IP - 07120-1/2020/628

From GDPRhub
IP - 07120-1/2020/628
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6(1) GDPR
Access to Public Information Act
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 04.12.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: 07120-1/2020/628
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: n/a

The DPA issued an opinion on making the council meetings open to public. The DPA suggested to determine the rules regarding the openness of meetings and in the case of dealing with personal data, close the specific meeting (partially) to the public, or provide an appropriate legal basis.

English Summary

Facts

According to the complainant, the draft statute of the council institution would state that its sessions are not public, but the council can open them. In his view, the meetings are "per se" closed to the public.

Dispute

What are the legal bases for opening the council meetings to the public?

Holding

According to the DPA, the public institution can determine in its statute when it will open or close the meeting or part of the meeting to the public. The public session is not a requirement that would be determined by a special law for public institutions and does not fall within the scope of the right of access to public information provided by the ZDIJZ.

The DPA claimed that in cases where personal data is discussed at the council's meetings, one of the legal bases for the processing of personal data from Article 6(1) GDPR must be provided.

The DPA suggested to determine the rules regarding the openness of meetings and in the case of dealing with personal data, close the specific meeting (partially) to the public, or provide an appropriate legal basis. The DPA pointed out that consent in the public sector can be given in accordance with the first paragraph of Article 9 of ZVOP-1 (which is still used to a certain extent until the adoption of ZVOP-2) when the law stipulates that certain personal data are processed only based on the personal consent of the individual. The DPA has repeatedly emphasized in the past that the consent of an individual can be given without prior definition in the law only if it is not a matter of performing public tasks.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

The Information Commissioner (hereinafter IP) received your request for an opinion on the publicity of the meetings of the councils of institutions by e-mail. The draft statute of the public institution would state that the sessions are not public, but that the council can open them to the public. In your opinion, the meetings of the councils are "per se" closed to the public. You are asking what the IP opinion is in this regard.

***

On the basis of the information you have provided to us, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter: the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07, official consolidated text, hereinafter ZVOP-1) and 2 Article of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion regarding your question.

In doing so, the IP emphasizes that the IP cannot assess specific processing of personal data outside the inspection procedure or other administrative procedure.

In cases similar to yours, the IP has already given its opinions in the past, e.g. opinions no. 0712-1 / 2015/2369 of 21 September 2015 and no. 0712-1 / 2016/714 of 28.3.2016.

At the beginning, we explain that the public institution can determine with its statute when it will open or close the session or part of the session to the public. According to the IP, the public session is not a requirement that would be determined by a special law for public institutions and does not fall within the scope of the right of access to public information provided by the ZDIJZ. However, the above does not mean that the applicant does not have the right to access any documentation that was discussed at the session and is information of a public nature, taking into account the exceptions provided by the ZDIJZ.

Exceptions to free access to the requested information are defined in Article 6 of the ZDIJZ, namely, among other things, the applicant is denied access to the requested information if the request relates to personal data , the disclosure of which would constitute a breach of personal data protection. personal data. In accordance with our competencies, we therefore provide you with our non-binding opinion on the protection of personal data at a meeting of the institution.

As we have pointed out in the opinions quoted above, in cases where personal data is discussed at the institute's meetings, one of the legal bases for the processing of personal data provided for in the General Regulation must be provided. In the public sector, in accordance with the first paragraph of Article 6 of the General Regulation, personal data may be processed in the following cases:

(a) the data subject has consented to the processing of his or her personal data for one or more specified purposes;

(b) processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures at the request of such a data subject before the conclusion of the contract;

(c) the processing is necessary to fulfill a legal obligation applicable to the controller;

(d) processing is necessary for the protection of the vital interests of the data subject or of other natural persons;

(e) the processing is necessary for the performance of a task in the public interest or in the exercise of public authority conferred on the controller.

Based on the above, we suggest that you determine the rules regarding the publicity of sessions and in the case of dealing with personal data at sessions of a public institution, close the specific session (in part) to the public, or provide an appropriate legal basis as above. We would like to point out that consent in the public sector can be given in accordance with the first paragraph of Article 9 of ZVOP-1 (which is still used to a certain extent until the adoption of ZVOP-2) when the law stipulates that certain personal data are processed only based on the personal consent of the individual. The IP has repeatedly emphasized in the past that the consent of an individual can be given without prior definition in the law only if it is not a matter of performing public tasks.

Hoping that our instructions will help you, we welcome you.