Persónuvernd (Iceland) - 2020010394

From GDPRhub
Revision as of 12:32, 12 May 2021 by Msm (talk | contribs)
Persónuvernd (Iceland) - 2020010394
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 05.05.2021
Published: 07.05.2021
Fine: None
Parties: n/a
National Case Number/Name: 2020010394
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA stated that a municipality and a trade union did not comply with Article 6 GDPR when sharing complainant’s data without her knowledge and legal basis.

English Summary

Facts

The DPA received a complaint about the sharing of personal data between a municipality and a trade union.

The complainant requested that her workplace contribute to the cost of studies she pursued in parallel with her work. However, she was informed by an e-mail that she had already received the reimbursement from the union. The municipality obtained information about the studies and courses she had been paid for from the union's funds directly from the union. The complainant argued that her rights were violated because nor she nor her boss were not contacted and asked for receipts.

According to the municipality, when the inquiry was sent, the authorizations for the processing of personal information were not taken into account. The complainant had not been informed about the inquiry. The municipality also stated that procedures have been reviewed and it has been ensured that cases such as this will not be repeated.

Holding

The DPA stated that the disclosure of the complainant's personal data was not authorized. For that reason alone, it is the opinion of the DPA that the processing of a municipality and of a trade union of personal information about the complainant was not in accordance with Article 6 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

    Dissemination of personal information between a municipality and a trade union
      Case no. 2020010394
 
      
        5.5.2021
        
   
      The Data Protection Authority has ruled in a case where a complaint was made about disclosure
personal information between the municipality and the complainant's trade union in connection with
reimbursement of the costs of studies which the complainant pursued in parallel with his work. Í
The complaint states that the municipality sent personal information about the complainant
her union with a question about whether her studies were eligible for a grant
the union, but with the inquiry were copies of the complainant's accounts due
of the courses. In the union's response, he said that the study was eligible and that
the complainant had already received his studies paid for in full from the study fund
the union, as well as the dates and amount of the payments. According to answers
responsible party and the information available in the case was considered by the Data Protection Authority
was not authorized to share the information and that it did not
complies with Act no. 90/2018, on personal protection and processing of personal information.

    

    
    Ruling
On April 16, 2021, the Data Protection Authority announced the following
ruling in case no. 2020010394 (formerly 2019101965): I. Proceedings 1. Abstract
caseOn October 16, 2019 received
Privacy complaint from [A] (hereinafter the complainant) over disclosure
personal information between [municipality X] and [trade union Y]. By letters dated January 7, 2020,
[X] and [Y] were invited to provide explanations regarding the complaint. Answer [Y]
received by email on 14 p.m. and reply [X] was received by letter dated. 23. s.m.
By letter dated On 9 June this year, the complainant was invited to appear
comments on the responses of the responsible party. The complainant's reply was received
e-mail 2 July s.á. There were no comments on the answers
guarantor but on behalf of the complainant it was stated that she requested a ruling on them
processing of personal data in question.In the resolution of the case has been
cover all of the above data, although not specifically stated
all of them in the following ruling.The handling of this case has been delayed
due to a lot of work at the Data Protection Authority. 2. Perspectives
The complainant's complaint states that the complainant has
requested that her workplace, [Z], would contribute to the cost of training as
she worked concurrently. It is stated that the complainant handed over his boss
receipts for costs and that the payroll department [X] should have paid those costs.
On Monday 14 October 2019, however, the complainant was forwarded
an e-mail from his boss at [Z] accompanying the union's response
her, [Y]. The e-mail stated that she had already received the cost
paid by the union. Finally says that has not been contacted
her or her boss. Instead, the municipality had direct contact
with her union to get information about the study and the courses that
she had been paid from the union's funds and to the union
has provided that information. The complaint was also accompanied by a copy of an email from
the union stating that the complainant had been paid for the courses
fully from the union's study fund, as well as the dates and amount of the payments. The complainant considers that it has
has been violated because she or her boss have not been contacted
and asked for receipts but the municipality had obtained information from
her union, without her knowledge, of the studies and courses she took
has been paid for from the union's funds.3
guarantor - [union Y] In reply [Y] states that the union has replied to an e-mail that
received from the Human Resources Manager [X] on October 14, 2019. The e-mail was
asked whether the union paid for a course taken by the complainant and
an attachment from the complainant was accompanied by receipts from the complainant regarding the person in question
courses. In the union's reply, it was reported that she had
received these courses paid for by the union, as well as dates and amount
payments to the complainant. Other views were not put forward by him
of the union. 4. Perspectives
responsible party - [municipality X] In reply [X] states that on 14 October 2019 there was an e-mail
sent to [Y] with an inquiry about whether the union's vocational training fund
paid for courses specified on the complainant's receipts that followed
by e-mail [X] to the union. The answer says that the query has
was sent where the rules of procedure [X] provided that the conditions for
the municipality allocated grants for studies of this kind was to employees
first exercised their right to allocation from vocational training and career development funds. It also says that when the inquiry was sent, it had sources
for the processing of personal data have not been kept in mind where the purpose
has only been gathering information on whether the Vocational Training Fund
the union paid for the course in question. There was therefore no complainant
reported that the inquiry would be sent to the union. Furthermore
says that procedures have been reviewed and that cases such as this will not be ensured
repeat itself.II.Conditions and conclusion 1. Scope - Responsible Scope of Act no. 90/2018, on personal data protection and processing
personal information, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the law,
and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers
processing of personal information that is partially or fully automated and processing with
methods other than automating personal information that is or should be
part of a file.This case concerns the sending of e-mails containing
personal information about the complainant between [municipality X] and [the trade union
Y]. In that respect and with
In view of the above provisions, this case concerns the processing of personal data
which falls within the competence of the Data Protection Authority. The person responsible for the processing of personal information complies with Act no.
90/2018 is named the responsible party. As such, [X] and [Y] are each considered
be responsible for the processing of the personal information they share
emails.2.Legitiveness of processingAll
the processing of personal data must be subject to one of the authorization provisions
Article 9 Act no. 90/2018. In addition, the processing of sensitive personal information will be involved
comply with any of the additional conditions of paragraph 1. Article 11 of the Act. According to point 5. Article 9 Act no. 90/2018 and item e of the first paragraph. Article 6
Regulation (EU) 2016/679, the processing of personal data is permitted if it is
necessary for a project carried out in the public interest or in its application
public authority exercised by the responsible party. Then there is the processing of personal information
if it is necessary in the interests of legitimate interests as a guarantor or a third party
a party may exercise the interests or fundamental rights and freedoms of the data subject who
demand that the protection of personal information be more important, cf. 6. tölul. Article 9 Act no.
90/2018 and item f of the first paragraph. Article 6 Regulation (EU) 2016/679. In addition to the authorization according to the above, there will be processing
personal data to meet all the basic requirements of the first paragraph. Article 8 Act no. 90/2018,
sbr. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that
personal information shall be processed in a lawful, fair and transparent manner
towards the data subject (point 1); that they should be obtained in clearly specified,
legitimate and objective purposes and not further processed in other and
incompatible purpose (paragraph 2); and that they should be adequate, appropriate
and not in excess of what is necessary in view of the purpose of the processing (point 3). January 23, 2020, says no
authorizations for the processing of personal information have been taken into account in the dissemination
information about the complainant to the union. If the purpose was only
to obtain information on whether the study in question was eligible for a grant from a vocational training fund
of the trade union.In the answer of [trade union Y], dated January 14, 2020, states that
the union only answered a query received by the union from [X]
by e-mail on October 14, 2019. The municipality's inquiry was asked
whether the Vocational Training Fund paid for certain courses and in response
the union was informed that the complainant had already received the courses
paid in full from the Vocational Training Fund, in addition to the amount of the grants and
the dates of the payments. According to the answers of the responsible party and the information available in
In this case, the disclosure of the above personal information was not authorized
according to Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. When
for that reason, it is the opinion of the Data Protection Authority that the processing of [municipality X] and [the trade union
Y] of the personal information of the complainant did not comply with Act no. 90/2018, um
privacy and processing of personal information. C o r d a r d a r o r d: Processing of [municipality X] and [trade union Y]
personal information about [A] did not comply with Act no. 90/2018, on privacy
and processing of personal information.Privacy, 16 April 2021Helga Þórisdóttir Helga
Sigríður Þórhallsdóttir