Persónuvernd (Iceland) - Case no. 2021040978

From GDPRhub
Revision as of 15:03, 2 November 2022 by Fz (talk | contribs) (Clarifications)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Persónuvernd - Case no. 2021040978
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 4(7) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 19.10.2022
Published: 19.10.2022
Fine: n/a
Parties: Landsbankinn hf.
National Case Number/Name: Case no. 2021040978
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Icelandic DPA (in IS)
Initial Contributor: n/a

The Icelandic DPA held that a bank was not the controller of personal information communicated through its employees' office emails pursuant to Article 4(7) GDPR when the emails did not concern the bank's activities.

English Summary

Facts

On 27 April 2021, Landsbankinn hf., a bank and the alleged controller, received an access request from the complainant, the data subject, regarding personal data which the bank may have. More specifically, the data subject requested access to the email communication of the bank's employees that had him as a subject. The communication took place through office email addresses but did not concern the bank's operations.

The bank provided the data subject with a copy of all the personal information processed in the bank's activities. However, it rejected the request to the extent that it concerned the e-mail communication of its employees, stating that another controller is concerned, namely, a workers' union. The data subject is a former member of the union and, in the bank's opinion, the data subject's request for access to the emails of employees of the bank, related to their confidential duties for the union, is not made in good faith. The bank speculated that the complainant is trying to access personal information from the activities of a third party through the bank.

The data subject responded that the bank's arguments for refusing his access request do not stand up to scrutiny. The data request is directed to the bank because it is known that the bank's email address was used for the processing and distribution of information about the data subject and, therefore, the request is rightly directed to it. In the opinion of the data subject, it is unreasonable that he was advised to contact an unrelated non-governmental organization in order to gain access to data stored in a mailbox operated by the bank.

Holding

The Icelandic DPA held that the bank was not the controller for the purposes of the email communication requested by the data subject.

According to Article 4(7) GDPR, "controller" refers to an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data.

In the data subject's right of access request to the bank, two of its employees are listed, who are also board members of a workers' union. The data subject requested a copy of their e-mail communications with third parties concerning the him. It is clear from the documents of the case that the aforementioned e-mail communications which discussed the data subject concerned the work of the persons in question for the union.

The DPA held that similar considerations apply to the e-mail communications in question as apply to the handling of employees' private e-mails that are not related to the employer's activities. Taking into account Article 9 of the Icelandic regulations no. 837/2006 on electronic monitoring and handling of personal information generated during electronic monitoring, employers are prohibited to view employees' personal e-mail unless it is absolutely necessary, such as due to a computer virus or a similar technical incident.

Accordingly, the e-mail communication in question is irrelevant to the bank, as they do not concern its operations. The bank cannot assess the data subject's right to access about this data since that assessment falls under the union as the controller of the data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Landsbankin's processing of access requests in accordance with the law

Case no. 2021040978

19.10.2022

Personal Protection ruled in a case where there was a complaint about the processing of Landsbankinn hf. on a request for access to the complainant's personal information. More specifically, the access request pertained to the email communications of the bank's employees, which took place through their email addresses at the bank but did not concern the bank's operations.

The conclusion of the Privacy Protection was that the refusal of Landsbankinn hf. on the access request complied with the law on personal protection and processing of personal information.

Ruling

On October 19, 2022, Personal Protection issued the following ruling in case no. 2021040978:

i
Procedure
1.
Outline of a case

On April 27, 2021, Personal Data Protection received a complaint from [A] (hereinafter the complainant) about the handling of Landsbankinn hf. on his request for access to his personal information that the bank may have. More specifically, the access request pertained to the email communications of the bank's employees, which took place through their email addresses at the bank but did not concern the bank's operations.

By letter, dated On September 6, 2021, Landsbankin was invited to provide explanations regarding the complaint. They responded with a letter dated September 22, 2021. By letter, dated On November 15, 2021, the complainant was given the opportunity to comment on Landsbankinn's point of view. The complainant's comments were received by letter, dated December 6, 2021.

When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.

2.
Complainant's point of view

The complainant has stated that Landsbankin's argument for refusing his access request does not stand up to scrutiny as the bank is the processor of the information in question. The complainant has the right to access all of his information that was processed by the employees of the bank to whom the request relates. It does not stand up to the opinion that the complainant is advised to contact an unrelated non-governmental organization in order to gain access to data stored in a mailbox operated by Landsbanki. The data request is directed to the Landbank because it is known that the bank's email address was used for the processing and distribution of information about the complainant, and therefore the request is rightly directed to the bank.

3.
Landsbankinn's point of view

Landsbankin's answers state that the bank has processed the complainant's request for access to his personal information in accordance with the provisions of the Privacy Act. The complainant has been given a copy of all the personal information processed about him in the bank's activities as the party responsible for the processing of the personal information. The employees of Landsbankinn that the complainant mentions in his complaint did not deal with the complainant's issues in their work for Landsbankinn. The part of the complainant's access request, which the bank rejected, concerned another independent guarantor, i.e. Union of employees of financial companies (hereafter SSF). Landsbankinn is not a processor for SSF. The complainant is a former employee of SSF and, in the bank's opinion, his request for access to certain emails of named employees of the bank, related to their confidential duties for SSF, is not made in good faith. The request is not submitted to exercise the right to information and access to personal information that Landsbankinn processes about the complainant as a responsible party in its activities. It seems that the complainant is trying to access personal information from the activities of a third party through Landsbankinn's rights portal. The right of access of the Personal Protection Act applies to the controller of processing and its purpose is not to enable individuals to request access to personal information from the activities of unrelated parties, as requested by the complainant.

II.
Assumptions and conclusion
1.
Legal environment and conclusion

Scope of law no. 90/2018, on personal protection and processing of personal data, and regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of Personal Protection, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of personal data that is or is to become part of a file by methods other than automatic.

This case concerns Landsbankin's handling of the complainant's request for access to his personal information at the bank. Accordingly, and taking into account the above-mentioned provisions, this case concerns the processing of personal data that falls under the authority of the Personal Protection Agency.

The person responsible for the processing of personal information is compatible with Act no. 90/2018 is the named responsible party. According to number 6 Article 3 of the Act, it refers to an individual, legal entity, government or other entity that alone or in cooperation with others determines the purposes and methods of processing personal data, cf. Number 7. Article 4 of the regulation. In the complainant's right of access request to Landsbankinn, two employees of the bank are listed, who are also [board member B] SSF on the one hand and [board member C] SSF on the other, and a copy of their e-mail communications with third parties concerning the complainant is requested. It is clear from the documents of the case that the aforementioned e-mail communications concerned the work of the persons in question for SSF, but they include, among other things, discussed the issues of the complainant, who is a former SSF employee. As is the case here, it is the opinion of the Personal Protection Authority that similar considerations apply to the e-mail communications in question and apply to the handling of employees' private e-mails that are not related to the employer's activities, cf. i.a. taking into account the provisions of Article 9 regulations no. 837/2006, on electronic monitoring and handling of personal information generated during electronic monitoring, according to which, among other things, it is not permitted to view employees' personal e-mail unless it is absolutely necessary, such as due to a computer virus or a similar technical incident. According to the foregoing, the e-mail communication is therefore Landsbankin hf. irrelevant, as they do not concern the bank's operations. It is also clear that Landsbankinn hf. cannot assess the complainant's right to access the data in question and whether something should be excluded, since that assessment falls under SSF as the responsible party of the data.

With reference to the above, Personal Protection believes that Landsbankin hf. was authorized to refuse a request for access to said e-mail communication.

Ruling:

Landsbankin's refusal of the complainant's access request was in accordance with Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679.

Privacy, 19 October 2022,

Helga Sigríður Þórhallsdóttir                    Bjarni Freyr Rúnarsson