IP - 0712-1/2019/2419
|IP - 0712-1/2019/2419|
|Relevant Law:||Article 6 GDPR|
|National Case Number:||0712-1/2019/2419|
|European Case Law Identifier:||n/a|
|Original Source:||Informacijski Pooblascenec (SI)|
On 4 November 2019, the Slovenian DPA (IP) exercised its powers under Article 58(3) GDPR to issue an advisory opinion regarding processor's and controller's roles.
English Summary[edit | edit source]
Facts and questions arising[edit | edit source]
The legal entity which requested the opinion is a third party service provider which collects through parents and the service provider, the children’s personal data for the purpose of organising trips. The legal entity receives and collects the information necessary for the signature of the contract and then transfers the personal data to the service provider with which the parents sign the contract.
The IP’s opinion pursuant to Article 58(3) GDPR has been requested in order to find out who is considered to be a processor, a controller and what the legal basis for the processing of the children’s personal data is. More precisely, the question was raised whether the processing is carried out on behalf of the service provider as a controller or if the third party service provider is processing the personal data for its own purposes.
Holding[edit | edit source]
The Slovenian DPA stated it was not able to answer to the question due to lack of information. Nevertheless, it stated that both the controller and the processor have to apply the necessary measures to secure the transfer and to prevent unauthorised personal data disclosures.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.
Date: 04.11.2019 Title: Insurance OP Number: 0712-1 / 2019/2419 Subject matter: Contractual processing of data, Legal bases, Kindergarten, Protection of personal data Legal act: Opinion The Information Commissioner (hereinafter referred to as IP) has received your request for an opinion, stating that you arrange skating and flying for children at your institution through outside contractors, with the parents paying for the said service. In the described case, the Institute is a kind of mediator in the communication between the contractor and the parents. You also participate in the organization in the sense that you bring your children to skate. You further state that the contractor brings open contracts and bills of exchange and wants you to provide them to your parents. The latter means that the chauffeur from the secretariat brings them to a unit (15 units in different locations) where the educator distributes the contracts to the parents when they bring or take the children. Reminder for unpaid service is the same. It is arguable that personal information documents are traveling around. The IP makes it clear that on the basis of information received from applicants in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data information and repealing Directive 95/46 / EC (hereinafter referred to as the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1 - hereinafter ZVOP-1); Article 2 of the Information Commissioner Act (Official Gazette RS, No. 113/05 - hereinafter ZInfP) issues non-binding opinions on issues related to the protection of personal data. In doing so, the IP emphasizes that it cannot judge the actual processing of personal data outside the inspection or administrative process. The processing of personal data pursuant to the first paragraph of Article 6 of the General Decree is lawful only to the extent that at least one of the following conditions is fulfilled: the data subject has consented to the processing of his or her personal data for one or more specific purposes; processing is necessary for the performance of a contract to which the data subject is a contracting party or for the implementation of measures at the request of such individual before the conclusion of the contract; processing is necessary to fulfill the legal obligation applicable to the controller; processing is necessary to protect the data subject or other natural person; processing is necessary for the performance of tasks in the public interest or in the exercise of public authority conferred on the controller; processing is necessary for the legitimate interests pursued by the controller or a third party, except where such interests outweigh the interests or fundamental rights and freedoms of the data subject requesting the protection of personal data, in particular where the data subject is it concerns personal data, the child (this item is not used for processing by public authorities in the performance of their duties). Based on the information provided in the request for an opinion, IP cannot say with certainty which of the following legal bases would be relevant in the specific case and thus cannot give you a definitive answer in the opinion, nor can it judge whether the outsourcer in in the specific case acts as controller or processor of personal data. In other words, does the outsourcer collect personal information on request and for the kindergarten account, or in his own name and on his own account and for his own purposes. Processors are those organizations or individuals who, at the request of a particular manager (eg you as a contracting authority) and in accordance with his requirements for the specific task or purpose for which he or she processes personal data. In determining who is the controller and who is the processor of personal data, what is crucial is the role of a particular entity in obtaining data, exercising access rights, deleting individuals, collecting personal data, determining purposes and means of processing, actually accessing a database of personal data that they process. You can read more about the regulation of contractual processing in accordance with the Regulation on the IP website at the following link: https://www.ip-rs.si/legislation/reforma-european-legislative-framework-for-the-personal- data / key-areas-regulation / contract-processing /. In addition, we advise you to take note of the content of the opinion, no. 0712-1 / 2019/1169 dated 16 May 2019, relating to contractual processing, located at the following link: https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=551 . 3254/5000 Regarding your concern that you find it controversial that personal data files are traveling around, IP adds that the area of personal data processing security is governed by both the General Decree and the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07 - officially consolidated hereinafter referred to as ZVOP-1), which in this case uses the term insurance. Pursuant to Article 24, paragraph 1, of ZVOP-1, protection includes organizational, technical and logical-technical procedures and measures that protect personal data, prevents the accidental or deliberate unauthorized destruction of data, their modification or loss, and unauthorized processing, inter alia, to prevent unauthorized access to personal data during their transmission, including transmission by telecommunication means and networks (point 3 of the first paragraph of Article 24 of ZVOP-1). In accordance with Article 25, Paragraph 1 of ZVOP-1, which is still in force, data controllers and contractual processors are obliged to ensure the protection of personal data in the aforementioned manner. In addition to the provisions of ZVOP-1, it is necessary to take into account Article 32 of the General Regulation that, taking into account the nature, scope, circumstances and purposes of processing, as well as the risk to the rights and freedoms of individuals, by ensuring appropriate technical and organizational measures, they provide an adequate level of security by risk, and gives examples of measures to ensure the security of personal data. In determining the appropriate level of security, account shall be taken, in particular, of the risks posed by processing, in particular as a result of unintentional or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed. In doing so, the principle of minimum data coverage (point (c) of the first paragraph of Article 5 of the General Regulation must also be observed. In accordance with the aforementioned Article, personal data must be relevant, relevant and limited to what is necessary for the purposes for which they are processed. This means that personal data must be adequately secured throughout the transmission of the shipment, from delivery to service, and the security procedures and measures depend on the risk posed by the transfer and the nature of the personal data transmitted. Personal data transmitted by mail or by courier, they must be secured in such a way as to prevent unauthorized disclosure of the personal data being transmitted. This means that e.g. service contracts or Reminders for unpaid service provided in sealed envelopes, glued in such a way as to ensure that they are not torn or opened during sorting, handling and transfer. It follows, therefore, that personal data must be adequately protected at all times during the transfer by procedures and measures that prevent unauthorized persons from accessing personal data, whereby the procedures and measures of protection depend on the risk posed by the transfer and the type of personal data, which are transmitted. IP reiterates that the latter obligation applies to both controllers and processors of personal data. Hoping to get your questions answered, we welcome you. Mojca Prelesnik, univ. dipl. right., Information Commissioner