Persónuvernd (Island) - 2023030483

The Icelandic DPA held that a controller acted in violation of Article 32 GDPR by failing to locate all personal data requested by a data subject in the context of an access request under Article 15(3) GDPR.

English Summary

Facts

On 3 February 2023, a data subject filed multiple access requests with the City of Reykjavík, the controller, asking to obtain a copy of her personal data processed in the context of her work permit applications from 1998 until 2023, in accordance with Article 15(3) GDPR. The controller replied with an incomplete set of documents containing data about the data subject. Then the data subject submitted a list of the missing data requested and the controller sent her seven additional documents and informed her that it could not find further data about her. However, the data subject was not satisfied with the documents provided by the controller, as some were still missing, thus she filed a complaint with the Icelandic DPA, also claiming that the controller failed to take the appropriate security measures under Article 32 GDPR, since it was not able to locate her data.

In its submissions, the city of Reykjavík argued that the laws governing the issuing and storage of work permits had changed during the period covered by the data subject’s request. The controller also claimed that it answered the data subject’s request but it could not find all of the data requested. In addition to this, the controller argued that it took measures to ensure security of processing, including encryption, record keeping and access control.

Holding

The DPA considered that the controller complied with the data subejct’s access request under Article 15(3) GDPR as it provided all the information available to it, even though in different occasions, but within the time limit set out in Article 12(3) GDPR. As a matter of fact, the DPA held that the right to access to one’s personal data only extends to existing personal data, hence, since the controller had conducted a thorough search and could not locate some of the missing data, the DPA was satisfied that the missing personal data was not available to the controller and thus could not be provided.

As regards the security of processing, the DPA first argued that controllers are responsible for ensuring security of processing both in the preservation and in making the data available to data subjects. Also, the DPA underlined the fact that under Article 32(2) GDPR, controllers have to take appropriate measures to prevent accidental or unlawful destruction and loss of personal data.

For this reason, the DPA considered that since the controller could not locate all of the personal data of the data subject, it did not take appropriate measures in order to prevent the data from being lost. In this regard, the DPA concluded that the controller acted in violation of Article 5(1)(f) GDPR and Article 32 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

The City of Reykjavík's handling of an individual's access request and retention of personal information

Case no. 2023030483

21.12.2023

Individuals have the right to receive information about whether a company or government, or another party that processes personal data, processes personal data about them. The processing of personal information may include, among other things, its collection, use and storage. The right of access includes i.a. the right to receive a copy of the personal information about you that is processed. It is then the responsibility of the party responsible for the processing of personal information to ensure adequate security during its processing.

----

The Norwegian Data Protection Authority ruled in a case where there was a complaint about the City of Reykjavík's handling of an access request by an individual who requested a copy of their work permit application from the city along with supporting documents for a limited period. As the city was unable to locate all the requested data, there were also complaints about the security of the personal information held by the City of Reykjavík.

In its practice, the Data Protection Authority has taken the view that the data subject's right to access data extends only to existing personal information. In view of the fact that the City of Reykjavík had repeatedly made an attempt to locate the requested data and delivered the part of the data that was available to the municipality, it was the conclusion of the Privacy Protection that the complainant's access request had been answered and it was processed taking into account that limitation. However, the Personal Protection Authority considered that, in light of the fact that some of the complainant's data, which i.a. contained sensitive personal information about her, had been lost in the custody of the City of Reykjavík, that the city had not adequately ensured the security of the complainant's personal information. The processing therefore did not comply with the provisions on personal protection and processing of personal information.

Ruling

about a complaint about the processing of an access request by the City of Reykjavík in case no. 2023030483:

i

Procedure

On March 6, 2023, Personal Data Protection received a complaint from [A] (hereinafter the complainant) about the City of Reykjavík's handling of her request for a copy of the personal information that the City had for processing for her work permit applications during the specified period. There was also a complaint that the security of data stored at the City of Reykjavík was lacking.

Personal Protection invited the City of Reykjavík to comment on the complaint by letter, dated April 14, 2023, and the city's answers were received on May 26, 2023. The complainant was then given the opportunity to submit comments to the City of Reykjavík's responses by letter, dated 1 June s.á., reiterated by letter 30 s.a.m., and they were received by email on 13 July s.á. When resolving the case, all of the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.

___________________

There is a dispute about the substantive processing of the City of Reykjavík's request for access to her personal information that the City had for processing. Also, whether the City of Reykjavík has ensured adequate security when storing the data.

The complaint states that the complainant did not receive a copy of all her personal information that the City of Reykjavík had for processing due to her work permit applications with the city, despite repeated requests. The complainant specified all the data covered by the access request and sent the city a list of the missing data. Thus, the request was based on personal information generated by the city as a result of its work permit applications from September 1, 1998 to February 3, 2023, when the access request was sent. The complainant also claims that, in light of the fact that all the requested data was not found, the City of Reykjavík did not take care of adequate security when storing the data.

The City of Reykjavík's response is based on the fact that the arrangements for issuing and storing data for the work permits in question have changed a lot during the period covered by the complainant's access request. The City of Reykjavík has already delivered to the complainant, after a thorough search and collection of the data within the city, all the requested data that was found in the databases of the city and the City Archives. It was not possible to locate all the data requested by the complainant, but it was an extensive request that covered a long period of time. The documents that could not be located were the application for a work permit, the work permit and medical and criminal records from 1998; application for renewal of work permit and work permit from 2003; work permit and medical certificate from 2008; and application for the renewal of a work permit from 2016 The complainant has therefore been provided with all the requested data available at the municipality and her access request has been included.

The City of Reykjavík's letter also states that it has always worked to ensure the security of the personal information that is being processed by the city through certain record keeping, access control, encryption and archiving in accordance with the relevant legal provisions of the current Personal Protection Act and the Act on Public Archives at any given time.

II.

Conclusion

1. Scope – Responsible party

Scope of law no. 90/2018, on personal protection and processing of personal information, and regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of Personal Protection, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of personal data that is or is to become part of a file by methods other than automatic.

In number 4. Article 3 Act no. 90/2018, processing is defined as an operation or a series of operations where personal data is processed, whether the processing is automatic or not, such as collection, registration, classification, system binding, storage, adjustment or modification, request, examination, use, communication by forwarding , distribution or other means of making the information available, linking or syndication, access restriction, deletion or destruction.

The person responsible for the processing of personal information is compatible with Act no. 90/2018 is the named responsible party. According to number 6 Article 3 of the Act, it refers to an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data, cf. Number 7. Article 4 of regulation (EU) 2016/679. As stated here, the City of Reykjavík is considered to be responsible for the processing in question.

In this case, it is tested whether the responsible party has handled the complainant's request for access to his personal information in a satisfactory manner and ensured the security of the data in accordance with the provisions of Act no. 90/2018 and Regulation (EU) 2016/679. It is clear that the requested data all concern the complainant and relate to her work permit applications with the city.

2.

Access request processing

According to paragraph 2 Article 17 Act no. 90/2018, a registered person has the right to access personal information about him according to the instructions of Article 15. of regulation (EU) 2016/679. In paragraph 1 Article 15 The regulation stipulates, among other things, that the registered person shall have the right to receive confirmation from the responsible party as to whether personal information concerning him or her has been processed and, if so, the right to access the information. It also says in paragraph 3. same article that the responsible party must provide a copy of the personal information that is being processed.

The responsible party must take appropriate measures to ensure the transparency of information and notifications to the registered person according to the instructions of Article 12. of regulation (EU) 2016/679, cf. Paragraph 1 Article 17 Act no. 90/2018. According to paragraph 3 Article 12 of the regulation, the responsible party must provide the data subject with information on the actions taken as a result of the access request, without undue delay and in any case within a month of receiving the request. The deadline can be extended by an additional two months if necessary, taking into account the number of requests and their complexity. The responsible party must notify the data subject of such extensions within one month of receiving the request, together with the reasons for the delay.

In the comments to Article 17 in the bill that became law no. 90/2018 states, among other things, that it should be borne in mind that rights according to the provision must always be examined in light of the principles of Article 8. its The right of access of individuals is an unequivocal element of requirement 1. Paragraph 1 of that article, which stipulates, among other things, that when processing personal information, care must be taken that it is processed in a legal, fair and transparent manner towards the data subject.

It should also be taken into account that the aim of the personal protection legislation is, among other things, to promote the handling of personal data in accordance with the basic principles and rules on personal protection and privacy, cf. Paragraph 1 Article 1 of the Act and paragraph 2 Article 1 of the regulation. The right of access of registered persons is important in order to enable them to exercise other rights guaranteed to them according to the law and regulation, such as the right to correct and delete personal information and the right to object. Facilitates the right of access so that the aforementioned goal is achieved.

In the opinion of the Personal Protection Authority, the provisions of paragraph 3 should be clarified. Article 12 of regulation (EU) 2016/679, cf. Article 17 Act no. 90/2018, so that in the case of an individual's access request, the appropriate action of the responsible party consists in either granting or denying access to the data subject, cf. Paragraph 4 Article 12 of the regulation, including to take a substantive stance on the right to a copy of the personal information that the responsible party works with.

The complaint was accompanied by the complainant's email communication with the City of Reykjavík. The complainant requested, by e-mail on February 3, 2023, copies of his unemployment applications from the city together with their renewal and supporting documents. On the 20th p.m. sent the complainant part of the requested data in a locked document to the City of Reykjavík. On the 23rd p.m. The complaining city of Reykjavík sent a list of the documents that were still missing and confirmed its request. The complainant repeated that request since March 6, 2023. On 10 a.m. seven additional documents were sent to the complainant and she was informed that no further documents could be found either at the school and leisure department, the city archives or the City Archives.

In its implementation, the Personal Protection Authority has taken the view that the data subject's right to access data according to the aforementioned provisions only extends to existing personal information, cf. the institution's ruling from 28 November 2019 in case no. 2018/1443.

From the above, it is clear that the complainant's access request has been answered and part of the requested data has been delivered in two locked documents. It is also stated in the e-mail communication between the parties that, despite a very extensive search, it was not possible to locate all the data and that it was not found by the city or the custodians. The complainant has therefore been provided with all the requested data available at the municipality and her access request has been included. The City of Reykjavík is therefore considered to have processed the request taking into account that limitation. As is the case here, it must be assumed that the City of Reykjavík has thereby fulfilled its obligation according to sentence 1. Paragraph 3 Article 15 of regulation (EU) 2016/679.

3.

Security of personal information

As mentioned above, there is also a complaint that the security of the complainant's personal information at the City of Reykjavík was inadequate. The complainant relies on the fact that, given that it was not possible to locate the data in question and provide her with a copy of it, it is clear that the security of the data was not adequate.

According to number 6 Paragraph 1 Article 8 Act no. 90/2018, cf. point f, paragraph 1 Article 5 of Regulation (EU) 2016/679, care must be taken when processing personal information that appropriate security of the information is ensured. The responsible party is responsible for ensuring that the processing of personal information always complies with this requirement and must be able to demonstrate this, cf. Paragraph 2 of the provisions. More detailed provisions on information security are in paragraph 1. Article 27 of the Act and Article 32 of the regulation. It states that the responsible party and the processor must take appropriate technical and organizational measures to ensure adequate security of personal data, taking into account the latest technology, the cost of implementation, the nature, scope, context and purpose of the processing and risks, unlikely and of varying severity, to the rights and freedoms of individuals. Then it says in the 2nd paragraph Article 32 of the regulation that when assessing adequate security, the risk that the processing entails with regard to the unintentional or illegal deletion of personal data that is sent, stored or processed in another way, or that it is lost, changed, published or given access to them without permission.

From the above, it is clear that the City of Reykjavík must ensure appropriate information security when processing personal information, i.e. both during the preservation of the information and by making it available to the data subject when requested. Among other things, this requirement requires the City of Reykjavík to take appropriate and acceptable measures aimed at preventing data from being lost, being unintentionally deleted or unauthorized access being granted.

Regarding the level of requirements for information security in the custody of the City of Reykjavík, according to the aforementioned provisions of the personal protection legislation, it must be considered that the City of Reykjavík, as in the case here, worked among other things. with information about the complainant's state of health and is therefore sensitive personal information, cf. b-point 3. no. Article 3 Act no. 90/2018.

It is known that the City of Reykjavík could not locate all the requested data of the complainant, i.e. on m. data contained her sensitive personal information. It must therefore be considered that the above data has been lost, cf. Paragraph 2 Article 32 of regulation (EU) 2016/679. The city of Reykjavík is therefore not considered to have adequately ensured the security of the data.

Ruling:

The City of Reykjavík's handling of [A]'s request for access to personal information processed by the municipality was in accordance with the Act on Personal Protection and Processing of Personal Information, no. 90/2018, and Regulation (EU) 2016/679.

The City of Reykjavík has not taken appropriate technical and organizational measures to ensure adequate security of personal information [A] in accordance with section 6. Paragraph 1 Article 8 and paragraph 1 Article 27 Act no. 90/2018 on personal protection and processing of personal information, cf. point f, paragraph 1 Article 5 and Article 32 of regulation (EU) 2016/679.

Privacy, December 18, 2023

Þórður Sveinsson                        Rebekka Rán Samper