Persónuvernd (Iceland) - 2020010394

From GDPRhub
Revision as of 10:03, 18 May 2021 by ManTechnologist (talk | contribs) (→‎English Machine Translation of the Decision: reformatting)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Persónuvernd (Iceland) - 2020010394
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 05.05.2021
Published: 07.05.2021
Fine: None
Parties: n/a
National Case Number/Name: 2020010394
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA stated that a municipality and a trade union did not comply with Article 6(1) GDPR when sharing complainant’s data without a legal basis.

English Summary

Facts

The DPA received a complaint about the sharing of personal data between a municipality and a trade union.

The complainant requested that her workplace contribute to the cost of studies she pursued in parallel with her work. However, she was informed by an e-mail that she had already received the reimbursement from the union. The municipality obtained information about the studies and courses she had been paid for from the union's funds directly from the union. The complainant argued that her rights were violated because nor she nor her boss were not contacted and asked for receipts.

According to the municipality, when the inquiry was sent, the authorizations for the processing of personal information were not taken into account. The complainant had not been informed about the inquiry. The municipality also stated that procedures have been reviewed and it has been ensured that cases such as this will not be repeated.

Holding

The DPA stated that the disclosure of the complainant's personal data was not authorized. For that reason alone, it is the opinion of the DPA that the processing of a municipality and of a trade union of personal information about the complainant was not in accordance with Article 6 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

 Ruling


On 16 April 2021, the Data Protection Authority issued a ruling in case no. 2020010394 (formerly 2019101965):

I.
Procedure

1.
Outline of case

On October 16, 2019, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) about the sharing of personal information between [municipality X] and [trade union Y].

By letters dated On January 7, 2020, [X] and [Y] were invited to provide explanations regarding the complaint. Answer [Y] was received by e-mail on the 14th cm and answer [X] was received by letter dated. 23. cm By letter dated On 9 June this year, the complainant was invited to submit comments on the responses of the guarantors. The complainant's reply was received by e-mail on 2 July. It did not comment on the responses of the responsible party, but the complainant stated that she requested a ruling on the processing of personal information in question.

In resolving the case, all of the above documents have been taken into account, although not all of them are specifically described in the following ruling.

The handling of this case has been delayed due to heavy work at the Data Protection Authority. 

2.
The complainant's views

The complaint states that the complainant requested that her workplace, [Z], contribute to the cost of studies she pursued in parallel with her work. It also states that the complainant handed over receipts to his superior for costs and that the payroll department [X] should have paid those costs. On Monday, October 14, 2019, the complainant, on the other hand, received an e-mail from her boss at [Z] accompanying her union's response, [Y]. The e-mail stated that she had already received the costs from the union. Finally, she or her boss was not contacted. Instead, the municipality had contacted her union directly to obtain information about the studies and courses she had been paid for from the union's funds and that the union had provided that information.The complaint was also accompanied by a copy of an e-mail from the union stating that the complainant had received the courses paid in full from the union's study fund, as well as the dates and amount of the payments.

The complainant considers that she was violated because she or her boss were not contacted and asked for receipts, but the municipality obtained information from her union, without her knowledge, about the studies and the courses she was paid for. from union funds.
3.
Perspectives of the guarantor - [union Y]

In its reply [Y] states that the trade union replied to an e-mail received from the Human Resources Manager [X] on 14 October 2019. The e-mail asked if the trade union paid for a course taken by the complainant and in the attachment to the e-mail were receipts from the complainant. of the courses in question. In the union's reply, it was stated that she had received these courses paid for by the union, as well as the dates and amount of payments to the complainant. No other views were expressed by the union.

4.
Perspectives of the responsible party - [municipality X]

In reply [X] states that on 14 October 2019, an e-mail was sent to [Y] asking if the union's vocational training fund paid for courses specified on the complainant's receipts that accompanied [X]'s e-mail to the union. The answer states that the inquiry was sent as work rule [X] stipulated that the condition for the municipality to allocate grants for this type of study was that employees first exercised their right to allocation from vocational education and training funds.

It is also stated that when the inquiry was sent, the authorizations for the processing of personal information were not taken into account, as the purpose was only to obtain information on whether the Trade Union's Vocational Training Fund paid for the courses in question. The complainant had therefore not been informed that the inquiry would be sent to the trade union. It also says that procedures have been reviewed and it has been ensured that cases like this will not be repeated.

II.
Assumptions and conclusion

1.
Scope - Responsible party

Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

This case concerns the sending of e-mails containing personal information about the complainant between [municipality X] and [trade union Y]. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. As such, [X] and [Y] are each considered to be responsible for the processing of the personal information they shared in e-mails.

2.
Legality of processing

All processing of personal data must be covered by one of the authorization provisions of Article 9. Act no. 90/2018. In addition, the processing of sensitive personal data must comply with one of the additional conditions of the first paragraph. Article 11 of the Act.

According to point 5. Article 9 Act no. 90/2018 and item e of the first paragraph. Article 6 of Regulation (EU) 2016/679, the processing of personal data is permitted if it is necessary for a project carried out in the public interest or in the exercise of public authority by the responsible party. The processing of personal data is also permitted if it is necessary in the interests of legitimate interests that the responsible party or a third party safeguards, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh, cf. 6. tölul. Article 9 Act no. 90/2018 and item f of the first paragraph. Article 6 Regulation (EU) 2016/679.

In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (point 3).

In the answer of [municipality X], dated 23 January 2020, states that no authorization was taken into account for the processing of personal information when disseminating information about the complainant to the trade union. If the purpose was only to obtain information on whether the study in question was eligible for a grant from the union's vocational training fund.

In the reply of [trade union Y], dated 14 January 2020, states that the union only answered a question received by the union from [X] by e-mail on 14 October 2019. The municipality's inquiry asked whether the vocational training fund paid for certain courses and the union's answer stated that the complainant had already received the courses are paid for in full from the vocational training fund, as well as the amount of the grants and the date of the payments.

According to the answers of the responsible party and the information available in this case, the disclosure of the above-mentioned personal information according to Article 9 was not authorized. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. For that reason alone, it is the opinion of the Data Protection Authority that the processing of [municipality X] and [trade union Y] of personal information about the complainant was not in accordance with Act no. 90/2018, on personal protection and processing of personal information.
Ruling:

The processing of [municipality X] and [trade union Y] of personal information about [A] was not in accordance with Act no. 90/2018, on personal protection and processing of personal information.