Persónuvernd - 2020010598

From GDPRhub
Revision as of 10:04, 26 May 2020 by AN (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo=LogoIS.png |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Iceland) |Case_Number_Name=20200105...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Persónuvernd - 2020010598
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 2(1) GDPR
Article 12(3) GDPR
Article 15(1) GDPR
Article 4 Act no 90/2018
Article 4 Act no 90/2018 on privacy and processing of personal information
Type: Complaint
Outcome: Rejected
Started:
Decided: 13.05.2020
Published: 20.05.2020
Fine: None
Parties: n/a
National Case Number/Name: 2020010598
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Persónuvernd (Icelandic DPA) decided that an alleged sending of an email, whose existence is not proven in the course of a complaint, does not fall within the material scope of Article 2(1) GDPR.

English Summary

Facts

Complainant “[A]” filed a complaint with the Persónuvernd, claiming that an email about [A] had been sent to the employees of a company by the company’s lawyer. [A] then requested a copy of the email, but the request was denied. According to the company, the sending of this email to its employees never took place.

Dispute

Does an an alleged sending of an email constitute processing of personal data under Article 2(1) GDPR?

If yes, did the company violate [A]’s right of access to their data under Article 15(1) GDPR?

Holding

The Persónuvernd held that the actions at issue in the complaint (ie the alleged sending of the email) could not be considered to be processing of personal data, because it had not been established that the actions forming the basis of the complaint had actually occurred.

Subsequently, the Persónuvernd held it had no grounds to decide on the question of whether the complainant’s right to access their data under Article 15(1) GDPR had been violated.


Comment

The Persónuvernd did note that had there been a case to examine, it would have considered that the company had complied with its obligations under Article 12(3) GDPR, by responding to the complainant's data access request within the required time period.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

(Machine translation by Google Translate)
"Intended processing of personal data by Siminn hf. and processing of access requests

The Persónuvernd received a complaint that Siminn's lawyer hf. has sent instructions in an email to the Company's employees concerning the complainant, as well as on the processing of the Company at his request for access to the said email. Siminn hf. declined to work with the complainant's personal information in the manner identified in the complaint. The Persónuvernd said words were contradictory as to whether the processed personal data had been processed and therefore it had no grounds for deciding whether personal data had been processed in the manner identified in the complaint. Therefore, the Data Protection Authority could not say that the complainant's rights had been violated according to Act no. 90/2018, on privacy and processing of personal information. In the conclusion of the Data Protection Authority, it is also stated that there is no dispute that Siminn hf. have taken a position on the complainant's access request within the legal time limit.

Ruling
On May 13, 2020, the Data Protection Authority issued a clear ruling in case no. 2020010598 (previously 2019030555):
I.
procedures

1.
Complaint and Procedure
On March 5, 2019, the Persónuvernd received a complaint from [A] (hereinafter referred to as the complainant) over the sending of an email about the complainant by the lawyer of Siminn hf. to other employees of the company and over the processing of Siminn hf. at his request for a copy of the said email. Furthermore, the complainant requests that his right to receive a decision from Siminn hf be waived.
By letter, date. On July 8, 2019, Siminn hf. announced the above complaint and the company provided the opportunity to comment on it. The company responded by letter, dated. August 16th By letter, date. 29, the complainant was given the opportunity to make comments regarding the reply from Siminn hf. The respondent responded by email on September 14th.
All of the above data have been taken into account in resolving the case, although not all of them are specifically explained in the following ruling.

2.
Complainant's point of view
The complaint is based on the fact that Síminn's lawyer hf. sent an e-mail to other employees of the company stating that it was prohibited to deliver to the complainant certain hardware. On September 26, 2018, the complainant went in search of Síminn hf. that he received a copy of the said email but his request was denied.
The complaint refers to the fact that the employees of Siminn hf. at certain of the company's offices, he stated that the above instructions had been emailed to them when he requested a dispatch there.

3.
The view of Siminn hf.
In the aforementioned letter from Siminn hf. states, among other things, that the company has taken a stand on the complainant's request for a copy of the said email on October 17, 2018, but in connection with the request, the company's privacy representative has examined whether the email had been sent. It turned out that such communications had not taken place within the company. This has also been traced in the company's response to the complainant's request for a copy of the said email. It has also been pointed out that the company considers that such communications in general would be considered work documents and therefore exempt from access rights.
Then Siminn hf. the complainant [works with] competitors of Síminn hf. and that he had been denied access to equipment from Siminn hf. to serve [customers of the complainant company]. [...] The Company's Legal Department emphasizes that the Company's employees do not hand over its assets to parties who are not authorized to access them but have not been sent special instructions to staff.
Therefore, no processing of personal information about the complainant has been carried out by e-mail as described in the complaint. In this context, reference is made to Article 4. Act no. 90/2018 on privacy and the processing of personal information, which concerns the material scope of the Act.

II.
Assumptions and conclusion

1.
Case delimitation
The complaint that is being considered in this case, on the one hand, relates to the sending of an email about a complainant from the lawyer of Siminn hf. to other employees of the company and the refusal of the company to send the complainant a copy of the said email. However, the complaint relates to the complainant being barred from doing business with Síminn hf.
With regard to the authority of the Data Protection Authority, cf. discussion in the next section, this ruling is limited to the processing of complainant's personal information by Siminn hf. and the complainant's right to access the information in question. On the other hand, the ruling does not apply to the complainant's trade with Siminn hf.

2.
Conclusion
Scope of Act no. 90/2018, on privacy and processing of personal information, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of partially or fully automated personal information and the processing of methods other than automatic processing of personal data that is or should be part of a file.
The complainant considers that an email was sent about himself between the employees of Siminn hf. but the company has denied that it has been. According to this, word is against whether the processing of personal data being complained about and the request for access of the complainant took place. With this in mind, the Data Protection Authority has no grounds for deciding whether Síminn hf. has dealt with the complainant's personal information in the manner stated in the complaint and at the same time whether the complainant had the right to access the personal data in question. It cannot therefore be asserted that the complainant's rights were violated in accordance with Act no. 90/2018, on privacy and processing of personal information.
Although it has not been established that the processed complaint has been carried out, the Data Protection Authority considers it right to point out that, without a dispute, the complainant's request for access to the said email was processed within a month of receiving Siminn hf. The company therefore took a stand at the request of the complainant within the time limit provided for in the third paragraph. Article 12 Regulation (EU) 2016/679, cf. Paragraph 1 Article 17 Act no. 90/2018.

You can do this:
It is not known that personal data on [A] has been processed by Siminn hf. who violated his right under Act no. 90/2018, on privacy and processing of personal information.

In Privacy, May 13, 2020"