Difference between revisions of "Persónuvernd- nr. 2019/232"

From GDPRhub
Line 29: Line 29:
|National Case Number:||nr. 2019/2328
|National Case Number:||nr. 2019/232
|European Case Law Identifier:||n/a
|European Case Law Identifier:||n/a

Revision as of 09:46, 27 January 2020

Persónuvernd- nr. 2019/232
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1) GDPR

Article 15 GDPR

Type: Complaint
Outcome: Rejected
Decided: 31.10. 2019
Published: 12.11.209
Fine: None
Parties: Anonymous
National Case Number: nr. 2019/232
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Icelandic
Original Source: Persónuvernd

The Persónuvernd issued a decision on the disclosure of personal data to third party in the context of a recruitment process in line with Article 5(1) GDPR principles.

English Summary


The complainant applied for a job in a public agency. He asked the government agency to disclose the others applicant's documents. Following the access request, the government agency notified the others applicants. The notification included information concerning the complainant’s request, including personal data.  However, the complainant did not consent to share information about his request with the other applicants. Thus, the complainant brought a complaint before the Persónuvernd.


Should data subjects be notifed of an access request which concerns their personal data?


The Persónuvernd considered that since the request concerned the personal data about his fellow applicants, the complainant should have also assumed that the same applicants had the right to know who was granted the access to their personal data. Thus, it was not required to inform nor to ask the consent of the complainant about the disclosure. The Persónuvernd found that the processing was in line with Article 5(1) GDPR principles and its national law.


Add your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Icelandic original for more details.

Case no. 2019/232
12.11.2019 The
Data Protection Authority has ruled that the disclosure by a public body of personal information about a complainant, in a notification of his request for access to all data on a recruitment process with the agency, sent to other applicants, is in accordance with Act no. 90/2018, on privacy and the processing of personal information. 
On October 31, 2019, the Board of the Privacy Protection issued a clear ruling in case no. 2019/232:

Complaint Proposal
On February 8, 2019, the Privacy Complaint received from [A] (hereinafter referred to as "Complainant") on the disclosure of [public agency X] in his name as a single applicant for [X] to other applicants for the job, ie. in a notification to all of them regarding his request for their application documents following a recruitment process at [X].
By letter, date. On February 15, 2019, the [Agency X] was invited to provide explanatory notes on the complaint, including the fact that the processing was deemed to be in compliance with points 1 and 3. Paragraph 1 Article 8 Act no. 90/2018. Answered by letter, dated. 28 cm It states that it is undisputed in the case that the complainant is a party to the case, just like all the applicants who applied for the job at [X] who was advertised for application on November 2, 2018. It is stated that the complainant requested a copy of all data that would have been used in the assessment of the applicants for the job in question and states that, as an applicant for a job with the public sector, a party to the case has the right to study the data in accordance with Article 15. Administrative Law no. 37/1993 with the restrictions set out in Articles 16 and 17. Act. The principle of administrative law is that a party to a case is entitled to all the documents of the case and to the exceptions to access rights, which can be found in Articles 16 and 17. administrative law, should be interpreted narrowly. In explaining the narrow interpretation of exceptions to access, [X] in his letter refers to the Ombudsman's assessment of what data can be excluded from the parties' access, but for example he mentions photographs of other than the applicant, information on family interests, information from a medical professional accompany the application, information from the reviewer's comments and other things that can be equated with not being information that is relevant in assessing competence. Furthermore, a reply letter [X] states that, in the opinion of the Ombudsman for Parliament, it may be natural to look for the position of those who are to submit information (ie other applicants) before deciding in a case like this about what is delivered. however, the outcome of what is delivered is not dependent on their will, but the government should make that decision. Refers [X] in this regard to the opinion of the Ombudsman of Parliament of 3 February 2015 in case no. 8117/2014.
In accordance with the above opinion of the Ombudsman of Althingi and Art. therefore, it has been decided to inform the other applicants about the treatment [X] at the request of the complainant of all data related to the application process and to allow them to comment on the request and whether the exception is Article 17. administrative law should apply to any of the personal information contained in their application documents. When drafting the notification pursuant to Art. the Administration Act has not been considered to exclude the name of the data processor, as other applicants should also be entitled to all the data of the administration, including the data request itself. That right was based on the right of the complainant.
By letter, date. On March 12, 2019, the complainant was given the opportunity to comment on the above explanations [X]. Complainant's letter was received on April 3, 2019. There, the complainant commented that [X] did not respond specifically to the Privacy Policy's question of how the complainant's name publication, in a notification to other applicants for a data request, was found to be compatible with Article 8. Act no. 90/2018 on privacy and processing of personal information. The complainant considers that it was not necessary to notify all […] applicants as to who the applicants had requested the data to be and that there is nothing to explain how the aforementioned name analysis complies with the provisions of Act no. 90/2018 on privacy and processing of personal data, in particular the proportionality considerations provided for in Article 8. Act. The complainant also considers that the name analysis in the said notification [X] was not legitimate, fair and transparent to him.
By letter, date. On April 11, 2019, [X] was given the opportunity to comment on the above-mentioned letter of complaint. Since the Data Protection Authority considered its previous inquiry into how the processing had been considered to be compatible with points 1 and 3. Paragraph 1 Article 8 Act no. 90/2018 still unanswered, explanations were specifically requested in this regard. The Data Protection Authority further requested that information be provided when and in what way the complainant had been informed that all […] applicants for the job would be sent the aforementioned notification with a name analysis.
[X] replied by letter, dated. May 6, 2019. It states that it has informed other applicants of who has submitted to their application documents on the basis that they have been considered parties to the case and thus have the right of access to the case documentation according to Art. Article 15 Administrative. Therefore, it was considered [X] that other applicants should be informed of what was planned to deliver the data, as each applicant was permitted to request a copy of the data request. [X] considered that applicants had an interest in knowing which data in question would be delivered. The Privacy Policy inquiry was not answered in any other way.
Assumptions and conclusions

Scope - Responsible
Scope of Act no. 90/2018 on Privacy and Processing of Personal Information and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the powers of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of methods other than automatic processing of personal data that is or should be part of a file.
Personal information includes information about a person or person who is personally identifiable and can be considered as personally identifiable if he or she can be directly or indirectly identified by reference to his or her identity or one or more of the characteristics characteristic of him, cf. Item 2 Article 3 of the Act and Paragraph 1. Article 4 Regulation.
Processing means an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. Item 4 Article 3 of the Act and Paragraph 2. Article 4 Regulation.
This case concerns the dissemination of [public agency X] in the name of the complainant as one applicant for a job at [X] to other applicants for the job, ie. in a notification to all of them about the applicant's request for their application documents following a recruitment process at [X]. Respectfully, and with due regard to the foregoing provisions, this matter concerns the processing of personal information that falls under the sphere of privacy.
The person responsible for processing personal data complies with Act no. 90/2018 is named as the guarantor. According to paragraph 6. Article 3 the Act refers to an individual, legal entity, governmental authority or other party who decides alone or in collaboration with other purposes and methods for the processing of personal information, cf. Item 7 Article 4 Regulation. As is the case here, the [public institution X] is considered to be the guarantor of the said work.
Legality of processing
All processing of personal data must be subject to any of the provisions of Article 9. Act no. 90/2018. In this context, it is considered that this concerns the processing of personal information by the government which, on its part, is supported by the provisions of the Administration Act no. 37/1993. Therefore, in particular, an attempt is made here to authorize the processing of personal data pursuant to Paragraph 3. Article 9 Act no. 90/2018, to the extent that such information may be processed, it is necessary to comply with the legal obligation of the guarantor.
In addition to the authorization according to the above, the processing of personal data must satisfy all the basic requirements set out in principle 1, point 1. Paragraph 1 Article 8 Act no. 90/2018, cf. Article 5 Regulation (EU) 2016/679. Provisions include, inter alia, that personal data should be processed in a legitimate, fair and transparent manner towards the data subject (point 1); that they are derived for clearly stated, legitimate and objective purposes and not further processed for other and incompatible purposes (para. 2); and that they should be sufficient, appropriate and not in excess of what is necessary in relation to the purpose of the processing (Point 3).
In assessing whether a personal data processing authority exists, it may be necessary to consider provisions in other legislation. As is the case here, especially in the Administrative Law no. 37/1993, but according to par. Article 1 of them, the law applies to the administration of state and municipalities when the government makes decisions on the rights or obligations of persons, cf. Paragraph 2 Article 1 In particular, Articles 14, 15 and 17 are then examined. Act.
In Article 14 Act no. 37/1993 states that no party to the case has the right to comment on its content pursuant to Art. Article 13 the same law shall, as soon as practicable, be brought to the attention of the party that his case is pending, unless he is aware of it. Since it is considered the principle of administrative law that only the person requesting access to data is a party to the access right case, and not others who are parties to the administrative matter in Article 14. Act no. 37/1993 does not apply to the case in question.
In the first paragraph. Article 15 Act no. 37/1993 states, among other things, that a party to the case is entitled to access to documents and other documents relating to the case. Then Article 17 the same law deals with the restriction of those rights because of a much wider public or private interest. In the comments on the provision in the bill which became an administrative law, it must be regarded as a narrow exception and therefore the principle is that a party has the right to study the case documents. Also, the comments state that the emphasis is on assessing whether the authorization should be weighed and assess whether the interests of the parties in accessing the data are greater than the public or private interests that call for limitation that access. There, consideration will be given to individuals or legal entities who have significant interests in keeping their information confidential.
The Ombudsman for Althingi has discussed this interest assessment in connection with the request for a job application for access to other applicant's application documents, including in an opinion of February 3, 2015 in case no. 8117/2014. It states that from the wording of Article 17. it is clear from the administrative law that the government must assess the conflicting views that exist in each case and then for individual data. Therefore, it is not possible to deny a party a case for access to data with general considerations that information of a certain kind is generally liable to cause other damage or argues that a party has not shown what interests it has in obtaining information in your hands. The private interests of others must therefore be much richer than the interests of the parties of the case by utilizing the knowledge of the case evidence. Furthermore, the provision, as stated in the legal documentation, is based, inter alia, on persons who have a substantial interest in keeping information about them secret.
Furthermore, the aforementioned Opinion of the Ombudsman of Parliament states that it may also be natural to look for the position of the information concerned and the interests of the case before deciding to grant access to certain documents, even if the outcome of the case is not dependent on the person's intention. . The government must decide for itself what information to provide on the basis of the interest assessment referred to in Article 17. administrative reserve. The Parliamentary Ombudsman mentions, for example, data that may be covered by the exception, including information in reviews and medical certificates, and in this context specifies personal information that is not generally relevant in assessing applicants' competence, provided that the information is not based on resolution. in the case in question. Furthermore, it is stated that the Ombudsman of Parliament does not consider applicants for public office to be able to count on the confidentiality of the processing of the information and data that they provide to the Administration in other respects than with respect to the nature of the information that they fall within the exception of the Administrative Procedure Act.
In the second paragraph. Article 5 Act no. 90/2018 states that the Act does not limit the right of access to data laid down in the Information and Administrative Laws.
Privacy considers it clear that in carrying out the incidental assessment required in Article 17. Act no. 37/1993 may be necessary to provide them with the data concerning the opportunity to comment on the request and whether the exception to the provision applies to any of the personal information contained in their application documentation. The Data Protection Authority also considers it important for the aforementioned individuals to be informed of who receives their personal information from the application data.
This conclusion will also be supported by the principle of point 1. Paragraph 1 Article 8 Act no. 90/2018 that personal information should be processed in a legitimate, fair and transparent manner towards the data subject. Paragraph 39 of the preamble to the Regulation states further explanations that individuals should be clear when collecting, using, viewing, or otherwise processing personal information about them and to what extent the information is or will be processed.
In paragraph 3. Paragraph 1 Article 8 Act no. 90/2018 is a so-called proportionality rule which implies that personal information should be sufficient, relevant and limited to what is necessary for the purpose of the processing. Given the above and other applicants may have an interest in knowing who is receiving such extensive information about them and that information on the complainant's name on a data request is not considered sensitive or sensitive in nature from privacy and privacy considerations that the disclosure in question complies with the requirements imposed by the principle of proportionality, point 3. Paragraph 1 Article 8 Act no. 90/2018. It is also considered that the Data Protection Authority believes that other applicants had the right to request information about the applicant's data request to [X] and the dissemination of personal information about it to him.
With reference to the above, cf. in particular Article 17. administrative law, it is the Privacy Act's opinion that the dissemination [X] of information about a complainant's data request to other applicants was based on the authority in point 3. Article 9 Act no. 90/2018.
According to the evidence of the case, the complainant was not notified that information about his request above would be shared with other job applicants. It is therefore considered whether [X] should have provided the complainant with information about the disclosure in accordance with the provisions of Act no. 90/2018 and Regulation (EU) 2016/679.
The right of information of the data subject to be considered here is dealt with in the 13th Regulation, cf. at the same time, paragraphs 1 and 2 Article 17 Act no. 90/2018. More specifically, Article 13 provides. the regulation applies to the information that must be provided to the data subject when the guarantor collects personal information from him. The information in question, ie. the complainant's name on the data request, was indeed received from him himself but was not obtained by the guarantor for a specific purpose within the meaning of Article 13. of the regulation which is required to educate the data subject. In the opinion of the Data Protection Authority, [X] is therefore not considered to have a duty to educate the complainant about the disclosure with reference to the aforementioned provisions. Here, it should be seen that the request of the complainant received a large amount of personal information about his fellow applicants, and he could reasonably have assumed that their right to obtain information about who was granted access to the data. In this connection, the aforementioned opinion of the Ombudsman of Parliament in case no. 8117/2014 concerning the fact that the complainant had not been able to plead confidentiality about the data request he submitted as information contained therein was not of the nature that they fell within the exception of the administrative law.
In all respects, it is the conclusion of the Data Protection Authority that the processing of [the public agency X] on personal information [A] when [X] sent a notification of its data request to all job applicants, in which the complainant was named, complied with Act no. 90/2018, on privacy and processing of personal information.
Notification [of Government Agency X] to applicants for her job, on request [A] for a copy of their application documents, was complied with Act no. 90/2018 on privacy and processing of personal information.
In Privacy, October 31, 2019
Björg Thorarensen
Chairman of
Aðalsteinn Jónasson Ólafur Garðarsson
Þorvarður Kári Ólafsson