Persónuvernd (Iceland) - 2020010633

From GDPRhub
Revision as of 09:02, 29 September 2021 by FA (talk | contribs) (Summary changes for newsletter.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Persónuvernd (Iceland) - 2020010633
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5 GDPR
Article 6(1)(a) GDPR
Article 6(1)(e) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 21.09.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 2020010633
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Icelandic DPA (in IS)
Initial Contributor: Florence D'Ath

The Icelandic DPA rejected a complaint from a data subject about the sharing of information between their previous, current, and potential future employers (i.e. public authorities X, Y and Z), which they argued led to an unlawful dismissal and rejection from new jobs.

English Summary

Facts

A data subject (the Complainant) had been working for an institution (hereafter, X). He then started to work for a municipality (hereafter Y). Y however decided to re-evaluate the status of the Complainant. In this context, representatives of X shared information about the Complainant with Y. Nine days later, the Complainant was dismissed by Y. The Complainant considered that his dismissal was a direct result of the sharing of information between X (his former institutional employer) and Y (the municipality). Furthermore, his job application with a sub-agency of Y (hereafter, Z) was rejected on the basis of the same information.

The Complainant was of the opinion that X and Y should not have shared and used information about him for the purpose of deciding whether to dismiss him or reject his new job application with Z. In particular, the Complainant considered that X and Y did not have any valid legal basis for the processing of his personal data, and that X and Y had violated the principles of data processing as enshrined in Article 5 GDPR.

Holding

The Icelandic DPA considered the processing in question, i.e. the collection, sharing and use, between X and Y, of the Complainant's personal data for the purpose of human resources management, complied with the applicable data protection law. The Icelandic DPA therefore rejected the complaint.

In particular:

  • the Icelandic DPA found that data relating to the dismissal of a former employee does not qualify as special categories of personal data under Article 9 GDPR. Hence, it was not necessary for X or Y to justify the processing of such data under Article 9 GDPR (i.e. legal bases for the processing of special categories of data). Rather, Icelandic DPA found that X and Y could rely on Article 6 GDPR for processing the Complainant's data (i.e. legal bases for the processing of personal data in general).
  • the Icelandic DPA rejected the idea that the processing of the Complainant's data should have been based on his consent, in accordance with Article 6(1)(a) GDPR. Rather, the Icelandic DPA found that, under administrative law, decisions on dismissal of individuals from public offices are generally regarded as administrative decisions. Hence, X and Y could rely on Article 6(1)(e) GDPR for processing such data, in the sense that the processing was necessary for the performance of a task carried out by a public authority in the exercise of its functions.
  • the Icelandic DPA also found that the Complainant had received sufficient information about the fact that data relating to his previous position would be shared with Y. In particular, the Icelandic DPA noted that none of the parties disputed the fact that the Complainant attended a meeting with representatives of Y in June 2018, where the collection of information from X was discussed in the context of a potential dismissal of the Complainant. In addition, the Icelandic DPA considered that it should have been clear to the Complainant that the available information about him could also be used by Y when deciding on the application of the Complainant for a position with Z, i.e. an agency of Y.

The conclusion of the Icelandic DPA was therefore that the processing by X and Y had been conducted in compliance with the applicable data protection legislation.

Comment

This decision is particularly interesting with respect to the legal basis which the Icelandic DPA accepted as a valid legal basis for the processing of the Complainant's personal data, i.e. the fact hat the processing would be necessary for the performance of a task carried out by a public authority.

The Icelandic DPA's position is a departure from the stance of other DPAs. In other Member States, it is indeed considered that, when taking decisions in the context of human resources management (i.e. decision to hire or dismiss (prospective) employees), public authorities are not acting within the scope of their public mission or fulfilling a task in the public interest, but should be considered similarly to private employers. In that sense, public authorities are sometimes barred from the possibility to rely on the 'public interest' legal basis listed in Article 6(1)(e) GDPR when processing the personal data of their employees or agents for the purpose of human resources management.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


                    Individuals FAQ complete FAQ electronic monitoring general privacy right to be forgotten right to information about their genotype What is processing? A new privacy legislation 2018Almennt the new legislation other interesting stuff educational booklet: Privacy children's booklet: Private youth booklet: public companies and administration asked and answered all the questions and answers electronic monitoring general privacy access right controllers, processors and vinnslusamningarÁbyrgðarskyldaVinnsluskrárNý Privacy legislation 2018FræðsluefniLög and reglurLög privacy rules and regulations other sacrificed rules and guidelines operating international and European law Solutions Solutions Reviews Licensing Various letters Privacy function Privacy News Mega political process personal data my campaign? How to process personal data in election campaigns? Staff and management for media requests for promotional events policy and gi ldiAnnual Reports201620152014201320122011201020092008200720062005200420032002200120001999Other ContentPrivacy PolicyLegal DisclaimerAccessibilityService DeskTwitterEnglishDecisions
             
                
    
    Enter keywords
    
    
      
    
    
  
  
                    SolutionsReviewsLicensingMiscellaneous letters
             
                
                
                                
            Search for solutions
            
        
                
            
                Year from:
                
            
            
                Year to:
                
            
        
                
            Search
        
    
    



    


    


    
      Processing
municipality with personal information in connection with decisions on termination and
employment in accordance with the law
      Mál. no. 2020010633
    

    

     
      
      
        9/21/2021
        
      
      
      
     

    

  

  

  
      The Data Protection Authority has ruled on the processing of personal data by the municipality, which took place in connection with the decision to dismiss the complainant and reject his second job application with the municipality's agency. The Data Protection Authority considered the processing in question, i.e. collection and use of the information, authorizing on the basis of its necessity for the purpose of making government decisions. The Data Protection Authority also considered that the processing had complied with the principles of the data protection legislation. In this connection, it was considered, among other things, that the municipality had informed the complainant at a meeting about the planned processing in connection with his dismissal. In addition, it should have been clear to the complainant that the available information about him could be used by the municipality when deciding on employment for another job that the complainant applied for. The conclusion of the Data Protection Authority was therefore that the processing had complied with the data protection legislation.

    

    
    Ruling On September 3, 2021, the Data Protection Authority issued a ruling in case no. 2020010633 (formerly 2019051052): I. Proceedings 1. Outline of the case On 16 May 2019, the Data Protection Authority received a complaint from [B]'s lawyer, on behalf of [A] (hereinafter the complainant), about the processing of his personal information by [public agency X] and [the municipality Y]. More specifically, following the complaint that following the complainant's appointment to the institution Z, which belongs to municipality Y], the representatives of the municipality had obtained information about him from the human resources manager and division manager at [X], where the complainant had previously worked, without having specified them as proponents in his application. The complainant had also been reduced in the rating for the information in question when applying for another job at [sub-agency Z]. The complaint was accompanied by, among other things, a so-called basic assessment and justification [of municipality Y] for that employment. By letters dated On 30 June 2020, [municipality Y] and [public agency X] were invited to provide explanations regarding the complaint. Answered by [X] by letter dated. July 13, i.e., and by [Y] by letter dated. 27. s.m. By letter dated On October 29, the Data Protection Authority requested further information from [Y]. The answer was by letter dated. November 20, etc. By letter dated On 27 April 2021, the complainant was invited to comment on the answers received from [municipality Y]. The complainant's lawyer replied by e-mail on 2 June, etc. In resolving the case, all of the above documents have been taken into account, although not all of them are specifically described in the following ruling. The handling of the case has been delayed due to a great deal of work by the Data Protection Authority.2. the official body X], which he did not specify as a proponent in his job application, without his consultation and approval. Nine days later, the complainant was dismissed and he considers that the dismissal was a direct result of the gathering of information. A complaint from the complainant's lawyer to the Data Protection Authority on 2 June 2021 states that the complainant had attended a meeting with the representatives of the municipality, but that the subject of the meeting was unknown to him at the invitation to the meeting. At the meeting, however, the complainant became aware that the representatives of the municipality had already received information from the employees of [X] which he had not specified as recommenders in his application. However, he did not give his consent to the municipality for further information from the agency. The complaint further states that the complainant later applied for a job [director of agency Z] which was advertised [in September] 2018. He was called for a job interview and was rated among the most qualified candidates according to the so-called basic assessment. Although it is clear from the assessment, as well as the reasoning of the municipality, that the complainant was reduced in the rating under the items interview 1 and comments on the basis of the information in question from [public institution X]. The complainant considers that there has been no authorization for the processing or that the conditions for the processing of sensitive personal information have been met, but he believes that this may lead to the possibility that sensitive personal information has been involved. The processing was in conflict with the purpose and content of the law on personal data protection and against the complainant's right to privacy. Furthermore, the reliability and quality of the information has not been ensured.3. Viewpoint [X] It is stated in the reply of [the public agency X] that the agency has, at the request of [municipality Y], provided the municipality with information about the complainant. No information is available from the Agency on the timing of that dissemination. It was an oral dissemination of information, but the information was not retrieved from the electronic system or the institution's files.4. On the one hand, the complaint concerns the processing of personal data in connection with the complainant's employment with [sub-agency Z] and his dismissal nine days later [in June 2018]. This part of the case is governed by Act no. 77/2000, on personal protection and handling of personal information. On the other hand, the complaint concerned the processing of personal data related to the complainant's application for the job [director of the agency Z] in September 2018 as Act no. 90/2018, on the protection of personal data and the processing of personal data applies to. Regarding the first complaint, it is referred to that the municipality has received information about the complainant who did not appear in the recruitment process that he was fired from [public institution X] or made been with him a severance agreement. Three employees of the municipality have met with the complainant about this [in June 2018]. [Representative of the municipality Y] had at the meeting asked the complainant to contact [X] to discuss the information provided and the complainant agreed. Following this, [he] contacted by telephone two managers at [X] who provided information on the complainant's lack of communication skills. The next day, [he] informed the complainant of the comments, of which the complainant was, by his nature, aware. [Later in June 2018, he] wrote the complainant a letter of resignation which was, among other things, sent to him by e-mail. The information in question had not been formally recorded, but it had been entered in the diary entries [of the municipality's representative] in the form of notes in a Word document on a computer. The information is not stored in any other way by the municipality. On the part of [municipality Y] it is based on the fact that the information was obtained on the basis of the complainant's unequivocal consent and therefore the processing was based on point 1. Article 8 Act no. 77/2000. This was necessary information from the complainant's previous employer in connection with his employment with [sub-agency Z] and the processing complied with Article 7. of the Act. The municipality considers that there was no sensitive personal information within the meaning of point 8. Paragraph 1 Article 2 Regarding the latter subject of the complaint, [municipality Y] points out that no new information about the complainant has been obtained from [public agency X] in connection with the appointment of [director of agency Z]. The decision on employment was based on data from the complainant himself and information available to the municipality before the application process began.II.Conditions and conclusion1. Delimitation of a case - Legal settlement This case concerns, on the one hand, [municipality Y]'s collection of information about the complainant from [public institution X], as well as its registration and use for the purpose of deciding on his dismissal from […] at [sub-institution Z]. The complainant's letter of resignation was written [in June 2018]. However, the case concerns the use of the same information by [municipality Y] in the decision to recruit [director of agency Z] which was advertised [in September 2018], which the complainant applied for but was refused. July 2018, Act no. 90/2018, on personal protection and the processing of personal information. They also transposed the Privacy Regulation, (EU) 2016/679, as amended and incorporated into the EEA Agreement. The Act also replaced Act no. 77/2000, on the protection of personal data and the handling of personal information. 77/2000 deals with its resolution according to that law. On the other hand, the events of the latter complaint after the entry into force of Act no. 90/2018 and is therefore subject to its resolution in accordance with that Act.2. Scope - Responsible party - Rejection of part of the case Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automated and the processing by other methods than automatic of personal data that are or are to become part of a file. Scope of Act no. 77/2000, on the protection of personal data and the handling of personal data, and the powers of the Data Protection Authority according to them were analogous. more factors that are characteristic of him, cf. 2. tölul. Article 3 Act no. 90/2018 and point 1. Article 4 of the Regulation, cf. before the 1st number. Article 2 Act no. 77/2000. Processing refers to an action or series of actions where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation, cf. before point 2. Article 2 Act no. 77/2000. Oral disclosure of personal information as such does not fall nor does it now fall within the scope of the Data Protection Act. Accordingly, the part of the complaint concerning the processing of [public institution X] should be dismissed, as it was only an oral disclosure of personal information to [municipality Y]. about the complainant from [public institution X], they were entered in the electronic diary of [the representative of the municipality]. Subsequently, they were used in the preparation of decisions on the termination of an employment contract with the complainant on the one hand and on the other hand on employment for another job which he applied for. In this respect and taking into account the above provisions, the aspect of the case concerns the processing of personal data which falls within the competence of the Data Protection Authority. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation, cf. before point 4. Article 2 Act no. 77/2000. As such, [municipality Y] is considered to be responsible for the processing in question.3. Legal environment All processing of personal data must be covered by one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 of Regulation (EU) 2016/679, cf. before Article 8 Act no. 77/2000. Has [municipality Y] relied on the fact that the complainant had given his consent for the municipality to obtain information from [public institution X], cf. 1. tölul. Article 8 Act no. 77/2000. Although [municipality Y] has not specifically referred to it, it should also be mentioned that the processing of personal data is permitted if the processing is necessary in the exercise of official authority by the responsible party, cf. 5. tölul. Article 9 Act no. 90/2018, Coll. point e of the first paragraph. Article 6 of Regulation (EU) 2016/679, cf. before point 6. Article 8 Act no. 77/2000. It will not be seen that other processing authorizations can be considered due to the processing that is being discussed in the case. According to point 7. Article 2 Act no. 77/2000, consent was defined as a special, unequivocal statement made by an individual of his own free will that he consented to the processing of certain information about himself and that he was aware of its purpose, how it was conducted, how privacy would be ensured, that he was entitled to withdraw his consent, etc. The complainant has relied on the fact that the processing in question in this case may have involved sensitive personal information, cf. 3. tölul. Article 3 Act no. 90/2018 and the first paragraph. Article 9 of Regulation (EU) 2016/679, cf. before point 8. Article 2 Act no. 77/2000. In the opinion of the Data Protection Authority, it cannot be seen from the case file that this was sensitive personal information within the meaning of the cited provisions. Accordingly, does not attempt the conditions for the processing of such information, cf. Paragraph 1 Article 11 Act no. 90/2018 and the second paragraph. Article 9 of the Regulation, cf. before the first paragraph. Article 9 Act no. 77 / 2000. In addition to the authorization according to the above, the processing of personal information must satisfy all the principles of the first paragraph. Article 8 Act no. 90/2018, Coll. Paragraph 1 Article 5 of Regulation (EU) 2016/679, cf. before the first paragraph. Article 7 Act no. 77/2000. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1 of Article 8 of Act no. 90/2018 and point a of the regulation provision, cf. before point 1 of point 7). Article of Act No. 77/2000); that they shall be sufficient, relevant and not in excess of what is necessary in view of the purpose of the processing (point 3 of Article 8 of Act No. 90/2018 and point c of the regulatory provision, cf. before point 3 of Article 7. Act No. 77/2000); and that they are reliable and updated as necessary (Point 4 of Article 8 of Act No. 90/2018 and point d of the Regulation provision, cf. previously Point 4 of Article 7 of Act No. 77/2000). an assessment of whether the processing of personal data has complied with the principles of the data protection legislation may, among other things, need to take into account provisions on the obligation to provide education. In view of the fact that the obligation to provide education [of municipality Y] became active when the information was obtained from [public institution X], it must be assumed that the rules of Act no. 77/2000 applies to this issue, cf. discussion of legal transposition in Chapter II.1. According to the first paragraph. Article 21 of the Act, the party responsible, when obtaining personal information from other than the data subject, was at the same time to inform the data subject and inform him of the name and address of the data controller and the purpose of the processing, as well as other information, to the extent necessary, the special circumstances that prevailed in the processing of the information, so that the data subject could protect his interests, cf. further paragraph 3. of the provision.4.Conclusion4.1.Collection of information about the complainant from [X] and related processingAs mentioned above, this case concerns in the first place the collection [of municipality Y] of information about the complainant from [public institution X], as well as their registration and use in for the purpose of deciding on his dismissal […] from [sub-agency Z]. Has the municipality relied on the fact that this processing was based on the complainant's consent, cf. 1. tölul. Article 8 Act no. 77/2000, but the complainant has refused to have agreed to the processing. Article 2 Act no. 77/2000, taking into account the differences between [municipality Y] and the complainant, in particular with regard to the employment relationship that had already been established. For that reason, it cannot be agreed with [municipality Y] that the processing could have been based on the complainant's consent according to point 1. Article 8 of the Act. However, it must be taken into account that in the comments on Art. in the bill that became Act no. 77/2000 states that point 6. of the provision applies to the processing of information on behalf of the government related to the handling of public authority. This primarily means making government decisions. In administrative law, it is generally considered that decisions on dismissal of individuals from public office are considered to be government decisions. on the part of [municipality Y] on the dismissal of the complainant from public service at [sub-agency Z]. Accordingly, the Data Protection Authority considers it possible to assume that the processing was permitted on the basis of point 6. Article 8 Act no. 77 / 2000. It will then be decided whether the processing has complied with the principles of the first paragraph. Article 7 Act no. 77/2000. It is undisputed that the complainant attended a meeting with employees of [municipality Y in June 2018] where the municipality's acquisition of information from [public institution X] was discussed. During the investigation of the case, however, the complainant stated his position that he believed that the information had been obtained from certain employees [X] before the meeting, but that no statement had been made in support of this statement. In this connection, it also appears that the municipality has obtained information on the nature of the complainant's retirement from [X], but there is no evidence in the case that that information was originally obtained from the institution, or that [municipality Y] had taken the initiative to obtain them in other ways. On the contrary, it can be deduced from the municipality's case preparation that its intention was to verify the information in question, which it had received, by obtaining further information from [X]. According to this, the Data Protection Authority considers it unproven that the municipality obtained information about the complainant before the meeting of its employees with him. It will therefore be assumed that the complainant was informed at the meeting that the information gathering from [X] is ongoing. The Data Protection Authority considers that by doing so, the municipality has fulfilled its educational obligation according to Article 21. Act no. 77/2000. Furthermore, it will not be considered unnatural for the municipality to have verified information on the nature of the complainant's retirement, which it had previously received, by obtaining further information from [public institution X]. In addition, it appears that [municipality Y] obtained the information in question about the complainant directly in order to ensure the reliability of information previously received by the municipality. It cannot be deduced from the case file that the municipality has undertaken too extensive information gathering for this purpose. Article 7 Act no. 77/2000 towards the complainant in the processing that is being discussed here.4.2. Use of available information when rejecting a job application the discussion in section II.5.2., in the decision to reject the complainant's application for the position of [director] at [sub-agency Z] .In the comments on Art. in the bill that became Act no. 90/2018 states that with the processing of the government related to the exercise of public power, cf. 5. tölul. of the provision, is primarily concerned with the making of government decisions. In administrative law, it is generally considered that decisions on employment in public office are considered government decisions. and be necessary for the preparation of a decision on the appointment of a [director] to [sub-agency Z] and the rejection of the complainant's application for the post in question. Accordingly, the Data Protection Authority considers it possible to assume that the processing was permitted on the basis of point 5. Article 9 Act no. 90/2018, Coll. point e of the first paragraph. Article 6 Regulation (EU) 2016/679. It will then be decided whether the processing has complied with the principles of the first paragraph. Article 8 Act no. 90/2018, Coll. Paragraph 1 Article 5 of Regulation (EU) 2016 / 679. In the opinion of the Data Protection Authority, it must be considered that the complainant should have been aware that information about him, which was already available at [municipality Y], could be used in deciding on his application for the position of [director] at [Sub-agency Z]. It will not be considered that the use of the information was incompatible with the original purpose behind its collection. In view of the above, the Data Protection Authority considers that it can be assumed that [municipality Y] has complied with the principles of the first paragraph. Article 8 Act no. 90/2018, Coll. Paragraph 1 Article 5 of Regulation (EU) 2016/679, towards the complainant in the processing under discussion here. ] complied with Act no. 77/2000, on the protection of personal data and the handling of personal data. 90/2018, on personal protection and processing of personal information, and Regulation (EU) 2016 / 679.Helga Þórisdóttir Helga Sigríður Þórhallsdóttir


    





















  
                    Privacy PolicyLegal DisclaimerAccessibilityService DeskTwitter