Persónuvernd (Iceland) - Case no. 2021061304

From GDPRhub
Revision as of 17:53, 22 December 2022 by 2a00:23c8:a0f:ce01:e115:7ac9:76dd:6a76 (talk) (→‎English Summary)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Persónuvernd - Case no. 2021061304
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 12 GDPR
Article 15 GDPR
Article 58 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 31.10.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Case no. 2021061304
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Icelandic DPA (in IS)
Initial Contributor: n/a

The Icelandic DPA ordered a car repair shop to comply with an Article 15 GDPR access request by providing a data subject with data of all repairs and services done to his car while it was in his possession.

English Summary

Facts

The case concerns an access request from a car owner, the data subject, to a car repair shop, the controller. The access request was sent by a company on behalf of the data subject to the repair shop. The company hired an attorney who electronically signed the access request and asked for personal data on the data subject's car regarding its repair and service history.

The controller denied the request. It replied to the data subject that it does not believe itself responsible to process historical data for the vehicles it worked on as this would entail high costs and the legality of such processing would be unclear. Moreover, the service history of most vehicles covers more than one customer and there are no mandates from previous owners.

Consequently, the data subject complained to the Icelandic DPA.

The data subject argued that he has the right to access his personal data contained in the service and repair history of the vehicle he owns. The controller's refusal to provide the data would constitute a violation of the GDPR.

Responding to the allegations in front of the DPA, the controller stated that they only received a request by the company on behalf of the data subject, but no request directly from the data subject. It is their working method to only present customers with data on repair histories when they arrive in person at one of their shops and only in the form of paper and not electronically.

Holding

The DPA first asserted that the data subject would only have the right to access their own personal data. Consequently, they would only have the right to access the repair history of the car while it was in the possession of the data subject, but no right to receive any information about services done on the car while it was in the possession of previous owners.

Next, the DPA noted that that Article 15 GDPR stipulates that a data subject shall have the right to receive confirmation from a controller as to whether personal data concerning him or her is being processed and, if so, has the right to access personal data. Moreover, the controller must provide a copy of the personal data that is being processed. If the data subject submits a request electronically, the information must be provided in an electronic format that is generally used unless the data subject requests otherwise. Additionally, Article 12 GDPR demands that controllers shall facilitate data subjects to exercise their rights.

Regarding the first argument of the controller, the DPA explained that when an attorney is given the power to act on behalf of a principal, their actions are to be considered equivalent to those of the principal. Therefore, no further action would have been required from the data subject in this case. Moreover, if the controller would have deemed the powers of the attorney to be insufficient, it should have instructed the data subject on who to meet the formal requirements in order to submit an access request instead of refusing it.

Concerning the second argument, the DPA reiterated that controllers are required to provide answers to access requests in a commonly used electronic format, unless requested otherwise. Therefore, only providing it in the form of paper is insufficient.

Considering the above, the DPA held that the controller acted in violation of the GDPR. It ordered the controller pursuant to its powers of Article 58(2)(c) GDPR to comply with the access request.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Delivery of BL ehf. on access request not compliant by law
Case no. 2021061304

31.10.2022

In general, individuals have the right to request their personal information. Information about the vehicle's service and repair history, which the vehicle received while it is in their possession, is considered such information.

In this case, the responsible party refused to process the complainant's request in substance, but this did not comply with the personal protection law, and the procedure for handing over the data was considered insufficient.

-----

Personal Protection ruled in a case where there was a complaint about the refusal of a request for access to the repair and service history of a vehicle owned by the complainant by BL ehf. More specifically, a company on behalf of the complainant requested information from BL ehf. about the repair and service history of the vehicle owned by the complainant, including from workshops and service providers.

In communication with BL ehf. who accompanied the complaint said that the company believed that it did not need to process historical data from its systems and that doing so would entail high costs and it was unclear whether the processing was legal. During the handling of the case, BL ehf. also for the fact that the request for information came electronically from someone other than the complainant and that such data is only delivered on paper against the presentation of identity documents and not sent electronically.

The conclusion of the Privacy Protection was that the processing of BL ehf. on the complainant's access request did not comply with the provisions of the Act on Personal Protection and Processing of Personal Information. Also, BL ehf. given a warning for violating the provisions of the law and submitted to BL ehf. to take the complainant's access request for substantive processing.
Ruling


about a complaint about the refusal of BL ehf. about an access request by Autoledger ehf. fh [A] in case no. 2021061304:
I.
Procedure
1.
Outline of a case

On June 9, 2021, Personal Protection received a complaint from the law firm Juris, fh [A] (hereinafter the complainant), regarding the refusal of BL ehf. on access to the repair and service history of a vehicle owned by the complainant.

The complaint states that the company Autoledger ehf. on 11 February 2021, on behalf of the complainant, requested information from BL ehf. about the repair and service history of a vehicle in his possession. The complaint was accompanied by a power of attorney, signed electronically by the complainant, stating that the complainant authorizes Autoledger to retrieve, store and work with information about the repair and service history of a vehicle owned by the complainant from third parties, including workshops and service providers.

In the response of BL ehf.'s lawyer. to the access request, dated 26. sm, which came with the complaint, says that Autoledger ehf. has requested information about 878 vehicles from the company, but that it believes that it does not need to process historical data for an unspecified number of vehicles from its systems. It is noted that this would entail high costs, and it is unclear whether such processing of personal information is legal. In addition, it says that the service history of most vehicles covers more than one customer and that there are no mandates from previous owners. In addition, warranty repairs and many damage repairs are not paid by the owner but by the manufacturer or insurance company, but this means that the reliability of such an overview is not high.

Personal protection invited BL ehf. to comment on the complaint by letter, dated December 1, 2021, and the company's answers were received on January 6, 2022. The complainant was then given the opportunity to provide comments on BL ehf's answers. by letter, dated 13. sm, and they were received by letter, dated 2 February s.á. By letter, dated On June 13, 2022, Personal Protection requested more information from the complainant. A reply was received by e-mail on 1 July s.á. When resolving the case, all of the above-mentioned documents have been taken into account, although not all of them are separately explained in this ruling.
2.
Complainant's point of view

In the complainant's opinion, he has the right to access his personal information contained in the service and repair history of the vehicle he owns, which is kept by BL ehf. The complainant notes that the access request was sent by Autoledger ehf. on the basis of a power of attorney from him and it is equivalent to the fact that he himself requested the information.

According to the complainant, the refusal of BL ehf. on access to this information constitutes a violation of his rights under the Personal Protection Act.
3.
The point of view of BL ehf.

In the reply letter BL ehf. says that the company only received a request from Autoledger ehf. for information in electronic form about the vehicle's service history, but no formal request directly from the complainant. It is also stated that the company's working method is such that this data is presented if the customer arrives at the location and presents identification and that the data is only delivered on paper and not sent electronically.
II.
Assumptions and conclusion
1.
Limitation of case – Scope – Responsible party

At the beginning of the proceedings, the complainant was informed that Act no. 90/2018 and regulation (EU) 2016/679 gave individuals the right to access their own personal data, but not the right to access personal data about others, such as the personal data of the previous owner that could be contained in the repair and service history of a vehicle. Personal protection would therefore only deal with the complainant's right to access information about the repair and service history of the car while it was in his possession, but not to information about the services the car had received during other owners' time.

It should be noted that points of view may be tested there according to legislation other than the personal protection legislation, such as according to consumer legislation, cf. i.a. section 3.6 in the general comments with the bill that became law no. 27/2021. Then the buyer's right to information about the sale item can be tried, cf. b-point 1. paragraph Article 19 Act no. 50/2000 on the purchase of liquid assets, but it can be assumed that repair history may fall under that. Responsibilities in that regard rest only on the seller of the item, but could be relevant when assessing the authority of others who have information about the item to provide that information.

This case concerns the processing of BL ehf. on a request for access to personal information about the complainant contained in the service and repair history of a vehicle owned by him. It concerns the processing of personal information that falls under the authority of Personal Protection as defined in Act no. 90/2018. BL ehf. is considered to be the party responsible for that processing according to that law, as well as Regulation (EU) 2016/679.
2.
Legal environment

This case examines whether the responsible party has processed the request of Autoledger ehf. on access to personal information about the complainant in accordance with the provisions of Act no. 90/2018 on personal protection and processing of personal data and regulation (EU) 2016/679.

According to paragraph 2 Article 17 Act no. 90/2018 on personal protection and processing of personal information, the registered person has the right to access personal information about himself according to the instructions of Article 15. of regulation (EU) 2016/679. In paragraph 1 Article 15 the regulation stipulates, among other things, that a registered person shall have the right to receive confirmation from the responsible party as to whether personal data concerning him/herself is being processed and, if so, the right to access personal data. In paragraph 3 of the same article states that the responsible party must provide a copy of the personal information that is being processed and that if the data subject submits a request electronically, the information must be provided in an electronic format that is generally used unless he requests otherwise. Then it says in the 2nd paragraph Article 12 of the regulation that the responsible party shall facilitate the registered person to exercise his right according to 15.-22. art.

In paragraph 1 Article 10 Act no. 7/1936 states that if an agent executes a legal deed in the name of the principal and within the limits of his authority, then that legal deed creates an obligation for the principal without the need for a further legal deed, from the agent or the principal.

 
3.
Conclusion

 

The responsible party has stated that the company only received an access request from Autoledger ehf. about information in electronic form, and that the company has not received any formal request directly from the complainant. The complainant has stated that the company Autoledger ehf. requested the information on the basis of a power of attorney.

It will generally be considered that when a party is given a power of attorney, the agent acts on behalf of the principal without the latter having to take further action. It will therefore be considered that the request of Autoledger ehf. was equivalent to if the complainant himself had requested personal information about himself from the responsible party. In addition, it will be considered that on the basis of paragraph 2 Article 12 of Regulation (EU) 2016/679, the responsible party, if he considered the power of attorney to be insufficient, should have instructed the authorized party on how to meet the formal requirements for submitting an access request, instead of refusing the request.

The responsible party's answer also states that data is delivered to customers on paper, and not electronically, when they show up at the venue and present identification. As stated above, the controller, who receives an electronic request for access to personal information, must process the request electronically in a commonly used format, unless the requester requests otherwise.

In view of the above, it is the conclusion of Personal Protection that the responsible party's handling of the access request by Autoledger ehf., for the complainant, did not comply with Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679.

In accordance with this conclusion, and with reference to item 3. Article 42 Act no. 90/2018, cf. c.-item 2. paragraph Article 58 regulation (EU) 2016/679, is hereby submitted to BL ehf. to take the access request of Autoledger ehf., fh the complainant, for substantive processing. Confirmation that these instructions have been complied with must be received by Personal Protection no later than November 28, 2022.
Ú r s k u r ð a r o r ð:

Delivery of BL ehf. on the access request of Autoledger ehf., fh [A], did not comply with the provisions of Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679.

With reference to item 2. Paragraph 2 Article 42 Act no. 90/2018 and point b of paragraph 2. Article 58 regulation (EU) 2016/679 is BL ehf. given a warning for violating the provisions of Act no. 90/2018 and Regulation (EU) 2016/679.

It is proposed for BL ehf. to take the access request of Autoledger ehf., fh [A], for substantive processing. Confirmation that these instructions have been complied with must be received by Personal Protection no later than November 28, 2022.

Privacy, 31 October 2022

Vigdís Eva Líndal Gunnar Ingi Ágústsson