Persónuvernd (Iceland) - 2020031242

From GDPRhub
Revision as of 08:30, 28 September 2021 by FD (talk | contribs)
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 12 GDPR
Article 15 GDPR
Lög um persónuvernd og vinnslu persónuupplýsinga nr. 90/2018
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 07.09.2021
Published: 09.09.2021
Fine: None
Parties: n/a
National Case Number/Name: 2020031242
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Icelandic DPA's website (in IS)
Initial Contributor: n/a

The Icelandic DPA held that a school infringed the rights of a student's parents under Articles 12 and 15 GDPR by failing to provide them with emails they were entitled to receive and by withholding data without adequate notice. However, the school was found to be entitled to withhold emails exchanged with other parents, as providing such data would adversely affect their rights and interests.

English Summary

Facts

The complainants had made an access request under Article 15 GDPR to obtain a copy of the personal data that a school and municipality were processing about their daughter and themselves (including emails between the complainants and the municipality, handwritten points from a parents' meeting, emails between the school and several parents, the report of a study counselor, etc.).

Following that access request, the defendants provided them with a partial file and did not inform them that some data had been withheld to protect the interests of third parties. After realizing that the file was incomplete, the complainants contacted the municipality's data protection officer (DPO) to ask whether some data was missing.

As a result, they received additional data and were also informed that the school had decided to withhold some data regarding communications with parents of other students, in order to protect the rights and interests of these third parties. Considering that they still had not received all the data they were entitled to, and had not been properly informed about where the data was stored, the complainants lodged a complaint with the Icelandic DPA on 21 March 2021. The DPA decided to conduct an on-site inspection of the municipality office to clarify the matter.

Holding

On 1 September 2021, the Icelandic DPA rendered its decision after considering the views of each party and the additional information collected during the on-site inspection of the municipality office.

Regarding the incomplete nature of the file that was handed to the complainants, the Icelandic DPA stated that, by refusing to disclose emails exchanged between the school and other parents, the defendants had acted in accordance with Article 15(4) GDPR, which provides that "the right to obtain a copy [of one's personal data] shall not adversely affect the rights and freedoms of others". In particular, it had been found that the e-mail communications with parents of other children, although mentioning the complainants' daughter, primarily concerned other students, and that it was therefore appropriate to exclude such documents from the access request to protect the rights of these other parents and students. By contrast, the Icelandic DPA ruled that by withholding e-mails that had been exchanged between the municipality and the complainants, the defendants had infringed Article 15 GDPR.

Regarding the right to information, the Icelandic DPA stressed that under Article 12(4) GDPR, the municipality should have promptly informed the complainants, and at the latest within one month after receiving their request, that certain documents would not be handed over to protect the interests of other individuals. Because it took over two months for this information to be provided, and because the municipality had also failed to mention that the complainants could lodge a complaint with the DPA against that decision, the Icelandic DPA concluded that the defendants had infringed Article 12(4) GDPR. However, no fine was imposed on the defendants.


English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


Reception municipality and school on request for access
Case no. 2020031242

9/9/2021

The Data Protection Authority has ruled on a municipality's and a school's processing of access requests from the complainants, who complained that they had not received all the data they considered themselves entitled to. In addition, they commented on omissions in the data they had received and on the fact that data had been withheld without their being informed. The Data Protection Authority came to the conclusion that the municipality and the school had provided the complainants with the data they were required to provide on the basis of the access requests in question and that certain data could be excluded from access with reference to the rights and freedoms of others. On the other hand, the processing of the access requests had not been in full compliance with the data protection legislation, as the complainants had not been informed within the statutory deadline that certain data would not be handed over, nor about the possibility of submitting a complaint to the Data Protection Authority. In addition, the complainants did not receive all the documents that they were entitled to receive when their specific request was processed, and they had to take the initiative to have further documents provided.

    

    
Ruling

On September 1, the Data Protection Authority issued a ruling in case no. 2020031242:

I. Proceedings

1. Outline of the case

On 21 March 2020, the Data Protection Authority received a complaint from [A] and [B] (hereinafter the complainants) about the processing of [schools] or [municipalities] on their requests for access to their personal information and their daughter who worked had been included at a certain time. The complainants consider that they have not received all the documents which they are entitled to receive on the basis of the data protection legislation and comment that [the school] has decided to withhold the data without informing the complainants about it. The complainants also comment that the information in the documents they received was crossed out and that there were inconsistencies in the crossings. Finally, the complainants consider that it is not clear where data on individuals are stored at [the school] or [the municipality]. The complaint was accompanied by an e-mail from the [municipality]'s data protection officer dated 23 January 2020.

In a letter from the Data Protection Authority on 5 October 2020, [the school] was invited to provide explanations regarding the complaint. The [school] and [the municipality] responded by letter dated 6 November 2020. The letter was accompanied by a list of the complainants' requests for data and e-mail communications and letters in connection with their data requests from 18 October 2019 to 2 November 2020. The accompanying documents include two an e-mail from another complainant to the [municipality]'s privacy officer on 15 November 2019 requesting a copy of documents concerning the complainants and their daughter from the systems of the [municipality], […] and [school] municipal offices from May 2019 to that date. The attachments also include a letter from the [municipality]'s privacy officer on 13 December 2019, in which the complainants' request is processed.

The e-mail communication between the complainants and the Privacy Officer from January and February 2020 states that when the documents were handed over in December 2019, the complainants did not receive e-mail communication from [the school] and the parents of other students with reference to their children's interests. In addition, there was a lack of handwritten data that the privacy officer said were probably working data, a study counselor's summary of processing for […] and some pages in a […] report that the complainants had received. According to an e-mail from the Data Protection Officer on 6 March 2020, additional documents were ready for delivery on the 9th of the same month, and he stated that all the documents he had found in the case had been handed over.

the letter that the employee of the municipality had sent to the professional council […]. A picture of the letter was attached to the complainants' complaint.

By e-mail dated 18 February 2021, the complainants informed the Data Protection Authority that [the municipality] did not find any data that had been processed in connection with the parents' meeting […] 2020. The complaint was accompanied by communication […] .20 "and on the delivery of handwritten comments on the meeting. The accompanying answers from the [municipality]'s data protection officer state that handwritten points are considered working documents and will therefore not be handed over, according to Article 8 Information Act no. 140/2012. Data that is on paper is stored in student folders that are in a locked access-controlled file cabinet. The complainants' complaint was accompanied by a copy of the text of the ruling of the Appellate Committee on Information, stating that the current principal [of the school] had gone through the complainants' folders and their daughter but had not found any handwritten points from the parents' meeting.

offered to provide explanations for the above additions to the complaint.

The [municipality] responded by letter on 23 April of the same year. The letter was accompanied by an e-mail communication between the then principal [school] and the professional council […] from 25 March and 8 April 2020, the minutes of the parents' meeting […] 2020 and the rulings of the Appellate Committee on Information in cases no. […] and […].

to all the above data, although not all of them are specifically mentioned in the following ruling. The handling of the case has been delayed due to a great deal of work on the part of the Data Protection Authority.

2. When the data was handed over, they had a well-founded suspicion that not all the data had been handed over, and they therefore contacted the [municipality]'s privacy officer. As a result, they received more data. The complainants believe that they have not yet received all the data to which they are entitled and refer to the fact that in the response of the privacy officer it was stated that the school has decided to withhold data regarding communication with parents [other students] without informing the complainants about that. The data they had received was missing page numbers as well as e-mail communications that had not been delivered. As stated above, the complainants also comment on the deletions in the data they have received and that it is not clear where the data on individuals is stored. ] and that the municipality does not find handwritten comments from the parents' meeting […] 2020.

3. The views of [the municipality] and [the school] have already been handed over, documents that the complainants themselves have in their possession and documents that they believe exist but do not exist. The complainants' first request for data was received on 29 March 2019 and data was submitted on 26 April of the same year. The second request was made on 15 November 2019 and documents were submitted on 13 December of the same year.

It was also confirmed on 20 January 2020 that all documents regarding the request had been submitted on 15 November of the previous year. The complainants once again requested access to all documents concerning them and their daughter on 13 September 2020. The request was not based on a special legal basis, but the municipality's archivist and privacy officer responded to the request on the basis of the Privacy Act on 7 October the same year. Further specified documents were then excluded from delivery, on the one hand with reference to paragraph 5 (b) Article 12 of Regulation (EU) 2016/679 and on the other hand with reference to the fact that they were working documents, cf. point 3, Paragraph 1 Article 16 administrative law. The complainants also requested the submission of documents on 2 November 2020.

It is stated in the answers of [the municipality] and [the school] that there is no list of the documents that have been handed over to the complainants. Efforts have been made to provide the complainants with all documents to which they are entitled according to the Administrative, Information and Personal Data Protection Act, without, however, handing over documents that are not permitted to be handed over. The complainants even received working documents, in addition to the municipality's obligation. On the other hand, when processing subsequent data requests, no working data has been delivered according to the definition in the third paragraph Article 8 Information Act no. 140/2012, point 3, Paragraph 1 Article 16 of the Administrative Procedure Act no. 37/1993 and the 5th paragraph Article 17 Privacy Act no. 90/2018.

The municipality employee's letter to the professional council […], which accompanied the complainants' message on 12 December 2020, was an e-mail from the then principal of the [school] to the professional council […] from 8 April 2020.

The message was therefore sent after the initial complaint The complainant received the Data Protection Authority on 21 March of the same year. It is not known on what basis the request for delivery had been sent to the complainants or whether it had been delivered. On the other hand, the e-mail discusses sensitive issues of teachers and other children and bases [the municipality] and [the school] on the fact that the message is therefore exempt from the complainants' right of access on the basis of the Administrative and Information Act and thus on the basis of privacy legislation. Paragraph 6 Article 17 Act no. 90/2018.

Regarding handwritten points from the parent meeting […] 2020, [the municipality] and [the school] refer to what is stated in the rulings of the Appellate Committee on Information Matters no. […] and […]. The party who wrote the minutes of the parent meeting informed that it takes down points in its work for its own use, e.g. when writing minutes. These points are only useful to her and she shreds them regularly, at the latest at the end of the school year.

which are stored in the school's locked filing cabinet. In addition to the archivist, representatives of [the municipality] and [the school] were present. The employees of the Data Protection Authority were informed that there was no comprehensive list of the data that had been handed over to the complainants or of the data that had been excluded from their access. In view of what had been stated in the case that the school staff's e-mail communication with the parents of other students had been excluded from the complainants' access, with reference to the interests of these students, the school's case file was examined for each student in question. The scope of the data was so large that it was not considered possible to view each and every document, but the documents were opened which were considered a reason to view with reference to the above, i.e. in particular e-mail communication with the parents of students other than the complainant's daughter. These included e-mails referring to the complainant's daughter, but the main subject of the messages concerned other students. In addition, other documents were examined at random.

5. Rulings of the Appellate Committee on Information Matters

The ruling of the Appellate Committee on Information Matters no. […] from […] deals with [the municipality's] processing of the second complainant's request in this case for all data that existed in the municipality's and [school]'s systems until 30 June 2020 and concerned the complainants and their daughter. The ruling states that the documents were handed over to the complainant on 23 June 2020. The next day, the complainant in this case informed the municipality that certain documents had not been among the documents that had been handed over. This included a letter to the professional council at the Directorate of Education and handwritten points from a parent meeting from […] 2020. The municipality's responses stated that handwritten points from a parent meeting in […] 2020 were considered working documents according to point 5 Article 6, cf. Article 8 of the Information Act, and would for that reason not be delivered. Then all the documents would have been delivered at the request of the complainant.

The conclusion of the ruling states, among other things, about the letter to the professional council at the Directorate of Education that there seems to have been a misunderstanding between the complainant and the municipality and that the complainant actually referred to an e-mail between the municipality employee and the professional council from 11 March 2020. in the e-mail as a letter, when it had been delivered to the complainant and the Appellate Committee did not consider there to be grounds for questioning that statement.

It is also stated about handwritten items from the parents' meeting in […] 2020 that according to information from the municipality, there are in fact no items from the parents' meeting according to the first paragraph Article 5 Act no. 140/2012. The Appellate Committee has no grounds for questioning that statement and therefore there is no refusal to access data. The conclusion of the ruling is that the complainant has either received all the documents that his request has obtained and is available from the municipality or that the relevant documents are not available according to the first paragraph Article 5 Act no. 140/2012.

In the ruling of the Appellate Committee on Information Matters no. […] from […] deals with [the municipality's] processing of another complainant's request from 22 August 2020 for a copy of all documents from C concerning the complainants and their daughter, both handwritten data and data from the municipality's systems, i.e. from the town office and [the school]. The ruling states that the municipality's response to the request stated that the requested documents were ready for delivery. The complainant subsequently informed the municipality that various documents were missing, such as minutes, points that C had taken down at a parent meeting, communication with […], etc. In the [municipality's] reply, it was stated that it was natural to examine whether certain minutes were missing, but that other documents were either working documents or of the nature that they were not permitted to be handed over. The conclusion of the ruling refers to the ruling of the committee no. […] That according to information from [the municipality] handwritten documents from the parents' meeting are not available, according to the first paragraph Article 5 Act no. 140/2012, and that nothing was found during the handling of the case that indicated that the Appellate Committee was based on incorrect information in the above-mentioned ruling.

II. Conditions and conclusion

1. Demarcation of the case, scope and responsible party

This case concerns the handling of [the municipality] and [school] at the request of the complainants for access to data with their personal information and that of their daughter, in addition to which the complainants believe that it is not clear where the municipality and the school store the data of individuals. During the handling of the case, it has been revealed that this is data in the [municipality]'s electronic file system, ONE, and data in the complainant's daughter's student file, which is stored in the school's file cabinet. Furthermore, these are handwritten notes that the secretary took down at a parent meeting in […] 2020 and the complainants also comment that it seems as if they have been deleted after they asked for their copies to be handed over.

Scope of Act no. 90/2018 on personal data protection and the processing of personal data and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or should become part of a file. identify him, directly or indirectly, with reference to his identity or one or more factors that are characteristic of him, cf. point 2 Article 3 of the Act and point 1 Article 4 of the Regulation. Processing refers to an action or series of actions where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2 Article 4.

During the handling of the case, nothing has come to light that indicates that handwritten notes, which the secretary took down at a parent meeting in […] 2020 for his own use in preparing the minutes, have been made part of a register. According to the above provisions, they therefore fall outside the scope of the Data Protection Act and thus the scope of the Data Protection Authority. On the other hand, the processing of personal information in the [municipality]'s electronic documentation system and in the school's student files falls within the scope of the Act and thus the authority of the Data Protection Authority.

90/2018 is named the responsible party. According to point 6 Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. point 7 Article 4 of the Regulation. As such, [the municipality] and [the school] are considered to be jointly responsible for the processing of personal information in the municipality's electronic documentation system, but [the school] is one responsible for the processing of personal information in the school's student portfolios.

2. on access to their personal information and their daughter in accordance with the provisions of Act no. 90/2018 on personal data protection and the processing of personal data and Regulation (EU) 2016/679.

Paragraph 1 Article 8 Act no. 90/2018 and item a of the first paragraph Article 5 of the Regulation, implies, among other things, that individuals should be aware of when personal information about them is collected or used, viewed or processed in another way, to what extent it is or will be processed and for what purpose. Right of access according to Article 17 Act no. 90/2018 and Article 15 of the Regulation is a factor in ensuring the above and must be viewed in that light.

Article 17 Act no. 90/2018, the registered person has the right to access personal information about himself according to the instructions of Article 15 of the Regulation, with the exception that the rights of the data subject must be waived if the urgent interests of individuals related to the information, including the data subject himself, outweigh, cf. Paragraph 3 Article 17 of the Act. Article 15 of the Regulation states that a registered individual shall have the right to receive confirmation from the responsible party as to whether personal information about him is processed and, if so, the right to access the personal information. According to para. the same articles, the responsible party shall provide the data subject with a copy of the personal information that is being processed, but the data subject's rights in this regard shall not impair the rights and freedoms of others, cf. Paragraph 4 of the article.

Article 17 Act no. 90/2018 stipulates that information in cases that are being processed by the government may be exempted from the right of access according to the first paragraph Article 15 of the Regulation to the same extent as applies to exceptions to the right to information according to the Administrative and Information Act. The comments on the provision state that it is assumed that the right of access according to the Personal Data Protection Act will be comparable to the right of a party to a case according to Article 15 of the Administrative Procedure Act and the rights of the public according to Article 5 of the Information Act. As a result, a party may not demand access to documents or other data under the Privacy Act that are exempt from access under the Administrative or Information Act.

or refuse to comply with the request, in which case it shall be the responsibility of the party responsible to demonstrate that the request was unfounded or excessive, cf. Paragraph 5 Article 12. If the responsible party does not comply with the request of a registered individual in accordance with the above provisions, he shall notify him without delay of the reasons why this was not done and of the possibility of submitting a complaint to the supervisory authority and seeking legal recourse, cf. Paragraph 4 Article 12 of the Regulation.

3. Conclusion

The initial complaint in this case was received by the Data Protection Authority on 21 March 2020, and the complainants then considered that they had not received all the data to which they were entitled according to the data protection legislation. The complainants also informed the Data Protection Authority in an e-mail on 12 December 2020 that they had not received a letter that an employee of the municipality had sent to the professional council […]. It has been informed that the letter was an e-mail from the then principal of the [school] which was sent to the professional council on 8 April 2020.

In the aforementioned ruling of the Appellate Committee on Information Matters no. , which was issued […], dealt with [the municipality's] processing of the second complainant's request in this case for all data that existed in the municipality's and [school]'s systems until 30 June 2020 and concerned the complainants and their daughter. The Appellate Committee's conclusion is that the complainant has either received all the documents that his request covered and was available from the municipality or that the documents in question are not considered to have been available according to the provisions of the Information Act.

Article 17 Act no. 90/2018, which is outlined above, complainants cannot have a greater right of access to data on the basis of Act no. 90/2018 but according to the Information Act no. 140/2012.

With reference to the above ruling, it must therefore be considered that the complainants have received all the documents to which their complaints relate and to which they are entitled according to the data protection legislation.

children at school or about deletions in the documents that were handed over and it is therefore considered appropriate to discuss the issues here. It must also be considered whether the processing of the complainants' access requests was in other respects in accordance with the provisions of Regulation (EU) 2016/679 and Act no. 90/2018.

In a letter from the [municipality's] privacy representative on 13 December 2019, in which the complainants' request for access from 15 November of the same year was answered, it is stated that the names or information about other students have been crossed out with reference to e.g. Paragraph 3 Article 17 Act no. 90/2018. It is also stated in the privacy officer's e-mail to the complainants on 23 January 2020 that no e-mail communication was delivered to the parents of other students as they were primarily about students other than their daughter and that this was very sensitive personal information about those children.

is provided for in the 4th paragraph Article 15 of Regulation (EU) 2016/679 that the right to receive a copy of the personal information that is being processed shall not infringe on the rights and freedoms of others. The conclusion of the on-site inspection of the Data Protection Authority's staff [the municipality] was that when handing over the data to the complainants, the municipality and the school safeguarded the rights and freedoms of other registered individuals in accordance with the above provision. For example, the e-mail communication in question with the parents of other children primarily concerned other students, even though the complainants' daughter had been referred to, and it was therefore appropriate to exclude the complainants' access.

It is therefore the conclusion of the Data Protection Authority that the assessment and decision of the municipality and the school on what documents the complainants should receive and in what way have complied with the provisions of the first, third and fourth paragraphs Article 15 of the Regulation, cf. Paragraph 2 Article 17 Act no. 90/2018. Complainants have consequently been provided with all the documents to which they have a right of access on the basis of their requests for access to their personal information and that of their daughter, in accordance with the provisions of Act no. 90/2018 and Regulation (EU) 2016/679.

In accordance with para. Article 12 of Regulation (EU) 2016/679, the [municipality] and [the school] were informed without delay and at the latest within one month of receiving the complainants' request to inform them that certain documents would not be delivered with reference to the interests of other individuals and the possibility of filing a complaint at the Data Protection Authority. According to the available data, this was first done in an email from the [municipality]'s data protection officer to the complainants on 23 January 2020, or just over two months after the complainants requested the delivery of the data on 15 November 2019. The processing of [the municipality] and [the school] was not in this respect in accordance with the provisions of the fourth paragraph Article 12 of the Regulation, cf. Paragraph 1 Article 17 Act no. 90/2018.

According to what is stated in the existing e-mail communication between the complainants and the [municipality]'s data protection officer, it is further clear that the complainants did not receive all the documents they were entitled to when their request was processed on 13 December 2019 and that the complainants had to initiate further submission of further documents. The handling of [the municipality] and [the school] was in this respect not in accordance with the provisions of the third paragraph Article 12 and the third paragraph Article 15 of Regulation (EU) 2016/679, cf. Paragraph 2 Article 17 Act no. 90/2018.

Ruling:

[The municipality] and [the school] have provided [A] and [B] the documents that they were required to provide on the basis of the complainants' requests for access to their personal information and that of their daughter, according to the provisions of Act no. 90/2018 on personal data protection and the processing of personal data and Regulation (EU) 2016/679. Article 12 and the third paragraph Article 15 of Regulation (EU) 2016/679, cf. Paragraphs 1 and 2 Article 17 Act no. 90/2018.

In Privacy, 1 September 2021,

Helga Þórisdóttir
Valborg Steingrímsdóttir


    





















  