IP - 07121-1/2020/1570

From GDPRhub
IP - 07121-1/2020/1570
LogoSE.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6(3) GDPR
Article 58 GDPR
ePrivacy Directive 2002/58/EC
Article 148 ZEKom-1
Article 158 ZEKom-1
Article 2 ZInfP
Article 49(1)(g) ZVOP-1
Type: Advisory Opinion
Outcome: n/a
Decided: 11.09.2020
Published: n/a
Fine: None
Parties: n/a
National Case Number/Name: 07121-1/2020/1570
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Informacijski Pooblaščenec (in SL)
Initial Contributor: n/a

The Slovenian DPA (IP) provides a non-binding opinion on the legal basis for sending an SMS message to all users about a new application by the Slovenian National Institute of Public Health (NIJZ). The IP found that there was no legal basis for the SMS by relying on Articles 148 and 158 of the Slovenian law transposing the ePrivacy Directive 2002/58/EC .

English Summary[edit | edit source]

Facts[edit | edit source]

The IP received a request for an opinion concerning sending of an SMS message to users about the new #StayHealthy app created by the National Institute of Public Health (NIJZ). The SMS message was to be carried out on a voluntary basis by operators at the initiative of NIJZ.

The opinion relates to the legal basis for this SMS message.

Dispute[edit | edit source]

Is there a legal basis under Slovenian national law for sending an SMS message to all users about a new application launched by the Slovenian National Institute of Public Health?

Holding[edit | edit source]

The IP held that Article 6(3) GDPR applies in this context. As such the legal basis for processing is laid down by the Slovenian Electronic Communications Act (ZEKom-1). To come to this conclusion, the IP referred to the EDPB Opinion 5/2019 on the relationship between the ePrivacy Directive 2002/58/EC (transposed into Slovenian law by ZEKom-1) and the GDPR to establish that ZEKom-1 applies.

The IP found that there are restrictions imposed by ZEKom-1 on electronic communications operators regarding lawful data processing. Article 148 ZEKom-1 provides a legal basis for processing subscribers' data, but limits the purposes for which such data is processed with the consent of the data subject. IP added that Article 158 ZEKom-1 restricts sending of unsolicited communications for the purpose of direct marketing through SMS messages. Such communications are only permitted on the basis of consent or certain exceptions. According to IP, the restriction in Article 158 applies to commercial and non-commercial communications, including for the promotion of ideas, political promotions and promotions by NGOs. Therefore, it is unlikely that unsolicited communications on ground relating to emergencies are exempt.

Therefore, there was no legal basis for the SMS.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Date: 09/11/2020
Title: Opinion on SMS notifications about the installation of the #StayHealth app
Number: 07121-1 / 2020/1570
Subject matter: Legal basis, Telecommunications and Post
Legal act: Opinion

The Information Commissioner (hereinafter: IP) has received your letter asking us for an opinion on sending an SMS message to all users, with a notification about the new application #StayHealthy , prepared by N IJZ. The NIJZ also provided you with the opinion of the Government Office for Legislation, according to which the legal basis for sending a message should be Article 9 or 10 of ZVOP-1, according to the opinion of the IP from 2016 in the context of sending SMS messages about consular services. Ask us to comment on the proposed legal basis . You definitely want to help, but you by sending don’t want to break the law .

 

On the basis of the information you have provided to us, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter: the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07, official consolidated text, hereinafter ZVOP-1) and 2 Article of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question.

 

At the beginning, we explain that the Information Commissioner gives non-binding opinions and explanations, but he cannot assess specific actions of personal data processing outside the inspection procedures.

 

Article 6 of the General Regulation sets out the legal basis on which the controller may lawfully process personal data. Among other things, the basis for processing may be determined by special legislation, in accordance with Article 6 (3) of the General Regulation. Special legislation governing the processing of personal data in the field of electronic communications services provided by electronic communications operators is the Electronic Communications Act (Official Gazette of the Republic of Slovenia, No. 109/12, as amended; ZEKom -1).

 

The Data Protection Committee (EDPB) adopted an opinion (No. 5/2019) on the relationship between the General Regulation and the ePrivacy Directive 2002/58 / EC (this directive has been transposed into Slovenian law by ZEKom-1). In the opinion, which is binding for IP in terms of uniform interpretation, the committee explains that the legal bases for the processing of personal data in this area are set out in ZEKom-1, as a special act. In the context of the activities of the operator regulated by ZEKom-1, the legal basis referred to in Article 6 of the General Regulation is not applied, but the basis set out in ZEKom-1. If there is no legal basis for a certain processing of personal data in ZEKom-1, such processing cannot be lawful from the point of view of the principle of personal data processing referred to in Article 5 of the General Regulation.

 

The IP opinion to which you refer in your letter does not relate to an identical situation, but also to the framework as it was before the entry into force of the General Regulation in 2018. Following the application of the General Regulation, the IP must also take into account for data protection - e.g. mentioned opinion no. 5/2019.

 

 

 

 

As already explained in opinion 07121-1 / 2020/1348 on this topic, IP considers that in defining the legal bases on which the operator should send an SMS notification to all its users that the Ostanizdrav application is available to it, ZEKom-1, which imposes restrictions on electronic communications operators regarding the permissible processing of personal data and the provision of services. The direct and explicit legal basis for SMS notification, which would be carried out voluntarily by the operator in the manner described, but at the initiative of the NIJZ, does not follow from the stated provisions of ZEKom-1.

 

At the same time, IP emphasizes that it is not responsible for the interpretation and control of the provisions of ZEKom-1, as this falls within the competence of the Agency for Communication Networks and Services of the Republic of Slovenia (AKOS).

 

We note, however, without prejudice to the competence of AKOS for the interpretation and control of ZEKom-1, that in Article 148 it includes the legal basis for the permissible processing of subscribers' data and narrowly limits the purposes for which data may be processed. with the consent of the contracting authority. Article 158 of ZEKom-1 also restricts the sending of unsolicited communications for the purpose of direct marketing via e-mail, SMS and MMS messages and allows this on the basis of consent or in certain exceptions. Personal data protection supervisors certainly understand the provision on unsolicited communications in the sense that it includes restrictions on the sending of all types of unsolicited messages, whether commercial or non-commercial, such as. for the purpose of promoting ideas, political promotion, promotion of NGOs, etc. As in the previous opinion, we also express doubts about the adequacy of the use of grounds relating to emergencies.

 

 

Prepared by:

Dr. Jelena Burnik,

Head of International Cooperation and Supervision

 

 

 

Mojca Prelesnik, B.Sc.

Information Commissioner