Persónuvernd (Island) - 2022081290

The Icelandic DPA held that the National Police Commissioner, as a controller, was authorised under Article 6(1)(e) GDPR to carry out background checks on personal data of an applicant for a position as emergency operator. However, the controller failed to duly inform the applicant about the extent and purposes of processing.

English Summary

Facts

A data subject applied for a position as an emergency operator at the national emergency line of Iceland. When applying, the data subject claimed that she only received information that a background check would be carried out on applicants but was not informed about the scope or purpose of processing of her personal data nor did she consent thereto. The national emergency line then asked the police commissioner look up the applicant’s personal information in the police case file and transmit it to the emergency line office.

The data subject felt that the lack of transparency regarding the processing of her personal data constituted a violation of the GDPR, thus, on 31 August 2022, she filed a complaint against the National Police Commissioner with the Icelandic DPA.

The DPA invited the police commissioner and the emergency line to submit their views.

The national emergency line submitted that its close cooperation with the national police commissioner requires its employees to fulfil the requirement of passing a police background check, and this is provided for in the law on coordinated emergency response. The emergency line further added that applicants are informed about this check and they are asked to give their consent. Also, the emergency line considered that the police commissioner is the controller since it determines the purpose and means of processing and it is in the police interests to carry out such a check.

The police commissioner submitted that it did not receive a copy of the data subject’s consent form but that the processing of her personal data is necessary due to the public interest in doing so and the exchange of information with the emergency line occurred on the basis of the National Act on processing of personal data for law enforcement purposes implementing the LED.

Holding

First of all, the Icelandic DPA considered the police commissioner to be the controller under the GDPR. Further, the DPA clarified that the National Act on processing of personal data for law enforcement purposes did not apply in this case, since the processing was not specifically aimed at preventing, investigating or prosecuting criminal offences. Instead, the GDPR applies.

Against this background, the DPA had to assess whether processing by the police commissioner was carried out in compliance with the GDPR.

The DPA considered the possible legal bases for processing. First, it held that generally, processing by a prospective employer can never be based on consent under Article 6(1)(a) GDPR given the clear imbalance between employer and prospective employee and would thus constitute forced consent. Hence, the DPA considered whether the processing was necessary for a task carried out in the public interest or by an official authority under Article 6(1)(e) GDPR and whether a clear legal obligation prescribing such processing was given as per Article 6(3) GDPR.

In this, the DPA considered that the processing by the controller is necessary to safeguard a public interest, among others protecting public safety and maintaining law and order which are also among the official duties of the police commissioner provided for by law. The DPA also took into account the fact that the work of emergency operators at the emergency line is strictly intertwined with the work of the police and they both have access to the same information systems, thus the police commissioner had an interest in checking data about prospective employees of the emergency line too.

Accordingly, the DPA considered that the background check carried out by the controller on information relating to the data subject and the subsequent transmission of such data to the emergency line constitutes processing that is necessary in the public interest under Article 6(1)(e) GDPR.

However, the DPA pointed out that all processing activities must also comply with the principles of processing enshrined in Article 5 GDPR. In this case, by failing to duly inform the data subject about the extent and purposes of processing, the DPA held that the controller acted contrary to fairness and transparency under Article 5(1)(a) GDPR and in violation of Article 14 GDPR. Since the controller was already working to improve this, the DPA did not deem it necessary to adopt any corrective measures against it.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Processing of personal information by the National Police Commissioner

Case no. 2022081290

15.12.2023

The Inspector General of Police's review of the case file of those who apply for the position of emergency guard at the Emergency Line can be considered necessary in the public interest, as emergency guards have, among other things, access to the same work space as the Commissioner of Police's Communications Center. However, the National Police Commissioner is responsible for educating applicants that it is a condition for employment as an emergency guard at the Emergency Line that the person passes a so-called background check and what such an check entails.

----

Personal Protection has ruled in a case where there was a complaint that the National Police Commissioner had looked up the complainant in the case file (LÖKE) on the occasion of her application for a job at the Emergency Line and forwarded the information to the Emergency Line. According to law no. 40/2008, the Emergency Line has the task of managing the operation of a coordinated emergency response call center and performs, among other things, requests for police assistance and other emergency assistance. In order to carry out their role, emergency guards at the Emergency Line need access to the common duty room of 112 and the Communications Center of the National Police Commissioner. In that space, work is done with access to international systems where sensitive information is exchanged and communicated to police officers in the field, and work is done with sensitive information due to law enforcement in the interests of the security of the top management and information that may threaten the security of the state. In order to gain access to the space where they work on screens with the national systems and other sensitive information, emergency guards must meet the requirements that the police make to those who have assigned access to the systems, which includes in passing a police background check. With reference to the above and the role assigned to the National Police Commissioner by law, the Personal Protection Authority considered that the National Police Commissioner's examination of the case file of those who apply for the position of emergency guard at the Emergency Line can be considered necessary in the public interest. The aforementioned processing of personal information by the National Police Commissioner was therefore considered to be permitted on the basis of item 5. Article 9 Act no. 90/2018 and Article 6(e) of regulation (EU) 2016/679.

However, the Commissioner of the National Police was unable to demonstrate that the complainant had been given special training that such information collection would take place during the application for the job of an emergency guard or was given training on what is included in a career check by the Commissioner of the National Police. The conclusion of the Personal Protection Agency was that the Inspector General of Police's examination of the personal information about the complainant and its transmission to the Emergency Line did not comply with the provisions of Act no. 90/2018, on personal protection and processing of personal information, on fair and transparent processing and educational obligation, cf. also Regulation (EU) 2016/679.

Ruling

about a complaint about the processing of personal information by Neyðarlínnin ohf. and the Commissioner of State Police in case no. 2022081290:

i

Procedure

On August 31, 2022, Personal Protection received a complaint from [A] (hereafter the complainant) about the processing of personal information about her by Neyðarlínunn ohf. and the National Police Commissioner (hereafter RLS). More specifically, the complaint relates to the fact that Neyðarlínan, in connection with the complainant's job application, obtained information about her from RLS, among other things from the case file system of RLS (hereafter LÖKE), without having been informed about the scope or purpose of the processing or giving her consent before the processing. RLS then looked up the complainant at LÖKE and passed on the information from her case file to the Emergency Line.

Personal protection invited Neyðarlínna and RLS to comment on the complaint with a letter dated 14 July 2023, and the response of the Emergency Line was received with a letter dated 8 August s.á., and RLS's reply with a letter, dated 19 September s.á. The complainant was then given the opportunity to express comments on the responses of the Emergency Line and RLS by letter, dated 22 p.m., and they were received by e-mail on October 2, 2023. When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.

___________________

The complainant refers to the fact that when applying for a job at the Emergency Line, applicants are informed that a background check will be carried out on applicants. However, the extent or purpose of the processing is not disclosed and applicants are not asked to sign an informed consent for the processing. The emergency line then gets RLS to look up applicants in LÖKE and assess whether the relevant applicant is trustworthy, without the applicant being made aware of what personal data is being processed. The complainant is based on the fact that there is no legal authorization for such processing of personal information and that no training has been carried out by the Emergency Line. In his comments to the responses of the Emergency Line and the RLS, the complainant completely denies having signed consent for a background check by the RLS.

In Neyðarlínn's response letter to Personal Protection, reference is made to the fact that Neyðarlínn operates on the basis of Act no. 40/2008, on coordinated emergency response, and that the company has the task of managing the operation of the coordinated emergency response duty station. According to Article 1 of the Act handles the coordinated emergency response for Iceland receiving notifications about people, property and the environment in distress and requests for police, fire, rescue and ambulance facilities and other emergency assistance. In order to carry out the aforementioned role, a certain part of the staff of the Emergency Line, the so-called emergency guards, need access to the common duty room of 112 and the Communications Center of the National Police Commissioner. In that space, i.a. processing in the national police systems. In order to gain access to a space where work is done on screens with the national systems and other sensitive information, emergency guards have to fulfill the requirements that the police make to those who have assigned access to the systems, which includes e.g. in passing a police background check. The Emergency Line refers to the fact that, for this purpose, RLS requests the Emergency Line to receive information about the names and social security numbers of those who apply for the job of an emergency guard. The emergency line makes it clear to all applicants for the job of an emergency guard that it is a condition for employment in the job in question that the person passes a police background check, and applicants are also invited to give written consent for this on a separate form. If the applicant does not give such consent, the processing will not take place. If, however, approval is granted, the Emergency Line will send information about the applicant's name and social security number to RLS, which will subsequently notify the Emergency Line of whether the office approves the person taking up work in the space where work is carried out in the national police systems, i.e. in the duty station of the coordinated emergency response. If RLS refuses to grant the applicant the access in question, however, the Emergency Line will in no case receive information about the reasons for that decision.

With reference to the above, the Emergency Line is based on the fact that all processing of personal data to which the complaint relates is under the jurisdiction of RLS, which determines the purpose and methods of the said background check. Therefore, Neyðarlínan considers RLS to be the responsible party for the processing of personal data to which the complaint relates, since it is carried out by RLS and in the interests of the police's security rules for dealing with the national police system. The Emergency Line's role in that process is only to act as an intermediary to invite applicants for jobs at the Emergency Line to give informed consent to the career review. In order to ensure that transparency is maintained, the specified consent states what such a career review by RLS entails and for what purpose the review is carried out. Attached to Neyðarlíninn's response letter was a copy of the standard approval for a career review for a job application. In the responses of the Emergency Line, it is also stated that the application documents of those who are not offered a job are deleted when it is clear that there will be no employment with the Emergency Line, including the specified approval for a career check.

RLS's response letter states that Emergency Line has communicated the complainant's social security number to the office with the request that an employee of the National Police Commissioner's Communications Center would review the complainant's case file with regard to her possible employment with Emergency Line. It is pointed out that according to information from the Emergency Line, the complainant has signed a standard information sheet on background checks, but RLS has not received the copy. The information sheet states that the background check in question includes an inspection of communications with the police and/or court authorities and that the inspection also covers cases that have not gone to court or have been completed without further intervention and then with an inspection at LÖKE.

RLS is based on the fact that it is important to be able to carry out an examination of the persons who work for the Emergency Line in light of the role that the company's staff perform according to the law and the information that the staff receives and sends out in terms of emergency response and police actions during the investigation of criminal cases . It is pointed out that the jobs in question are to a large extent intertwined with the work of the police, e.g. can the Emergency Line transfer conversations to the police or decide to end them and not forward them to the police. Reference is also made to the fact that the Emergency Line is located in the same premises and work space as the Communications Center of the National Police. Along with assisting the police in police operations, the employees of the Telecommunications Center have access to international systems, such as the SIS information system, where sensitive information is exchanged and communicated to police officers on the ground. The same applies for law enforcement in the interest of the security of the highest management and information that may threaten the security of the state. RLS believes that care must be taken to ensure the security of this information in accordance with international obligations, not least because of the state's security, e.g. by performing a background check or even security certification on the persons working in the premises, based on Regulation 959/2012, depending on the nature of their work.

With reference to the above, RLS is based on the fact that the processing of personal information about the complainant was necessary due to public interest in accordance with section 5. Article 9 Act no. 90/2018, on personal protection and processing of personal information. In addition, the processing was in accordance with all the principles of the privacy legislation, provided that the complainant's personal information was processed in a lawful manner and obtained for a clearly specified and relevant purpose, and that RLS during the processing sought not to work with more personal information than was necessary. In this regard, RLS refers to the fact that the Emergency Line was not given any information about which registrations were available for the complainant in LÖKE, but that RLS only gave its oral position in the form of a "by or on" statement, on the occasion of the complainant's possible employment at the emergency line. RLS is based on the fact that the communication of information about the complainant to the Emergency Line was in accordance with Article 11. Act no. 75/2019, on the processing of personal information for law enforcement purposes.

Finally, RLS's response letter stated that work had begun to establish more formal work procedures when requests for lookups were received from the Emergency Line, where e.g. should define the minimum information to be shared between the RLS and the Emergency Line and the requirements for data traceability and archiving.

II.

Conclusion

1.

Lawfulness of processing

This case concerns the authorization of RLS to look up the complainant at LÖKE on the occasion of her application for a job at the Emergency Line and to pass on information from her case file to the Emergency Line. It concerns the processing of personal data that falls under the authority of the Personal Protection Agency. RLS is considered to be the party responsible for said processing according to Act no. 90/2018, on personal protection and processing of personal information, regulation (EU) 2016/679 and law no. 75/2019, on the processing of personal information for law enforcement purposes.

Law no. 75/2019, cf. Paragraph 1 Article 3 of the law. Competent authority is defined in section 11. Article 2 of the law and the police stations are specifically specified there. The purpose of law enforcement is defined in section 8. Article 2 of the Act with the purpose of preventing, investigating, investigating or prosecuting criminal offenses or enforcing criminal sanctions, including to protect against and prevent threats to public safety. The processing of personal information by RLS, which consisted of looking up the complainant at LÖKE on the occasion of her job application at the Emergency Line, will not be considered to have been carried out for law enforcement purposes and therefore the aforementioned processing falls under Act no. 90/2018, on personal protection and processing of personal information.

In paragraph 1 Article 11 Act no. 75/2019, on the other hand, the competent authorities are authorized to share personal information collected for law enforcement purposes to other public and private entities to the extent necessary for them to perform their statutory duties or protect their legally protected interests. According to paragraph 2 of the legal provision, the provisions of the Act on Personal Protection and Processing of Personal Information otherwise apply to the sharing of personal information according to paragraph 1. and the recipient's processing of the information.

All processing of personal information must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. One can mention that personal data can be processed if the data subject has given his consent to the processing of his personal data for one or more specific purposes, cf. Number 1. of the legal provision and point a of the regulatory provision, or if the processing is necessary for work carried out in the public interest or in the exercise of official authority exercised by the responsible party, cf. Number 5. of the legal provision and section e of the regulatory provision.

According to paragraph 3 Article 6 Regulation (EU) 2016/679 shall prescribe the basis of processing, which is referred to in points c and e of paragraph 1. of the provision, in the laws of the Union or the laws of a member state to which the responsible party is subject. It follows that a clear legal authorization is required for the processing of personal data based on the fact that it is necessary for work carried out in the public interest or in the exercise of public authority.

In light of the fact that the complainant relies mainly on the fact that the processing of personal information about her would have had to be based on her consent, it should be noted that employers, as well as prospective employers, cannot generally base the processing of personal information about employees on their consent, cf. Number 1. Article 9 Act no. 90/2018 and point a of Article 6 of the regulation, since it is rarely an unforced consent due to the difference in status that is generally considered to exist between the employer and the employees. Is it necessary to process personal data in such cases because other sources can be relied on in Article 9. Act no. 90/2018, cf. Article 6 of the regulation.

When evaluating authorization for processing, provisions in other laws that are applicable in each case must also be taken into account. In particular, law no. 40/2008, on coordinated emergency response, Police Act, no. 90/1996, and regulation no. 959/2012, on the protection of confidential information, security certifications and security approvals in the field of security and defense.

In addition to authorization according to the above, the processing of personal data must satisfy all the basic requirements of paragraph 1. Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 of regulation (EU) 2016/679. Among other things, it is stipulated that personal data must be processed in a lawful, fair and transparent manner towards the data subject, cf. Number 1. of the legal provision and point a of the regulatory provision, that they must be obtained for a clearly specified, legitimate and relevant purpose and not further processed for other and incompatible purposes, cf. Number 2. of the legal provision and point b of the regulatory provision, and that they must be sufficient, appropriate and not beyond what is necessary based on the purpose of the processing, cf. Number 3. of the legal provision and point c of the regulatory provision.

2.

Conclusion

RLS is based on the fact that the processing of personal information about the complainant was necessary for public interest in accordance with section 5. Article 9 Act no. 90/2018. In this regard, RLS refers to the fact that the work of emergency guards at the Emergency Line is largely intertwined with the work of the police in light of the information that emergency guards receive and send in terms of emergency response and police actions during criminal investigations. RLS also refers to the fact that the Emergency Line is located in the same building and workspace as the National Police Commissioner's Communication Center, where, among other things, access to international systems, such as the SIS information system, is used, where sensitive information is exchanged and communicated to police officers on the scene, and that the same applies for law enforcement in the interest of the security of the highest management and information that may threaten the security of the state.

According to number 2 Article 1 Police Act, no. 90/1996, the role of the police i.a. to safeguard public safety and maintain law and order, strive to ensure the legal security of citizens and protect property rights, public interests and all kinds of legitimate activities and to prevent crimes and prevent activities that disrupt the security of citizens and the state, cf. Sections a and b of the legal provision. In Article 5 The Act stipulates the role of the National Police Commissioner. According to point j of the legal provision, the role of RLS is, among other things, to take care of public safety issues. Under the RLS, the employees of the Communications Center report to the National Police Commissioner, but they provide assistance to police officers in the field in the form of instructions, information, etc. The employees of the Telecommunications Center also receive emergency calls and reports to the police, handle the call management of the entire police call team and direct the first actions of the police when there is danger. The National Police Commissioner's Communication Center is also the National Police Commissioner's operational control center for security matters, as well as its employees monitor the Sirene office for the Schengen cooperation and monitor other information and communication systems outside of daytime hours.

With reference to the above and the role assigned to the RLS by law, the Personal Protection Authority believes that the public interest should be the basis for allowing a background check to be carried out on those who work as emergency guards at the Emergency Line and who need access to a common duty area for their work 112 and Communications Centers of the National Police Commissioner. In the opinion of the Personal Protection Agency, the processing of personal information by RLS, which involved the complainant's search in LÖKE on the occasion of her application for the job of an emergency guard and the transmission of information from her case file to the Emergency Line, may therefore be considered necessary in the interest of the public interest within the meaning of section 5. Article 9 Act no. 90/2018 and Article 6(e) of regulation (EU) 2016/679, cf. also Article 11 Act no. 75/2019, on the processing of personal information for law enforcement purposes, provided that other provisions of Act no. 90/2018 and Regulation (EU) 2016/679. Here, in particular, number 1 comes into consideration. Paragraph 1 Article 8 of the Fairness and Transparency Act, cf. Article 5(a) of the regulation, but the provision results, among other things, from the responsible party's educational obligation towards the registered person, which is detailed in 13.-14. art. of regulation (EU) 2016/679, cf. Article 17 Act no. 90/2018.

As before, the complainant states that he has completely denied having signed a consent form with the Emergency Line for a background check by RLS. The emergency line, on the other hand, is based on the fact that the complainant signed such consent, but the company's answers also stated that the application documents of those who are not offered a job are deleted when it is clear that there will be no employment with the emergency line, including the specified consent for career review RLS also refers to the fact that according to information from the Emergency Line, the complainant has signed a standard information sheet on background checks, but RLS has not received the copy. As is the case here, it must therefore be considered unproven that the complainant signed the specified consent for a career check at RLS. Furthermore, nothing has been stated by the Emergency Line or the RLS that the complainant has been given special training on information gathering at the RLS, beyond the information that appears on the said consent for a background check.

Although the complainant's consent was not required for the processing, cf. what is analyzed above, it must be considered that the complainant should have been informed about the processing so that it would have been compatible with the requirement of fairness and transparency in item 1. Article 8 Act no. 90/2018, cf. also Article 14 of regulation (EU) 2016/679. It cannot be seen from the documents of the case that these requirements were taken care of towards the complainant in connection with the career check at RLS. In this context, it should also be pointed out that according to paragraph 2 Article 8 Act no. 90/2018, cf. Paragraph 2 Article 5 of the regulation, the responsible party is responsible for ensuring that the processing of personal information always complies with the provisions of paragraph 1. of the legal article and must be able to demonstrate it. RLS will therefore have to bear the burden of not having adequately demonstrated how the requirements of item 1 were taken care of. Paragraph 1 Article 8 Act no. 90/2018, cf. point a, paragraph 1 Article 5 of regulation (EU) 2016/679, cf. also Article 14 of the regulation.

In light of all of the above, it is the conclusion of the Data Protection Authority that the RLS's examination of the complainant's personal information and its transmission to the Emergency Line did not comply with the provisions of Act no. 90/2018, on personal protection and processing of personal information, on fair and transparent processing and educational obligation, cf. also Regulation (EU) 2016/679.

With reference to the fact that RLS works to establish more formal procedures when requests for lookups are received from the Emergency Line, there is no reason to direct instructions to RLS in this ruling.

Ruling:

RLS's review of personal information about [A] and its transmission to the Emergency Line did not comply with the provisions of Act no. 90/2018, on personal protection and processing of personal information, on fair and transparent processing and educational obligation, cf. regulation (EU) 2016/679.

Privacy, December 5, 2023

Þórður Sveinsson                             Edda Þuríður Hauksdóttir