IP - 07120-1/2021/168

From GDPRhub
Revision as of 10:10, 14 April 2021 by Cvl (talk | contribs) (→‎Facts)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
IP - 07120-1/2021/168
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 15 GDPR
Type: Advisory Opinion
Outcome: n/a
Decided: 08.04.2021
Published: 08.04.2021
Fine: None
Parties: IP
National Case Number/Name: 07120-1/2021/168
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: GDPR+

The Slovenian DPA held that on the basis of Article 15 GDPR it is not possible for an employee to obtain information about the data processing activities of other employees within a hospital.

English Summary


The DPA was asked by a hospital if it can provide an employee with data on which of its other employees are processing health data, as well as when and how they are processing such data.


The DPA held that under its current practice, it is not possible under Article 15 GDPR to obtain information about specific individuals who have processed personal data within the controller. This applies irrespective of the fact:

- that the person is employed by a controller,

- which systems and collections the employee has accessed, and - whether the access was lawful or unlawful.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

                    Internal insights into the health and personal data of other employees and action in this regard
                        Date: 08.04.2021
                        Number: 07120-1 / 2021/168
                        Categories: Right to acquaint with own personal data, Health personal data
                        We received your request for an opinion from the Information Commissioner (IP) on 6 April 2021:

Based on the form below, can the hospital provide the employee with information on which of the employees (name and surname), when and to which health data he or she accessed or processed?
 Can the provision of Article 46 of the Patients' Rights Act (ZPacP) be applied mutatis mutandis in the case of employees when they are not hospital patients but are registered in the Birpis information system because they used the service within the scope of the employer's activities and consequently can they access their health data (both data on the services they have used in carrying out the employer's activities and data in the CRPP)?

The hospital would prepare a request form for employees to get acquainted with insights into its own health data in order to contain the risk of unauthorized access to health data by other employees in the Birpis information system, which contains health data of employees who were (were) patients of the hospital. use the services in the context of carrying out the activities of the employer. Therefore, they are misled in the system, which automatically allows access to their health data in the CRPP.

On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter: the General Regulation on Data Protection), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP) provides our non-binding opinion on your issue.

 In accordance with current IP practice, based on the requirement to become acquainted with one's own personal data under Article 15 of the General Data Protection Regulation, it is not possible to obtain information on specific persons who processed an individual's personal data within the controller. This applies regardless of:

- that the individual is employed by a manager,
which systems and collections the employee has accessed, and
- whether the access was lawful or illegal.

Regarding insights into the CRPP (performed by employees on behalf of the hospital as an external user), the individual must, as a rule, contact the manager - the NIJZ.

 Action under Article 46 of the ZPacP is necessary in the event that the (allegedly) affected person is a patient. Employees of a healthcare provider may also be patients if they have received any healthcare (care) as defined in the ZPacP, such as testing and vaccination in relation to COVID-19, participation in various preventive healthcare programs or examinations by an in-house healthcare provider. MDPŠ.


In a similar case, IP has already issued Opinion no. 0712-1 / 2019/861, which is available on the IP website.

In case of suspicion of illegal internal processing of personal data, an individual may file an inspection report. Under certain legal conditions (see ZIN and ZP-1), an individual can obtain information about the violator in the inspection or misdemeanor procedure at the IP.

Insight into the data in the CRPP is considered as external use of the data, but the disclosure of information cannot be decided by the healthcare provider, but by the CRPP operator (NIJZ).

The IP opinion is not affected by the fact that or if the CRPP is integrated into the BIRPIS.

It follows from Article 2 of the ZPacP that a patient is "a patient or other user of health services in relation to health care workers and health care associates or health care providers, regardless of their health condition". Medical treatment is "medical and other interventions for disease prevention and health promotion, diagnostics, therapy, rehabilitation and nursing care, and other services or procedures performed by health care providers in the treatment of patients." Health services are "services provided to patients by healthcare professionals and healthcare professionals as part of their activities."

Therefore, in individual cases, it is possible that hospital staff should also be considered as patients, even if they have been treated outside the hospital's regular activities. Consequently, the hospital is obliged to take action in the event of detected unauthorized processing of personal data of these persons in accordance with Article 46 of the ZPacP.

Outside the inspection procedure, the IP is not competent to assess the role played by employees in the use of individual hospital services.

Kind regards,

mag. Urban Brulc, Univ. dipl. right.
independent IP consultant

Mojca Prelesnik, B.Sc. dipl. right.
Information Commissioner