Persónuvernd (Iceland) - 2020061979

From GDPRhub
Persónuvernd - 2020061979
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 38 GDPR
Article 39 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 29.06.2022
Published: 04.08.2022
Fine: n/a
Parties: Íslensk erfðagreining
National Case Number/Name: 2020061979
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA held that a there is a conflict of interest when a DPO is simultaneously also a company's senior lawyer, deputy CEO or board member. However, a DPO can hold the position of compliance officer.

English Summary

Facts

The Icelandic DPA started an investigation into a genetic research company. More specifically, to assess the company's Data Protection Officer (DPO), as well as the performance of the DPO's tasks.

The DPA requested information from the company to determine if and how the company's DPO was compatible with Article 38 GDPR. The DPA stated that the decision to investigate the DPO was made with the intention of ensuring compliance, not because it assumed the requirements of the GDPR were not being followed.

The DPA wrote two letters, but the company did not respond to any of them within the prescribed deadlines. After a phone call, the DPA received a response almost two months after the first letter had been sent.

Holding

After reviewing the responses from the controller, the Icelandic DPA concluded that there were no violations in relation to the obligations to appoint a DPO (Article 37), to involve the DPO in relevant matters (Article 38(1)), and to provide the DPO with the necessary resources (Article 38(2)).

However, the DPA held that the controller violated the obligation to ensure the DPO's independence pursuant to Article 38(3). The acting DPO at the time of the investigation also held the position of deputy CEO, senior lawyer and board member. The DPA held that that could lead to a conflict of interest.

The current DPO also held the position of senior lawyer. The DPA held that this also constituted a conflict of interest.

The DPA instructed the controller to ensure that the acting DPO would not be responsible for other tasks and duties that may lead to a conflict of interest. The DPA further noted that the despite the delayed answers, it would not impose a fine, taking into account the fact that the information was eventually received as well as the COVID-19 outbreak.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Decision on the status of the personal protection representative of Íslenskr gerenálys ehf

Case no. 2020061979

4.8.2022

Personal protection has completed an assessment of the position of the personal protection representative of Íslenskr geninálys ehf. The conclusion of the audit was that no comments were made regarding the involvement of privacy protection officers in issues related to privacy protection or the resources they had been given to carry out their tasks.

On the other hand, it was the conclusion of the Data Protection Authority that the company had not ensured that the other tasks and duties of the data protection officers could not lead to conflicts of interest due to their tasks as data protection officers, and instructions were given for improvements in this regard.

Decision

due to an assessment of the position of the privacy representative of the Icelandic Genetic Analysis, in case no. 2020061979

i
Procedure
1.
Start of case – Request for clarifications and data

By letter, dated On September 1, 2020, Personal Protection informed the Icelandic Genetic Analysis that the organization had decided to conduct an assessment of the position of the company's privacy officer, i.e. to check whether the requirements for the position of personal protection officer in law no. 90/2018 on personal protection and processing of personal data and regulation (EU) 2016/679, cf. Paragraphs 1 and 3 Article 39 and number 2. Paragraph 1 Article 41 of the Act and point b of paragraph 1 Article 58 of the regulation. In the Personal Protection Authority's letter, it was stated that the decision to review the position of the privacy protection representative at Icelandic Genetic Analysis did not imply that the Personal Protection Authority believed that the requirements of the law had not been complied with, but that the goal was to verify that the position of the privacy protection officer at Icelandic Genetic Analysis was compatible with the privacy legislation. It would be expected that audits of this type would be carried out in good cooperation between the Personal Protection Agency and the relevant parties. With reference to the above, the Data Protection Authority requested information from the Icelandic genetic analysis on whether and how the position of the company's data protection representative was compatible with the specific provisions of Article 38. of the regulation. The Data Protection Authority also requested that the company submit relevant data that demonstrated compliance with the above.

Personal protection did not receive answers from the Icelandic genetic analysis within the prescribed deadline, and the agency's mission was therefore repeated with a letter dated October 7, 2020. Since no response was received to the reiteration letter from the Personal Protection Agency, the matter was repeated a second time in a phone call on November 3, 2020. with the representative of relations at Icelandic genetic analysis, where a two-week period was requested to answer the question. By email on the same day, the Personal Protection Agency granted the requested deadline, i.e. to 5 p.m., but it was noted that the agency considered it to be a deadline. Later the same day, an e-mail was received from the representative of communications where once again a deadline was requested, until 23.00 p.m. With a letter from the Personal Protection Agency to the company, dated 18. s.m., says that if the organization does not receive the company's answers 23. s.m., as well as relevant data, it may be grounds for the imposition of administrative fines, cf. Number 5. Paragraph 1 Article 41, paragraphs 1 and 3 Article 46 Act no. 90/2018, cf. point e, paragraph 1 Article 58, paragraphs 1 and 5 Article 83 of regulation (EU) 2016/679.

2.
The answers of the Icelandic genetic analysis

On November 23, 2020, Personal Protection received the response of the Icelandic genetic analysis, dated s.d. Attached was the mission letter from the privacy representative of the Icelandic Genetic Analysis, dated 9 September s.á., issued by the CEO of the company. In the reply letter, reference is made to the letter from the Personal Protection Agency, dated 7 October s.á., and apologized for the delay in responses, which can be attributed to the fact that the initial letter went wrong, as well as many aspects of the company's traditional work being delayed and out of control due to the COVID-19 epidemic .

In the response letter of Íslenskr genéanalysi, the implementation of the current privacy legislation in the company's operations is reviewed.

When law no. 90/2018 has entered into force, if [A] lawyer has been appointed as the privacy representative of Icelandic genetic analysis. Both she and [B]'s lawyer attended training on the implementation of Regulation (EU) 2016/679 at The International Association of Privacy Professionals (IAPP). [A] also sat on the company's committee, which is now called the Personal Protection Committee of Icelandic Genetic Analysis. The committee meets at least monthly and more often if necessary. The director of Icelandic genetic analysis sits on the company's board of directors and represents the board in relation to the company's relations with the data protection officer, including all his reporting to the company. A mission letter issued by the CEO of the company applies to the duties of the privacy officer.

[A] retired from Icelandic genetic analysis in May 2020 and it was decided that [C] the company's chief legal officer would be its privacy representative temporarily. Lawyer [D] has also been hired as the company's data protection representative and will start work in January 2021.

In the answers of the Icelandic genetic analysis, it is stated that the appropriate and timely involvement of the privacy protection officer in all issues related to personal protection is ensured by the independent powers that the privacy protection officer has according to his mission letter and by his seat in the company's Privacy Committee, which closely monitors all planned processing of personal information and assesses, among other things, together with representatives in the committee whether the planned processing calls for an assessment of the impact on personal protection. The quality manager and the information security manager sit on the committee and are very well suited to be a data protection representative to help them perform their duties, among other things because it is impossible for new processing of personal data to start without their involvement. In this way, the quality manager is responsible for documenting and maintaining all procedures, (e. Standard Operating Procedures) that must be in place before the new processing of personal information at the Icelandic genetic analysis laboratory begins. The company's laboratory has received ISO 9001 certification, which is renewed annually when the mentioned procedures are taken out by the certification body. In his daily work, the security manager monitors the security of the information systems used in the processing of personal information and works closely with all system managers and heads of departments. It also states that by far the largest part of the processing of personal information carried out by Íslensk genetic analysis is based on the permits of the Scientific Ethics Committee, cf. law no. 44/2014 on scientific research in the field of health, as well as permits from the Personal Protection Agency as the case may be. The processing is therefore subject to stricter controls than generally happens and cannot normally start until a government permit is available. The data protection officer has easy access to said licenses and applications for them, which enables him to monitor and evaluate all planned processing of personal data within the company.

In the answers of the Icelandic genetic analysis, it is also stated that the mission letter of the company's data protection representative gives him all the necessary authorizations to carry out his tasks and access to personal information and processing operations. His seat in the company's Privacy Committee is also a powerful tool to enable him to carry out his duties, as a central arrangement has been established to ensure that personal data is not processed until the committee has reviewed and carried out the necessary assessment and documentation of the processing.

The mission letter of the privacy protection officer also guarantees his independence in his work and that he does not receive any instructions that are incompatible with the law, his position and permits and government orders that apply to the company's processing of personal information. The mission letter also ensures that he reports directly to the highest authority of the company. The current data protection representative has easy access to the CEO of the company and attends all regular meetings of the executive board.

The company's answers also state that the personal representative's mission letter specifically mentions that he should not initiate or plan the processing of personal information. He is only intended to supervise that the processing of personal information complies with the law and government orders and to give an opinion in this regard. The current data protection officer, who will perform the job until a new data protection officer starts working in January 2021, is also the company's chief legal officer. His main job is to provide the company and those who work there with the best possible legal advice and to ensure that the company's activities are in accordance with the law at all times. Those jobs are compatible with the jobs that a personal protection officer is supposed to perform.

3.
Further explanations of Icelandic genetic analysis

With a letter from the Personal Protection Agency to Icelandic genetic analysis, dated On April 8, 2021, the agency requested further clarification regarding individual issues and the company responded with a letter dated 20 May s.á. The company's answers to the Privacy Protection's questions were as follows:

1. "Which tasks did the deputy director of the company carry out in the period from July 15, 2018 to May 16, 2020, when she also held the position of privacy officer."

During the period in question, the deputy director of Íslenskr genetic analysis assisted the company's CEO in his daily work, among other things, in relation to the company's parent and sister companies. She had no involvement or initiative in decision-making regarding the processing of personal information within the company. Then she was the company's compliance officer, but the role of the compliance officer is to enforce the company's ethics and conduct rules and to present the content of the rules at least. annually for its employees. Extremely limited processing of personal information took place in connection with compliance during the period.

2. "Which tasks did the company's general counsel perform in the period from May 17, 2020 to January 14, 2021, when he also held the position of data protection officer."

During the mentioned period, the senior lawyer of Icelandic Genetic Analysis provided general legal advice to the company's senior management, middle managers and employees. Among other things, he handled the legal review of contracts the company made with third parties and worked on the preparation of annual accounts, audits and internal audits. He also communicated with the company's lawyers and legal advisers, including for court cases, auditors and public bodies. He did not initiate the processing of personal information within the company or the organization of processing. Then he was one of the three people on the company's board and secretary of the board. The board of the company does not make any major decisions about its affairs, but it is in the hands of the CEO.

3. "Whether, and then what other tasks, its current privacy officer."

The current personal protection representative of Ísleniskar genetic analysis is also the company's compliance officer and deputy chief lawyer, cf. their role in the answers to questions no. 1 and 2. The company's senior lawyer can assign her to work on individual legal projects. A recent addition to the compliance officer's duties is to monitor that there is a procedure within the company that is laid down in law no. 40/2020 on the protection of whistleblowers.

4. "Whether there has been a case where a risk of conflict of interest has been considered due to the nomination of the parties listed in questions no. 1. – 3. as data protection officer. If such cases have occurred, information is requested on how they were dealt with."

The processing of personal information in the activities of Icelandic genetic analysis is of such a nature that it prevents conflicts of interest at the company. Icelandic genetic analysis involves extensive processing of personal information in the field of human genetics. There are always researchers at the company who initiate research that later involves the processing of personal information. That processing can never start until after receiving the permission of the Scientific Ethics Committee and the opinion of the Personal Protection Agency, according to law no. 44/2014 on scientific research in the field of health. The privacy representatives of Icelandic genetic analysis have never taken the initiative or been involved in the processing of personal information at the company.

5. "Whether there was a letter of mission for the company's privacy officer from July 15, 2018 - September 9, 2020."

The first mission letter of the privacy protection representative of Icelandic genetic analysis was published in September 2020.

6. "Whether procedures have been established, on the one hand, on how conflicts of interest that might arise due to the parties listed in questions no. 1. - 2. and, on the other hand, how to deal with conflicts of interest that may arise due to the party specified in question no. 3.”

Such procedures have not been established as they are not deemed necessary in view of the processing of personal information carried out by the company.

II.
Privacy Protection's opinion
1.
Legal environment of data protection officers

The responsible party and the processing party must appoint a personal protection representative when the main activity of the relevant party consists in extensive processing of sensitive personal information, cf. Number 3. Paragraph 1 Article 35 Act no. 90/2018, on personal protection and processing of personal information, cf. c-point 1. paragraph Article 37 of regulation (EU) 2016/679. The personal protection officer shall be appointed on the basis of his professional competence, in particular his expertise in the law and law enforcement in the field of personal protection and his ability to perform the tasks referred to in Article 39. of the regulation, cf. Paragraph 5 Article 37 of the regulation.

Article 38 states, among other things, about the position of a personal protection officer. of the regulation that it must be ensured that they deal with all matters related to the protection of personal information in an appropriate manner and in a timely manner (paragraph 1), that they must have the necessary resources to carry out their tasks, as well as access to personal information and processing operations (paragraph 2 .), that they receive no instructions regarding the execution of their tasks and report directly to the highest management level of the parties concerned (paragraph 3), and that other tasks and duties they perform do not lead to conflicts of interest (paragraph 6).

Paragraph 1 states about the tasks of the privacy officer. Article 39 of the regulation that they must at least take care, among other things, of informing the parties concerned and their employees about their obligations according to the regulation and other provisions on personal protection and providing them with advice in this regard (paragraph a), to monitor compliance with provisions of the regulation and other provisions on personal protection and policies on the protection of personal data (point b), to cooperate with the supervisory authority, (point d), and to be the point of contact for the supervisory authority regarding issues related to processing and seek advice, as appropriate, regarding other issues (item e).

In the European Data Protection Board's guidelines for personal data protection officers, as amended in April 2017, it says about the position of data protection officers that by ensuring their involvement in cases right from the start, according to paragraph 1. Article 38 of the regulation, compliance with the regulation and built-in and default personal protection are promoted. Therefore, for example, privacy representatives should be invited to regularly participate in senior and middle management meetings, have them present when decisions are made that may lead to or affect the processing of personal information, provide relevant information to them in a timely manner, give weight to their advice and document the reasons for non-compliance.

Regarding the authorizations and facilities of personal protection officers, the instructions state that among the things they must have as a minimum to be able to perform their work, according to paragraph 2. Article 38 of the regulation, there is enough time and access to support services within the activity so that they receive the necessary support, resources and information from other service areas.

The instructions also state that in paragraph 3. Article 38 the regulation states that personal protection representatives may not be given instructions on which outcome is desirable in the cases they have for processing on the basis of Article 39. of the regulation, how complaints should be investigated or whether they should consult the supervisory authority. In addition, they may not be given instructions on how to assess certain issues in light of the personal protection legislation, such as how the legislation should be interpreted. However, this does not mean that personal protection representatives have decision-making power beyond what is prescribed in Article 39. of the regulation and the responsible and processing parties are responsible for ensuring that the processing of personal data is compatible with the regulation.

According to paragraph 3 Article 38 the regulation further seeks to ensure the independence and protection of data protection officers by stipulating that they may not be dismissed or punished for the performance of their tasks. In this regard, it must be taken into account that punishments can be in various forms, direct and indirect, and therefore the provision can also cover those cases when it is only a threat or threat of some kind of punishment. The more safeguards that data protection officers have against unfair dismissal, the more likely they are to be able to act independently.

As far as conflicts of interest are concerned, the guidelines state that the requirement of paragraph 6. Article 38 that the other tasks and duties of the personal protection officer do not lead to conflicts of interest is closely related to the requirement for the independence of the personal protection officer. The general rule is that conflicts of interest, according to the provision, can occur if privacy representatives are in the company's top management (e. senior management), such as managing directors, operations managers, finance managers, etc., but this can also apply in other cases if the duties include makes decisions about the purpose and method of processing personal data. In addition, conflicts of interest may arise if external data protection representatives are asked to represent the responsible party or processor in court in a case concerning the processing of personal data by the party.

2.
Obligation to appoint a data protection officer

On the website of Íslenskr gerenálysi, it is stated that the purpose of the company's research is to seek explanations of human nature and the causes of diseases through research on the genetic material of Icelanders. According to point d, number 3. Article 3 Act no. 90/2018, cf. Paragraph 1 Article 9 of Regulation (EU) 2016/679, genetic information is sensitive personal information, but more specifically, it refers to personal information relating to a person's inherited or acquired genetic characteristics that provide unique information about the person's physiology or health and is obtained in particular by analyzing a biological sample from the person in question.

Accordingly, it is clear that Icelandic genetic analysis must appoint a personal protection representative cf. Number 3. Paragraph 1 Article 35 Act no. 90/2018, cf. c-point 1. paragraph Article 37 of regulation (EU) 2016/679.

3.
Appropriate and timely approach to issues

If we first look at the involvement of the privacy representative of the Icelandic Genetic Analysis in matters related to the protection of personal information, the company's answers say, among other things, that since the entry into force of Act no. 90/2018, there was an active Privacy Committee of the company, which, together with the privacy representative, sits in the security manager of information security and the quality manager. The committee meets at least monthly and with it it is guaranteed that no processing of personal data takes place until the committee has reviewed and carried out the necessary assessment of the planned processing. The company's data protection officer thus deals appropriately and in a timely manner with all issues related to the protection of personal information.

In the opinion of the Data Protection Authority, the above information of Icelandic genetic analysis does not give rise to comments on the involvement of the privacy protection representatives who have been appointed by the company in matters related to the protection of personal information, with reference to paragraph 1. Article 38 regulation (EU), cf. Paragraph 3 Article 35 Act no. 90/2018.

4.
Remedies – access to personal data and processing operations

In the personal protection officer's mission letter, dated September 9, 2020, states that the company's privacy officer is authorized to demand without delay all necessary information about the processing or planned processing of personal data, from all employees and departments of the company. He can recommend to the company's top management that assessments be made of the safety of individual processing operations or of the company's processing operations as a whole.

Is it the opinion of the Personal Protection Agency that with the aforementioned mission letter, the privacy protection representatives of Icelandic Genetic Analysis have been given the necessary resources to carry out their tasks, as well as access to personal information and processing operations, cf. Paragraph 2 Article 38 of the regulation, cf. Paragraph 3 Article 35 Act no. 90/2018. No comments will be made on the measures of the privacy protection officer until the letter of intent enters into force, since no processing of personal information has started until the company's Privacy Protection Committee has met with the participation of the privacy protection officer.

5.
Independence in work and possible conflicts of interest

In the responses of the Icelandic genetic analysis, it is stated that the company's privacy protection representatives have never taken the initiative or been involved in the processing of personal information at the company. There are always researchers at the company who take the initiative for research that later involves the processing of personal information. Since the company's operations and organization are this way, no conflicts of interest have arisen.

The duties of a personal protection officer are described in Article 39. of regulation (EU) 2016/679, as explained above. According to paragraph 6 Article 38 of the regulation, Icelandic genetic analysis must ensure that other tasks and duties that fall on the personal protection representative do not lead to conflicts of interest. This means that if there are conflicts of interest due to other tasks and duties, they should be transferred to another, but to ensure that the personal protection officer can continue to carry out the tasks that he is required to carry out according to Article 39. of the regulation.

When assessing whether there may be a conflict of interest, the position of the privacy officer in the company's management is considered, among other things. As explained above, the European Data Protection Board's guidelines for data protection officers state that the general rule is that conflicts of interest, according to paragraph 6. Article 38 of the regulation, can happen if privacy representatives are in the highest management of a company (e. senior management), such as managing directors, operations managers, financial managers, etc. Thus, the aforementioned requirement of paragraph 6. Article 38 of the regulation is closely related to the requirement for the independence of the data protection officer.

In the answers of the Icelandic genetic analysis, it is said that when the company's privacy officer also held the position of assistant director of the company, she assisted the director in his daily work. When the company's privacy officer has also held the position of the company's senior lawyer, he has, among other things, taken care of the legal review of contracts that the company has concluded with third parties and has communicated with the company's lawyers and legal advisors, including due to court cases. He was also one of the three people on the company's board and secretary of the board. It is also stated in Article 14. of the rules of procedure of the Norwegian Genetics Collection, which came into effect on November 10, 2012, that the museum's board of directors should be composed of three people elected by the company's board. The conclusion of the rules states that the company's chief legal officer is on the board of the museum together with its director and the company's representative vis-à-vis Personal Protection and the Scientific Ethics Committee.

As for the company's current privacy officer, she is also the deputy general counsel.

Taking into account the nature of the aforementioned tasks and the position of the privacy protection representatives who have been appointed at Icelandic Genetic Analysis in the company's top management, in the opinion of the Data Protection Authority, it cannot be ruled out that conflicts of interest could have occurred. The same applies to the position of the current data protection officer, insofar as she has to perform the duties of a senior lawyer.

In the opinion of the Data Protection Authority, the above arrangement is incompatible with the role and tasks of the data protection officer according to Article 39. of the regulation and suitable for causing conflicts of interest according to paragraph 6. Article 38 her

On the other hand, the Data Protection Authority does not comment on the fact that the company's privacy officer also holds the position of compliance officer, insofar as the role of the compliance officer is to enforce the company's ethics and conduct rules and to introduce the content of the rules to its employees.

6.
Summary of findings and guidelines

From the information that Íslensk genetic analysis has provided to Personal Protection, it is the conclusion of the organization that no comments are made regarding the involvement of the privacy representatives who have been appointed at the company in matters related to the protection of personal information, cf. Paragraph 1 Article 38 regulation (EU), cf. Paragraph 3 Article 35 Act no. 90/2018.

At the same time, it was the conclusion of the Data Protection Authority that no comments are made on the resources that the company's data protection representatives have been given to carry out their tasks, cf. Paragraph 2 Article 38 of the regulation, cf. Paragraph 3 Article 35 of the law.

In addition, it is the conclusion of the Personal Protection Agency that the Icelandic genetic analysis has not ensured that other tasks and duties of the company's privacy protection officer cannot lead to conflicts of interest, cf. Paragraph 6 Article 38 of the regulation, cf. Paragraph 3 Article 35 of the law.

With reference to the above, the Data Protection Authority instructs Icelandic genetic analysis to ensure that the company's current data protection representative does not perform other tasks and duties that may lead to conflicts of interest.

As explained at the beginning of this decision, Personal Protection received the responses and requested data from the Icelandic genetic analysis after repeating its mission three times. In the opinion of the Personal Protection Agency, the delay in the responses and delivery of the data of the Icelandic Genetic Analysis is reprehensible in light of the institution's supervisory role. In spite of that, this case has not been put into criminal proceedings, as the company's answers and the requested data were eventually received by the Data Protection Authority, in addition to which the circumstances due to the outbreak that has erupted are taken into account, cf. Paragraph 1 Article 47 Act no. 90/2018.

Privacy, 29 June 2022

Valborg Steingrímsdóttir                     Gyða Ragnheiður Bergsdóttir