. i. [1] Article 38 (1) of the Constitution prohibits the use of personal data contrary to the purpose of their collection, (2) determines the collection, processing, purpose of use, control and protection of the secrecy of personal data as the subject of legal regulation, and (3) gives everyone the right to be informed of the personal data collected concerning him or her, and in the event of abuse, the right to judicial protection.
At the same time, it must be borne in mind that human rights and fundamental freedoms include the right to freedom of expression. Article 39 (1) of the Constitution guarantees the freedom of expression of thought, speech and public appearance, the press and other forms of public information and expression; (2) everyone has the right to obtain information of a public nature for which he has a legitimate interest, except in cases provided by law. The activity of the media is based on the right to freedom of expression. This also follows from Article 6 of the Media Act (Official Gazette of the Republic of Slovenia, No. 110/06 et seq.; hereinafter ZMed), which stipulates that media activity is based on freedom of expression, inviolability and protection of human personality and dignity, on the free movement of information and openness of the media to different opinions, beliefs and various contents, on the autonomy of editors, journalists and other authors in creating program content in accordance with program concepts and professional codes, and on the personal responsibility of journalists or other authors and contributors for the consequences of their work.
In accordance with the third paragraph of Article 15 of the Constitution, human rights and fundamental freedoms may be restricted primarily due to the human rights or fundamental freedoms of other people. Like the right to freedom of expression, the right to information privacy is not unlimited; it is not absolute. In the event of a collision of two coexisting rights, the conflict between the rights is reconciled with a method that theory and case law also know as practical concordance. Practical concordance means the creation of a rule that applies to a specific case, i.e. a rule on the coexistence of rights in specific circumstances. It is necessary to decide which right should be given priority according to the specific circumstances and which, in order to activate the necessary, constitutionally protected content of another right, should be withdrawn, or which part of the entitlements that make up this right should be withdrawn.
… that the criminal complaint in question was published because it is "…" and "…". The purpose of publishing the article in question and the file in question (hereinafter the publication in question) and the related processing (publication) of personal data of individuals is therefore to inform the public about the process of recapitalization of banks.
Furthermore, it can be inferred from the fact that the taxpayer or the author of the article tried (unsuccessfully) to cover certain personal data of the individuals to whom the criminal complaint relates before publishing the file in question on the controller's website that the taxpayer or the author of the article was aware that the publication means a certain interference with the right to protection of personal data.
Reporting on the time of the so-called bank rehabilitation is a topic for which there is a strong public interest in being widely acquainted with it. It is also a topic that has been widely reported by various media in the past. For example, several years before the publication in question, the media reported that an investigation was under way into the rehabilitation of banks [3], and a few months before the publication in question, for example, that the National Investigation Committee had filed a criminal complaint with the Specialized State Prosecutor's Office [4].
As already stated, it follows from the relevant publication that its central message is reporting on the recapitalization process of banks. In order to achieve the purpose pursued by the publication in question, the processing (publication) of personal data on the day, month and year of birth, EMŠO data and the address of residence of individuals is by no means necessary. According to the IP, in order to achieve this purpose, it is also not necessary to publish names, surnames and other information related to identified or identifiable individuals to whom the criminal complaint in question does not apply and individuals who are not (current or former) highest representatives… and thus not relatively public persons. Namely, if the publication in question did not contain that personal data, it would still (could) achieve its purpose.
The disclosure of this personal data is therefore, in the IP's view, grossly contrary to the principle of data minimisation set out in point (c) of Article 5 (1) of the General Regulation, according to which personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. At the same time, such a way of exercising the right to freedom of expression also represents an unnecessary and disproportionate interference with the right of individuals to the protection of personal data.
A different position must be taken in the case of publishing the names of individuals to whom the criminal complaint relates. The Bank of Slovenia is the central bank of Slovenia and is exclusively state-owned with financial and management autonomy, and acts as the supervisory body of the Slovenian banking system. The highest representatives of such a body must meet high professional and moral standards, and by occupying such a position they also become relatively public figures, so their field of expected privacy shrinks. Given the circumstances of the specific case, the IP considers that it is necessary, especially taking into account the fact that the individuals to whom the criminal complaint relates are (or were then) the highest representatives of the Bank of Slovenia, in the case of processing (publication) of names and surnames of individuals in relation to the criminal complaint in question, in this particular case to give priority to the right of the data subject to freedom of expression over the right of these individuals to the protection of personal data.
… representing…, without first effectively covering, erasing or otherwise anonymising a) the birth data of the individuals to whom the criminal complaint in question relates; and b) EMŠO data and data on the residence of the individuals to whom the criminal complaint in question relates in such a way that such data cannot be accessed; and c) did not ensure the security of personal data as provided for in Article 32 of the General Regulation or did not provide protection of personal data as provided for in Articles 24 and 25 of ZVOP-1.
The IP also notes that the liable party was acquainted with the above-mentioned findings of the IP by letter number 0613-438/2019/8 of 25 January 2021 and at the same time asked to comment on them. In the application dated…, which represents, inter alia, the taxpayer's statement on the facts and circumstances of the minutes number 0613-438/2019/7 of 19 January 2021, the taxpayer stated only that the average reader cannot get acquainted with the EMŠO and the address of residence of the accused persons because they are overlaid in the "…" file, and that only the use of special computer programs and advanced computer knowledge enables the disclosure of this information.
The IP cannot follow these statements. Namely, modern web browsers (such as Google Chrome, Mozilla Firefox or Microsoft Edge), i.e. programs that allow you to view web pages, among other things also allow you to open .pdf files. This allows any user who enters the address… in a web browser to open the "…" file. As was established when reviewing the said file, the data in it were overlaid with a black field in such a way that the text (EMŠO and address) under the black field could also be marked and copied. Using the function of copying and pasting (i.e. copy-paste) text is one of the most basic computer skills.
However, if the said file is opened with a program for .pdf files (for example Adobe Acrobat Reader or Foxit Reader - the latter was used in this case), the black boxes that cover certain personal data of the individuals to whom the relevant criminal complaint relates can also be removed. Thus, by copying the text or removing the black boxes, it is also easy to find out the EMŠO and the address of the accused. The taxpayer did not have any comments regarding other IP findings or other data available in the said .pdf file.
Referring to Article 11a of the Act on Misdemeanors (Official Gazette of the Republic of Slovenia, No. 29/11 et seq.; hereinafter ZP-1), the taxpayer, in the application dated… as well as in the application dated…, also states that the proceedings in question are not permitted because criminal proceedings are already underway against the liable party, both of which stem from the same historical event. In relation to this, the IP explains that the concrete procedure represents an administrative inspection procedure, i.e. a procedure conducted in accordance with the provisions of the ZIN, and not a misdemeanor procedure conducted in accordance with the provisions of ZP-1. Inspection control is the control over the implementation or observance of laws and other regulations (Article 2 of the ZIN). Inspectors perform inspection tasks in order to protect the public interest and the interests of legal and natural persons (Article 5 of the ZIN). If the state supervisor for personal data protection in an inspection procedure finds that the data subject processes personal data in contravention of regulations in the field of personal data protection, he may impose one of the measures referred to in the first paragraph of Article 54 of ZVOP-1 or use one of the corrective powers referred to in the second paragraph of Article 58 of the General Regulation.
It is clear from the above that the sole purpose of conducting the inspection procedure over the implementation of the provisions of ZVOP-1 and the General Regulation is to verify the (illegal) processing of personal data, so that irregularities that may be detected in the inspection procedure can be eliminated. The purpose of the inspection procedure is therefore to ensure compliance with the applicable legislation. The imposition of sanctions for possible violations of the rules in the field of personal data protection is intended for another, separate procedure - the misdemeanor procedure - the rules of which are determined by ZP-1. However, the provisions of ZP-1, including Article 11a, to which the applicant refers, apply only in misdemeanor proceedings. The inspection procedure and the misdemeanor procedure are two separate procedures, which have different and separate purposes.
In accordance with the reasoning above, the taxpayer had to be ordered to eliminate the irregularities, i.e. to ensure the security of processing as provided for in Article 32 of the General Regulation, in the manner and within the time limit set out in points 1 and 2 of the operative part of this decision. The order to eliminate the identified irregularities is based on findings in the inspection procedure.
The order in point 3 of the operative part that the liable party must notify the IP in writing and submit evidence of the elimination of the irregularities within 3 (three) days after the elimination of the irregularities is based on the provision of the fifth paragraph of Article 29 of the ZIN, under which the liable party must inform the inspector immediately if the irregularities are rectified.
Pursuant to Article 118 of the ZUP, a decision is made on the costs of the proceedings.
The costs of the inspection procedure which were necessary to establish the facts proving that the taxpayer violates the law or other regulation are, in accordance with the first paragraph of Article 31 of the ZIN, borne by the taxpayer, so the taxpayer covers his own costs, as decided in point 4 of the operative part. As the body did not incur any special costs of the proceedings in this procedure, it has been decided as stated in point 5 of the operative part.
This decision is issued ex officio and is free of fees on the basis of Article 22 of the Administrative Fees Act (Official Gazette of the Republic of Slovenia, No. 106/10 et seq.).

Instruction on legal remedy

This decision is final in administrative proceedings. Pursuant to the provision of Article 55 of ZVOP-1, no appeal is allowed against it, but an administrative dispute is possible by filing a lawsuit with the Administrative Court of the Republic of Slovenia, Fajfarjeva 33, 1000 Ljubljana, within 30 days of receiving this decision. The action shall be brought before the competent court directly in writing or sent to it by post. The application shall be accompanied by a copy of this decision in the original or an uncertified copy.

[1] Decision of the Constitutional Court no. U-I-98/11 of 26.9.2012 (point 12).
[2] Supreme Court of the Republic of Slovenia Decision II Ips 340/2011 of 17 July 2014.
[3] …
[4] …