IP - 07121-1/2020/387: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(6 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{{DPAdecisionBOX
! colspan="2" |IP - 07121-1/2020/387
 
|-
|Jurisdiction=Slovenia
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:logoSI.png|center|250px]]
|DPA-BG-Color=
|-
|DPAlogo=LogoSI.png
|Authority:||[[IP (Slovenia)]]
|DPA_Abbrevation=IP (Slovenia)
[[Category:IP (Slovenia)]]
|DPA_With_Country=IP (Slovenia)
|-
 
|Jurisdiction:||[[Data Protection in Slovenia|Slovenia]]
|Case_Number_Name=07121-1 / 2020/387
[[Category: Slovenia]]
|ECLI=
|-
 
|Relevant Law:||[[Article 58 GDPR#3|Article 58(3) GDPR]]
|Original_Source_Name_1=Informacijski Pooblaščenec
|Original_Source_Link_1=https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1374
|Original_Source_Language_1=Slovenian
|Original_Source_Language__Code_1=SL
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
 
|Type=Advisory Opinion
|Outcome=Other Outcome
|Date_Started=
|Date_Decided=20.03.2020
|Date_Published=
|Year=2020
|Fine=None
|Currency=
 
|GDPR_Article_1=Article 9 GDPR
|GDPR_Article_Link_1=Article 9 GDPR
|GDPR_Article_2=
|GDPR_Article_Link_2=
|GDPR_Article_3=
|GDPR_Article_Link_3=
 
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
 
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
 
|Party_Name_1=Anonymous
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
 
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
 
|Initial_Contributor=
|
}}
 
[[Category:Article 58(3) GDPR]]
[[Category:Article 58(3) GDPR]]


Article 49(1)(g) ZVOP 


Article 2 ZInfP
The Slovenian Supervisory Authority (IP) issued an opinion as foreseen under [[Article 58 GDPR#3|Article 58(3) GDPR]] on the issue of the health data sharing under [[Article 9 GDPR]] in the employer - employee context. It held that there is no reason to collect such data by all organisations and companies, since in principle such information is provided through the National Institute of Public Health (NIJZ) epidemiological service. For all the other cases, the respective exceptions under [[Article 9 GDPR|Article 9(2) GDPR]] may apply.
|-
|Type:||Advisory opinion
|-
|Outcome:||Non-binding
|-
|Decided:||4. 2. 2020
[[Category:2020]]
|-
|Published:||n/a
|-
|Fine:||none
|-
|Parties:||anonymous
|-
|National Case Number:||07121-1 / 2020/387
|-
|European Case Law Identifier:||n/a
|-
|Appeal:||n/a
|-
|Original Language:||[[Category:Slovenian]]
Slovenian
|-
|Original Source:||[https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1244 Informacijski Pooblaščenec (SI)]
|}
 
The Slovenian DPA (IP) issued a non-binding opinion as foreseen under [[Article 58 GDPR#3|Article 58(3) GDPR]] regarding spamming e-mails to Slovenian company, which were sent by a travel agency without any prior registration.


==English Summary==
==English Summary==


===Facts and questions arising===
===Facts and questions arising===
A Slovenian company asked the IP whether a travel agency was allowed to send spams to the company's e-mail "info@..." since it hasn't registered to receive such e-mails.     
The IP received a request whether at the time of the pandemic, an employee may be required to notify an employer about the infection with the corona virus. The purpose of such notification would be to ensure safe working conditions in the unit where the employee performs their work.     


===Holding===
===Holding===
The IP found that the protection of personal data refers to the processing of personal data which relate to an individual. Data relating to an entity are not considered to be personal and, therefore, the data protection rules do not apply to them. In this sense, there is no need for prior informed consent in such cases.  
The IP was of the view that the employer may request that employees inform the employer about the infection, if the NIJZ deems it necessary. Such information falls under the special category personal data under Article 9 GDPR. The processing of such data is prohibited unless one of the exceptions referred to in Article 9(2) GDPR applies.


Finally, the IP advised the company to refer its complaint to the competent Agency for Communication Networks and Services [https://www.akos-rs.si/ (AKOS)].  
In the event of the COVID-19 pandemic, which threatens both the individual and public health, these exceptional circumstances may require measures that interfere with the processing of special category personal data. The IP held that the measures that otherwise interfere with the processing of special category personal data may be in the interests of protecting the vital interests of employees, the legitimate interests of the company, and in the public interest. 
 
If such a member of the medical staff decided that an obligation to process the health data exists, the explicit consent cannot be a suitable basis for processing since the legal basis derives from the above mentioned rules and labor law. The principle of proportionality should always be respected and only the data that is necessary to achieve the purpose should be processed. However, this information must be adequately protected by the employer. In principle, statistics (eg, only information on the occurrence of an infection in a particular company, class, floor, etc.) are sufficient to provide further information, without other information that enables the individual to be identifiable.
 
Therefore, there is no reason to collect such data in all organizations and companies, since in principle such information is provided through the NIJZ epidemiological service. Should the NIJZ epidemiological service in a particular institution confirm a case of infection with the new coronavirus either among employees or among users, the NIJZ epidemiologist will immediately contact the organisation and give them clear instructions on the follow-up procedures and measures to be taken.


==Comment==
==Comment==
Line 58: Line 84:


==Further Resources==
==Further Resources==
''Share blogs or news articles here!''
The IP invited to get familiar with detailed information on the processing of personal data at the time of pandemic, which it made available on its website:
 
https://www.ip-rs.si/novice/odgovorno-ravnanje-vseh-je-kljucno-v-casu-virusne-krize-1170/


==English Machine Translation of the Decision==
==English Machine Translation of the Decision==
Line 65: Line 93:


<pre>
<pre>
Search engine according to GDPR
Date: 03/20/2020
 
Title: Obligation to inform the employer of individual occurrences of the COVID-19 virus
Date: 02/04/2020
Number: 07121-1 / 2020/387
Title: Question about sending messages without prior registration
Subject matter: Employment relations, Specific types, Legal bases
Number: 0712-1 / 2019/2725
Subject matter: Direct marketing, sweepstakes, Telecommunications and mail
Legal act: Opinion
Legal act: Opinion
The Information Commissioner (hereinafter referred to as IP) has received your question whether it is permissible, at the time of the epidemic, to require the worker to notify the employer in the event of coronavirus infection. Namely, we need the information to ensure safe working conditions in the unit where the worker performs his work.
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46 / EC (hereinafter referred to as the General Data Protection Regulation or Decree), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter ZVOP- 1) and Article 2 of the Information Commissioner Act (Official Gazette RS, No. 113/05, hereinafter ZInfP) provide IP explanations.
It is not possible to speak automatically and in all cases of such an obligation on the employee. However, such an obligation of the employee may be ordered by an individual company or organization at the discretion of the competent institutions and the authorized person for occupational health (depending on the specific nature and organization of work) and taking into account the ZDR-1 in connection with sectoral regulations and measures for ensuring health and safety at work. This is a question that needs to be answered primarily by the health care profession, especially by an authorized occupational health officer. So if this is the nature of work, where, despite quarantine, workers come to work or were at work at a time when they could infect others and infection information may be relevant to the employer because of the urgent need to take the necessary measures to protect the vital interests of employees or third parties, such a requirement could be justified in the given emergency.
According to the NIJZ, employers should alert or urge sick workers to stay home and follow the instructions. The NIJZ also provided accurate instructions on how to deal with a respiratory illness in the workplace. Epidemiological service the competent health care institutions are the only persons who can give the sick persons the only concrete instructions on the measures in case of confirmed infection, as well as the companies and / or companies. provide guidance to organizations where such employees were present.
The eligibility of such an obligation therefore depends on the type of work involved, how the employer has arranged it and the nature of the work (eg the risks of infection and consequently the measures are different in the case of work with people, health professionals, teachers, work involving close work). contacts).
Employers are not entitled to the processing of employees' health data, including information about the diagnosis, body temperature of employees, etc., in accordance with the provisions of labor law. Generally, with regard to employer notification obligations, the provisions of the ZDR-1 apply, which are the same for the public and private sectors. In accordance with Article 35 of the ZDR-1, the worker is obliged to observe and implement the rules and measures on safety and health at work and to carry out his work carefully in order to protect his life and health and the life and health of others. In accordance with Article 36 of the ZDR-1, an employee must also inform the employer of material circumstances that affect or could affect the fulfillment of his contractual obligations, and of any changes to the data that affect the fulfillment of his employment rights. The worker must inform the employer of any threatening danger to life, health or material damage he or she perceives at work. Therefore, the employer may request that employees be informed of the infection, if the occupational health care professional or the competent authority (NIJZ) deems it necessary. Such information is a specific type of personal data and the General Regulation in Article 9 stipulates that its processing is prohibited unless one of the exceptions referred to in Article 9 (2) is given. In the event of an epidemic emergency when we are dealing with the spread of COVID infections -19, and which threatens both the health of the individual and public health, these special circumstances may require measures that also interfere with the processing of specific types of personal data. It should be borne in mind that measures that otherwise interfere with the processing of specific types of personal data may also be in the interests of protecting the vital interests of employees, the legitimate interests of the company and also in the public interest. However, this is a question that needs to be answered primarily by the medical profession, in the case described above, in particular by an authorized occupational health officer. If such an obligation exists, specific consent is not foreseen, since the legal basis derives from the abovementioned rules and labor law, always the principle of proportionality should be respected and only the data necessary to achieve the purpose should be processed. However, this information must be adequately protected by the employer, and without the appropriate legal basis, it is not entitled to forward it. In principle, statistics (eg, only information on the occurrence of an infection in a particular company, class, floor, etc.) are sufficient to provide further information, without other information that enables the individual to be identifiable.
Therefore, there is no reason to collect such data in all organizations and companies, since in principle such information is provided through the NIJZ epidemiological service. Should the NIJZ epidemiological service in a particular institution confirm a case of infection with the new coronavirus either among employees or among users, the NIJZ epidemiologist will immediately contact the institution and give him clear and clear instructions on the follow-up procedures and measures to be taken. In the course of the epidemiological examination, the epidemiologist, in an interview with the patient, identifies all the persons with whom the patient has been in contact. According to the definition of the case, he then orders further action - whether individuals will be tested, quarantined, or will receive instructions for self-observation, etc.
IP has posted information on the processing of personal data in this regard on its website:
https://www.ip-rs.si/novice/odgovorno-ravnanje-vseh-je-kljucno-v-casu-virusne-krize-1170/
For specific guidance on how to act in the event of a case of infection between persons (employees, students or students, clients) in a particular institution, building, etc. however, we suggest that you contact the NIPH, which can provide you with clear and clear guidance on what to do next and what steps you can take.
To this end, NIJZ provides up-to-date information for the general and professional public on the NIJZ website www.nijz.si and on social media channels. For general questions, toll-free telephone numbers 080 14 04 are available to residents every day between 8am and 8pm, and NIJZ's General Public Telephone Numbers 031 646 617 and 031 619 118 are open daily between 9am and 5pm. where an expert is available to talk to concerned residents and try to answer their specific questions.
An IP outside the inspection process and in advance may not and cannot judge what specific information may, or even must, be processed in relation to the current situation, but only by the competent institutions.
Best regards,
Prepared by:
Alenka Jerše, univ. dipl. right.
Deputy Information Commissioner
Mojca Prelesnik, univ. dipl. right.,
Information Commissioner


The Information Commissioner (hereinafter referred to as IP) has received an e-mail from you stating that the designated travel agency "spam" the Slovenian domain "info @" without first registering on the mailing list. Accordingly, you are interested in whether they are allowed to do this.
On the basis of the information you have provided, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 95/46 / EC (hereinafter referred to as the General Data Protection Regulation or Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07, officially consolidated text, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion regarding your question.
IP explains that the protection of personal data refers to the processing of personal data, with personal data being data that point to an individual. Data relating to a legal entity and other business entities (eg e-mail info@podjetje.si) are not protected personal data, therefore they are not subject to the rules of personal data protection. Prior informed consent is therefore not required in such a case.
Corporate marketing rules are governed by the Electronic Communications Act (ZEKom-1) and the Electronic Commerce Market Act (ZEPT). The provisions of ZEKom-1 and ZEPT are overseen by the Agency for Communications Networks and Services (AKOS) and the Market Inspectorate of the RS (TIRS). If you believe that this is a violation of the rules of law, you can report directly to AKOS.
</pre>
</pre>

Latest revision as of 15:11, 17 March 2022

IP (Slovenia) - 07121-1 / 2020/387
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 9 GDPR
Type: Advisory Opinion
Outcome: Other Outcome
Started:
Decided: 20.03.2020
Published:
Fine: None
Parties: Anonymous
National Case Number/Name: 07121-1 / 2020/387
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Informacijski Pooblaščenec (in SL)
Initial Contributor: n/a


The Slovenian Supervisory Authority (IP) issued an opinion as foreseen under Article 58(3) GDPR on the issue of the health data sharing under Article 9 GDPR in the employer - employee context. It held that there is no reason to collect such data by all organisations and companies, since in principle such information is provided through the National Institute of Public Health (NIJZ) epidemiological service. For all the other cases, the respective exceptions under Article 9(2) GDPR may apply.

English Summary

Facts and questions arising

The IP received a request whether at the time of the pandemic, an employee may be required to notify an employer about the infection with the corona virus. The purpose of such notification would be to ensure safe working conditions in the unit where the employee performs their work.

Holding

The IP was of the view that the employer may request that employees inform the employer about the infection, if the NIJZ deems it necessary. Such information falls under the special category personal data under Article 9 GDPR. The processing of such data is prohibited unless one of the exceptions referred to in Article 9(2) GDPR applies.

In the event of the COVID-19 pandemic, which threatens both the individual and public health, these exceptional circumstances may require measures that interfere with the processing of special category personal data. The IP held that the measures that otherwise interfere with the processing of special category personal data may be in the interests of protecting the vital interests of employees, the legitimate interests of the company, and in the public interest.

If such a member of the medical staff decided that an obligation to process the health data exists, the explicit consent cannot be a suitable basis for processing since the legal basis derives from the above mentioned rules and labor law. The principle of proportionality should always be respected and only the data that is necessary to achieve the purpose should be processed. However, this information must be adequately protected by the employer. In principle, statistics (eg, only information on the occurrence of an infection in a particular company, class, floor, etc.) are sufficient to provide further information, without other information that enables the individual to be identifiable.

Therefore, there is no reason to collect such data in all organizations and companies, since in principle such information is provided through the NIJZ epidemiological service. Should the NIJZ epidemiological service in a particular institution confirm a case of infection with the new coronavirus either among employees or among users, the NIJZ epidemiologist will immediately contact the organisation and give them clear instructions on the follow-up procedures and measures to be taken.

Comment

Share your comments here!

Further Resources

The IP invited to get familiar with detailed information on the processing of personal data at the time of pandemic, which it made available on its website:

https://www.ip-rs.si/novice/odgovorno-ravnanje-vseh-je-kljucno-v-casu-virusne-krize-1170/

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.

Date: 03/20/2020
Title: Obligation to inform the employer of individual occurrences of the COVID-19 virus
Number: 07121-1 / 2020/387
Subject matter: Employment relations, Specific types, Legal bases
Legal act: Opinion
The Information Commissioner (hereinafter referred to as IP) has received your question whether it is permissible, at the time of the epidemic, to require the worker to notify the employer in the event of coronavirus infection. Namely, we need the information to ensure safe working conditions in the unit where the worker performs his work.
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46 / EC (hereinafter referred to as the General Data Protection Regulation or Decree), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter ZVOP- 1) and Article 2 of the Information Commissioner Act (Official Gazette RS, No. 113/05, hereinafter ZInfP) provide IP explanations.
It is not possible to speak automatically and in all cases of such an obligation on the employee. However, such an obligation of the employee may be ordered by an individual company or organization at the discretion of the competent institutions and the authorized person for occupational health (depending on the specific nature and organization of work) and taking into account the ZDR-1 in connection with sectoral regulations and measures for ensuring health and safety at work. This is a question that needs to be answered primarily by the health care profession, especially by an authorized occupational health officer. So if this is the nature of work, where, despite quarantine, workers come to work or were at work at a time when they could infect others and infection information may be relevant to the employer because of the urgent need to take the necessary measures to protect the vital interests of employees or third parties, such a requirement could be justified in the given emergency. 
According to the NIJZ, employers should alert or urge sick workers to stay home and follow the instructions. The NIJZ also provided accurate instructions on how to deal with a respiratory illness in the workplace. Epidemiological service the competent health care institutions are the only persons who can give the sick persons the only concrete instructions on the measures in case of confirmed infection, as well as the companies and / or companies. provide guidance to organizations where such employees were present.
The eligibility of such an obligation therefore depends on the type of work involved, how the employer has arranged it and the nature of the work (eg the risks of infection and consequently the measures are different in the case of work with people, health professionals, teachers, work involving close work). contacts). 
Employers are not entitled to the processing of employees' health data, including information about the diagnosis, body temperature of employees, etc., in accordance with the provisions of labor law. Generally, with regard to employer notification obligations, the provisions of the ZDR-1 apply, which are the same for the public and private sectors. In accordance with Article 35 of the ZDR-1, the worker is obliged to observe and implement the rules and measures on safety and health at work and to carry out his work carefully in order to protect his life and health and the life and health of others. In accordance with Article 36 of the ZDR-1, an employee must also inform the employer of material circumstances that affect or could affect the fulfillment of his contractual obligations, and of any changes to the data that affect the fulfillment of his employment rights. The worker must inform the employer of any threatening danger to life, health or material damage he or she perceives at work. Therefore, the employer may request that employees be informed of the infection, if the occupational health care professional or the competent authority (NIJZ) deems it necessary. Such information is a specific type of personal data and the General Regulation in Article 9 stipulates that its processing is prohibited unless one of the exceptions referred to in Article 9 (2) is given. In the event of an epidemic emergency when we are dealing with the spread of COVID infections -19, and which threatens both the health of the individual and public health, these special circumstances may require measures that also interfere with the processing of specific types of personal data. It should be borne in mind that measures that otherwise interfere with the processing of specific types of personal data may also be in the interests of protecting the vital interests of employees, the legitimate interests of the company and also in the public interest. However, this is a question that needs to be answered primarily by the medical profession, in the case described above, in particular by an authorized occupational health officer. If such an obligation exists, specific consent is not foreseen, since the legal basis derives from the abovementioned rules and labor law, always the principle of proportionality should be respected and only the data necessary to achieve the purpose should be processed. However, this information must be adequately protected by the employer, and without the appropriate legal basis, it is not entitled to forward it. In principle, statistics (eg, only information on the occurrence of an infection in a particular company, class, floor, etc.) are sufficient to provide further information, without other information that enables the individual to be identifiable.
Therefore, there is no reason to collect such data in all organizations and companies, since in principle such information is provided through the NIJZ epidemiological service. Should the NIJZ epidemiological service in a particular institution confirm a case of infection with the new coronavirus either among employees or among users, the NIJZ epidemiologist will immediately contact the institution and give him clear and clear instructions on the follow-up procedures and measures to be taken. In the course of the epidemiological examination, the epidemiologist, in an interview with the patient, identifies all the persons with whom the patient has been in contact. According to the definition of the case, he then orders further action - whether individuals will be tested, quarantined, or will receive instructions for self-observation, etc.
IP has posted information on the processing of personal data in this regard on its website:
https://www.ip-rs.si/novice/odgovorno-ravnanje-vseh-je-kljucno-v-casu-virusne-krize-1170/
For specific guidance on how to act in the event of a case of infection between persons (employees, students or students, clients) in a particular institution, building, etc. however, we suggest that you contact the NIPH, which can provide you with clear and clear guidance on what to do next and what steps you can take.
To this end, NIJZ provides up-to-date information for the general and professional public on the NIJZ website www.nijz.si and on social media channels. For general questions, toll-free telephone numbers 080 14 04 are available to residents every day between 8am and 8pm, and NIJZ's General Public Telephone Numbers 031 646 617 and 031 619 118 are open daily between 9am and 5pm. where an expert is available to talk to concerned residents and try to answer their specific questions.
An IP outside the inspection process and in advance may not and cannot judge what specific information may, or even must, be processed in relation to the current situation, but only by the competent institutions.
Best regards,
Prepared by:
Alenka Jerše, univ. dipl. right.
Deputy Information Commissioner
Mojca Prelesnik, univ. dipl. right.,
Information Commissioner