Persónuvernd (Iceland) - 2020010609

Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law:
Directive EU 2016/680
Type: Complaint
Outcome: Rejected
Started:
Decided: 05.05.2021
Published: 07.05.2021
Fine: None
Parties: n/a
National Case Number/Name: 2020010609
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA held that the National Commissioner of Police had not violated the law on the processing of personal data for law enforcement purposes by refusing an access request for personal data registered in the Schengen Information System (SIS).

English Summary

Facts

On 13 January 2020, the DPA received a complaint about a refusal to grant access to personal information registered in the Schengen Information System (SIS).

The background to the case is that in 2017 the complainant had come to Iceland and submitted an application for international protection. The complainant later withdrew that application by notification and was subsequently ordered to leave the country within the prescribed seven-day deadline. The complainant did not do so and was therefore subsequently escorted out of the country on 7 November 2017. As the complainant had not left the country within the prescribed time limit, he was placed under a two-year return ban to Iceland.

On 14 October 2019, the complainant sent an access request to the Office of the National Commissioner of Police on registrations concerning him in the SIS, as well as a request that such information be deleted.

The complainant was told that the information in question is not delivered by e-mail, and that the data subject is required to come in person to the police or to the nearest Schengen State embassy. The complainant sent a letter to the Swedish Embassy and was instructed to send his request for information to that country's embassy in North Macedonia. The embassy responded that it could not see that he was registered in the SIS and that he should turn to the country that had submitted the registration, i.e. Iceland.

The complainant sent a letter to the Icelandic consul in Albania but received the answer that the consul was not involved in the issuance of visas. The complainant contacted the German embassy by e-mail on 18 November 2019. The embassy could not confirm whether he was under a re-entry ban in Germany or in the Schengen area.

Finally, the complainant sent an e-mail to the office of the National Commissioner of Police, dated 13 January 2020, reiterating the demand for the deletion of personal data.

According to the police, the registration in question was deleted automatically at the end of the re-entry ban, i.e. November 7, 2019. Therefore, information about the complainant is no longer registered in the SIS, provided that the re-entry ban is not in force. The police have established procedures for the delivery of information from the SIS to registered individuals, and these are accessible to the Office's employees on the internal website.

Individuals who wish to know whether they are registered in the Schengen Information System can contact the SIRENE office of any country in the Schengen area and the office that receives the request is obliged to take a position.

Regarding the DPA’s question about the Swedish and German embassies in Albania, the office said it could not answer why information was not provided about registration in the SIS. Embassies and consulates can also mediate in obtaining such information from the SIRENE offices of their country.

Holding

The DPA held that the National Commissioner of Police had not breached the law on the processing of personal data for law enforcement purposes when refusing an access request for personal information registered in the Schengen Information System (SIS). At the same time, however, the DPA intends to write a letter to the Ministry of Justice and the Ministry of Foreign Affairs drawing attention to the problems that individuals registered in the Schengen Information System may encounter when trying to exercise their rights under the system's legislation.


English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


                   
      The Data Protection Authority has taken a decision in the case of an individual who complained about not having had access to information about himself that had been registered in the Schengen Information System. The background to the case is that in 2017 the complainant had come to Iceland and submitted an application for international protection. The complainant later withdrew that application and was subsequently ordered to leave the country within a seven-day deadline, cf. decision of the Directorate of Immigration. The complainant did not do so and was subsequently followed up by the police.
As the complainant had not left the country within the prescribed time limit, he was placed under a two-year return ban to Iceland, which was registered in the Schengen Information System. Almost two years later, the complainant sent a request to the Office of the National Commissioner of Police, together with a copy of his passport, requesting information on registrations concerning him in the Schengen Information System as well as requesting that such information be deleted. In his reply to the complainant, it was stated that the information in question was not delivered by e-mail, but that the data subject was required to come in person to the office of the National Commissioner of Police or to the nearest Schengen embassy and present identification.
The Data Protection Authority concluded that the processing of personal information about the complainant by the Office of the National Commissioner of Police was in accordance with Act no. 75/2019, on the processing of personal information for law enforcement purposes. However, the Data Protection Authority intends to write a letter to the Ministry of Justice and the Ministry of Foreign Affairs drawing attention to the problems that individuals registered in the Schengen Information System may face when trying to exercise their rights by seeking registration information concerning themselves, and recommends that the disclosure of information be coordinated as far as possible between the parties providing information to the data subjects.

    

    
    Decision
 At a meeting of the Board of the Data Protection Authority on 29 April 2020, the following decision was made in case no. 2020010609:
I.

Procedure
1.
Complaint
On 13 January 2020, the Data Protection Authority received a complaint from [A] (hereinafter referred to as the "complainant") that he had not been given access to information about himself that had been registered in the Schengen Information System. The background to the case is that in 2017 the complainant had come to Iceland and submitted an application for international protection, dated October 9, 2017. The complainant later withdrew that application by notification, dated. 11 p.m., and was subsequently ordered to leave the country within the prescribed seven-day deadline, cf. decision of the Directorate of Immigration, dated the same day. The complainant did not do so and was therefore escorted out of the country by the police on 7 November 2017.
As the complainant had not left the country within the prescribed time limit, he was placed under a two-year return ban to Iceland according to Art. the aforementioned decision of the Directorate of Immigration, which was registered in the Schengen Information System on 9 November 2017, in accordance with point 1. paragraph 1 (b) Article 6 Act no. 16/2000 on the Schengen Information System in Iceland.
On 14 October 2019, the complainant sent a request to the Office of the National Commissioner of Police, together with a copy of his passport, requesting information on registrations concerning him in the Schengen Information System as well as requesting that such information be deleted. The complainant was answered by e-mail, dated 15. s.m., stating that the information in question was not delivered by e-mail, but that the data subject was required to come in person to the Office of the National Commissioner of Police or to the nearest embassy of a Schengen State and present identification. The complaint states that the complainant sent a letter to the Swedish Embassy, dated October 15, 2019, and was instructed to send his request for information to the embassy of the same country in North Macedonia. He did so, and the complaint is accompanied by a copy of the embassy's reply to the complainant, to the effect that it could not see that he was registered in the Schengen Information System and that he should turn to the country that had submitted the registration, i.e. Iceland. It is also stated that the complainant sent a letter to the Icelandic consul in Albania but received the answer that the consul was not involved in the issuance of visas. It is also stated that the complainant contacted the German embassy by e-mail on 18 November 2019. Attached to the complaint is a reply from the embassy from 7 pm, to the effect that it could not confirm whether he was under a re-entry ban in Germany or in the Schengen area. Finally, the complainant sent an e-mail to the Office of the National Commissioner of Police, dated 13 January 2020, reiterating the demand for the deletion of personal data. On the same day, the complainant was told that no information on registrations was provided by e-mail, and the previous instructions to go to the nearest Schengen embassy were repeated.
2.
Correspondence
By letter dated May 4, 2020, the National Commissioner of Police was invited to provide explanations regarding the complaint. The answer was by letter dated. 29, where the background to the registration of information about the complainant, which has been described above, is reviewed. It is also stated that the registration in question was deleted automatically at the end of the re-entry ban, i.e. November 7, 2019. Information on the complainant is therefore no longer registered in the Schengen Information System, provided that the re-entry ban is not in force.
It is stated that it is undisputed that the complainant has the right to be informed of the information that has been registered about him in the Schengen Information System, cf. Paragraph 1 Article 13 Act no. 16/2000 on the Schengen Information System in Iceland. It further states that the complainant was neither denied the information, nor made unable to access it, but was instructed on how to access it.
It is pointed out that according to Article 2 (g). Regulation on the Schengen Information System in Iceland no. 112/2001, the persons responsible for the system shall take the necessary measures to ensure that unauthorized persons do not have access to information registered in the system. It is stated that it is the Office's assessment that it does not comply with the provisions of cited Regulation no. 112/2001, nor the principles of Act no. 75/2019 on the processing of personal information for law enforcement purposes, cf. also Act no. 90/2018, to disseminate personal information from police systems by e-mail or send it by letter without the individual proving his or her identity conclusively. It is the opinion of the Office that it, and thus its SIRENE office, is not authorized to disseminate information from the system unless it is known with certainty who is submitting the request to that effect.
By letter dated October 21, 2020, the Data Protection Authority requested further information from the National Commissioner of Police regarding the case. Information was requested as to whether procedures had been established for the delivery of the information in question, how co-operation was conducted between the Schengen embassies and, as the case may be, consulates on the one hand and the SIRENE office on the other on the provision of the information in question, and which embassies or, as the case may be, consulates under the auspices of Iceland and, as the case may be, other Schengen states would have access to the Schengen Information System for the purpose of providing such information. Taking into account the instructions of the Office of the National Commissioner of Police to the complainant, the Office was asked how it was that neither the Swedish nor the German embassy in Albania had been able to provide him with the requested information.
A reply was received by letter dated November 10, 2020. It states, among other things, that procedures have been established for the delivery of information from the Schengen Information System to registered individuals and that they are accessible to the Office's employees on the internal website.
It also states that co-operation between SIRENE offices is such that individuals who wish to know whether they are registered in the Schengen Information System can contact the SIRENE office of any country in the Schengen area, and the office that receives the request is obliged to take a position on the question and answer it, if applicable. If a registration entered by another State becomes apparent, the office receiving the request shall contact the State of registration and request an opinion on whether it is appropriate for the data subject to be informed of the registration and its period of validity, and shall base its answers thereon. If a person requesting information is not present in the Schengen area, he or she is advised to contact the embassy or consulate of a Schengen state and request information. Embassies and consulates are not defined as institutions entitled to direct access to the Schengen Information System, although in some cases representatives of institutions that are, such as the police or customs, may be working there and therefore have access to the system. Embassies and consulates can also mediate in obtaining such information from the SIRENE offices of their country. Regarding the Data Protection Authority's question about the Swedish and German embassies in Albania, the Office said it could not answer why information was not provided about registration in the Schengen Information System.
II.
Assumptions and conclusion
1.
Scope - Responsible party
The processing of personal data by the competent authorities that takes place for law enforcement purposes is governed by Act no. 75/2019, on the processing of personal information for law enforcement purposes, cf. Paragraph 1 of Article 3 of the Act. It falls to the Data Protection Authority to enforce the Act as stated in Article 30 thereof, including by deciding on complaints from individuals, cf. Paragraphs 2 and 3 of that article.
The Act was enacted to implement the provisions of Directive (EU) 2016/680 of 27 April 2016 on the protection of individuals with regard to the processing of personal data by the competent authorities in connection with the prevention, investigation, detection or prosecution of criminal offenses or compliance with criminal sanctions, and the free dissemination of such information. The competent authority is defined in point 11 of Article 2 of the Act as a public authority responsible for, or entrusted by law with, the task of preventing, investigating, detecting or prosecuting criminal offenses or enforcing criminal sanctions, including protecting against and preventing threats to public safety. The Office of the National Commissioner of Police is a competent authority according to this provision.
For Act no. 75/2019 to apply, the processing of personal information must be wholly or partly automatic, or be processing by methods other than automatic processing of personal information that is or is to become part of a register, cf. Paragraph 2 of Article 3 of the Act. Personal information includes information about a person who is identified or identifiable, and an individual is considered identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. point 1 of Article 2 of Act no. 75/2019. Processing refers to an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. point 2 of Article 2 of Act no. 75/2019.
In order for the processing of personal information to fall within the scope of Act no. 75/2019, the mere fact that an authority falls under the definition of a competent authority is not sufficient; the processing that takes place at any given time must also be for law enforcement purposes. Law enforcement purposes are defined in point 8 of Article 2 of Act no. 75/2019 as the purpose of preventing, investigating, detecting or prosecuting criminal offenses or enforcing criminal sanctions, including protecting against and preventing threats to public safety. It is clear that processing of personal information for this purpose is based on the powers conferred on the competent authorities by law, in this case Act no. 16/2000 on the Schengen Information System in Iceland. Article 2 of that Act states that the National Commissioner of Police operates and is responsible for the Schengen Information System and handles registration in it and the transmission of other documents in accordance with the Act. The first paragraph of Article 4 of the same Act further states that registration in the Schengen Information System shall be aimed at ensuring public security and public order, including state security. In view of the above, this is processing for law enforcement purposes, cf. point 8 of Article 2 of Act no. 75/2019, and the above processing therefore falls within the scope of that Act.
The competent authority, which decides, alone or in co-operation with others, the purpose and methods of processing personal information, is called the responsible party, cf. Number 4 Article 2 Act no. 75/2019. As such, the office of the National Commissioner of Police is considered to be responsible for the processing in question.
With reference to the above, it is clear that the processing of personal data in the Schengen Information System involves the processing of personal data by a competent authority carried out for law enforcement purposes and therefore falls within the competence of the Data Protection Authority as defined in Article 30 of Act no. 75/2019, including to resolve complaints, cf. Paragraphs 2 and 3 of the same article.
2.
Legality of processing
All processing of personal data for law enforcement purposes must comply with the principles laid down in Article 4 of Act no. 75/2019. It states that in the processing of personal data for law enforcement purposes, care shall be taken to ensure that the data are processed in a lawful and fair manner, that the processing is necessary for the competent authority for law enforcement purposes, that the data are obtained for clearly stated, lawful and objective purposes and not further processed for other and incompatible purposes, that they are sufficient, appropriate and not beyond what is necessary for the purpose of the processing, and that they are reliable and updated as necessary. It also states that if personal information is unreliable or incomplete for the purpose of its processing, it shall be deleted or corrected without delay, that it shall be stored in such a way that it is not possible to identify registered persons for longer than necessary for the purpose of processing, and that it shall be processed in such a way as to ensure its appropriate security.
In addition, the processing of sensitive personal data must comply with one of the conditions of the first paragraph of Article 6 of Act no. 75/2019. Sensitive personal information within the meaning of the law is information about a person's race or ethnic origin, political views, religion, beliefs and trade union membership, information about health, sexual life and sexual orientation, as well as genetic information and biometric information used to personally identify an individual. It is clear that the Schengen Information System contains such information, including fingerprints, cf. point k of the first paragraph of Article 5 of Act no. 16/2000, and these are considered biometric. According to the said provision of Act no. 75/2019, such personal information may only be processed if there is an urgent need for the processing and, in addition, it fulfills at least one of the following conditions: that it has a special authority in other laws, that it is capable of protecting the urgent interests of the data subject or another person, or that it relates to information that the data subject has himself made public. In the case under consideration here, it is clear that personal information was registered in accordance with the authority in Article 5 and point 1. paragraph 1 (b) Article 6 of Act no. 16/2000. The processing is therefore considered to have been permitted in light of Act no. 75/2019.
It is clear that the complainant has requested that the registration of his re-entry ban be deleted. It is also clear that the registration was deleted automatically at the end of the re-entry ban, on November 7, 2019. This issue will therefore not be examined further.
It remains to be determined, however, whether the National Commissioner of Police has processed the complainant's request for access to information in accordance with Article 13 of Act no. 75/2019 and Article 13 of Act no. 16/2000, where that right is guaranteed; as has been stated, the request was not processed because the complainant did not submit it in person with the presentation of identification. It is also clear that following the refusal of the National Commissioner of Police, the complainant applied to the embassies of two Schengen states, as well as the Icelandic consulate, for the requested information, but received answers indicating that it was not possible to obtain the access in question.
According to Chapter V of Act no. 75/2019, the responsible party is responsible for ensuring adequate security of personal information. When formulating measures for this purpose in the Schengen Information System, it should be borne in mind that, among other things, sensitive personal information is recorded there. Therefore, high demands must be made on its security. Article 18, cf. also the first paragraph of Article 23 of the Act, states that the responsible party shall take appropriate measures that take into account the nature, scope, context and purpose of the processing, as well as the data subject's rights, to ensure and demonstrate that the processing of personal data meets the requirements of the Act. The Office of the National Commissioner of Police has deemed it necessary to request the original identity document, and the Data Protection Authority does not comment on that assessment in light of the nature of the Schengen Information System and the importance of information not falling into the hands of unauthorized parties.
At the same time, however, it is clear that the data subject must have a realistic possibility of exercising his or her rights, and the facts of the case indicate that remedial action may be necessary in that regard. It must be assumed that this will test whether the Schengen states have established co-operation so that within their foreign service there are contacts that the data subjects can turn to, regardless of which state has been responsible for recording the information at any given time. It must also be assumed that the final responsibility in these matters does not lie with the police authorities and that the involvement of other authorities is also needed, such as the Ministries of Justice and Foreign Affairs.
In view of the above, the conclusion of the Data Protection Authority is that the processing of personal information about the complainant by the Office of the National Commissioner of Police was in accordance with Act no. 75/2019, on the processing of personal information for law enforcement purposes.
At the same time, however, the Data Protection Authority intends to write a letter to the Ministry of Justice and the Ministry of Foreign Affairs drawing attention to the problems that individuals registered in the Schengen Information System may encounter when trying to exercise their rights under the system's legislation.
Ruling:
The processing of personal information about [A] by the Office of the National Commissioner of Police due to the registration of a re-entry ban and a requirement for the delivery of information on registration was in accordance with Act no. 75/2019, on the processing of personal information for law enforcement purposes.
At the Data Protection Authority, April 29, 2021
Ólafur Garðarsson, acting chairman
Björn Geirsson Vilhelmína Haraldsdóttir
Þorvarður Kári Ólafsson


    





















  