Persónuvernd - 2020010646

From GDPRhub
Persónuvernd - 2020010646
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 15 GDPR
Type: Complaint
Outcome: Rejected
Decided:
Published: 10.02.2021
Fine: None
Parties: n/a
National Case Number/Name: 2020010646
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA (Persónuvernd) has ruled that the National Commissioner of Police had been allowed to refuse to give information about which employees looked up complainant's personal data in the case file system, LÖKE. However, the Commissioner was requested to provide information about which responsible parties were looking for complainant's personal data.

English Summary[edit | edit source]

Facts[edit | edit source]

The DPA received a complaint on the National Commissioner of Police's refusal to consider the complainant's request for information on who had searched the his personal data in the police case file, LÖKE, according to specified case number.

Dispute[edit | edit source]

Holding[edit | edit source]

The DPA concluded that the National Commissioner of Police was authorized to refuse the complainant information about which employees of the office looked him up in his electronic case file system.

On the other hand, the DPA stated that the National Commissioner of Police was not allowed to refuse the complainant information about which responsible parties were looking for personal information about him in the case file system. With reference to point 3. Article 42 Act no. 90/2018, it is proposed that the National Commissioner of Police provide the complainant with the information in question.

Finally, the DPA concluded that the procedural time of the National Commissioner of Police in processing the complainant's request for information was in accordance with Act no. 90/2018, Coll. Regulation (EU) 2016/679, and Regulation no. 322/2001.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

The right of an individual to information on searches in the case file system of the National Commissioner of Police (LÖKE)
Case no. 2020010646
10.2.2021
The Data Protection Authority has ruled in a case in which the National Commissioner of Police's response to an individual's request for information regarding searches in the Office's case file system, LÖKE, and the processing time of the request was attempted. The Data Protection Authority came to the conclusion that the National Commissioner of Police had been allowed to refuse the complainant information about which employees looked up his personal information in the system according to the specified case number. On the other hand, the Office should have provided the complainant with information about the disclosure of his personal information carried out in accordance with the specified case number by other responsible parties. Finally, the Data Protection Authority considered that the procedure of the National Commissioner of Police had complied with the law.

Ruling

On January 28, 2021, the Board of the Data Protection Authority issued a ruling in case no. 2020010646 (formerly 2019071342):


I.
Procedure

1.
Outline of proceedings and proceedings
On July 3, 2019, the Data Protection Authority received a complaint from [B]'s lawyer on behalf of [A] (hereinafter the complainant) about the National Commissioner of Police's processing of the complainant's request for information on who had searched the complainant's personal information in the police case file, LÖKE, according to [specified case number. ] where the complainant was the defendant, as well as over the processing time of the request. The complaint was accompanied, among other things, by a copy of the complainant's request to the National Commissioner of Police, dated 3 May 2019, and a copy of the office's decision, dated 24. sm

By letter dated On November 8, the National Commissioner of Police was notified of the complaint and invited to comment on it. The answer was by letter dated. December 4, s.á. By letter dated On 25 March 2020, a reply letter from the National Commissioner of Police was sent to the complainant and he was invited to submit comments. The complainant replied by letter dated 31. cm By letter dated On 16 April this year, the Data Protection Authority requested further information from the National Commissioner of Police. The answer was by letter dated. 13 May s.á. By letter dated On 21 July this year, a reply letter from the National Commissioner of Police was sent to the complainant and he was invited to submit comments. The answer was by letter dated. August 10 s.á.

All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.

The handling of the case has been delayed due to significant concerns at the Data Protection Authority.

2.
The complainant's views
According to what is stated in the complainant's case, he submitted a request on 28 February 2019 to receive an overview of all searches in the police case file system, LÖKE, from the chief of police in the capital area. The request was first answered on April 30, i.e. in the sense that the system was run by the National Commissioner of Police and that requests for an overview of searches in the case file should be directed there. The complaint was sent to the National Commissioner of Police and subsequently repeatedly four times, until the complainant received the refusal of the office, dated. May 24 s.á. For the reasoning of the National Commissioner of Police for the refusal, see the next section.

The complaint states that the complainant's request had been processed on the basis of Regulation no. 322/2001, on the processing of personal information by the police, which was enacted during the period of validity of the previous Act no. 77/2000, on personal protection and handling of personal information. Current law no. 90/2018, on personal data protection and the processing of personal data, on the other hand, provides for more extensive rights for registered individuals to protect their rights than those provided for by older laws. Reference is also made to Article 15. Regulation (EU) 2016/679, which concerns the right of access of registered persons, and point 63 of the preamble to the Regulation and the complainant's position stated that this results in his right to information on the involvement of individual police officers in investigating a complainant in a specified police case.

The complainant points out that according to the then temporary provision III in Act no. 90/2018, the Act applied to the processing of personal information concerning the state's activities in the field of penitentiary. Provisional Provision II also stipulates that Regulation no. 322/2001 shall remain in force, provided that it does not contravene Act no. 90/2018. The complainant considers it clear that the National Commissioner of Police's refusal of his request, with reference to a restrictive interpretation of the provisions of point 3. Paragraph 1 Article 8 of Regulation no. 322/2001, has violated his right according to Act no. 90/2018 and Act no. 75/2019, on the processing of personal data for law enforcement purposes, which implements Directive (EU) 2016/680.

Finally, the complaint refers to the provisions of Article 13. Act no. 75/2019, which concern the right of registered individuals to access information and restrictions on access. The complainant considers that they do not in any way change his right to access the requested information.

In the complainant's letter to the Data Protection Authority, dated March 31, 2020, states, among other things, that he believes that his claim should be resolved on the basis of the legal rules that were in force when the decision of the National Commissioner of Police in question was made. If Act no. 75/2019 is considered to be considered in resolving the case, try the provisions of Article 13. of them, but in the comments of the National Commissioner of Police only reference is made to Art. of the Act, which the complainant considers cannot obstruct or interfere with the fundamental rights of individuals according to Art. The exemptions from the right of access laid down in paragraph 3 (a) of ac. Article 13 Act no. 75/2019, does not apply in this case.

In the complainant's letter to the Data Protection Authority, dated August 10, 2020, states that the complainant does not consider it relevant whether he has been looked up in the case file system by his ID number or by case number. It is the responsibility of the police to show that the search was made for a specific and limited purpose, which as the case may not have been related to the complainant. It is unacceptable for the police to evade the provisions of Act no. 75/2019 by simply using the case number when searching the case file system instead of the ID number of the person in question.

The letter also states that the conclusion of the National Commissioner of Police seems to be based solely on views on the protection of the employees who use LÖKE and not on the rights of the data subject. The purpose of the Privacy Act is to encourage the authorities to handle personal information in accordance with the basic principles and rules on privacy and privacy. Their provisions are set to protect registered individuals and not employees of the authorities. It is clear that the complainant's rights outweigh the interests of police officers in keeping the searches secret. In addition, the provision of such information is necessary.

3.
The views of the National Commissioner of Police
In a letter from the National Commissioner of Police, dated December 4, 2019, reference is made to the premises of the decision of the office that is being discussed here. The decision of the National Commissioner of Police, from 24 May this year, states that in the ruling of the Data Protection Authority in case no. 2004/144 states that the then applicable provisions of point 3. Paragraph 1 Article 18 Act no. 77/2000, on personal protection and handling of personal information, which was identical to the provisions of point 3. Paragraph 1 Article 8 of Regulation no. 322/2001, did not apply when information was received between individual employees of the same responsible party. In the ruling of the Data Protection Authority from 8 March 2017 in case no. 2016/835 further states that the above provisions apply to the dissemination of personal information from the responsible party to external parties. In light of this, employees who have access to the case file of the police due to their work were not considered recipients, according to 3. tölul. Paragraph 1 Article 8 of Regulation no. 322/2001. On this basis, the complainant had been denied access to information on which employees had looked him up in the case file.

The decision also states that it is technically possible to provide the complainant with information about all the employees who have looked him up and the times and number of views. It is the responsibility of each office to monitor the searches of its employees and, as appropriate, to request that employees report the searches. Chiefs of Police and heads of institutions who have access to the case file system can access information on the searches of their employees.

The aforementioned letter from the National Commissioner of Police also refers to the first paragraph. Article 25 Act no. 75/2019, on the processing of personal data for law enforcement purposes, which stipulates that an action registration system shall be used to ensure the traceability of actions in the information systems maintained by the competent authorities for law enforcement purposes. According to the bill, the law refers to all files kept in the LÖKE information system of the National Commissioner of Police. The second sentence of the provision exhaustively lists the purpose for which information from the action register may be used. The cases specified therein do not apply to the complainant's request.

The National Commissioner of Police also points out that the complainant can request an overview of the searches of individual offices on the complainant's ID number in the case file system, as such a search protected him alone. An overview of offices' searches of case numbers may, however, concern others, in addition to which such searches do not have to be related to certain individuals who have been registered in cases. Therefore, such information of the complainant is irrelevant. Since none of the cases listed in paragraphs 1 Article 25 Act no. 75/2019, the complainant should be refused an overview of the offices that have looked up the case number specified by the complainant.

In a letter from the National Commissioner of Police to the Data Protection Authority, dated 13 May 2020, it is reaffirmed that the office makes a distinction between searches in the case file system by ID numbers and case numbers, as searches by case numbers do not have to be related to the person of the individuals who have been registered under the case. It also states that the National Commissioner of Police considers other offices to be responsible for the processing of personal information that is part of their disclosure in the case file system. Complaints regarding suspected illegal searches must therefore be directed to the relevant offices.

The letter also states that if information were passed on about the names or ID numbers of employees who had looked up individual case numbers in the case file system, and times, or such information made available to the complainant, an unsubstantiated suspicion of employees' breach of trust could arise. It is therefore necessary to limit the complainant's right to information with reference to Article 9. of Regulation no. 322/2001 and point c of the third paragraph. Article 13 Act no. 75/2019.

II.
Assumptions and conclusion

1.
Delimitation of a case
This case concerns the National Commissioner of Police's processing of the complainant's request for information on those who looked up his personal information in the Office's case file system according to a specific case number, as well as the National Commissioner of Police's procedure for processing the request.

2.
Scope - Legal Transition
Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him / her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 Act no. 90/2018 and point 1. Article 4 of the Regulation.

According to para. Article 4 Act no. 90/2018, the Act and Regulation (EU) 2016/679 do not apply to the processing of personal data by the state in preventing, investigating, prosecuting or prosecuting criminal offenses or enforcing criminal sanctions. On the other hand, it should be noted that when the complainant's request was received by the National Commissioner of Police, on 3 May 2019, certain provisions of the Act on the processing of personal data concerning the state's activities in the field of penitentiary, cf. Provisional Provisions III, including Articles 3 and 39 and Article 42. their. The provisions of Article 17 of the Act, which stipulates the right of access and information of individuals, was, on the other hand, not among the provisions that applied to such processing.

According to Temporary Provision II in Act no. 90/2018, hold regulations issued by the Minister on the basis of the previous Act no. 77/2000, on the protection of personal data and the handling of personal data, their validity does not contravene Act no. 90/2018 or Regulation (EU) 2016/679. In comments on the provision in the bill that became Act no. 90/2018 states that this is a collection of rules, some of which are of great significance, such as Regulation no. 322/2001.

It follows from the above that when the complainant's request was submitted to the National Commissioner of Police, his right to information according to Regulation no. 322/2001, which applied to the electronic processing of personal information by the police, cf. Article 1 her. According to the first paragraph. Article 39 Act no. 90/2018, the Data Protection Authority supervises the implementation of those laws, Regulation (EU) 2016/679, special provisions in laws that deal with the processing of personal data and other rules on the subject. It follows from this provision that the Data Protection Authority supervised the implementation of Regulation no. 322/2001.

It should also be noted that on 25 June 2019, Act no. 75/2019 on the processing of personal information for law enforcement purposes, which apply to the processing of personal information by the competent authorities which takes place for law enforcement purposes, cf. Paragraph 1 Article 3 of the Act, but the term personal information is defined in point 1. Article 2 Act no. 75/2019 in the same way as is done in Act no. 90/2018.

With Article 37 Act no. 75/2019, Temporary Provision III in Act no. 90/2018 was amended in such a way that the provisions of that law were not extended to the processing of personal information concerning the state's activities in the field of penitentiary. It is also to be considered that Regulation no. 322/2001 has now been deleted, cf. Paragraph 2 Article 10 of Regulation no. 577/2020 on police records and the processing of personal data for law enforcement purposes, which entered into force on 12 June 2020. According to para. Article 3 Act no. 75/2019, they apply to the processing of personal information that is partially or completely automated and to the processing by other methods than automatic processing of personal information that is or should be part of a file. According to the first paragraph. Article 30 Act no. 75/2019, the Data Protection Authority supervises the implementation of that Act, but the provision and the aforementioned provision of the first paragraph. Article 39 Act no. 90/2018 means that the Data Protection Authority also supervises the implementation of Regulation no. 577/2020. The Data Protection Authority is of the opinion that one of the things that must be examined in this case is whether the complainant can have a greater right to information about the processing of his personal information in the case file system of the police according to current law.

The Data Protection Authority considers it appropriate to consider that in the case file system of the National Commissioner of Police, personal information about the complainant is registered within the meaning of point 2. Article 3 Act no. 90/2018, 1. tölul. Article 4 Regulation (EU) 2016/679 and point 1. Article 2 Act no. 75/2019. The processing in question fell within the scope of Act no. 90/2018 and Regulation no. 322/2001 when the National Commissioner of Police processed the complainant's request but now falls within the scope of Act no. 75/2019 and Regulation no. 577/2020. In the light of the above and in the light of the above, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.

3.
Responsible party
The person responsible for the processing of personal information complies with Act no. 90/2018 and no. 75/2019 is named the responsible party. According to point 6. Article 3 Act no. 90/2018 refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 Regulation (EU) 2016/679. According to point 4. Article 2 Act no. 75/2019, the responsible party is considered to be the competent authority that determines, alone or in collaboration with others, the purpose and methods of processing personal information.

As such, the National Commissioner of Police is considered to be responsible for the processing involved in maintaining the police records provided for in Article 2. of Regulation no. 577/2020, Coll. before Article 2 of Regulation no. 322/2001, and by preserving and making the personal data of the complainant accessible to other responsible parties in the electronic case file system. In addition, the National Commissioner of Police is considered to be responsible for the processing of the complainant's own information on the complainant's personal information in the case file system, including their searches. On the other hand, the National Commissioner of Police will not be held responsible for the processing of the personal information in question by employees of other offices and institutions, such as for searches or registrations, according to the aforementioned law. In view of the above, as well as the fact that the complaint is directed only at the National Commissioner of Police,

4.
Legal environment
According to the first paragraph. Article 8 of Regulation no. 322/2001, a registered individual had, among other things, the right to receive information from the police about who received, had received or would receive information about him (cf. point 3 of the provision). According to para. the same articles, the police should provide written knowledge if requested. The application had to be processed as soon as possible and no later than within one month of receipt. The data subject's right of knowledge did not exist if it was inevitable that information would be kept secret due to police work or if it was necessary to protect the data subject himself or the rights or freedoms of others, cf. Article 9 of the Regulation.

According to para. Article 13 the current Act no. 75/2019, a registered individual has the right to confirmation from the responsible party as to whether personal information about him is processed and, if so, the right to access the personal information. In addition, a registered individual has, among other things, the right to receive information about the recipients of the information (cf. point c of the provision). A request for access may be refused in part or in full if it is deemed necessary, taking into account the legitimate interests and rights of the data subject, cf. Paragraph 3 the same articles, for the purpose specified in the provision. Among other things, the right of access may be restricted for the purpose of proceedings or other activities by a competent authority for law enforcement purposes (cf. point a of the provision), in the interests of national or public security (cf. point b of the provision) or to protect the interests of the data subject. (cf. point c of the provision).

4.1.
The complainant's right of access and information
In this case, it is tested whether the complainant had or is entitled to information from the National Commissioner of Police as to who was responsible for looking up his information in the office's electronic case file system. In this connection, the Data Protection Authority considers that it should be examined whether the complainant had or is entitled to information on which employees of the National Commissioner of Police have looked up a specified case, where the complainant was a defendant, in the Office's electronic case file system, cf. a discussion of responsibility for the processing of personal data referred to in Chapter II.3. in front. In the light of the case file, in the opinion of the Data Protection Authority, it is appropriate to also include in the request that it has dealt with information on which responsible parties have searched the complainant's personal information in the system according to a specific case number.

The provisions of the first paragraph. Article 8 of Regulation no. 322/2001 was unanimous 1-3. tölul. Paragraph 1 Article 18 older law no. 77/2000, on personal protection and handling of personal information. Accordingly, it should be assumed that the same views are sought in the interpretation of the provisions.

In the opinion of the Data Protection Authority, it will not be assumed that in the provisions of point 3. Paragraph 1 Article 8 of Regulation no. 322/2001 had the right of individuals to be informed of when information is received between individual employees of the responsible party, but the provision only applied to the right of individuals to be informed of the dissemination of personal information to other responsible parties. With reference to this, the complainant will not be considered to have been entitled to receive information from the action register of the National Commissioner of Police's case file system on the individual employees 'offices' information on those registered in the system, on the basis of the cited provision. Is that explanation in accordance with the ruling of the Data Protection Authority from 28 February 2005 in case no. 2004/144 and from 8 March 2017 in case no. 2016/835, which tested the rights of individuals according to point 3. Paragraph 1 Article 18 Act no. 77/2000, which was identical to the cited provision of Regulation no. 322/2001. The previous ruling stated, among other things, that information of this kind from the register of events contained personal information about employees and the dissemination of such information to external parties could have various consequences for the employees in question, such as an unsubstantiated suspicion of breach of confidentiality. The Data Protection Authority considers that the same views apply here, in addition to which such disclosure to the data subject on the basis of the provision could, in the Agency's opinion, have made it more difficult for the National Commissioner of Police to carry out his statutory role in favor of law enforcement. In addition, this explanation is in accordance with the ruling of the Data Protection Authority from 29 September 2020 in case no. 2020010601 and from 24 November 2020 in case no.

In its implementation, the Data Protection Authority has considered that the above-mentioned legal interpretation also implies that individuals are entitled to information from the National Commissioner of Police on which responsible parties have looked up their information in the case file system according to ID number, cf. the aforementioned ruling of the Data Protection Authority in case no. 2020010601. It is undisputed that the complainant can obtain that information from the National Commissioner of Police and the Data Protection Authority therefore does not consider it necessary to rule on the complainant's right. On the other hand, there is a dispute as to whether the complainant is entitled to information on which guarantors have looked up his personal information in the case file system according to the specified case number.

In the opinion of the Data Protection Authority, it must be assumed that by looking up the case number in the National Commissioner of Police's case file system, the responsible party will have access to the personal information registered there within the meaning of point 3. Paragraph 1 Article 8 of Regulation 322/2001. It cannot therefore be seen that the manner in which such searches were carried out regarding the complainant's right to information was significant. As a result, the complainant was entitled to information from the National Commissioner of Police as to which persons responsible had access to his personal information which was registered in the case file system by looking up the specified case number.

It is then examined whether the complainant can now have a greater right to information about searches in the case file system of the National Commissioner of Police on the basis of the provision of the second paragraph. Article 13 the current Act no. 75/2019.

According to comments on the provision in the bill that became Act no. 75/2019 is therefore intended to implement the provisions of 13-15. gr. of Directive (EU) 2016/680. The provisions of Article 14 of the Directive concerns the right of registered persons to access, which, inter alia, provides for the right of an individual to information on recipients or categories of recipients who have received personal data. In the opinion of the Data Protection Authority, the wording of the provision in question in the Directive is not broader in this respect than Article 12 (a). of Directive 95/46 / EC, which the first paragraph of Art. Article 8 of Regulation no. 322/2001 was materially based on. It cannot be seen that the definition of the term "recipient" has been substantially changed in this respect in Directive (EU) 2016/680. Finally, it should be noted that neither the wording of Article 13 Act no.

In view of the above, the Data Protection Authority considers that it must be assumed that the complainant does not have the right to receive information from the National Commissioner of Police's action file system on individual employees' searches of information about the complainant registered in the system, based on the cited provision. Is this explanation in accordance with the ruling practice of the Data Protection Authority, cf. the aforementioned ruling in cases no. 2020010601 and 2020010665.

It should be noted that since the information in question from the event registration is considered as such not the complainant's personal information, he will not be considered entitled to receive a copy of the information in question on the basis of the first sentence. Paragraph 2 Article 13 Act no. 75/2019.

4.2.
Procedure of the National Commissioner of Police
It will then be decided whether the procedural time of the National Commissioner of Police due to the complainant's request has complied with Regulation no. 322/2001 and Act no. 90/2018.

From the case file, it can be concluded that the complainant initially submitted a request to the Chief of Police in the capital area on 28 February 2019, which ended with the complainant having on 30 April this year. have been instructed to direct a request to the National Commissioner of Police for the information requested by the complainant. The complainant's request was sent to the National Commissioner of Police by e-mail on 3 May 2019 and was processed by the office on the 24th.

The Data Protection Authority considers that the second paragraph should be clarified. Article 8 of Regulation no. 322/2001 so that the term police has applied to any police department that was considered to be responsible for the processing of personal data within the meaning of point 6. Article 3 Act no. 90/2018 and that each responsible party had one month to process a request addressed to him according to the provision.

It follows from the above that the complainant's request was not considered to have been made to the National Commissioner of Police until 3 May 2019, even though the complainant had previously sent a request for the same information to another responsible party. Therefore, the deadline specified in the second paragraph began. Article 8 of Regulation no. 322/2001 does not apply to the National Commissioner of Police until the date in question. In this respect, and ensuring that the complainant's request was processed within one month of it being submitted, the Data Protection Authority considers that the National Commissioner of Police has processed the complainant's complaint within the time limit laid down in the second paragraph. Article 8 of the Regulation.

5.
Conclusion and instructions
In view of all the above, it is the conclusion of the Data Protection Authority that the National Commissioner of Police was authorized to refuse the complainant information about which employees of the office looked him up in his electronic case file system.

On the other hand, it is the conclusion of the Data Protection Authority that the National Commissioner of Police was not allowed to refuse the complainant information about which responsible parties were looking for personal information about him in the case file system according to [specified case number]. With reference to point 3. Article 42 Act no. 90/2018, it is proposed that the National Commissioner of Police provide the complainant with the information in question. The National Commissioner of Police shall send a confirmation to that effect to the Data Protection Authority no later than 25 February 2021.

Finally, it is the conclusion of the Data Protection Authority that the procedural time of the National Commissioner of Police in processing the complainant's request for information was in accordance with Act no. 90/2018, Coll. Regulation (EU) 2016/679, and Regulation no. 322/2001.



Ú r s k u r ð a r o r ð:
The decision of the National Commissioner of Police to refuse [A] information about the employees who looked up his personal information in the office's electronic case file system was in accordance with Act no. 90/2018 on personal protection and processing of personal information, cf. Regulation (EU) 2016/679, and Regulation no. 322/2001 on the processing of personal data by the police.

The decision of the National Commissioner of Police to refuse [A] information on searches of other responsible parties in the Office's electronic case file system according to [specified case number] was not in accordance with Act no. 90/2018 on personal protection and processing of personal information, cf. Regulation (EU) 2016/679, and Regulation no. 322/2001 on the processing of personal data by the police.
The right of an individual to information on searches in the case file system of the National Commissioner of Police (LÖKE)
Case no. 2020010646
10.2.2021
The Data Protection Authority has ruled in a case in which the National Commissioner of Police's response to an individual's request for information regarding searches in the Office's case file system, LÖKE, and the processing time of the request was attempted. The Data Protection Authority came to the conclusion that the National Commissioner of Police had been allowed to refuse the complainant information about which employees looked up his personal information in the system according to the specified case number. On the other hand, the Office should have provided the complainant with information about the disclosure of his personal information carried out in accordance with the specified case number by other responsible parties. Finally, the Data Protection Authority considered that the procedure of the National Commissioner of Police had complied with the law.

Ruling

On January 28, 2021, the Board of the Data Protection Authority issued a ruling in case no. 2020010646 (formerly 2019071342):


I.
Procedure

1.
Outline of proceedings and proceedings
On July 3, 2019, the Data Protection Authority received a complaint from [B]'s lawyer on behalf of [A] (hereinafter the complainant) about the National Commissioner of Police's processing of the complainant's request for information on who had searched the complainant's personal information in the police case file, LÖKE, according to [specified case number. ] where the complainant was the defendant, as well as over the processing time of the request. The complaint was accompanied, among other things, by a copy of the complainant's request to the National Commissioner of Police, dated 3 May 2019, and a copy of the office's decision, dated 24. sm

By letter dated On November 8, the National Commissioner of Police was notified of the complaint and invited to comment on it. The answer was by letter dated. December 4, s.á. By letter dated On 25 March 2020, a reply letter from the National Commissioner of Police was sent to the complainant and he was invited to submit comments. The complainant replied by letter dated 31. cm By letter dated On 16 April this year, the Data Protection Authority requested further information from the National Commissioner of Police. The answer was by letter dated. 13 May s.á. By letter dated On 21 July this year, a reply letter from the National Commissioner of Police was sent to the complainant and he was invited to submit comments. The answer was by letter dated. August 10 s.á.

All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.

The handling of the case has been delayed due to significant concerns at the Data Protection Authority.

2.
The complainant's views
According to what is stated in the complainant's case, he submitted a request on 28 February 2019 to receive an overview of all searches in the police case file system, LÖKE, from the chief of police in the capital area. The request was first answered on April 30, i.e. in the sense that the system was run by the National Commissioner of Police and that requests for an overview of searches in the case file should be directed there. The complaint was sent to the National Commissioner of Police and subsequently repeatedly four times, until the complainant received the refusal of the office, dated. May 24 s.á. For the reasoning of the National Commissioner of Police for the refusal, see the next section.

The complaint states that the complainant's request had been processed on the basis of Regulation no. 322/2001, on the processing of personal information by the police, which was enacted during the period of validity of the previous Act no. 77/2000, on personal protection and handling of personal information. Current law no. 90/2018, on personal data protection and the processing of personal data, on the other hand, provides for more extensive rights for registered individuals to protect their rights than those provided for by older laws. Reference is also made to Article 15. Regulation (EU) 2016/679, which concerns the right of access of registered persons, and point 63 of the preamble to the Regulation and the complainant's position stated that this results in his right to information on the involvement of individual police officers in investigating a complainant in a specified police case.

The complainant points out that according to the then temporary provision III in Act no. 90/2018, the Act applied to the processing of personal information concerning the state's activities in the field of penitentiary. Provisional Provision II also stipulates that Regulation no. 322/2001 shall remain in force, provided that it does not contravene Act no. 90/2018. The complainant considers it clear that the National Commissioner of Police's refusal of his request, with reference to a restrictive interpretation of the provisions of point 3. Paragraph 1 Article 8 of Regulation no. 322/2001, has violated his right according to Act no. 90/2018 and Act no. 75/2019, on the processing of personal data for law enforcement purposes, which implements Directive (EU) 2016/680.

Finally, the complaint refers to the provisions of Article 13. Act no. 75/2019, which concern the right of registered individuals to access information and restrictions on access. The complainant considers that they do not in any way change his right to access the requested information.

In the complainant's letter to the Data Protection Authority, dated March 31, 2020, states, among other things, that he believes that his claim should be resolved on the basis of the legal rules that were in force when the decision of the National Commissioner of Police in question was made. If Act no. 75/2019 is considered to be considered in resolving the case, try the provisions of Article 13. of them, but in the comments of the National Commissioner of Police only reference is made to Art. of the Act, which the complainant considers cannot obstruct or interfere with the fundamental rights of individuals according to Art. The exemptions from the right of access laid down in paragraph 3 (a) of ac. Article 13 Act no. 75/2019, does not apply in this case.

In the complainant's letter to the Data Protection Authority, dated August 10, 2020, states that the complainant does not consider it relevant whether he has been looked up in the case file system by his ID number or by case number. It is the responsibility of the police to show that the search was made for a specific and limited purpose, which as the case may not have been related to the complainant. It is unacceptable for the police to evade the provisions of Act no. 75/2019 by simply using the case number when searching the case file system instead of the ID number of the person in question.

The letter also states that the conclusion of the National Commissioner of Police seems to be based solely on views on the protection of the employees who use LÖKE and not on the rights of the data subject. The purpose of the Privacy Act is to encourage the authorities to handle personal information in accordance with the basic principles and rules on privacy and privacy. Their provisions are set to protect registered individuals and not employees of the authorities. It is clear that the complainant's rights outweigh the interests of police officers in keeping the searches secret. In addition, the provision of such information is necessary.

3.
The views of the National Commissioner of Police
In a letter from the National Commissioner of Police, dated December 4, 2019, reference is made to the premises of the decision of the office that is being discussed here. The decision of the National Commissioner of Police, from 24 May this year, states that in the ruling of the Data Protection Authority in case no. 2004/144 states that the then applicable provisions of point 3. Paragraph 1 Article 18 Act no. 77/2000, on personal protection and handling of personal information, which was identical to the provisions of point 3. Paragraph 1 Article 8 of Regulation no. 322/2001, did not apply when information was received between individual employees of the same responsible party. In the ruling of the Data Protection Authority from 8 March 2017 in case no. 2016/835 further states that the above provisions apply to the dissemination of personal information from the responsible party to external parties. In light of this, employees who have access to the case file of the police due to their work were not considered recipients, according to 3. tölul. Paragraph 1 Article 8 of Regulation no. 322/2001. On this basis, the complainant had been denied access to information on which employees had looked him up in the case file.

The decision also states that it is technically possible to provide the complainant with information about all the employees who have looked him up and the times and number of views. It is the responsibility of each office to monitor the searches of its employees and, as appropriate, to request that employees report the searches. Chiefs of Police and heads of institutions who have access to the case file system can access information on the searches of their employees.

The aforementioned letter from the National Commissioner of Police also refers to the first paragraph. Article 25 Act no. 75/2019, on the processing of personal data for law enforcement purposes, which stipulates that an action registration system shall be used to ensure the traceability of actions in the information systems maintained by the competent authorities for law enforcement purposes. According to the bill, the law refers to all files kept in the LÖKE information system of the National Commissioner of Police. The second sentence of the provision exhaustively lists the purpose for which information from the action register may be used. The cases specified therein do not apply to the complainant's request.

The National Commissioner of Police also points out that the complainant can request an overview of the searches of individual offices on the complainant's ID number in the case file system, as such a search protected him alone. An overview of offices' searches of case numbers may, however, concern others, in addition to which such searches do not have to be related to certain individuals who have been registered in cases. Therefore, such information of the complainant is irrelevant. Since none of the cases listed in paragraphs 1 Article 25 Act no. 75/2019, the complainant should be refused an overview of the offices that have looked up the case number specified by the complainant.

In a letter from the National Commissioner of Police to the Data Protection Authority, dated 13 May 2020, it is reaffirmed that the office makes a distinction between searches in the case file system by ID numbers and case numbers, as searches by case numbers do not have to be related to the person of the individuals who have been registered under the case. It also states that the National Commissioner of Police considers other offices to be responsible for the processing of personal information that is part of their disclosure in the case file system. Complaints regarding suspected illegal searches must therefore be directed to the relevant offices.

The letter also states that if information were passed on about the names or ID numbers of employees who had looked up individual case numbers in the case file system, and times, or such information made available to the complainant, an unsubstantiated suspicion of employees' breach of trust could arise. It is therefore necessary to limit the complainant's right to information with reference to Article 9. of Regulation no. 322/2001 and point c of the third paragraph. Article 13 Act no. 75/2019.

II.
Assumptions and conclusion

1.
Delimitation of a case
This case concerns the National Commissioner of Police's processing of the complainant's request for information on those who looked up his personal information in the Office's case file system according to a specific case number, as well as the National Commissioner of Police's procedure for processing the request.

2.
Scope - Legal Transition
Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him / her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 Act no. 90/2018 and point 1. Article 4 of the Regulation.

According to para. Article 4 Act no. 90/2018, the Act and Regulation (EU) 2016/679 do not apply to the processing of personal data by the state in preventing, investigating, prosecuting or prosecuting criminal offenses or enforcing criminal sanctions. On the other hand, it should be noted that when the complainant's request was received by the National Commissioner of Police, on 3 May 2019, certain provisions of the Act on the processing of personal data concerning the state's activities in the field of penitentiary, cf. Provisional Provisions III, including Articles 3 and 39 and Article 42. their. The provisions of Article 17 of the Act, which stipulates the right of access and information of individuals, was, on the other hand, not among the provisions that applied to such processing.

According to Temporary Provision II in Act no. 90/2018, hold regulations issued by the Minister on the basis of the previous Act no. 77/2000, on the protection of personal data and the handling of personal data, their validity does not contravene Act no. 90/2018 or Regulation (EU) 2016/679. In comments on the provision in the bill that became Act no. 90/2018 states that this is a collection of rules, some of which are of great significance, such as Regulation no. 322/2001.

It follows from the above that when the complainant's request was submitted to the National Commissioner of Police, his right to information according to Regulation no. 322/2001, which applied to the electronic processing of personal information by the police, cf. Article 1 her. According to the first paragraph. Article 39 Act no. 90/2018, the Data Protection Authority supervises the implementation of those laws, Regulation (EU) 2016/679, special provisions in laws that deal with the processing of personal data and other rules on the subject. It follows from this provision that the Data Protection Authority supervised the implementation of Regulation no. 322/2001.

It should also be noted that on 25 June 2019, Act no. 75/2019 on the processing of personal information for law enforcement purposes, which apply to the processing of personal information by the competent authorities which takes place for law enforcement purposes, cf. Paragraph 1 Article 3 of the Act, but the term personal information is defined in point 1. Article 2 Act no. 75/2019 in the same way as is done in Act no. 90/2018.

With Article 37 Act no. 75/2019, Temporary Provision III in Act no. 90/2018 was amended in such a way that the provisions of that law were not extended to the processing of personal information concerning the state's activities in the field of penitentiary. It is also to be considered that Regulation no. 322/2001 has now been deleted, cf. Paragraph 2 Article 10 of Regulation no. 577/2020 on police records and the processing of personal data for law enforcement purposes, which entered into force on 12 June 2020. According to para. Article 3 Act no. 75/2019, they apply to the processing of personal information that is partially or completely automated and to the processing by other methods than automatic processing of personal information that is or should be part of a file. According to the first paragraph. Article 30 Act no. 75/2019, the Data Protection Authority supervises the implementation of that Act, but the provision and the aforementioned provision of the first paragraph. Article 39 Act no. 90/2018 means that the Data Protection Authority also supervises the implementation of Regulation no. 577/2020. The Data Protection Authority is of the opinion that one of the things that must be examined in this case is whether the complainant can have a greater right to information about the processing of his personal information in the case file system of the police according to current law.

The Data Protection Authority considers it appropriate to consider that in the case file system of the National Commissioner of Police, personal information about the complainant is registered within the meaning of point 2. Article 3 Act no. 90/2018, 1. tölul. Article 4 Regulation (EU) 2016/679 and point 1. Article 2 Act no. 75/2019. The processing in question fell within the scope of Act no. 90/2018 and Regulation no. 322/2001 when the National Commissioner of Police processed the complainant's request but now falls within the scope of Act no. 75/2019 and Regulation no. 577/2020. In the light of the above and in the light of the above, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.

3.
Responsible party
The person responsible for the processing of personal information complies with Act no. 90/2018 and no. 75/2019 is named the responsible party. According to point 6. Article 3 Act no. 90/2018 refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 Regulation (EU) 2016/679. According to point 4. Article 2 Act no. 75/2019, the responsible party is considered to be the competent authority that determines, alone or in collaboration with others, the purpose and methods of processing personal information.

As such, the National Commissioner of Police is considered to be responsible for the processing involved in maintaining the police records provided for in Article 2. of Regulation no. 577/2020, Coll. before Article 2 of Regulation no. 322/2001, and by preserving and making the personal data of the complainant accessible to other responsible parties in the electronic case file system. In addition, the National Commissioner of Police is considered to be responsible for the processing of the complainant's own information on the complainant's personal information in the case file system, including their searches. On the other hand, the National Commissioner of Police will not be held responsible for the processing of the personal information in question by employees of other offices and institutions, such as for searches or registrations, according to the aforementioned law. In view of the above, as well as the fact that the complaint is directed only at the National Commissioner of Police,

4.
Legal environment
According to the first paragraph. Article 8 of Regulation no. 322/2001, a registered individual had, among other things, the right to receive information from the police about who received, had received or would receive information about him (cf. point 3 of the provision). According to para. the same articles, the police should provide written knowledge if requested. The application had to be processed as soon as possible and no later than within one month of receipt. The data subject's right of knowledge did not exist if it was inevitable that information would be kept secret due to police work or if it was necessary to protect the data subject himself or the rights or freedoms of others, cf. Article 9 of the Regulation.

According to para. Article 13 the current Act no. 75/2019, a registered individual has the right to confirmation from the responsible party as to whether personal information about him is processed and, if so, the right to access the personal information. In addition, a registered individual has, among other things, the right to receive information about the recipients of the information (cf. point c of the provision). A request for access may be refused in part or in full if it is deemed necessary, taking into account the legitimate interests and rights of the data subject, cf. Paragraph 3 the same articles, for the purpose specified in the provision. Among other things, the right of access may be restricted for the purpose of proceedings or other activities by a competent authority for law enforcement purposes (cf. point a of the provision), in the interests of national or public security (cf. point b of the provision) or to protect the interests of the data subject. (cf. point c of the provision).

4.1.
The complainant's right of access and information
In this case, it is tested whether the complainant had or is entitled to information from the National Commissioner of Police as to who was responsible for looking up his information in the office's electronic case file system. In this connection, the Data Protection Authority considers that it should be examined whether the complainant had or is entitled to information on which employees of the National Commissioner of Police have looked up a specified case, where the complainant was a defendant, in the Office's electronic case file system, cf. a discussion of responsibility for the processing of personal data referred to in Chapter II.3. in front. In the light of the case file, in the opinion of the Data Protection Authority, it is appropriate to also include in the request that it has dealt with information on which responsible parties have searched the complainant's personal information in the system according to a specific case number.

The provisions of the first paragraph. Article 8 of Regulation no. 322/2001 was unanimous 1-3. tölul. Paragraph 1 Article 18 older law no. 77/2000, on personal protection and handling of personal information. Accordingly, it should be assumed that the same views are sought in the interpretation of the provisions.

In the opinion of the Data Protection Authority, it will not be assumed that in the provisions of point 3. Paragraph 1 Article 8 of Regulation no. 322/2001 had the right of individuals to be informed of when information is received between individual employees of the responsible party, but the provision only applied to the right of individuals to be informed of the dissemination of personal information to other responsible parties. With reference to this, the complainant will not be considered to have been entitled to receive information from the action register of the National Commissioner of Police's case file system on the individual employees 'offices' information on those registered in the system, on the basis of the cited provision. Is that explanation in accordance with the ruling of the Data Protection Authority from 28 February 2005 in case no. 2004/144 and from 8 March 2017 in case no. 2016/835, which tested the rights of individuals according to point 3. Paragraph 1 Article 18 Act no. 77/2000, which was identical to the cited provision of Regulation no. 322/2001. The previous ruling stated, among other things, that information of this kind from the register of events contained personal information about employees and the dissemination of such information to external parties could have various consequences for the employees in question, such as an unsubstantiated suspicion of breach of confidentiality. The Data Protection Authority considers that the same views apply here, in addition to which such disclosure to the data subject on the basis of the provision could, in the Agency's opinion, have made it more difficult for the National Commissioner of Police to carry out his statutory role in favor of law enforcement. In addition, this explanation is in accordance with the ruling of the Data Protection Authority from 29 September 2020 in case no. 2020010601 and from 24 November 2020 in case no.

In its implementation, the Data Protection Authority has considered that the above-mentioned legal interpretation also implies that individuals are entitled to information from the National Commissioner of Police on which responsible parties have looked up their information in the case file system according to ID number, cf. the aforementioned ruling of the Data Protection Authority in case no. 2020010601. It is undisputed that the complainant can obtain that information from the National Commissioner of Police and the Data Protection Authority therefore does not consider it necessary to rule on the complainant's right. On the other hand, there is a dispute as to whether the complainant is entitled to information on which guarantors have looked up his personal information in the case file system according to the specified case number.

In the opinion of the Data Protection Authority, it must be assumed that by looking up the case number in the National Commissioner of Police's case file system, the responsible party will have access to the personal information registered there within the meaning of point 3. Paragraph 1 Article 8 of Regulation 322/2001. It cannot therefore be seen that the manner in which such searches were carried out regarding the complainant's right to information was significant. As a result, the complainant was entitled to information from the National Commissioner of Police as to which persons responsible had access to his personal information which was registered in the case file system by looking up the specified case number.

It is then examined whether the complainant can now have a greater right to information about searches in the case file system of the National Commissioner of Police on the basis of the provision of the second paragraph. Article 13 the current Act no. 75/2019.

According to comments on the provision in the bill that became Act no. 75/2019 is therefore intended to implement the provisions of 13-15. gr. of Directive (EU) 2016/680. The provisions of Article 14 of the Directive concerns the right of registered persons to access, which, inter alia, provides for the right of an individual to information on recipients or categories of recipients who have received personal data. In the opinion of the Data Protection Authority, the wording of the provision in question in the Directive is not broader in this respect than Article 12 (a). of Directive 95/46 / EC, which the first paragraph of Art. Article 8 of Regulation no. 322/2001 was materially based on. It cannot be seen that the definition of the term "recipient" has been substantially changed in this respect in Directive (EU) 2016/680. Finally, it should be noted that neither the wording of Article 13 Act no.

In view of the above, the Data Protection Authority considers that it must be assumed that the complainant does not have the right to receive information from the National Commissioner of Police's action file system on individual employees' searches of information about the complainant registered in the system, based on the cited provision. Is this explanation in accordance with the ruling practice of the Data Protection Authority, cf. the aforementioned ruling in cases no. 2020010601 and 2020010665.

It should be noted that since the information in question from the event registration is considered as such not the complainant's personal information, he will not be considered entitled to receive a copy of the information in question on the basis of the first sentence. Paragraph 2 Article 13 Act no. 75/2019.

4.2.
Procedure of the National Commissioner of Police
It will then be decided whether the procedural time of the National Commissioner of Police due to the complainant's request has complied with Regulation no. 322/2001 and Act no. 90/2018.

From the case file, it can be concluded that the complainant initially submitted a request to the Chief of Police in the capital area on 28 February 2019, which ended with the complainant having on 30 April this year. have been instructed to direct a request to the National Commissioner of Police for the information requested by the complainant. The complainant's request was sent to the National Commissioner of Police by e-mail on 3 May 2019 and was processed by the office on the 24th.

The Data Protection Authority considers that the second paragraph should be clarified. Article 8 of Regulation no. 322/2001 so that the term police has applied to any police department that was considered to be responsible for the processing of personal data within the meaning of point 6. Article 3 Act no. 90/2018 and that each responsible party had one month to process a request addressed to him according to the provision.

It follows from the above that the complainant's request was not considered to have been made to the National Commissioner of Police until 3 May 2019, even though the complainant had previously sent a request for the same information to another responsible party. Therefore, the deadline specified in the second paragraph began. Article 8 of Regulation no. 322/2001 does not apply to the National Commissioner of Police until the date in question. In this respect, and ensuring that the complainant's request was processed within one month of it being submitted, the Data Protection Authority considers that the National Commissioner of Police has processed the complainant's complaint within the time limit laid down in the second paragraph. Article 8 of the Regulation.

5.
Conclusion and instructions
In view of all the above, it is the conclusion of the Data Protection Authority that the National Commissioner of Police was authorized to refuse the complainant information about which employees of the office looked him up in his electronic case file system.

On the other hand, it is the conclusion of the Data Protection Authority that the National Commissioner of Police was not allowed to refuse the complainant information about which responsible parties were looking for personal information about him in the case file system according to [specified case number]. With reference to point 3. Article 42 Act no. 90/2018, it is proposed that the National Commissioner of Police provide the complainant with the information in question. The National Commissioner of Police shall send a confirmation to that effect to the Data Protection Authority no later than 25 February 2021.

Finally, it is the conclusion of the Data Protection Authority that the procedural time of the National Commissioner of Police in processing the complainant's request for information was in accordance with Act no. 90/2018, Coll. Regulation (EU) 2016/679, and Regulation no. 322/2001.



Ú r s k u r ð a r o r ð:
The decision of the National Commissioner of Police to refuse [A] information about the employees who looked up his personal information in the office's electronic case file system was in accordance with Act no. 90/2018 on personal protection and processing of personal information, cf. Regulation (EU) 2016/679, and Regulation no. 322/2001 on the processing of personal data by the police.

The decision of the National Commissioner of Police to refuse [A] information on searches of other responsible parties in the Office's electronic case file system according to [specified case number] was not in accordance with Act no. 90/2018 on personal protection and processing of personal information, cf. Regulation (EU) 2016/679, and Regulation no. 322/2001 on the processing of personal data by the police.

The National Commissioner of Police shall provide [A] with the information in question and confirmation that this has been done shall be sent to the Data Protection Authority no later than 25 February 2021.

The procedure of the National Commissioner of Police in processing a request [A] for information on the processing of his personal information was in accordance with Act no. 90/2018 and Regulation no. 322/2001.


In Privacy, January 28, 2021


Ólafur Garðarsson
Vice Chairman


Björn Geirsson Vilhelmína Haraldsdóttir


Þorvarður Kári Ólafsson
The National Commissioner of Police shall provide [A] with the information in question and confirmation that this has been done shall be sent to the Data Protection Authority no later than 25 February 2021.

The procedure of the National Commissioner of Police in processing a request [A] for information on the processing of his personal information was in accordance with Act no. 90/2018 and Regulation no. 322/2001.


In Privacy, January 28, 2021


Ólafur Garðarsson
Vice Chairman


Björn Geirsson Vilhelmína Haraldsdóttir


Þorvarður Kári Ólafsson