Persónuvernd - 2020010677

From GDPRhub
Persónuvernd - 2020010677
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(f) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Act no. 90/2018 on Data Protection and the Processing of Personal Data
Type: Complaint
Outcome: Upheld
Started:
Decided: 22.06.2020
Published: 20.07.2020
Fine: None
Parties: n/a
National Case Number/Name: 2020010677
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA (Persónuvernd) held that the online publication of an Ombudsman's opinion containing the unredacted name and personal details of an individual was a breach of Articles 5 and 6 of the GDPR.

English Summary

Facts

The Association of Icelandic Municipalities published the opinion of the Parliamentary Ombudsman on its website. However, the opinion contained the name and personal information of the complainant, and was online for several weeks, and was only taken down when the complainant contacted an employee of the Association. The Association responded that the information was published online unintentionally, and that they had not reported the breach to the Icelandic DPA because they did not believe the publication of the opinion would lead to a risk to the complainant's rights and freedoms.

Dispute

Did the Association have a responsibility to report the breach to the DPA? Was there a lawful basis for the processing (i.e. the publication of the opinion) under Article 6(1)GDPR?


Holding

The DPA considered that either Article 6(1)(c) - the processing is necessary for complying with a legal obligation - or Article 6(1)(e) - the processing is necessary for the performance of a task carried out in the public interest - could apply to this case. However, it ultimately concluded that neither could apply, because the processing was the result of a mistake. Furthermore, the DPA concluded that the processing was also unlawful because it failed to meet the requirements of Article 5(1)(e) - data subjects shall not be identifiable for longer than is necessary - and Article 5(1)(f) - data shall processed so as to ensure appropriate security for it. It stated that it was not going to answer the question of whether or not the Association had a responsibility to report the breach, despite both parties to the complaint agreeing that a breach had taken place.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Dissemination of the Association of Icelandic Municipalities on the opinion of the Parliamentary Ombudsman
Case no. 2020010677

07/20/2020

The Data Protection Authority has ruled in a case where a complaint was made about the publication of the opinion of the Parliamentary Ombudsman on the website of the Association of Icelandic Municipalities. The conclusion was that the association was not allowed to publish the opinion, with personally identifiable information about the complainant, as it did not comply with all the basic requirements of the Privacy Act.
ruling


On 22 June 2020, the Data Protection Authority issued a ruling in case no. 2020010677 (formerly 2019101833):
I.
procedures

1.
Outline of case

On October 29, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as the complainant) that the Association of Icelandic Municipalities had published on its website the opinion of the Parliamentary Ombudsman, which contained his name and other personal information about him.

By letter dated On 31 October 2019, the Association of Icelandic Municipalities was invited to submit explanations regarding the complaint. The answer was by letter dated. November 28, 2019. By letter dated On 16 December 2019, the complainant was given an opportunity to comment on the above explanations of the Association of Icelandic Municipalities. The answer was by e-mail on December 23, 2019.

All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.
2.
The complainant's views

The complainant considers that the publication of the opinion of the Parliamentary Ombudsman on the website of the Association of Icelandic Municipalities has not been in accordance with Act no. 90/2018, on personal protection and processing of personal information. The opinion has been on the website for weeks. When he found out, he contacted an employee of the union and the opinion was then taken out of publication. In the complainant's opinion, the case is serious and harmful to his person, as it was a shock for him to discover that confidentiality was not respected.

3.
The views of the responsible party

The respondent's reply states that there had been human error and security breach, as the information had been published unintentionally. The breach of security had not been reported to the Data Protection Authority, as the union had considered it unlikely that it would lead to a risk to the complainant's rights and freedoms. The association therefore considered it sufficient to register the safety defect in the deviation registration.

The reason for this assessment is that information that a party has applied for the job in question and was not received is available on the basis of the Information Act, but in the opinion in question it was stated that the complainant had applied for a specific job, he was not called for an interview. subsequently complained to the Parliamentary Ombudsman about the recruitment process. Information about a party's complaint to the Parliamentary Ombudsman and that he has not been summoned for an interview is not covered by the Information Act, but it must be considered that the information does not create a risk for the complainant. The Association of Icelandic Municipalities considered that the harmful effects of the personal information that was made public were insignificant. As soon as a complaint was received from the complainant that the opinion had been published without his personal information having been erased, the document had been removed from publication and instead referred to the opinion of the Parliamentary Ombudsman in question in a anonymous version on his website. It is also stated that work processes within the union have been reviewed to prevent mistakes of this kind from recurring.

II.
Assumptions and conclusion

1.
Scope - Responsible

Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automated and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him / her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 Regulation.

Processing refers to an operation or series of operations in which personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 Regulation.

This case concerns the publication of personal information on a website. In this respect and in the light of the above provisions, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 Regulation. As such, the Association of Icelandic Municipalities is considered to be responsible for the processing in question.

In the correspondence regarding this case, it was referred to, among other things, that this may be a security breach that should be reported to the Data Protection Authority. Both parties believe that the disclosure constituted a security breach. However, it is debatable whether he should report to the Data Protection Authority, but this was not done.

According to para. Article 39 Act no. 90/2018, every registered individual has the right to lodge a complaint with the Data Protection Authority if he or she considers that the processing of personal data about him or her violates Regulation (EU) 2016/679 or the Act. In that respect, this ruling will only take a position on whether the publication of personal information about the complainant on the website of the Association of Icelandic Municipalities is in accordance with Act no. 90/2018.

2.
Legality of processing

All processing of personal data must be covered by one of the authorization provisions of Article 9. Act no. 90/2018. The authorizations that are particularly relevant in connection with the processing of personal data by the government are that processing is necessary to fulfill the legal obligation that rests with the responsible party, cf. 3. tölul. Article 9, or for work carried out in the public interest or in the exercise of public authority by the responsible party, cf. 5. tölul. the same provision.

In addition to the authorization according to the above, the processing of personal data must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that they shall be preserved in such a way that it is not possible to identify registered persons for longer than is necessary for the purpose of processing (point 5); and that it shall be processed in such a way as to ensure the appropriate security of the personal data (point 6).

According to the information available in this case, the publication of the above-mentioned personal information was the result of a mistake and there was no authorization for it according to Article 9. Act no. 90 // 2018. It therefore did not comply with the provisions of the law.

U r s k u r ð a r o r ð:

The publication of the Association of Icelandic Municipalities on personal information about [A] on its website was not in accordance with Act no. 90/2018, on personal protection and processing of personal information.

In Privacy, June 22, 2020


Helga Þórisdóttir Helga Sigríður Þórhallsdóttir