Persónuvernd - Mál nr. 2020010601

From GDPRhub
Persónuvernd - Mál nr. 2020010601
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 4(1) GDPR
Article 15 GDPR
Art. 6 reglugerð nr. 322/2001
Art. 8 reglugerð nr. 322/2001
Art. 13 reglugerð nr. 322/2001
Type: Complaint
Outcome: Partly Upheld
Decided: n/a
Published: n/a
Fine: None
Parties: n/a
National Case Number/Name: Mál nr. 2020010601
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA (Persónuvernd) held that a data subject's request for information about which of their employees looked up their personal information in a police office case file system could be refused.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant requested the police to give access to information on the employees who looked up his personal information in the Office's electronic case file system and on searches of other responsible parties needs. These requested where refused.

Dispute[edit | edit source]

Is the refusal of the request to access information on the employees who looked up personal data in the Office´s electronic case file system and on other responsible parties in accordance with applicable law?

Holding[edit | edit source]

The decision of the National Commissioner of Police to refuse information on the employees who looked up his personal information in the Office's electronic case file system, on the timing of searches, as well as on their number, was legitimate.

The decision of the National Commissioner of Police to refuse information on searches of other responsible parties in the Office's electronic case file system, as well as on the purpose of its own searches, was not legitimate.

The procedure of the National Commissioner of Police in processing a request for information on the processing of his personal information was in accordance with applicable law.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Ruling on the right of an individual to information on searches in the case file system of the National Commissioner of Police (LÖKE)
Case no. 2020010601

10/8/2020

The Data Protection Authority has ruled in a case in which an attempt was made to refuse the National Commissioner of Police to provide an individual with certain information about searches of his personal information in the Office's case file system (LÖKE), as well as the Office's procedure for the request for information. The Data Protection Authority came to the conclusion that the National Commissioner of Police had been allowed to refuse the complainant information about which employees looked him up in the office's electronic file system, when the searches were made, as well as their number. On the other hand, the National Commissioner of Police would not have been allowed to deny the complainant information about which persons were responsible for searching personal information about him in the case file system, as well as information about the purpose of searching the complainant's personal information. It was also the conclusion of the Data Protection Authority that the procedure of the National Commissioner of Police in processing the complainant's request for information had been in accordance with Act no. 90/2018, Coll. Regulation (EU) 2016/679, and Regulation no. 322/2001.
Ruling


At a meeting of the Board of the Data Protection Authority on 29 September 2020, the following ruling was issued in case no. 2020010601 (formerly 2019030664):

I.	Procedure

1.
Outline of proceedings and proceedings

On 15 March 2019, the Data Protection Authority received a complaint from [B]'s lawyer on behalf of [A] (hereinafter referred to as the complainant) about the National Commissioner of Police's response to the complainant's request for information on how often he had been searched in the police case file, LÖKE. established, who had been responsible for the searches, when the searches had been made and for what purpose. The complaint relates to the fact that the National Commissioner of Police rejected the complainant's request, processed it too late and did not fulfill his duty to provide guidance that the complainant was allowed to refer the decision to the Data Protection Authority. The complaint was accompanied, among other things, by a copy of the complainant's request to the National Commissioner of Police, dated 23 April 2018, and a copy of the decision of the National Commissioner of Police, dated October 23

By letter dated On 2 May 2019, the National Commissioner of Police was notified of the complaint and invited to comment on it. The National Commissioner of Police responded with letters dated May 22 and July 23 s.á. The letters were accompanied by an overview of the number of searches of the complainant's ID number in the case file system of the police and the prosecuting authority, in the register of names and the guilt section, dated. 10 May this year, confirmation of the registration of the complainant's complaint with the National Commissioner of Police, as well as a copy of the complainant's lawyer's e-mail to the National Commissioner of Police, dated September 24, 2018. By letter dated On 13 August 2019, the reply letters of the National Commissioner of Police were presented to the complainant and he was invited to submit comments. The complainant's lawyer replied by letter dated September 19 By letter dated March 18, 2020, the Data Protection Authority requested further information from the National Commissioner of Police. The National Commissioner of Police responded by letter dated. April 8, s.á. By letter dated On 16 April this year, the National Commissioner of Police's reply letter was presented to the complainant and he was invited to submit comments. On June 9, s.á. The complainant's lawyer confirmed that he did not intend to comment further, but reiterated his previous case.

All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.

The handling of the case has been delayed due to significant concerns at the Data Protection Authority.
2.
The complainant's views

The complainant relies on the fact that he was entitled to the requested information on the basis of Article 8. of Regulation no. 322/2001, on the processing of personal information by the police. Regarding the right to information, he also refers to Article 15. of the Administrative Procedure Act no. 37/1993 and the second paragraph. Article 17 Act no. 90/2018, on personal protection and the processing of personal information, in addition to the views behind the rules regarding the parties' right to information from the government.

Pursuant to Article 9 of Regulation no. 322/2001 to limit the right to information of registered individuals, but the provision must be clarified narrowly as it contains an exception to the principle of the right to information of individuals according to Art. her. The National Commissioner of Police, however, did not base his refusal on the conditions of Art. of the Regulation had been complied with, but the refusal was based on Art. her. It will not be seen that Art. of the Regulation has been applicable. Therefore, the complainant considers the refusal to be illegal.

The complainant considers that his request for information falls within the wording of Article 8. of Regulation no. 322/2001. Instructions in the Act on Confidentiality will generally not be considered to reduce individuals' right to information about themselves and it does not matter to the complainant's right to information that the regulation contains instructions on limited authority of police officers to process personal information from the case file system. The complainant's access to information from the case file system is a prerequisite for him to be able to appeal the handling of the information to the committee for supervision of the police.

The complainant also considers that the views expressed in the ruling of the Data Protection Authority from 8 March 2017, in case no. 2016/835, was based on and the National Commissioner of Police had referred in his reasoning was not sufficient to justify the refusal of his request as other points of view had been tried in that case. There has been no attempt at the right to information on searches in the police case file system and therefore there has been no attempt at rules on the right to information and restrictions on that right according to Regulation no. 322/2001. In addition, a ruling in the case in question was announced before the entry into force of Act no. 90/2018, which has enshrined the principle of transparency, among other things. Furthermore, the complainant's request in the present case concerned more issues than were discussed in the ruling in question. Therefore, it would have been more in line with the views of proportionality to refuse only the provision of information on which employees had looked up the complainant in the case file system, the National Commissioner of Police considered there to be reasons to do so, but there was nothing to prevent the complainant from providing other information. The complainant considers, notwithstanding the above, that Art. of Regulation no. 322/2001, which stipulates the dissemination of personal information, opposes that the provisions of point 3 Paragraph 1 Article 8 it will be clarified that the complainant's right to information only covers the dissemination of his personal information to an outside party.

Finally, the complaint contains comments on the National Commissioner of Police's procedure regarding the complainant's request for access. It states that the complainant sent his request to the National Commissioner of Police on 23 April 2018, but that it was not answered until six months later, i.e. on 23 October 2018. The complainant considers that the processing time in question has, among other things, violated Article 8. of Regulation no. 322/2001, which stipulates that a complaint must be processed as soon as possible and no later than within one month of receipt of the complaint. On the other hand, the complaint states that the reasoning of the National Commissioner of Police was scarce and that it did not contain sufficient instructions on the authority to complain to the Data Protection Authority or information on the deadline in that connection.

3.
The views of the National Commissioner of Police

In a letter from the National Commissioner of Police, dated 22 May 2019, states that in the ruling of the Data Protection Authority in case no. 2004/144 states that the then applicable provisions of point 3. Paragraph 1 Article 18 Act no. 77/2000, on personal protection and handling of personal information, which was identical to the provisions of point 3. Paragraph 1 Article 8 of Regulation no. 322/2001, does not apply when information is received between individual employees of the same responsible party. In the ruling of the Data Protection Authority in case no. 2016/835 states that the provision covers the transfer of personal information from the responsible party to another responsible party. With reference to the grounds of the above rulings, the complainant's request was rejected. The concept of recipients of personal information has not been expanded with the entry into force of Act no. 90/2018 and therefore does not apply to individual police employees and others who have access to the police case file system.
It is technically possible to provide the complainant with information about all the employees who have looked him up and the times and number of searches. If an individual considers that information about him / her, which is registered in the case file system, is being handled illegally, he or she can lodge a complaint on that occasion with the relevant police department or the committee for police supervision, which investigates whether personal information has been handled in accordance with law and rules. All employees are bound by a duty of confidentiality according to Act no. 70/1996 on the rights and obligations of government employees and the Police Act no. 90/1996. Furthermore, employees' access to personal information is not more extensive than is necessary in view of the tasks they carry out, in accordance with Article 13. of Regulation no. 322/2001. Chiefs of Police and heads of institutions can access information on employee searches and they are therefore the only ones in a position to assess whether searches are related to cases they handle. If an employee has not been registered in a case that he or she looks up, the person in question must be given the opportunity to explain the reason for the search. Failure to do so may give rise to an unfounded suspicion of breach of trust. In this connection, reference is made to the grounds for the ruling of the Data Protection Authority in case no. 2004/144. Furthermore, information on the number of searches, their timing and purpose is not information to which the complainant is entitled according to the first paragraph. Article 8 of Regulation no. 322/2001.

The letter also states that the National Commissioner of Police has responded to the complainant's request within the monthly deadline specified in the second paragraph. Article 8 of Regulation no. 322/2001. The Office's investigation revealed that the complainant's complaint was first received on 24 September 2018 when the complainant's lawyer sent an e - mail to the official e - mail address of the National Commissioner of Police.

As previously stated, the National Commissioner of Police's letter to the Data Protection Authority included an overview of the number of searches of the complainant's ID number in the police register and the prosecution, in the register of names and fines by office. By letter dated On 23 July 2019, the National Commissioner of Police informed the Data Protection Authority that the office did not comment on the complainant receiving a copy of the summary in question.

In a letter from the National Commissioner of Police to the Data Protection Authority, dated 8 April 2020, states that the office considers it appropriate to provide the complainant with information about the purpose of the National Commissioner of Police's search of the complainant in the case file system, but that this search was made in order to obtain information on the number of searches of the complainant's ID number. However, the National Commissioner of Police is only in a position to obtain information from the employees of his office and assess the purpose of their searches and whether that information may be disseminated.


It is referred to that in the rules of the National Commissioner of Police from 25 September 2019 on supervision of searches in the police system, it is stated that the chiefs of police of each office can monitor the searches of their employees and supervise their employees. The complainant can, on the basis of information on searches within the office, contact the relevant office and request further information. Those who monitor searches in the police system have access to information on employee searches. However, they do not have access to information on searches of ID numbers, but the National Commissioner of Police has assisted the offices with such information from the action register. The letter also states that the complainant's right to information was in fact limited with reference to the fact that it was necessary to protect the rights of others, cf. Paragraph 1 Article 9 of Regulation no. 322/2001 on the processing of personal data by the police. More specifically, these are employees of the police and other institutions who have access to the police system and that unsubstantiated suspicions of breach of confidentiality may fall on employees who have access to the system and need to use it for their work, if further information about them is shared, such as names or ID numbers.
II.
Assumptions and conclusion

1.
Delimitation of a case

This case concerns an individual's request for certain information from the action register for searches of information about him that has been registered electronically in the case file system of the National Commissioner of Police, as well as information on the purpose of those searches.
2.
Scope - Legal Transition

Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him / her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 Act no. 90/2018 and point 1. Article 4 of the Regulation.

According to para. Article 4 Act no. 90/2018, the Act and Regulation (EU) 2016/679 do not apply to the processing of personal data by the state in preventing, investigating, prosecuting or prosecuting criminal offenses or enforcing criminal sanctions. On the other hand, it should be noted that when the complainant's request was received by the National Commissioner of Police, on 24 September 2018, certain provisions of the Act on the Processing of Personal Data that concerned the State's activities in the field of penitentiary, cf. Provisional Provision III, incl. Articles 3 and 39 their. The provisions of Article 17 of the Act, which stipulates the right of access and information of individuals, was, on the other hand, not among the provisions that applied to such processing.

According to Temporary Provision II in Act no. 90/2018, hold regulations issued by the Minister on the basis of the previous Act no. 77/2000 on personal protection and handling of personal information, its validity does not contravene Act no. 90/2018 or Regulation (EU) 2016/679. In comments on the provision in the bill that became Act no. 90/2018 states that this is a collection of rules, some of which are of great significance, such as Regulation no. 322/2001.

It follows from the above that when the complainant's request was submitted to the National Commissioner of Police, his right to information was exercised in accordance with Regulation no. 322/2001, which applied to the electronic processing of personal information by the police, cf. Article 1 her. According to the first paragraph. Article 39 Act no. 90/2018, the Data Protection Authority supervises the implementation of those laws, Regulation (EU) 2016/679, special provisions in laws that deal with the processing of personal data and other rules on the subject. It follows from this provision that the Data Protection Authority handled the implementation of Regulation no. 322/2001.

It should also be noted that after this complaint was received by the Data Protection Authority, Act no. 75/2019 on the processing of personal information for law enforcement purposes, which apply to the processing of personal information by the competent authorities which takes place for law enforcement purposes, cf. Paragraph 1 Article 3 of the Act, but the term personal information is defined in point 1. Article 2 Act no. 75/2019 in the same way as is done in Act no. 90/2018.

With Article 37 Act no. 75/2019, Temporary Provision III in Act no. 90/2018 was amended in such a way that the provisions of that law were not extended to the processing of personal information concerning the state's activities in the field of penitentiary. It is also to be considered that Regulation no. 322/2001 has now been deleted, cf. Paragraph 2 Article 10 of Regulation no. 577/2020 on police records and the processing of personal data for law enforcement purposes, which entered into force on 12 June 2020. According to para. Article 3 Act no. 75/2019, they apply to the processing of personal information that is partially or completely automated and to the processing by other methods than automatic processing of personal information that is or should be part of a file. According to the first paragraph. Article 30 Act no. 75/2019, the Data Protection Authority supervises the implementation of that Act, but of the provision and the aforementioned provision of the first paragraph. Article 39 Act no. 90/2018 means that the Data Protection Authority also supervises the implementation of Regulation no. 577/2020. The Data Protection Authority is of the opinion that one of the things that must be examined in this case is whether the complainant can have a greater right to information about the processing of his personal information in the case file system of the police according to current law.

The Data Protection Authority considers it appropriate to consider that in the case file system of the National Commissioner of Police, personal information about the complainant is registered within the meaning of point 2. Article 3 Act no. 90/2018, 1. tölul. Article 4 Regulation (EU) 2016/679 and point 1. Article 2 Act no. 75/2019. On the other hand, it is not considered appropriate to consider that information on searches in the case file system is considered to be the complainant's personal information within the meaning of the cited provisions, but that it is information on the processing of the complainant's personal information.

The processing in question fell within the scope of Act no. 90/2018 and Regulation no. 322/2001 when the National Commissioner of Police processed the complainant's request but now falls within the scope of Act no. 75/2019 and Regulation no. 577/2020. In the light of the above and in the light of the above, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.
3.
Responsible party

The person responsible for the processing of personal information complies with Act no. 90/2018 and no. 75/2019 is named the responsible party. According to point 6. Article 3 Act no. 90/2018 refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 Regulation (EU) 2016/679. According to point 4. Article 2 Act no. 75/2019, the responsible party is considered to be the competent authority that determines, alone or in collaboration with others, the purpose and methods of processing personal information.

As such, the National Commissioner of Police is considered to be responsible for the processing involved in maintaining the police records provided for in Article 2. of Regulation no. 577/2020, Coll. before Article 2 of Regulation no. 322/2001, and by preserving and making accessible to other users the complainant's personal information in an electronic case file system. In addition, the National Commissioner of Police is considered to be responsible for the processing of the complainant's own personal data in the complainant's personal information in the case file system, incl. their views. On the other hand, the National Commissioner of Police will not be held responsible for the processing of the personal information in question by employees of other offices and institutions, such as for searches or registrations, according to the aforementioned law. In view of the above, as well as the fact that the complaint is directed only to the National Commissioner of Police, this ruling does not apply to the complainant's right to information about other than the National Commissioner of Police's processing of the complainant's personal data registered in the case file system.
4.
Legal environment

In this case, the complainant's request for certain information on searches in the National Commissioner of Police's electronic case file system is being resolved, as well as whether the National Commissioner of Police has processed the complainant's request in accordance with the relevant procedural rules.
According to the first paragraph. Article 8 of Regulation no. 322/2001, a registered individual had the right to receive information from the police about what information about him was or had been processed (point 1), the purpose of the processing (point 2) and who received, had received or would receive information about he (point 3). According to para. the same articles, the police should provide written knowledge if requested. The application had to be processed as soon as possible and no later than within one month of receipt.

According to para. Article 13 Act no. 75/2019, a registered individual has the right to confirmation from the responsible party as to whether personal information about him is processed and, if so, the right to access the personal information. In addition, a registered individual has the right, among other things, to receive information about the purpose of the processing and its legal basis (cf. section a of the provision) and the recipients of the information (cf. section c). According to point c of the third paragraph. the same articles may deny a request for access in part or in full, taking into account the legitimate interests and rights of the data subject to protect the interests of others than the data subject.
4.1.
The complainant's right of access and information
4.1.1.
Information on who was responsible for the searches

In this case, it is examined, among other things, whether the complainant had or is entitled to information from the National Commissioner of Police as to who was responsible for looking up his information in the Office's electronic case file system. In this connection, the Data Protection Authority considers that the employees of the National Commissioner of Police have looked it up in the Office's electronic case file system, cf. a discussion of responsibility for the processing of personal data referred to in Chapter 3 of Annex II. part of the front. The Data Protection Authority also understands from the request that it concerned information on which guarantors had looked up the complainant's personal information in the system.

The provisions of the first paragraph. Article 8 of Regulation no. 322/2001 was unanimous 1-3. tölul. Paragraph 1 Article 18 older law no. 77/2000, on personal protection and handling of personal information. Accordingly, it should be assumed that the same points of view are sought in the interpretation of the provisions. In the opinion of the Data Protection Authority, it is not particularly important in this connection that the regulation provision relates to the right to information for the processing of personal data by the police.

In the opinion of the Data Protection Authority, it will not be assumed that in the provisions of point 3. Paragraph 1 Article 8 of Regulation no. 322/2001 had the right of individuals to be informed when information is received between individual employees of the responsible party, but the provision only applied to the right of individuals to be informed about the dissemination of personal information to other responsible parties. With reference to this, the complainant will not be considered to have had the right to receive information from the action register of the National Commissioner of Police's case file system on the individual employees 'offices' information on the complainant's registered in the system, based on the cited provision. Is that explanation in accordance with the ruling of the Data Protection Authority from 28 February 2005 in case no. 2004/144 and from 8 March 2017 in case no. 2016/835, which tested the rights of individuals according to point 3. Paragraph 1 Article 18 Act no. 77/2000, which was identical to the cited provision of Regulation no. 322/2001.

However, it also follows from the above explanation that the complainant was entitled to information from the National Commissioner of Police as to which responsible parties had looked up his information in the case file system, but the complainant's request was rejected in this respect. On the other hand, it is clear that the complainant has received the information in question during the proceedings.
It will then be examined whether the complainant can now have a greater right to information about the National Commissioner of Police's employees' information on the complainant in the Office's case file system on the basis of the provision of the second paragraph. Article 13 the current Act no. 75/2019.

According to comments on the provision in the bill that became Act no. 75/2019 is therefore intended to implement the provisions of 13-15. gr. of Directive (EU) 2016/680. The provisions of Article 14 of the Directive concerns the right of registered persons to access, which, inter alia, provides for the right of an individual to information on recipients or categories of recipients who have received personal data. In the opinion of the Data Protection Authority, the wording of the provision in question in the Directive is not broader in this respect than Article 12 (a). of Directive 95/46 / EC, which the first paragraph of Art. Article 8 of Regulation no. 322/2001 was materially based on. It cannot be seen that the definition of the term "recipient" has been substantially changed in this respect in Directive (EU) 2016/680. Finally, it should be noted that neither the wording of Article 13 Act no. 75/2019 or interpretative documents are considered to indicate that the legislation was intended to extend the right of individuals to information of the kind attempted here. In view of the above, the Data Protection Authority considers that it must be assumed that the complainant does not have the right to receive information from the National Commissioner of Police's action file system on individual employees' searches of information about the complainant registered in the system, based on the cited provision.

It should be noted that since the information in question from the event registration is not considered to be the complainant's personal information, as described in Chapter 3 in II. part above, the complainant will not be considered entitled to receive a copy of the information in question on the basis of the first sentence. Paragraph 2 Article 13 Act no. 75/2019.
4.1.2.
Information on timing and number of searches

It will then be decided whether the complainant had or is entitled to information on when and how often the National Commissioner of Police looks up his personal information in the case file system, cf. a discussion of responsibility for the processing of personal data referred to in Chapter 3 of Annex II. part of the front.

In the opinion of the Data Protection Authority, the wording of the first paragraph will not be inferred. Article 8 of Regulation no. 322/2001 nor explanatory documents that the National Commissioner of Police should have provided the complainant with information on the timing or number of searches. The Data Protection Authority therefore considers that it must be assumed that the National Commissioner of Police was authorized to reject the complainant's request for the information in question on the grounds that his right to knowledge under the provision did not apply to them.

It cannot be seen that the complainant's right to information on the timing and number of searches of his personal information in the National Commissioner of Police's case file system has been increased by the second paragraph. Article 13 Act no. 75/2019, Coll. Directive (EU) 2016/680. Accordingly, the Data Protection Authority does not consider it appropriate to require the National Commissioner of Police to provide the complainant with the information in question.
4.1.3.
Information on the purpose of browsing

The complainant's request to the National Commissioner of Police also concerned information on the purpose of looking up his personal information in the Office's electronic case file system.

The National Commissioner of Police has stated that the office is only in a position to provide information on the purpose of searches in the police case file system by its own employees and not employees of other institutions that have access to the case file system. On the other hand, those who supervise the system at the relevant institutions can obtain such information from their own employees. With reference to the comments of the National Commissioner of Police, it is not agreed that the National Commissioner of Police should or should have provided the complainant with information in this regard, as he did not have access to the information in question and is therefore not responsible for its processing. Article 3 Act no. 90/2018 and point 4. Article 2 Act no. 75/2019, as outlined in Chapter 3 in II. part above. On the other hand, it is examined here whether the National Commissioner of Police should have provided the complainant with information about the purpose of the search of his own employees.

As stated in Chapter 4 above, the complainant was entitled to information on the purpose of processing, cf. 2. tölul. Paragraph 1 Article 8 of Regulation no. 322/2001. The Data Protection Authority considers that it must be assumed that the provision in question contained the complainant's right to receive information on the purpose of searching for his personal information in the case file system, which was carried out by the National Commissioner of Police. From the answers of the National Commissioner of Police, however, it can be deduced that the office first carried out such a search after the complainant's request had been processed, ie. under the operation of this case. It is also clear that the complainant has now received information about the purpose of that processing.
4.2.
Procedure of the National Commissioner of Police

Finally, it remains to be determined whether the procedure of the National Commissioner of Police regarding the complainant's request was in accordance with Regulation no. 322/2001 and Act no. 90/2018. More specifically, it is examined whether the time it took the National Commissioner of Police to process the complainant's request was in accordance with the law, as well as whether the National Commissioner of Police provided the complainant with adequate instructions on the authority to complain to the Data Protection Authority.

From the explanations of the National Commissioner of Police and the documents he has submitted, it can only be concluded that the office first granted the complainant's request on 24 September 2018. This has not been objected to by the complainant. The decision of the National Commissioner of Police is dated 23 October 2018. The decision will be considered to involve the final processing of the case by the National Commissioner of Police, although the office later gave the complainant access to some of the information his request was for processing this case. To this end, the Data Protection Authority considers that the National Commissioner of Police has processed the complainant's complaint within the time limit laid down in the second paragraph. Article 8 of Regulation no. 322/2001.

There was also no provision for the duty of the National Commissioner of Police to provide guidance regarding the right of individuals to file a refusal pursuant to Article 8. of Regulation no. 322/2001 under the Data Protection Authority, in the provision itself or in the provisions of Act no. 90/2018, Coll. also Regulation (EU) 2016/679, which applied to the processing of personal data by the police when the events of this case took place. Accordingly, it cannot be assumed that the lack of instructions from the National Commissioner of Police to the complainant about his authority to refer the decision to the Data Protection Authority constituted a violation of the provisions of the Act or Regulation no. 322/2001.

It should be noted, however, that in the 3rd sentence. Paragraph 4 Article 13 Act no. 75/2019, which came into force after the National Commissioner of Police processed the complainant's complaint, now stipulates the obligation of the responsible party to inform the data subject of his right to lodge a complaint with the Data Protection Authority in cases where the responsible party restricts or denies a registered person access to his personal information.
3.
Conclusion

In view of all the above, it is the conclusion of the Data Protection Authority that the National Commissioner of Police was allowed to refuse the complainant information about which employees looked him up in the office's electronic file system, when the searches were made, as well as their number.

On the other hand, it is the conclusion of the Data Protection Authority that the National Commissioner of Police was not allowed to refuse the complainant information about which persons were responsible for searching personal information about him in the case file system, as well as information about the purpose of searching the complainant's personal information. In light of the fact that the complainant was provided with the information in question during the operation of this case, it is not considered whether special instructions should be directed to the National Commissioner of Police regarding access to them.

Finally, it is the conclusion of the Data Protection Authority that the procedure of the National Commissioner of Police in processing the complainant's request for information was in accordance with Act no. 90/2018, Coll. Regulation (EU) 2016/679, and Regulation no. 322/2001.
U r s k u r ð a r o r ð:

The decision of the National Commissioner of Police to refuse [A] information on the employees who looked up his personal information in the Office's electronic case file system, on the timing of searches, as well as on their number, was in accordance with Regulation no. 322/2001 on the processing of personal information by the police and Act no. 90/2018 on personal data protection and the processing of personal data, cf. Regulation (EU) 2016/679.

The decision of the National Commissioner of Police to refuse [A] information on searches of other responsible parties in the Office's electronic case file system, as well as on the purpose of its own searches, was not in accordance with Regulation no. 322/2001 on the processing of personal information by the police and Act no. 90/2018 on personal data protection and the processing of personal data, cf. Regulation (EU) 2016/679.

The procedure of the National Commissioner of Police in processing a request [A] for information on the processing of his personal information was in accordance with Act no. 90/2018 and Regulation no. 322/2001.

In Privacy, September 29, 2020

Björg Thorarensen
chairman

Ólafur Garðarsson Björn Geirsson

Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson