Persónuvernd - 2020010584

From GDPRhub
Revision as of 07:42, 2 October 2020 by Mh (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo=LogoIS.png |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Iceland) |Case_Number_Name=20200105...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Persónuvernd - 2020010584
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 6(1)(e) GDPR
Article 13 GDPR
Article 102(2)(1) Local Auhtorities Act 138/2011
Article 13(1) Information Act 140/2012
Article 31 Planning Act 123/2010
Article 40 Planning Act 123/2010
Article 41 Planning Act 123/2010
Article 9(5) Act 90/2018
Article 17(2) Act 90/2018
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: None
Parties: City of Reykjavík
National Case Number/Name: 2020010584
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA (Persónuvernd) established that the publication of the complainant's comment on a planning proposal on the City of Reykjavík's website infringed the national Act 90/2018 and the GDPR. There was no legal basis for processing the comment, which contained the complainant's personal data, and no information was given to the complainant prior to processing.

English Summary

Facts

On the 25th September, the complainant filed a complaint to the Icelandic DPA (Persónuvernd) concerning the publication of his/her personal information on the City of Reykjavík’s website. The City of Reykjavík’s website published the complainant’s comment on a proposal by the Environment and Planning Council. This comment contained information revealing the complainant’s name and ID number.

After an exchange with the City of Reykjavík, the complainant complained that there was a violation of Act 90/2018. The complainant also argued that the City of Reykjavík failed to warn him/her that the comment would be published on their website.

The City of Reykjavík exchanged letters with the complainant to provide an explanation for its actions. It mentioned that the comment was published in order to comply with Article 40 Planning Act 123/2010, which requires them to publish submitted comments unchanged along with the Minutes of the Planning and Transport Council. Therefore, the City of Reykjavík argued that there was a legal basis for the processing of personal data. The City of Reykjavík also stated that it was working on the implementation of Act 90/2018 and assessing whether it was appropriate to publish such personal information.

Dispute

Does the publication of a comment revealing its author's personal data on the City of Reykjavík website and without having warned the data subject prior to its publication, breach Article 6 and 13 of the GDPR?

Holding

The Icelandic DPA outlined the relevant national law applicable in this context. It referred to the Local Government Act 138/2011 which establishes that the local government must ensure that inhabitants of the municipality can participate in and influence the management of the municipality and strategic planning. This can be achieved by providing active information (Article 102(2)(1) Local Authorities Act 138/2011). It also mentioned Articles 31, 40 and 41 Planning Act 123/2010, which establish that inhabitants have the opportunity to submit comments that will be responded to by the relevant authority. Finally, it highlighted that neither the Local Government Act nor the Planning Act elaborate on the publication of comments on the Internet by the Authorities. However, it drew attention to the Information Act 140/2012 which provides that the government shall provide information to the public about its activities on a regular basis (Article 13(1) Information Act 140/2012). According to Article 13(2) of the same Act, the government must make documents and cases accessible online as soon as possible.

As a result of the applicable national law, the Icelandic DPA stated that the City of Reykjavík would only be able to rely on the basis that it was necessary for the public interest pursuant to Article 9(5) Act 90/2018 (Articles 6(1)(e) GDPR). However, publishing the complainant's ID number and name could not be considered necessary for the public interest. This is because publishing the information was for the purpose of increasing transparency in public authorities with regards to their procedures. Revealing the complainant’s personal information does not achieve that purpose. Therefore, the City of Reykjavík did not have a legal basis for publishing the complainant’s personal information.

The Icelandic DPA also held that the City of Reykjavík did not provide information to the complainant regarding the publication of the comment. Therefore, the City of Reykjavík did not comply with Article 17(2) Act 90/2018 (Article 13 GDPR).

The Icelandic DPA therefore proposed that the City of Reykjavík remove the complainant's personal information on the relevant comment published on their website. It also requires that the City of Reykjavík provide appropriate information pursuant to its obligations under Article 17(2) Act 90/2018 (Article 13 GDPR) in the future.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details. 

Publication of the City of Reykjavík submitted the complainant's comment on the city's website
Case no. 2020010584

25.9.2020

Privacy has ruled in a case where a complaint was made about the publication by the City of Reykjavík of a submitted comment the complainant regarding the Environment and Planning Council's proposal for a specific local plan on its website, but it contained his name and ID number. Conclusion Privacy was that the publication as such could be considered permissible on the basis of 5. tölul. Article 9 Act no. 90/2018, i.e. in the public interest. However, had lacks the authority under the law to publish information on the complainant's ID number. It was the conclusion that the Data Protection Authority had not complied with the principles of the Act during the processing, but the Data Protection Authority referred to the fact that no care had been taken a condition of transparency where the obligation to provide education had not been respected by them of the city. In that regard, it was not considered appropriate to consider that the complainant had gained knowledge of the publication on the basis that it was based on applicable law, cf. the exceptional provisions of the fourth paragraph. Article 13 Regulation (EU) 2016/679. It was therefore for the City of Reykjavík to erase the complainant's ID number and provide henceforth education in accordance with the Privacy Act and the Regulation.
Ruling


On August 27, 2020, the board of the Data Protection Authority issued a ruling in the case no. 2020010584 (formerly 2018111586):
I.
Procedure

1.
Complaint and correspondence

Privacy received a complaint from [A] (hereinafter) named complainant), dated September 25, 2018, over the publication of personal information about him on the City of Reykjavík's website. More specifically, it was a publication of submitted the complainant's comment on the Environment and Planning Council's proposal to a specific local plan, but the comment contained the complainant's name and ID number. The complaint is directed to the City of Reykjavík and the complainant considers the publication to be infringing in violation of the Privacy Act and the provisions of the Constitution on privacy.

By letter dated May 9, 2019, var The City of Reykjavík offered to provide explanations regarding the complaint. By e-mail, dated May 16 2019, the privacy representative of the City of Reykjavík referred to a reply letter The City of Reykjavík and the Privacy Officer from 13 and 14 May 2019 in the case due to another complaint of the complainant, dated 17 September 2018. By letter dated On 22 May 2019, the complainant was invited to comment on the answers received Of the City of Reykjavík. By e-mail, dated June 1, 2019, received a reply letter complainant.

The resolution of the case has been taken into account to all of the above data, although not specifically disclosed all in the following ruling.

Treatment of the case has been delayed due to heavy work at the Data Protection Authority.
2.
Point of view complainant

The complaint is based on the fact that the publication has taken place in violation of Act no. 90/2018 on personal protection and processing of personal information and also that it contravenes Article 71. of the Constitution on immunity privacy.

The complainant believes that the City of Reykjavík has failed her obligation to provide information, as she did not inform the complainant of that comment his would appear verbatim on the City of Reykjavík's website before he sent her in or after that. The City of Reykjavík has not yet removed the document publication. The complainant refers to a comment in a letter from the City of Reykjavík stating that the city considers it appropriate, after consideration, to examine in more detail whether the publication of the submissions notes that contain personal information, such as name, address and ID number, on the Internet is necessary to achieve the legitimate purpose of a process of public consultation. In that regard, he seeks answers to it why the City of Reykjavík, which itself doubts this act, has the documents still public on the Internet. The complainant considers it unnecessary to publish the ID number of the people in the case like this on the Internet, despite the City of Reykjavík's views on transparency.
3.
Point of view Of the City of Reykjavík

Í The City of Reykjavík's reply letter is based on the fact that the comments were published part of the processing of personal data due to statutory consultation in making local planning, cf. Article 40 of the Planning Act no. 123/2010, but the implementation has be the one to submit submitted comments unchanged with other accompanying documents in Minutes of the Planning and Transport Council. Publication of the comments as supporting documents with the minutes had been a part of transparent administration and the provision of information of those concerned, both elected representatives, the public and stakeholders. The processing was therefore based on legal authority, cf. 3. tölul. Article 9 Act no. 90/2018, in addition, it can be argued that it can also rely on point 5. the same articles where a transparent consultation process in the preparation of zoning plans is in the interest public interest.

Í the letter then states, in connection with Art. Act no. 90/2018, to the City of Reykjavík considers, as a matter of fact, that it is appropriate to examine in more detail whether the publication of the submissions comments containing personal information, such as name, address and ID number, on the Internet is necessary to achieve the legitimate purpose of a process of public consultation. The letter states that the City of Reykjavík is working that the implementation of the Privacy Act and part of that work involves map all processing of personal information (by making processing files), review whether it meets the requirements of the law and make changes to procedures where applicable needed. Examining the publication of the data in question on the Internet is part of that work. Í In light of the complaint, it had been decided to stop publishing the receipts comments with minutes on the Internet until otherwise decided.

Í The letter finally states that the City of Reykjavík has so far not done so may submit comments stating that they will be published unchanged on The Internet. The above work on the implementation of the privacy law in the city also consider the obligation to provide information to the data subject be fulfilled and to change the implementation and procedures accordingly.

No is considered a reason to trace the letter of the City of Reykjavík's Privacy Officer in more detail but what has been stated in this ruling has been taken into account, e.g. and previously stated.
II.
Assumptions and result

1.
Legal separation

Law no. 77/2000, on personal data protection and handling, which were in force when the personal information in question was first published, it was replaced by Act no. 90/2018, on personal data protection and processing, which entered into force on 15 July 2018. They also enacted the Privacy Regulation, (EU) 2016/679, as adapted and incorporated into the EEA Agreement.

There as this complaint focuses on a situation that still exists, where the complainant's personal information is still available on the City of Reykjavík's website, in addition, the rules of the law on personal data protection that have been tried have not changed substantively with the entry into force of new laws, the matter will be resolved on the basis of law no. 90/2018.
2.
Scope - Responsible party - Delimitation of case

Scope of Act no. 90/2018, um personal protection and processing of personal information, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 39. gr. of the Act, covers the processing of personal information that is partially or in automatic whole and processing by methods other than automatic on personal information that is or should become part of a file.

Personal information includes information about a personally identifiable or personally identifiable individual and is considered person identifiable if it is possible to identify him, directly or indirectly, with reference to his identity or one or more elements as characteristic are for him, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.

By processing is meant action or a series of operations in which personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.

This case concerns processing personal information about the complainant on a website Of the City of Reykjavík. In this respect and in the light of the above provisions This case concerns the processing of personal data which falls within the jurisdiction Privacy.

The person responsible for processing personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or another party who decides alone or in collaboration with other purposes and methods in the processing of personal information, cf. 7. tölul. Article 4 of the Regulation. With taking into account the case documents, the City of Reykjavík is considered to be responsible for it processing concerning the publication of the complainant's personal information on the city's website.
3.
Legality of processing
3.1.
Authorization for processing personal information

All processing personal data must be covered by one of the authorization provisions of Article 9. Act no. 90/2018, Coll. Article 6 Regulation (EU) 2016/679. In terms of publication The complainant's personal information on the City of Reykjavík's website is mainly used of the examination of point 3. Article 9 of the Act, cf. paragraph 1 (c) Article 6 of the Regulation, which authorizes the processing of personal data if it is necessary to fulfill legal obligation resting on the responsible party, and point 5. Article 9 of the Act, cf. point e Paragraph 1 Article 6 of the Regulation, which authorizes processing if it is necessary for work carried out in the public interest or in the exercise of official authority which the guarantor goes with. The basis of the processing to be requested shall be laid down on the basis of the latter authority, in law, cf. Paragraph 3 Article 6 of the Regulation.

In assessing whether the publication information about the complainant on the City of Reykjavík's website is considered permissible according to the above may thus need to take into account provisions in other applicable laws each time. In Article 102 Local Government Act no. 138/2011 states that the local government shall seek to ensure the possibilities for the inhabitants of the municipality to participate in and influence the management of the municipality and the preparation strategic planning. The influence of the population can be ensured, among other things, through active information provision to the population, cf. 1. tölul. Paragraph 2 the same provision.

In Article 40 of the Planning Act no. 123/2010 deals with, among other things, statutory consultation of the local government with residents and other stakeholders on local planning proposals. Of Articles 40 and 41 of the law, sbr. also Article 31. of them, leads to the above parties being given the opportunity to submit comments within a certain time limit and a position shall be taken the comments by the relevant authority. Neither in Act no. 123/2010 no in Planning Regulation no. 90/2013, which is set on the basis of the law and includes sees a more detailed elaboration of their implementation, deals with the publication of submissions comments on the Internet by the relevant authority.

However, it should be considered Information Act no. 140/2012 and their goal, which is to ensure transparency administration and in the treatment of public interests, inter alia for the purpose of strengthen the right to information and freedom of expression as well as public trust in it the administration, cf. Article 1 of the law. In the first paragraph. Article 13 their says that the government shall provide information to the public on a regular basis its activities, such as the electronic publication of reports, summaries of important project or publication of other data. Then it says in the 2nd paragraph. the same provision that the government shall work systematically to make lists of cases, lists of case documents, and the documents themselves are immediately accessible electronically. On the other hand states in the same provision that care shall be taken that publication does not go against private or the public interest. Then it says in Article 11. of the Act that access may be granted to data to a greater extent than is required by law, provided that there are other legal rules therefore not in the way, including the provisions of the law on confidentiality and privacy. Eins and is referred to in the comments on Article 13. a bill to the law results from this rule, and the unconstitutional rule underlying the provision, that the government may, on its own initiative, decide to make a significant public publication of the information they possess, subject to the aforementioned limitations.

With reference to the above counts Privacy of the processing in question, which consisted in the publication of the complainant's comment local planning proposal on the City of Reykjavík's website, can be considered a home on them on the basis that it is necessary for work carried out in the public interest, sbr. 5. tölul. Article 9 Act no. 90/2018, Coll. also point e of the first paragraph. Article 6 Regulation (EU) 2016/679.

Regarding the publication of the complainant's ID number in particular is to look at the ID number information are considered general personal information and their publication is therefore generally the same views and outlined above. The publication of the information is therefore required rely on one of the authorizations listed in Article 9. Act no. 90/2018, sbr. Article 6 Regulation (EU) 2016/679.

In view of the circumstances of the case of this, it is not considered possible to accept the publication of information on the complainant's ID number was considered necessary for the purpose of the processing. This is especially true that the purpose of the processing is to increase transparency in the administration, in this case with regard to the procedure and processing of the City of Reykjavík's planning proposals, but it will not be seen that the complainant's ID number is relevant in that connection. Then it's processing authorizations listed in Article 9. of the Act, however, all reserve that the processing is necessary, with the exception of point 1. of the provision authorizing processing on the basis of the consent of the data subject, but such consent does not exist for. It must also be considered that the responsibility of the responsible party is to review the material submitted comments before their publication and make sure the publication complies with law, cf. Paragraph 2 Article 8 of the Act, cf. Paragraph 2 Article 5 of the Regulation (ESB) 2016/679.

With reference to the above The Data Protection Authority considers that even though the complainant himself entered his ID number its application to the City of Reykjavík, the municipality lacked permission to publish information about the complainant's ID number in his comment on a website of the city.
3.2.
Principles of processing personal information

Auk authorization according to the above, the processing of personal information must be satisfied all the principles of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 of the Regulation (ESB) 2016/679. Among other things, it stipulates that personal information shall processed in a lawful, fair and transparent manner towards the data subject (1. tölul.); that they shall be obtained in clearly defined, lawful and objective terms purpose and not further worked for other and incompatible purposes (paragraph 2); and that they should be adequate, appropriate and not in excess of what is necessary based on the purpose of the processing (item 3).

We assessment of whether the condition of transparency is met, it is necessary to consider 2. mgr. Article 17 Act no. 90/2018 and Article 13. Regulation (EU) 2016/679, but according to the latter provision, the responsible party must inform the data subject certain items when personal information is obtained from him. Among otherwise the data subject must be provided with information on recipients or categories recipients of the information, if any. The obligation to teach does not exist, however present if and to the extent that the data subject has already become aware of them matters that must be informed on the basis of the provision, cf. Paragraph 4 Article 13 of the Regulation. It is therefore necessary to assess whether, and to what extent, the complainant had become aware that his submitted comment would be published unchanged on the website of the City of Reykjavík.

Then which is previously traced is provided for in the second paragraph. Article 13 Information Act no. 140/2012 that the government shall work systematically to make records of cases, a list of case documents and the data itself is immediately accessible electronically. Í comments on the provision in the bill to the law is specified that has not been proposed with the bill that a general rule on the obligation of the government be enacted to publish a list of cases or documents in their possession, rather, the provision stipulates that the government shall work systematically on this publication. Accordingly, it must be considered that the provision in question contains the Information Act does not imply a direct obligation to publish case documents but only an authorization to do so such publication, taking into account the exceptional rules in the same law. Then is to consider the information that the responsible party must explain to the other registered from according to 1.-3. mgr. Article 13 of Regulation (EU) 2016/679 will not be employed by the cited provisions of the Information Act except to a limited extent. Obligation of the responsible party according to Article 13 of the Regulation, when information is obtained from the data subject himself, will therefore generally not be met by reference to law. For comparison, Article 14 specifically states. Regulation (EU) 2016/679, which deals with the information that must be provided immediately personal information has not been obtained from a registered person, subject to educational obligation according to the provision is not present if and to the extent clearly prescribed on the collection or dissemination of the information in the law of the Member State to which the responsible party belongs under and which provide for appropriate measures to protect legitimate interests of the registered.

According to Paragraph 2 Article 8 Act no. 90/2018, Coll. Paragraph 2 Article 5 Regulation (EU) 2016/679, the responsible party is responsible for compliance with the principles of the law in the processing of personal data and shall be able to demonstrate this. That is a duty to be able to demonstrate what knowledge the data subject has already acquired, how and when it was granted and that no changes were made that had as a result of which knowledge becomes obsolete.

With with reference to all of the above, it is not considered appropriate to consider that the complainant has became aware of the publication on the basis that it had a basis in it applicable law. It is also clear that the City of Reykjavík did not provide information complainant that his comment would be published unchanged on the Internet, but in responses the city stated, among other things, that such information had not been forthcoming been granted. The conclusion of the Data Protection Authority is that the City of Reykjavík has not comply with the provisions of Article 13. of Regulation (EU) 2016/679, cf. Paragraph 2 Article 17 fix no. 90/2018, Coll. also a reservation in point 1. Paragraph 1 Article 8 of the Transparency Act in the processing of personal information.

In Article 42 Act no. 90/2018, Coll. also the second paragraph. Article 58 of the Regulation deals with instructions Privacy on remedial action. In Article 42 of the Act states that Privacy may prescribe remedial measures, including giving an instruction that the responsible party conducts processing operations in accordance with the provisions of the Regulation, as appropriate, in a specific manner and within a specific time, cf. Number 4 of the provision and point d of the second paragraph. Article 58 of the Regulation, and restricted or prohibited processing temporarily or permanently, cf. 6. tölul. of the provision and point f of the second paragraph. Article 58 of the Regulation.

With reference to of the above, it is proposed that the City of Reykjavík delete the complainant's ID number his comment on the zoning proposal published on the city's website. Then is proposed for the City of Reykjavík to provide education in the future in accordance with Article 13. of Regulation (EU) 2016/679, cf. 1. tölul. Paragraph 1 Article 8 and the second paragraph. Article 17 Act no. 90/2018, due to the planned publication of comments on planning proposals. The City of Reykjavík shall send the Data Protection Authority confirmation of this that the instructions have been followed, together with a description of how they will be carried out to the training, no later than 24 September 2020.
Ruling:

The City of Reykjavík's processing of personal information [A] did not comply with Act no. 90/2018, um privacy and processing of personal data and Regulation (EU) 2016/679.

It is proposed that the City of Reykjavík delete the ID number [A] from his comment with a local planning proposal published on the city's website. Then it is proposed The City of Reykjavík will henceforth provide education in accordance with Article 13. of Regulation (EU) 2016/679, cf. 1. tölul. Paragraph 1 Article 8 and 2. mgr. Article 17 Act no. 90/2018, due to the planned publication of comments on planning proposals. The City of Reykjavík shall send the Data Protection Authority confirmation of this that the instructions have been followed, together with a description of how they will be carried out to the training, no later than 24 September 2020.

In Privacy, August 27, 2020

Björg Thorarensen
chairman

Ólafur Garðarsson Björn Geirsson


Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson
Retrieved from "https://gdprhub.eu/index.php?title=Persónuvernd_-_2020010584&oldid=11456"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki