IP - 07121-1 / 2020/2260: Difference between revisions

From GDPRhub
(LogoSE.png => LogoSI.png)
 
(2 intermediate revisions by 2 users not shown)
Line 3: Line 3:
|Jurisdiction=Slovenia
|Jurisdiction=Slovenia
|DPA-BG-Color=
|DPA-BG-Color=
|DPAlogo=LogoSE.png
|DPAlogo=LogoSI.png
|DPA_Abbrevation=IP
|DPA_Abbrevation=IP
|DPA_With_Country=IP (Slovenia)
|DPA_With_Country=IP (Slovenia)
Line 70: Line 70:
==English Machine Translation of the Decision==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
 
<pre> The Information Commissioner (hereinafter: IP) received your e-mail stating that the Director had decided to prepare a video greeting card for the clients, which would then be sent to the company's clients by e-mail. The video must be recorded by the workers at home, participation is mandatory. You wonder if this is allowed.
<pre>
 
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter the General Data Protection Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and 2 In accordance with Article of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question.
Search engine according to GDPR
+
We emphasize at the outset that the IP cannot assess specific processing of personal data outside the inspection procedure or other administrative procedure. This means that in issuing an opinion, the IP can only draw attention to the relevant legal basis and the conditions that must be met for certain processing of personal data to be lawful.
-
Date: December 9th, 2020
P first explains that any processing of personal data must have an appropriate and lawful legal basis . These are set out in Article 6 (1) of the General Data Protection Regulation and are as follows:
Title: Transmission of medical reports to the insurance company
• consent (point (a)),
Number: 07121-1 / 2020/2187
the conclusion or performance of a contract (point (b)),
Subject matter: Legal basis, Obtaining OPs from collections, Insurance, Medical personal data
• law (point (c)),
Legal act: Opinion
• protection of the vital interests of the individual (point (d)),
 
• implementation of a public task (point (e) in connection with the fourth paragraph of Article 9 of ZVOP-1),
The Information Commissioner (hereinafter IP) has received your request for an opinion on the justification of providing sensitive personal data (medical records) of your subjects to the insurance company on the basis of a cooperation agreement in the field of specialist medical examinations. You state that the insurance company refers to Article 268 of the Insurance Act and Article 9 of the General Regulation on Data Protection. You point out that these are check-ups that you do because an individual has insured themselves for faster access to health services from the specialist doctors who belong to them if they receive a referral. In a medical institution, e.g. with you, this inspection is ordered and paid for by the insurance company, and for this purpose the said contract is concluded.
• legitimate interests of the operator (point (f)).
 
 
The field of labor law is specially regulated in special laws, especially in the Employment Relationships Act (Official Gazette of the Republic of Slovenia, No. 21/13, as amended; hereinafter ZDR-1) and in the Labor and Social Security Records Act ( Official Gazette of the Republic of Slovenia, No. 40/06; hereinafter ZEPDSV). Pursuant to the first paragraph of Article 48 of ZDR-1, personal data of employees may be collected, processed, used and transmitted to third parties only if this is determined by this or another law or if it is necessary for the exercise of rights and obligations arising from employment or in employment relationship. The types and content of records in the field of work and social security are determined in the ZEPDSV.
You state that the eighth paragraph of the Insurance Act in point 6 really explicitly allows the insurance company to obtain medical documentation from the health care provider, but you believe that the third paragraph of Article 268 of the Insurance Act limits this to cases where the scope is appropriate and necessary to achieve the purposes of processing. You estimate that this is not necessary for your participation. In your opinion, the insurance company should obtain written permission from the insured in advance in order to be able to obtain his medical records directly from the medical institution for specific purposes, and that the insurance company should provide this permission to the medical institution when requesting medical records. In addition, you consider that it is necessary for the insurance company to justify in the contract in which cases this is absolutely necessary depending on the purpose of use.
 
This means that the employer may process only those personal data of employees that are necessary for the exercise of rights and obligations arising from the employment relationship or are related to the employment relationship or are determined by the ZEPDSV . The IP clarifies that the personal data of employees, which can be processed by the employer if this is necessary for the exercise of rights and obligations arising from the employment relationship or in connection with the employment relationship, must be assessed on a case-by-case basis. It is up to the employer to explain why the employee needs certain personal data in order to exercise the rights and obligations arising from the employment relationship or in connection with the employment relationship.
 
You suggest that IP give opinions specifically for:
According to IP, the case you described in your communication most likely does not represent the exercise of rights and obligations arising from the employment relationship or in relation to the employment relationship, which could be the legal basis on which the employer could obtain your recordings for making a video greeting card is given in point (a) of Article 6 (1) of the General Regulation, namely the consent of each employee .
 
    insurance for faster access to a specialist,
Regarding consent  to the processing of personal data of employees, IP points out that consent in employment in relation to the above employment law applies only to those personal data that are not related to the exercise of rights and obligations arising from employment or not related to employment. Due to the pronounced inequality of power of the parties in employment relations or due to the protection of the employee, who is a weaker party in relation to the employer, the legislator regulated this area more strictly. Therefore, the processing of personal data on the basis of consent in this area is only possible in exceptional cases and provided that the individual can indeed refuse consent without any consequences for the employment relationship.
    damage insurance - for the purpose of compensation,
    medical examination before taking out life insurance - for the purpose of proving that the insured does not take out insurance after having already received a poor diagnosis,
Article 4 (11) of the General Regulation provides that the consent of an individual may only be:
 
1. voluntary,
 
2. specific,
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (General Regulation on Data Protection, hereinafter General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1 ) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion regarding your questions.
3. informed and
 
4. unambiguous.
 
We emphasize at the outset that the IP cannot assess specific processing of personal data outside the inspection procedure or other administrative procedure. This means that the IP cannot decide in the context of issuing an opinion whether the conditions for the transfer of personal data are met in a particular case, but can only point out the relevant legal basis and the conditions that must be met for a particular transfer to be lawful. However, a concrete assessment can or must be performed exclusively by the personal data controller.
Voluntary consent means the actual selection and control of the data subject. Consent is thus not valid if the data subject has no real choice if he feels compelled to consent or if he will suffer negative consequences if he does not consent. If the consent is tied to conditions that cannot be negotiated, or if the individual cannot refuse or revoke the transfer of personal data without prejudice, the consent is not given validly, consequently such processing of personal data is without a legal basis, or illegal.
 
 
The European Data Protection Board (EDPB) in Guideline no. 05/2020 on consent under Regulation 2016/679, adopted on 4 May 2020, highlighted in point 23 a case similar to the one described, in which it describes a case of duly obtained consent (and its refusal) in the case of the dismissal of employees. An example is given of a film crew that will shoot in one part of the office. In such a case, the employer can ask all employees sitting in this part of the office to consent to the recording, as they may appear in the background of the video. Those who do not wish to be filmed should not be penalized in any way for doing so, but are provided with equivalent office conditions in other premises for the duration of the filming. You can read more about this in the guidelines at the following link:  https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_sl.pdf.
IP clarifies that the controller must have a for any processing of personal data, ie, inter alia, for their disclosure through the transmission, dissemination or other provision of access legal and appropriate legal basis . These are set out in Article 6 (1) of the General Regulation, and in the case of the processing of specific types of personal data, including health data, another of the conditions set out in Article 9 (2) of the General Regulation must be met. In accordance with point (c) of Article 6 (1) of the General Regulation, processing is lawful if it is necessary to fulfill a legal obligation to which the controller is subject. However, under Article 9 (2) (h) of the General Regulation, the prohibition on processing specific types of personal data does not apply in principle if the processing is necessary for the purposes of preventive or occupational medicine, assessment of the employee's working capacity, medical diagnosis, provision of medical or social care or treatment. management of health or social care systems and services under Union law or the law of a Member State or under a contract with a healthcare professional and subject to the conditions and safeguards referred to in paragraph 3.
 
In view of the above, IP concludes that the participation of employees in the preparation of the company's video greeting card is generally only possible with the consent of the employees. The acquisition can be voluntary, which means that the employee can reject it without suffering any negative consequences.
 
IP emphasizes that it is sufficient for the lawfulness of the processing that one of the separate legal bases set out in Article 6 (1) in conjunction with Article 9 (2) of the General Regulation is met. This means that if the controller processes personal data e.g. by law, he is not obliged to obtain consent for this information.
 
 
The legal basis for the transmission of personal data to an insurance company in terms of the above provisions of the General Decree is given in Article 286 of the Insurance Act (Official Gazette of the Republic of Slovenia, nos. 93/15, 9/19 and 102/20; hereinafter ZZavar-1).
 
 
The insurance company is entitled to obtain relevant medical documentation relating to the insured or the beneficiary from the insurance, if this documentation is necessary for concluding and implementing insurance contracts, recovery of unpaid liabilities from insurance contracts, settlement of claims, enforcement of claims and other rights and obligations, including the investigation of suspicious cases of unduly paid compensation or insurance benefits arising from insurance under this Act, and verification of political exposure of persons under the Act governing the prevention of money laundering and terrorist financing (third paragraph of Article 268 ZZavar-1).
 
 
The sixth paragraph of Article 268 of ZZavar-1 states that the insurance company may collect the following personal data, taking into account the purpose of data processing:
 
 
    personal name, sex, date and place of birth, permanent and temporary residence or permanent and temporary address abroad, address for service, date of death, tax number, type and number of personal document of the insured and injured party for whom insurance coverage and compensation is established or insurance;
    on previous insurance cases to the extent referred to in the previous paragraph and information on the relevant health status of the insured and the injured party, including the provision of medical services, previous injuries and medical condition, type of bodily injuries, duration of treatment and consequences for the injured party and policyholder ;
    income of the insured and the injured party and employment;
    retirement (regular and disability), retraining and disability rates of the insured and the injured party;
    costs for medical care, medicines and medical devices of the insured and the injured party;
    entitlement to cover the difference to the full value of health services under the law governing health insurance from the budget of the Republic of Slovenia;
    driving license data;
    historical data on the history of the subject of insurance.  
 
 
As a rule, the documentation is provided in the form of a copy by the insured or the beneficiary, but the insurance company can also obtain it directly from the healthcare provider (point 6 of the eighth paragraph of Article 268 of ZZavar-1).
 
 
The insurance company is therefore entitled, inter alia, to the documentation required for:
 
    taking out insurance, e.g. in the case of a medical examination before taking out life insurance,
    deciding on an insurance claim, e.g. in the case of a claim for damages based on damage insurance,
    to perform an insurance contract, e.g. in certain circumstances, perhaps also to conclude an insurance case under insurance for faster access to a specialist.  
 
 
As you correctly pointed out in the request, the third paragraph of Article 268 of ZZavar-1 is limited to cases when the scope of the submitted data is appropriate and necessary for the realization of the purposes of processing. This is in line with the general principle of minimum data , according to which personal data must be relevant, relevant and limited to what is necessary for the purposes for which they are processed (Article 5 (1) (c) of the General Regulation). However, IP cannot comment on the question of whether it is necessary and appropriate in a specific case for the insurance company to require you, as a co-contractor, to submit the medical records of the examinees on the basis of a cooperation agreement in the field of performing specialist medical examinations.
 
 
Given that the statutory provision of Article 268 of ZZavar-1, which provides the insurance company with a basis for obtaining data, is relatively open, we suggest that you seek additional clarification regarding the legal basis and purpose of processing and a more detailed justification of the required medical reports. to the insurance company.
 
 
Greetings,
 
 
Mojca Prelesnik, B.Sc. dipl. right,
 
Information Commissioner
 
 
 
Prepared by:
 
Tina Ivanc, B.Sc. dipl. prav.,
IP data protection consultant
 
 
 
</pre>
</pre>
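Review bot: In the replacement decision text, the paragraph listing the Article 6 (1) bases opens with "P first explains", which has lost the leading "I" of "IP". The opening paragraph also cites the Information Commissioner Act as "and 2 In accordance with Article of the Information Commissioner Act", where the removed revision read "Article 2 of the Information Commissioner Act". Both should be corrected in the new text. The block now also closes with two "</pre>" lines; check that the opening and closing tags still pair up after the move of the first sentence onto the "<pre>" line.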

Latest revision as of 23:06, 10 February 2021

IP - 07121-1 / 2020/2260
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 4(11) GDPR
Article 6(1) GDPR
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 16.12.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: 07121-1 / 2020/2260
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: IP SLOVENIA (in SL)
Initial Contributor: n/a

The Slovenian DPA issued an opinion on employee participation in the production of a company's video greeting card under Articles 6 (1) and 4 (11) of the GDPR.

English Summary

Facts

A company’s director decided to prepare a video greeting card and send it to the clients by e-mail. The video was to be recorded by the workers at home, with mandatory participation. The authority was requested to decide upon the legality of the director’s decision and upon the lawfulness of the processing of the workers’ personal data.

Dispute

Can the employer process employees’ personal data on the legal basis of consent under Article 6 (1) GDPR?

Holding

The Slovenian DPA finds itself competent to decide upon the legal basis and the conditions of lawful processing. Article 6 (1) GDPR provides the conditions of lawful processing. Slovenia’s national legislation provides that employees’ personal data can be processed only if this is determined by law, or if it is necessary for the exercise of rights and obligations arising from the employment relationship or related to the employment relationship. Due to the inequality of power in the employment relationship and for the protection of the employee, the processing is only possible in exceptional cases and provided that the individual can refuse consent. Consent under Article 4 (11) GDPR will suffice only if it is voluntary, specific, informed and unambiguous. Participation in the greeting video is only possible under voluntary consent, which means only if the employee can refuse without negative consequences.


English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

 The Information Commissioner (hereinafter: IP) received your e-mail stating that the Director had decided to prepare a video greeting card for the clients, which would then be sent to the company's clients by e-mail. The video must be recorded by the workers at home, participation is mandatory. You wonder if this is allowed.
 
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter the General Data Protection Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question.
 
We emphasize at the outset that the IP cannot assess specific processing of personal data outside the inspection procedure or other administrative procedure. This means that in issuing an opinion, the IP can only draw attention to the relevant legal basis and the conditions that must be met for certain processing of personal data to be lawful.
 
IP first explains that any processing of personal data must have an appropriate and lawful legal basis. These are set out in Article 6 (1) of the General Data Protection Regulation and are as follows:
•	consent (point (a)),
•	the conclusion or performance of a contract (point (b)),
•	law (point (c)),
•	protection of the vital interests of the individual (point (d)),
•	implementation of a public task (point (e) in connection with the fourth paragraph of Article 9 of ZVOP-1),
•	legitimate interests of the operator (point (f)).
 
The field of labor law is specially regulated in special laws, especially in the Employment Relationships Act (Official Gazette of the Republic of Slovenia, No. 21/13, as amended; hereinafter ZDR-1) and in the Labor and Social Security Records Act ( Official Gazette of the Republic of Slovenia, No. 40/06; hereinafter ZEPDSV). Pursuant to the first paragraph of Article 48 of ZDR-1, personal data of employees may be collected, processed, used and transmitted to third parties only if this is determined by this or another law or if it is necessary for the exercise of rights and obligations arising from employment or in employment relationship. The types and content of records in the field of work and social security are determined in the ZEPDSV.
 
This means that the employer may process only those personal data of employees that are necessary for the exercise of rights and obligations arising from the employment relationship or are related to the employment relationship or are determined by the ZEPDSV. The IP clarifies that the personal data of employees, which can be processed by the employer if this is necessary for the exercise of rights and obligations arising from the employment relationship or in connection with the employment relationship, must be assessed on a case-by-case basis. It is up to the employer to explain why the employee needs certain personal data in order to exercise the rights and obligations arising from the employment relationship or in connection with the employment relationship.
 
According to IP, the case you described in your communication most likely does not represent the exercise of rights and obligations arising from the employment relationship or in relation to the employment relationship. The legal basis on which the employer could obtain your recordings for making a video greeting card could therefore be the one given in point (a) of Article 6 (1) of the General Regulation, namely the consent of each employee.
 
Regarding consent to the processing of personal data of employees, IP points out that consent in employment in relation to the above employment law applies only to those personal data that are not related to the exercise of rights and obligations arising from employment or not related to employment. Due to the pronounced inequality of power of the parties in employment relations or due to the protection of the employee, who is a weaker party in relation to the employer, the legislator regulated this area more strictly. Therefore, the processing of personal data on the basis of consent in this area is only possible in exceptional cases and provided that the individual can indeed refuse consent without any consequences for the employment relationship.
 
Article 4 (11) of the General Regulation provides that the consent of an individual may only be:
1.	voluntary,
2.	specific,
3.	informed and
4.	unambiguous.
 
Voluntary consent means the actual selection and control of the data subject. Consent is thus not valid if the data subject has no real choice, if he feels compelled to consent or if he will suffer negative consequences if he does not consent. If the consent is tied to conditions that cannot be negotiated, or if the individual cannot refuse or revoke the transfer of personal data without prejudice, the consent is not given validly; consequently such processing of personal data is without a legal basis, or illegal.
 
The European Data Protection Board (EDPB) in Guideline no. 05/2020 on consent under Regulation 2016/679, adopted on 4 May 2020, highlighted in point 23 a case similar to the one described, in which it describes a case of duly obtained consent (and its refusal) in the case of the dismissal of employees. An example is given of a film crew that will shoot in one part of the office. In such a case, the employer can ask all employees sitting in this part of the office to consent to the recording, as they may appear in the background of the video. Those who do not wish to be filmed should not be penalized in any way for doing so, but are provided with equivalent office conditions in other premises for the duration of the filming. You can read more about this in the guidelines at the following link: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_sl.pdf.
 
In view of the above, IP concludes that the participation of employees in the preparation of the company's video greeting card is generally only possible with the consent of the employees. The acquisition can be voluntary, which means that the employee can reject it without suffering any negative consequences.