IP - 0712-1/2020/1408
|IP - IP - 07121-1/2020/1408|
|Relevant Law:||Article 15 GDPR|
|National Case Number/Name:||IP - 07121-1/2020/1408|
|European Case Law Identifier:||n/a|
|Original Source:||Informacijski Pooblaščenec (in SL)|
The Slovenian DPA clarified that the right to request one's personal data under GDPR Article 15 only applies to the person whose personal data is in question. In other words, a claimant cannot request from a controller the personal data of another person, using Article 15 as their basis.
The Slovenian DPA (IP) was asked for an opinion concerning the scope of GDPR Article 15.
Within the GDPR, an individual can only request their own personal data or data relating to them. As a rule, the request is submitted in writing to the controller, whom the individual considers to be processing his personal data. The deadline for the operator's decision is one month from the receipt of the request. An appeal is possible against the operator's silence or against his refusal, for the resolution of which the IP is responsible. An appeal against the refusal must be lodged within 15 days of receipt of the reply. Therefore, (any) negative answer is sufficient for an appeal.
The IP points out, however, that in exercising the right to access personal data processed by public authorities responsible for the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including protection against threats to public security and their prevention ( these authorities include the police) do not apply the provisions of the General Data Protection Regulation but the rules that were in force before its application.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter: the General Regulation on Data Protection), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter: ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter: ZInfP), we provide our non-binding opinion on your issue. IP generally clarifies that the General Data Protection Regulation regulates the right to access or access one's own personal data in Article 15, which stipulates in the first paragraph that the data subject has the right to obtain confirmation from the controller, whether personal data are processed in relation to it and, where applicable, access to personal data and the following information: a) the purposes of the processing; b) the types of personal data concerned; c) users or categories of users to whom personal data have been or will be disclosed, in particular users in third countries or international organizations; d) where possible, the envisaged retention period of the personal data or, if that is not possible, the criteria used to determine that period; e) the existence of a right to require the controller to rectify or delete personal data or to restrict the processing of personal data in relation to the data subject, or the existence of a right to object to such processing; f) the right to lodge a complaint with the supervisory authority; g) where personal data are not collected from the data subject, all available information concerning their source; h) the existence of automated decision-making, including the profiling referred to in Article 22 (1) and (4) of the General Data Protection Regulation, and at least in such cases meaningful information on the reasons for it, as well as the significance and intended consequences of such processing for the data subject. The right to be acquainted with personal data or the right to access personal data therefore refers only to the personal data of the applicant. This means that within the framework of this right, an individual can only become acquainted with his own personal data or data relating to him. As a rule, the request is submitted in writing to the controller, whom the individual considers to be processing his personal data. The deadline for the operator's decision is one month from the receipt of the request. An appeal is possible against the operator's silence or against his refusal, for the resolution of which the IP is responsible. An appeal against the refusal must be lodged within 15 days of receipt of the reply. Therefore, (any) negative answer is sufficient for an appeal. IP points out, however, that in exercising the right to access personal data processed by public authorities responsible for the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including protection against threats to public security and their prevention ( these authorities include the police) do not apply the provisions of the General Data Protection Regulation but the rules that were in force before its application. These are the provisions of Articles 30, 31 and 36 of ZVOP-1. In these cases, too, it is considered that an appeal is possible against the silence of the operator or against his refusal, for the resolution of which the IP is competent. The IP is therefore in these cases an appellate body, so it cannot be involved in the proceedings at first instance, which in this case means that the IP cannot (in the case of You can also read more about the right to be informed about one's own personal data and how to exercise it on the IP website: https://www.ip-rs.si/varstvo-osebnih-podatkov/pravice-posameznika/seznanitev-z-lastnimi-osebnimi-podatki/ In this connection, the IP adds that in accordance with Article 36 of ZVOP-1, the rights of an individual referred to in the third and fourth paragraphs of Article 19, Articles 30 and 32 of this Act (ie also the right to be informed) may exceptionally be limited by law. for reasons of protection of sovereignty and defense of the state, protection of national security and constitutional order of the state, security, political and economic interests of the state, exercise of police powers, prevention, detection, detection, prosecution and prosecution of crimes and misdemeanors, detection and punishment of violations of ethical norms professions, for monetary, budgetary or fiscal reasons, for the purpose of supervising the police and protecting the data subject or the rights and freedoms of others. The sectoral legal basis for the processing of personal data by the police is the Police Tasks and Powers Act (ZNPPol; Uradni list RS, nos. 15/13, 23/15 - corr., 10/17, 46/19 - US decision, 47 / 19). In accordance with Article 33 of the ZNPPol, the collection and processing of data is one of the police powers that police officers may exercise in the performance of police duties. Article 112 of the ZNPPol then stipulates in more detail that police officers collect and process personal and other data, including data on the biometric characteristics of persons and data from confidential relationships or professional secrets, in order to perform police tasks. Police officers collect personal and other data directly from the data subject and from others who know something about it, whether from personal data files, official records, public books or other databases. In accordance with 130. According to Article ZNPPol, police officers must report on each use of police power in a report on the work performed, or if they do not write reports, in a written act on the use of police power or in an official note. The written acts referred to in the preceding paragraph must be drawn up by the police officer no later than within 24 hours of the use of the police power of attorney. The police officer's report on the work performed serves exclusively for internal reporting and verification of the legality and professionalism of the exercise of police powers. IP further clarifies that the right to information described above does not represent the only possibility or legal basis for access to documents held by the police. Thus, in the fourth paragraph of Article 116, the ZNPPol stipulates that the police must, in the event of an incident or the performance of police tasks, submit a reasoned written request stating the circumstances referred to in the fourth paragraph of Article 40 of the ZNPPol injury, suspicion of committing a criminal offense or misdemeanor and similar cases) to a person who demonstrates a legal interest. The beneficiary must specify in the written request the type of information and the purpose for which it is needed. In order to obtain the desired information in this way, it is therefore necessary to address a request to the police for the provision of information and to meet the above conditions, In conclusion, IP reiterates that this opinion is optional, based on available information, and the adequacy and legality of the transfer of personal data in a particular case can be assessed only in a specific inspection or other administrative procedure, when all the specific circumstances of each case are known. whereas, as already pointed out, the IP must not interfere with the substantive procedures conducted by other bodies in the context of an individual procedure. With refreshments. Prepared: Matej Sironič, Adviser to the Commissioner for the protection of personal data Mojca Prelesnik, B.Sc. dipl. right, Information Commissioner