IP - 07121-1/2020/701

From GDPRhub
IP - 07121-1/2020/701
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 4(1) GDPR

Article 58 GDPR

Article 25(2) ZVOP-1

Article 49(1)(g) ZVOP-1

Article 2 ZInfP

Type: Advisory opinion
Outcome: Non-binding
Decided: 23.4.2020
Published: n/a
Fine: none
Parties: anonymous
National Case Number: 07121-1/2020/701
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Slovenian
Original Source: Informacijski pooblaščenec (SI)

The Slovenian DPA (IP) issued the non-binding opinion that the personal data of researchers employed by a public institute is in principle not personal data but publicly available information. However, a concrete assessment about the nature of this and the legal basis has to be made by the data controller.

English Summary[edit | edit source]

Facts[edit | edit source]

The IP received a request to issue an opinion on whether the data regarding the appointment of a researcher and the invalidity of the research title are personal data and as such are inaccessible to the Scientific Council of a public institute. The question arose from the fact that the Scientific Council incorrectly named a particular researcher due to lack of access to his personal data.

Holding[edit | edit source]

The IP found that the processing of the personal data of researchers by the public institute as controller or the Scientific Council as its expert body may be permissible under Article 6 (1)(e) GDPR in the election to the research title as public task.

It added that researchers employed by the public institute are civil servants, thus names and other data related to their employment constitute freely available, public information. It follows that the data on a (valid) research title of a researcher employed by a public institute is probably not personal data at all. However, a concrete and definitive assessment falls under the responsibility of the controller.

Pursuant to the Article 25(2) ZVOP-1, the data controllers determine procedures and measures for the protection of personal data and designate the persons responsible for certain files with personal data and persons who process certain data. IP sees in principle no obstacles to the access to the personal data at stake. However, the final assessment of the personal data that can be processed and the respective legal basis has to be made by the data controller.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.

Date: 04/23/2020
Title: Information for appointment to research title
Number: 07121-1 / 2020/701
Subject matter: Legal basis, Statistics and research, Protection of personal data
Legal act: Opinion

The Information Commissioner (hereinafter referred to as IP) has received your request for an opinion. You are wondering whether the data regarding the appointment to the research title by the decision of the director and the invalidity of the research title are personal data and as such are inaccessible to the Scientific Council of the public institute, which otherwise decides on the appointment to the research titles. You describe a case where the Scientific Council incorrectly named a particular researcher due to lack of access to the personal data of a researcher. You ask how you should handle such cases in the future.

On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46 / EC (General Data Protection Regulation, hereinafter referred to as the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter ZVOP-1 ) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP) provide our non-binding opinion regarding your question.

The IP emphasizes that it can provide non-binding opinions and explanations, but it cannot advise individual entities, outside of specific inspection procedures, on how to organize certain business processes and in this context to process personal data. Similarly, the opinion of IP cannot determine in advance whether in the particular case it is protected personal data. Therefore, IP cannot answer your question in the light of this opinion, but only provides general explanations below.

In accordance with Article 4 (1) of the General Regulation, personal data is any information relating to an identified or identifiable individual; an identifiable individual is one that can be determined, directly or indirectly, in particular by identifying an identifier such as name, identification number, location information, web identifier, or by indicating one or more factors specific to the physical, physiological, genetic , the mental, economic, cultural or social identity of that individual. In accordance with Article 4 (7) of the General Regulation, operator means a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of processing; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for his designation may be laid down by Union or Member State law.

Any processing of personal data must have an appropriate and legal legal basis. These are laid down in Article 6 (1) of the General Regulation and are for the public sector to which public institutions belong:
- law (point (c)),
- consent in the case of non-performance of public tasks (point (a)),
- the conclusion or performance of the contract (point (b)),
- performance of a public task (point (e)).

You state that the Scientific Council of your public institute, as a collective body or professional body, decides on the award of research titles in accordance with the Rules on Research Titles (Official Gazette RS, No. 126/08, 41/09, 55/11, 80/12, 4 / 13 - afterwards, 5/17, 31/17 and 7/19) and internal regulations. In doing so, you emphasize that researchers are obliged to take care of the validity of their research title and to initiate the process of appointment to a research title with the Scientific Council in due time. The Research Titles Regulations allow, in some cases, the appointment of a research title to a director by an appointment decision of no more than one year (see paragraph 6 of Article 18).
However, you are reminded that the data on appointments by the decision of the Director and the invalidity of the research titles in case the researchers did not initiate the procedure for appointment to the research title are personal and therefore inaccessible to the members of the Scientific Council.

V VI. Chapter of the Research Titles Regulations prescribes the procedure for election to the research title. Article 21 of these Rules stipulates that in the procedure for election the competent authority (expert body) shall first examine whether the candidate fulfills the conditions for election, then consider all indicators and criteria for the scientific and professional performance of the candidate, paying particular attention to the five most important scientific and five most important socio-economically or culturally relevant achievements reported by the candidate and takes into account the candidate's complete bibliography recorded in the SICRIS system. Based on the established conditions and other indicators and criteria, the competent authority (professional body) of the public research organization and research organization may elect the proposed candidate to a higher or the same title or reject the candidate's proposal for election to the proposed research title. It follows from the foregoing that the processing of the protected personal data of researchers by the public institute as controller or the Scientific Council as its expert body may be permissible under Article 6 (1) (e) of the General Regulation, that is to say, in the exercise of election to the research title as public tasks.

In addition, IP adds that researchers employed by your public institute are civil servants. Names and other data related to the employment of civil servants, however, constitute freely available information of public character (indent 1, third paragraph of Article 6 of the Act on Access to Public Information, Official Gazette RS, No. 51/06 - Official consolidated text, 117/06 - ZDavP-2, 23/14, 50/14, 19/15 - Dec. US, 102/15 and 7/18 (hereinafter ZDIJZ). Also, the first paragraph of Article 38 of the Public Sector Wage Act (Official Gazette of the Republic of Slovenia, No. 108/09 - Official Consolidated Text, as amended) provides that public sector wages are public, with publicly available information on job, title or function, basic salaries, allowances and part-time salaries other than seniority. Against this background, the data on the (valid) research title of a researcher employed by your public institute probably does not represent protected personal information at all. However, a concrete and definitive assessment is the responsibility of the operator. In making this assessment, it is essential to consider whether, in the specific case, this is information relating to the use of public funds and the employment of a public servant.

Pursuant to the second paragraph of Article 25 of ZVOP-1, which is still in force, the controllers of personal data prescribe in their acts procedures and measures for the protection of personal data and designate the persons responsible for certain personal data files and persons who, due to the nature of their work, process certain data. personal information. Taking into account the reasoned IP, in principle it sees no obstacles to the access to the Scientific Council of a public institute of personal data that it needs to decide on the election of researchers to research titles, namely the public data of researchers as public servants. However, the final assessment of what personal data and on what legal basis the members of the Scientific Council can process in the performance of their tasks will have to be made by the manager on the basis of the clarified starting points, and also regulated by the internal rules of the Institute. IP can only make such an assessment in the context of a complaint procedure under the ZDIJZ or an inspection procedure under the rules on personal data protection.